
Friday, August 08, 2014

Security Management Weekly - August 8, 2014

August 8, 2014
Corporate Security
  1. "Pilots Say U.S. Failed to Assess Ukraine Threat"
  2. "Cease and Desist: Empty Words Without Action"
  3. "Shoplifting Mob Hits Naperville Apple Store" (Illinois)
  4. "Mission Critical" (office building security)
  5. "Apprehending the Internal Thief"

Homeland Security
  1. "Obama Authorizes Possible Iraq Strikes"
  2. "Ebola Outbreak Could Inspire African Terrorist Groups to Weaponize the Virus: Experts"
  3. "More Than 1 Million People are Listed in U.S. Terrorism Database"
  4. "Sovereign Citizens Seen as Top Terrorist Threat by US Law Enforcement"
  5. "How Federal Background Checks are Changing"

Cyber Security
  1. "Some Mobile POS Devices Still Have Critical Flaws Months After Patch"
  2. "Retail Malware: PCI-DSS Is Part of the Problem, Says Retail Security Specialist Slava Gomzin" (PCI-DSS: Payment Card Industry Data Security Standard)
  3. "Russian Hackers Steal Passwords of Billion Users"
  4. "Experts Question Scope of Reported Russian Hack"
  5. "Network Security Concerns With BYOD" (Bring Your Own Device)


Pilots Say U.S. Failed to Assess Ukraine Threat
Wall Street Journal (08/07/14) Pasztor, Andy

The leaders of American pilot unions have suggested that the U.S. and other governments did not promptly assess and publicize the threats to airliners flying over eastern Ukraine before last month's downing of Malaysia Airlines Flight 17. Lee Moak, the president of the Air Line Pilots Association, said that agencies failed to fulfill their "duty to warn" airlines about the possible hazards of flying over areas of fighting between Ukrainian forces and Russian-backed separatists. Moak said that "the federal government has to come up with a dynamic process" to alert airlines about future threats, including a timely process for notifying the industry. He also called for more effective information sharing among carriers. Labor and airline representatives are cooperating to urge the Federal Aviation Administration and the U.S. intelligence community to streamline the threat-assessment system, Moak said.


Cease and Desist: Empty Words Without Action
SecurityInfoWatch.com (08/04/14) Albrecht, Steve

Steve Albrecht, an expert on the issues of workplace and school violence, says that the commonly used tactic of sending cease-and-desist letters to individuals who threaten a company or its employees is often ineffective and can be counterproductive. Albrecht says there are different kinds of "threateners," from disgruntled former employees and vendors to aggrieved customers or an employee's abusive domestic partner. Their methods of making threats will often signal how dangerous they actually are: those who hide behind anonymous e-mails or phone calls are likely to be persistent but pose no serious threat to physical safety, while those who identify themselves or even make their threats in person on company property can be very dangerous. A common tactic deployed by company counsel to counter threateners is sending "strongly worded" cease-and-desist letters that threaten some form of legal action, from a temporary restraining order to seeking the threatener's arrest, should they fail to comply. However, Albrecht says that unless the legal threats in these letters are followed through, they may end up only inciting the threatener to make more threats. For this reason, Albrecht recommends reserving cease-and-desist letters for serious cases and following up with the promised legal action if the threats do not stop.


Shoplifting Mob Hits Naperville Apple Store
Naperville Sun (IL) (08/04/14) Bird, Bill

Police in Naperville, Ill., reported Monday that they are continuing to search for 10 people believed to be involved in a mass-shoplifting incident at an Apple store on Aug. 2. The suspects are said to have stolen 15 mobile phones worth approximately $8,835. This is one example of the type of "flash-mob" shoplifting incidents that are becoming more common in the U.S. In the Chicago area, another flash mob targeted a K & G Clothing Superstore on the city's south side, stealing $2,200 worth of merchandise in June. This is also the third time the same Apple store has been targeted over the past several years. Two previous burglaries resulted in the theft of $30,000 worth of merchandise each time.


Mission Critical
Security Today (08/01/14) Carlson, Brian

A 13-story, mid-rise building in Atlanta required advanced life safety features to protect its office space, training centers, and data centers. The property is owned by Childress Klein Properties, which sought the help of Gamewell-FCI distributor Critical Systems. The company installed 31 "areas of refuge," which are locations in the building that feature two-way emergency telephone lines. These areas allow occupants to communicate with on- and off-site security teams and feature communication systems used by firefighters and first responders. The technology features a Network Graphic Annunciator (NGA), a color graphic display that guides users in the event of an emergency. The display can also be used to communicate with first responders through 512 customizable messages. For the data center, where water could do damage, a waterless fire suppression system was installed. The data center's features are also connected to the NGA. Other features included in the building are speaker systems, sophisticated smoke detectors, smoke dampers, and roll-down fire shutter doors. Installation of the entire system went smoothly because it could use the fiber optic cable already present within the building.


Apprehending the Internal Thief
Security Today (08/01/14) Jensen, Ralph C.

Shoplifting by employees is an ongoing problem, according to a report from Jack L. Hayes International. The report found that a total of 1.1 million shoplifters and dishonest employees were caught in 2013 at the nation's largest retailers, and that the number of dishonest employees caught stealing from their employers rose 6.5 percent to 78,000. “What also is of importance is these increases follow similar increases reported the previous two years,” said Mark R. Doyle, the president of Jack L. Hayes International. Some retailers are combating the problem through the use of smart devices such as cameras. Catching a shoplifter on camera is arguably one of the best ways to let loss prevention officers know the extent of the problem they are dealing with. These systems also act as deterrents.




Obama Authorizes Possible Iraq Strikes
Washington Post (08/08/14) DeYoung, Karen; Morris, Loveday

President Obama announced Thursday that the U.S. may carry out airstrikes against the Islamic State, the Sunni Muslim extremist group and al-Qaida offshoot that has gained control over parts of northern Iraq. Obama said the airstrikes would be launched if the militants move toward Irbil, the capital city of Iraq's Kurdish region and also the site of some U.S. facilities. In addition, Obama warned the militants that they could face potential American airstrikes if they threatened U.S. facilities in Baghdad. However, U.S. combat troops will not be returning to Iraq to deal with the crisis, the president said. Obama's remarks come as the Islamic State is continuing to make gains in northern Iraq, thanks in part to the group's ability to steal advanced U.S. military equipment from the Iraqi army. The poorly-equipped Kurdish peshmerga forces that were protecting the town of Qaraqosh retreated early Friday, allowing Islamic State militants to move closer to Irbil. Meanwhile, there are conflicting reports about the situation in Mosul, which is home to a major hydroelectric dam that some fear could be sabotaged by the militants to cause catastrophic flooding. The Islamic State claims to have captured the dam, though some Kurdish authorities have disputed those claims.


Ebola Outbreak Could Inspire African Terrorist Groups to Weaponize the Virus: Experts
Homeland Security News Wire (08/07/14)

A number of counterterrorism officials and others are concerned that terrorist organizations in West Africa and elsewhere could attempt to weaponize the deadly Ebola virus. Cambridge University professor Peter D. Walsh says that concerns about weaponized Ebola seem to be shared by federal officials, as the government has invested millions of dollars over the past 10 years to develop a vaccine and forms of treatment for the disease. Pentagon spokeswoman Amy Derrick-Frost says the Department of Defense is indeed funding research on treatments for Ebola because it is concerned about the potential use of weaponized Ebola as well as natural outbreaks. Derrick-Frost adds that Ebola is one disease that has been "explored as a potential biological weapon" in the past by a variety of different state- and non-state actors. That includes the Soviet Union as well as the Japanese cult Aum Shinrikyo, which attempted to collect samples of Ebola in 1992 but was unsuccessful. However, some experts are skeptical that West African terrorist organizations have either the scientific skills or the desire to attempt to weaponize Ebola. Others have pointed out that Ebola may not be an effective biological weapon because it is not an airborne disease, a characteristic which would limit the number of casualties that would result from a biological attack involving the virus.


More Than 1 Million People are Listed in U.S. Terrorism Database
Washington Post (08/05/14) Goldman, Adam

According to reports from the online magazine "The Intercept" and the National Counterterrorism Center, the massive government-run Terrorist Identities Datamart Environment (TIDE) contains information on some 1.1 million people, 25,000 of whom are Americans. Information in TIDE is monitored by numerous U.S. intelligence and law enforcement agencies. The number of entries in TIDE has nearly doubled since late 2010, with analysts adding some 430,000 personal records and deleting only 50,000 people from the database because their links to terrorism were refuted or failed to meet current standards. A major push has been underway, led by the CIA, to add biometric data to the database. This includes fingerprints, iris scans, and facial photographs, some 2,400 of which were gathered from U.S. driver's licenses in 2013. As of last year, the database contained some 860,000 biometric data points on 144,000 people. Information for the database has also been drawn from clandestine CIA operations, such as one titled "Hydra" that vetted some 555 Pakistanis in TIDE against their Pakistani passports. Some 250 nominations to TIDE must be vetted every day, nearly 45 percent of which come from the CIA. The cities with the most residents in the database are New York, Dearborn, Mich., Houston, San Diego, and Chicago.


Sovereign Citizens Seen as Top Terrorist Threat by US Law Enforcement
RT.com (Russia) (08/04/14)

A new survey of U.S. law enforcement entities by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) finds that the sovereign citizens movement is seen as the leading threat to U.S. communities, ahead of both Islamist extremists and militia/patriot groups. The new survey polled 364 officers from 175 state, local, and tribal law enforcement agencies, and found that 55 percent agreed and 34 percent strongly agreed that sovereign citizens are "a serious terrorist threat." By comparison, 39 percent of respondents agreed and another 28 percent strongly agreed that Islamic extremists were the most serious threat. Sovereign citizens ranked only eighth in a similar START survey from 2006-2007. At the same time, concern over various extremist groups, such as the KKK, left-wing revolutionaries, and neo-Nazis, was down overall compared to the previous survey. Other survey findings include officers identifying cyber terrorism as the most likely terrorism-related crime, followed by the use of conventional explosives. Officers also named state/local fusion centers, the Joint Terrorism Task Force, FBI, and the Department of Homeland Security's Office of Intelligence and Analysis as the most useful law enforcement partners.


How Federal Background Checks are Changing
Security Magazine (08/14) Ludwig, Sarah

The Office of Personnel Management (OPM) is changing the way contractors conduct background checks. For example, U.S. Investigations Services Inc. (USIS), which had been conducting its own audits of the background checks, will now be relieved of that responsibility. OPM will now be conducting its own audits and increasing its inspection rates. A new tracking tool will also be implemented to ensure certain standards for the checks are met. OPM also wants to cut down on the number of people eligible for higher clearance levels, conduct more frequent investigations of people already cleared, and potentially gain federal funding to help state agencies keep their records updated and give reviewers greater access to criminal records. Jason Morris, the president of the background check firm EmployeeScreenIQ, says OPM's changes are necessary. "I see (the federal government) putting more controls on what the outsource company is able to do and what they might be looking for as far as turnaround time," Morris says. "I think they were trying to shoehorn a lot of stuff in there and they weren't able to do it, and all they did was rush things through the wrong way."




Some Mobile POS Devices Still Have Critical Flaws Months After Patch
IDG News Service (08/08/14) Constantin, Lucian

Vulnerabilities are still dogging certain mobile point-of-sale (mPOS) devices despite a patch having been available for several months, according to MWR InfoSecurity researchers. MWR's Jon Butler and an associate investigated six of the most popular commercially available mPOS devices that support the EMV standard, and announced at the Black Hat security conference that 75 percent were based on the same platform. Testing revealed flaws in the firmware update mechanism of some devices, allowing the researchers to execute commands as root. They also uncovered a stack-based buffer overflow vulnerability in the certified EMV parsing library that let them commandeer all of the devices using a specially programmed smart card. The researchers say a fraudster could enter a store that employs such devices, claim to purchase something, insert his rogue card into a device, and compromise it with code that would intercept the card details and PINs of customers who later use it. He could then return later with a different card to retrieve the information. Butler and his colleague reported the flaw to the platform vendor, which issued a patched version of the EMV library in April. However, some device vendors have yet to release updates that include the patch, despite most of the affected mPOS devices having remote firmware updating capabilities.


Retail Malware: PCI-DSS Is Part of the Problem, Says Retail Security Specialist Slava Gomzin
Computing (08/07/14) Burton, Graeme

Retail security expert Slava Gomzin warns the PCI Data Security Standard is increasingly ineffective at helping merchants prevent retail malware attacks that target the point of sale. He says such measures were designed and implemented to protect cardholder data stolen from hard drives, but they did not "throw any significant controls around computer memory, network communications or application code, so these areas are still not protected." Gomzin notes most applications involving a card swiped at the POS leave the cardholder data readable in computer memory, and unencrypted. Moreover, this is compliant with PCI-DSS, he points out. Consultant Dave Birch sees investment in standards such as PCI-DSS coming to a close, especially because "the PAN-[permanent account number] centric card solutions will soon be replaced by chip and PIN, tokenization and new [identity-centric] alternative mechanisms." Gomzin thinks chip-based cards are no more effective at shielding online payments against fraud than PCI-DSS, and what is required to fully secure POS systems is point-to-point encryption of card data. Birch, meanwhile, believes the payments industry should concentrate on making stolen data harder to exploit by rendering it useless.


Russian Hackers Steal Passwords of Billion Users
New York Times (08/06/14) Perlroth, Nicole; Gelles, David

The cybersecurity firm Hold Security is reporting that an unnamed Russian hacker group has been able to steal 1.2 billion unique username and password combinations used to log in to a variety of Web sites. The hackers were reportedly able to amass what is considered to be the largest known collection of stolen online credentials in part by infecting computers with a virus that works in conjunction with a botnet controlled by the group. When a user whose machine is infected with that virus visits a Web site, the botnet attempts to obtain the contents of the site's database through an SQL injection attack. If the SQL injection attack succeeds, the Web site is flagged so the hackers can attempt to obtain all of the data in the vulnerable site's database at a later time. The use of a botnet to identify vulnerable sites, the names of which were not revealed, reportedly allowed the hackers to collect the username and password combinations on a large scale. The hackers were also able to collect roughly 542 million unique e-mail addresses in this manner. All of this information is apparently being used to send spam to the affected users on social networking sites on behalf of other hacker groups. The theft of this information is continuing, as most of the sites that were affected are still vulnerable. Gartner security analyst Avivah Litan says this incident underscores the need for improved identity protection on the Web.


Experts Question Scope of Reported Russian Hack
Wall Street Journal (08/06/14) Yadron, Danny

Some cybersecurity experts say that the recent theft of 1.2 billion unique username and password combinations by a Russian hacker group may not be as big a security threat as Hold Security, the company that discovered the theft, suggests. Brian Krebs, who serves as an unpaid adviser to Hold, says that the names and passwords were likely compiled "over a long period of time." Krebs adds that some of the login credentials were probably taken in previously announced breaches. Stewart Baker, a partner at Steptoe & Johnson, agreed, saying "1.2 billion is a very big number. If they got there by assembling two years' worth of hacks, it is less impressive."


Network Security Concerns With BYOD
Bank Systems & Technology (08/04/14) Chadda, Ankur

While experts say banks increasingly are accepting that Bring Your Own Device is here to stay, not all banks are testing their networks to identify potential security problems that might arise from BYOD. Despite the risks, BYOD can lower equipment costs, boost productivity and response times, and enhance employee engagement. However, network protection is critical, given that banks can lose millions of dollars if malicious traffic shuts down or even slows their networks. Experts note that banks cannot employ remote wiping of personal devices, nor can they expect a complete ban on BYOD to succeed. Thus, it is important for banks to test their networks by simulating breach attempts and needle-in-a-haystack scenarios, and these tests should be comprehensive and continuous and include the latest applications and updated malware definitions. Moreover, experts say banks should establish BYOD policies that balance security needs with employee productivity and mobility.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

