
Friday, July 18, 2014

Security Management Weekly - July 18, 2014

July 18, 2014
Corporate Security
  1. "ASIS Announces New Supply Chain Risk Management Standard"
  2. "Cameroon Security Risks Prompt Chinese Oil Firm to Halt Exploration"
  3. "Total Pulls Some Expat Employees From Libyan Capital Amid Violence"
  4. "Could Drones be New Force Multiplier for Physical Security?"
  5. "Drilling for Opportunity"

Homeland Security
  1. "Rebels in Eastern Ukraine Offer Truce to Allow Probe of Malaysia Airlines Crash"
  2. "Hill Surveillance Reform: Time Is Not on Its Side"
  3. "NYPD: No Reported Terror Threat for US Open"
  4. "Stealth Moose Meets Concrete Donkey: GCHQ's Goofy Ops Names"
  5. "Crucial Facts Not Shared at Navy Yard"

Cyber Security
  1. "How Russian Hackers Stole the NASDAQ"
  2. "Researchers Track Spread of Security Flaws in Software Libraries"
  3. "Critical Vulnerabilities in Web-Based Password Managers Found"
  4. "Future Java 7 Security Patches Will Work on Windows XP Despite End of Official Support"
  5. "Banking Malware Found on Google Play"


Corporate Security

ASIS Announces New Supply Chain Risk Management Standard
Security InfoWatch (07/17/14)

ASIS International has released a new standard to help organizations address operational risks in supply chains. A global, cross-disciplinary technical team partnered with the Supply Chain Security Council to develop "Supply Chain Risk Management: A Compilation of Best Practices (SCRM)," which will be a practitioner’s guide to SCRM and associated processes to help manage risks in an organization and its supply chain. “This is the first standard to provide practical guidance, based on the experiences of both large and small organizations, about managing risks in their supply chain to increase their resilience capacity and create value,” said Dr. Marc H. Siegel, the commissioner of the ASIS Global Standards Initiative. The SCRM standard also will help security practitioners anticipate, prevent, manage, respond to, and recover from potentially undesirable events, and to identify opportunities.


Cameroon Security Risks Prompt Chinese Oil Firm to Halt Exploration
Wall Street Journal (07/15/14) Tumanjong, Emmanuel

The Chinese oil firm Yan Chang Logone Development has decided to suspend exploration in Cameroon's Far North Region in response to Boko Haram's expansion of its insurgency into that country. The move comes after 10 Chinese road construction workers were kidnapped in the region in mid-May by suspected armed Boko Haram militants. Yan Chang has oil operations in the same area where those kidnappings took place. Boko Haram is believed to be involved in at least five abductions in the area, which borders its Nigerian stronghold.


Total Pulls Some Expat Employees From Libyan Capital Amid Violence
Wall Street Journal (07/15/14) Faucon, Benoit

The French oil company Total SA announced July 15 that it will evacuate some expatriate employees from Tripoli, Libya. The decision follows continued violence in the capital, with at least six people killed and 25 injured in a fight between rival militias over Tripoli's airport on Sunday. The airport remains closed. The company is also reportedly considering a force majeure on its Libyan operations, which would provide it with legal protections if it is unable to fulfill contractual oil production obligations. Oil production fields have been unaffected by the violence so far.


Could Drones be New Force Multiplier for Physical Security?
Security Director News (07/14/14) Canfield, Amy

After using a drone as part of a security assessment for a Houston-based pharmaceutical chain, security consultant J. Patrick Murphy is convinced the technology has incredible potential for physical security applications. Murphy contracted with West Fork Drones to conduct a nighttime light study of the client's parking lot and was impressed by the functionality and maneuverability of the drone. Murphy began contemplating more uses for drones, and determined that the aircraft could be used to provide regular broad surveillance for mall parking lots or to monitor open areas of industrial facilities that would otherwise require regular on-foot patrols. They would be especially useful in carrying out security assessments for institutions like schools and hospitals, and in helping to formulate safe evacuation routes, Murphy says. Murphy says the potential of drones for emergency planning is "limitless." However, there are practical limits to the utility of drones, particularly limited battery life. Michael Sclafani of West Fork Drones says most of his aircraft can stay airborne for only 15 to 20 minutes at a time. It also takes roughly 20 hours to train operators to be comfortable flying and landing drones.


Drilling for Opportunity
Security Today (07/01/14) Incorvati, Anthony

The U.S. energy market, particularly for oil and natural gas, is expected to grow significantly in the coming years, providing an excellent opportunity for security professionals to help protect production and processing facilities. One way to achieve this goal will be through the use of networked camera technology. There are a wide variety of these solutions available, but they must be implemented using a layered approach in order to ensure maximum return on investment. These layers should focus on perimeter control, building protection, and potentially hazardous areas. Beginning with perimeter protection, facilities can use networked cameras alongside other sensors to improve situational awareness and reduce false alarms. Building protection, meanwhile, can use networked cameras to control access and to ensure that all employees are safely evacuated in the event of an emergency. Finally, in the case of hazardous areas, networked cameras can monitor areas where humans cannot safely go, ensuring that any problem in these areas is detected as soon as possible.

Homeland Security

Rebels in Eastern Ukraine Offer Truce to Allow Probe of Malaysia Airlines Crash
Washington Post (07/18/14) Birnbaum, Michael; Faiola, Anthony M.

Ukrainian Prime Minister Arseniy Yatsenyuk is calling the downing of Malaysia Airlines Flight 17 by a surface-to-air-missile on Thursday a terrorist attack carried out by pro-Russian militants supported by the Russian government. Ukrainian President Petro Poroshenko has made similar claims, saying that his government has obtained recordings of telephone conversations between the rebels--who control the area of Eastern Ukraine where the plane was downed--and Russian intelligence officials that suggest they were involved in the attack on the Boeing 777, which killed all 298 people onboard. Pro-Russian rebels are also known to be in possession of short-range surface-to-air missiles, though experts say those missiles likely could not have been used to hit Flight 17. However, Ukrainian authorities say the rebels recently obtained Russian Buk surface-to-air missile systems that use radar to hit targets. Meanwhile, both the Russian government and the pro-Moscow rebels in Eastern Ukraine have denied any involvement in the attack on Flight 17. One Russian government official has suggested that Ukraine was likely involved--a claim that Kiev has denied. The U.S. government has responded to the attack by having analysts work to determine who fired the missile. U.S. flight operations in the airspace over Eastern Ukraine are also being prohibited until further notice.


Hill Surveillance Reform: Time Is Not on Its Side
Politico (07/17/14) Byers, Alex

Time may be running out for the USA Freedom Act, which would curb the National Security Agency's bulk collection of phone records. The measure passed the House with support from the White House and intelligence community, but it has yet to be put before the Senate, and supporters worry it will be crowded out by other legislative priorities. Many senators, including Senate Majority Leader Harry Reid, are also likely to be absorbed in campaigning for the fall election. Even if supporters like Senate Judiciary Chairman Patrick Leahy (D-Vt.) can get the bill to the Senate floor for a vote, many privacy advocates say it does not go far enough. The bill would allow the government to ask phone companies for call records relevant to a specific investigation, but some critics say it does not do enough to prevent the government from getting more information on Americans than necessary. A separate effort spearheaded by Sen. Ron Wyden (D-Ore.) to pass a measure approved by the House that would ban funding for efforts by the NSA to search its databases for Americans' data without a court order is also likely to face an uphill battle.


NYPD: No Reported Terror Threat for US Open
Associated Press (07/16/14) Pearson, Jake

Rebecca Weiner, the New York Police Department's director of intelligence analysis, said Wednesday that there were no reported terror threats against the upcoming US Open tennis tournament in Queens. Al-Qaida in the Arabian Peninsula (AQAP) mentioned the tennis tournament as a possible target for attacks in its online English-language magazine Inspire. According to Weiner, the magazine featured instructions on how to build a truck bomb and advised potential attackers to target large crowds of people, rather than buildings, listing the US Open as a potential target along with several other events and locations in New York, Virginia, and Washington. "We will ensure that the suggestions in this magazine remain hypothetical," Weiner said. Separately, Boston Police Commissioner Edward Davis on Wednesday gave a presentation on lessons the department had learned from the April 2013 bombing of the Boston Marathon. Chief among those lessons was the importance of using social media to promptly counter and correct misinformation spread through the media in the days after the bombing as the manhunt for the perpetrators was underway.


Stealth Moose Meets Concrete Donkey: GCHQ's Goofy Ops Names
Wall Street Journal (blog) (07/16/14) Fleisher, Lisa; Mizroch, Amir

Former Guardian reporter Glenn Greenwald has disclosed documents provided by former National Security Agency contractor Edward Snowden that outline online espionage programs used by the U.K.'s Government Communications Headquarters (GCHQ). The spying programs were developed by the Joint Threat Research Intelligence Group (JTRIG), a department within GCHQ, and covered a broad range of activities including stealing encrypted files, sending fax and text message spam, e-mail spoofing, manipulating online polls, collecting online video comments and private chat logs, and subverting social media accounts. Many of the programs sported odd or whimsical names such as Fruit Bowl, Nut Allergy, and Stealth Moose. Some programs were offensive attacks like Concrete Donkey, which sought to render target telephones unusable by "bombing" them repeatedly with the same messages. The programs were developed for GCHQ to meet specific operational demands and do not necessarily represent a complete list of JTRIG programs or the limits of JTRIG and GCHQ's capabilities. "If you don't see it here, it doesn't mean we can't build it," read one part of the document, which was last updated in July 2012.


Crucial Facts Not Shared at Navy Yard
Washington Post (07/12/14) Hermann, Peter; Williams, Clarence

Washington, D.C.'s Metropolitan Police Department has issued a report detailing the problems authorities from various agencies had in coordinating their response to last fall's shooting at the Washington Navy Yard. One of the problems identified in the report was the U.S. Navy's failure to tell police commanders that they could access a command center where they could watch surveillance video from the building where the shooting was taking place. The security guard who was working in that room had locked himself inside and apparently did not try to contact anyone, possibly because he "froze" and did not know what to do, said Metropolitan Police Chief Cathy Lanier. Lanier added that she does not believe that access to the video would have prevented gunman Aaron Alexis from killing anyone, but said she does believe that accessing the cameras could have helped prevent a police officer from being shot and wounded. The report also noted that access to the cameras may have helped authorities to more quickly identify Alexis as the shooter, pinpoint his location, and determine whether there were other shooters involved. There were initial reports that two or even three gunmen carried out the massacre.

Cyber Security

How Russian Hackers Stole the NASDAQ
Bloomberg Businessweek (07/17/14) Riley, Michael

A hack of NASDAQ computer networks, which was revealed in 2011, was likely a Russian spying operation intent on copying the stock exchange's technology, concludes an investigation by Bloomberg News. Russians reportedly wanted to clone the exchange "either to incorporate its technology directly into their exchange or as a model to learn from." The NSA and the FBI were permitted onto the stock exchange's networks after an FBI system "monitoring US Internet traffic picked up an alert" in October 2010. The cloning theory doesn't fully account for the malware's destructive potential, which "couldn't destroy computers like a wiper virus, but it could take over certain functions in order to cause a network disruption." Muddled and missing logs—one investigator referred to NASDAQ infrastructure as a "dirty swamp"—make it impossible to determine exactly what data was taken and where it went. Federal agents also found evidence of other hackers, some of which may have been in the exchange's networks for years, including criminal hackers and Chinese cyberspies.


Researchers Track Spread of Security Flaws in Software Libraries
eWeek (07/16/14) Lemos, Robert

Synack's Kymberlee Price and Risk Based Security's Jake Kouns will share the results of an analysis of popular software components at this year's Black Hat Security Briefings conference. Prompted by the havoc wrought by the Heartbleed bug in OpenSSL earlier this year, Price and Kouns used a disease-spread model to determine what action companies should take to minimize the potential disruptions that could be caused by a major vulnerability in more than 130 popular pieces of software. Such software is often a fundamental part of the software libraries on which companies build their products and internal systems, and the researchers say companies can protect themselves by first cataloging their software libraries. Companies should then identify the crucial pieces of software their systems and products rely on and actively monitor them so vulnerabilities can quickly be patched if and when they are discovered. A survey of about 3,400 software developers by Sonatype earlier this year found that only 37 percent actively monitor their software components for vulnerability disclosures, and about 60 percent said they do not maintain an inventory of open source components; both are actions Price and Kouns recommend taking.
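The practice the researchers recommend (inventory the components, mark the crucial ones, match them against vulnerability disclosures) can be expressed as a small triage routine. The following is an added example written for this page; it is not Price and Kouns' tooling or anything from the article. The inventory, the advisory list and the advisory identifiers are constructed sample data (the OpenSSL range is modelled on Heartbleed, which affected OpenSSL 1.0.1 up to but not including 1.0.1g), and a real deployment would load them from an SBOM and a vulnerability feed instead. Version handling assumes dotted numeric versions with an optional letter suffix.

```python
"""Component inventory vs. vulnerability advisories.

Added example, not from the article or the researchers' work. Inventory,
advisories and advisory ids below are constructed sample data; only the
matching and prioritisation logic is of interest.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    critical: bool  # marked by the owning team as crucial to a product


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # constructed placeholder ids, not real identifiers
    component: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)


_TOKEN = re.compile(r"(\d+)|([A-Za-z]+)")


def version_key(version):
    """Sortable key for dotted versions with an optional letter suffix (e.g. 1.0.1f).

    Assumption: numeric fields compare numerically, and a letter suffix sorts
    after the bare version, so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
    """
    key = []
    for digits, letters in _TOKEN.findall(version):
        key.append((0, int(digits)) if digits else (1, letters.lower()))
    return tuple(key)


def is_affected(component, advisory):
    """True when the component's version falls inside the advisory's affected range."""
    if component.name != advisory.component:
        return False
    v = version_key(component.version)
    return version_key(advisory.affected_from) <= v < version_key(advisory.fixed_in)


def triage(inventory, advisories):
    """Return (priority, component, version, advisory_id) rows, critical components first."""
    rows = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                priority = "P1" if comp.critical else "P2"
                rows.append((priority, comp.name, comp.version, adv.advisory_id))
    return sorted(rows)


def unmonitored_critical(inventory, monitored):
    """Critical components with no advisory-feed subscription: the gap the survey describes."""
    return sorted({c.name for c in inventory if c.critical} - set(monitored))


# Constructed sample inventory and feed. ADV-0001 models the Heartbleed range.
INVENTORY = [
    Component("openssl", "1.0.1e", critical=True),
    Component("openssl", "1.0.1g", critical=False),
    Component("libfoo", "2.3.0", critical=False),   # hypothetical library
    Component("libbar", "0.9", critical=True),      # hypothetical library
]
ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.0.1", "1.0.1g"),
    Advisory("ADV-0002", "libfoo", "2.0.0", "3.0.0"),
]
MONITORED = ["openssl"]  # components for which a disclosure feed is actually watched

if __name__ == "__main__":
    for row in triage(INVENTORY, ADVISORIES):
        print("%s %s %s affected by %s" % row)
    print("critical but unmonitored:", unmonitored_critical(INVENTORY, MONITORED))
```

Running the script lists the patched OpenSSL build as unaffected, flags the critical 1.0.1e build at P1 ahead of the non-critical libfoo hit, and reports libbar as a crucial component nobody is watching for disclosures, which is the 37 percent versus 60 percent gap the survey describes.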


Critical Vulnerabilities in Web-Based Password Managers Found
Help Net Security (07/14/14) Zorz, Zeljka

Computer hackers could exploit vulnerabilities in popular Web-based password managers and learn users' credentials for arbitrary websites, according to researchers from the University of California, Berkeley. The researchers say they analyzed LastPass, RoboForm, My1Login, PasswordBox, and NeedMyPassword to evaluate their security and to provide advice to "guide the design of current and future password managers." The team uncovered problems with different features, such as one-time passwords, bookmarklets, and shared passwords. The researchers report root causes range from logic and authorization mistakes to misunderstandings about the Web security model, as well as typical vulnerabilities such as CSRF and XSS. "Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem," they caution. The team advocates a defense-in-depth approach to thwart attackers. They plan to develop a tool that automates the process of identifying vulnerabilities, and they also intend to work on a principled, secure-by-construction password manager.


Future Java 7 Security Patches Will Work on Windows XP Despite End of Official Support
IDG News Service (07/14/14) Constantin, Lucian

Oracle's Henrik Stahl issued a statement intended to clear up a misunderstanding about Java 7 security updates on PCs running Windows XP. The misunderstanding stems from an earlier statement in which Oracle said support for Java 7 updates on XP machines will "only be provided against Microsoft Windows releases Windows Vista or later." Stahl says Oracle meant that it will only patch vulnerabilities in Java 7 that are seen in Windows XP and in Windows Vista and/or a later version of the operating system, and that it will no longer issue fixes for flaws seen in just Windows XP. However, some interpreted the statement as meaning Java 7 updates will no longer work correctly on Windows XP machines, which Oracle now says is untrue. If that had been the case, Windows XP users would have been unable to patch Java 7 and would have been left to run the platform with vulnerabilities in place. Stahl says Windows XP users will continue to receive automatic security updates for Java 7 until at least next April, at which point public updates for that version of Java will end. But he also notes Oracle will "take measures to keep Java users safe" if it determines the use of Java 7 updates on Windows XP machines is still high at that time.


Banking Malware Found on Google Play
Credit Union Times (07/13/14) McGarvey, Robert

The San Francisco-based mobile security firm Lookout discovered a malware banking app in the official Google Play store. The BankMirage app targeted customers of the Israeli financial institution Mizrahi Bank, putting a wrapper around the Bank Mizrahi app and masquerading as the bank's official app. As part of the phishing attack, the app stored the user ID, then sent a message to the user saying the login failed and directing them to reinstall the legitimate banking app from the Play Store. Although the threat has been neutralized, it shows that following the advice of mobile security experts and downloading apps only from Google Play or the Amazon Appstore does not guarantee protection for Android users.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

