Friday, October 24, 2014

Security Management Weekly - October 24, 2014

Corporate Security
  1. "MetLife Stadium Security a Trendsetter"
  2. "Staples Probes Possible Payment Card Data Security Breach"
  3. "Obama's Chip-and-PIN Move Is 'Meaningless,' Analysts Say"
  4. "Study Analyzes Availability of Weapon Use Among Hospital Security Personnel"
  5. "Amgen Files Lawsuit Against Sanofi and Regeneron for Patent Infringement"

Homeland Security
  1. "Canadian PM Faces Pressure Over Domestic Extremists"
  2. "Ottawa Shooting Prompts Security Review"
  3. "Canada Parliament Shooting: How it Unfolded"
  4. "Enforcer at Treasury is First Line of Attack Against ISIS" (ISIS: Islamic State of Iraq and Syria)
  5. "In Canada, Terrorism Concerns Arise After Car Hits 2 in Military"

Cyber Security
  1. "Symantec Sees Rise in High-Traffic DDoS Attacks" (DDoS: Distributed Denial-of-Service)
  2. "Wearable Devices Pose Security Risk as Use Is Stretched"
  3. "Researcher Creates Proof-of-Concept Worm for Network-Attached Storage Devices"
  4. "The Number of Industries Getting Classified Cyberthreat Tips From DHS Has Doubled Since July"
  5. "New Web Flaw Enables Powerful Social Engineering Attacks"

MetLife Stadium Security a Trendsetter
Associated Press (10/24/14)

MetLife Stadium in New Jersey last year installed a new system of security cameras that earned it a security-award nomination, and the NFL now wants to expand the stadium's security program to every team's home. The cameras form a megapixel system with comprehensive, uninterrupted coverage of all areas of the stadium except the inside of the luxury boxes. "We can validate people's accounts of any dispute, see what actually happened," says Daniel DeLorenzi, the director of security and safety services at MetLife Stadium. "We can simply call our command center, see on video exactly who was involved and what occurred." The system monitors concourses, escalators, the building exterior, and the parking lots, and can see about a quarter-mile away. DeLorenzi also implemented a program that emphasizes fan conduct. A person who is ejected from MetLife Stadium is banned from all events until he or she completes a readmittance program that includes filling out an ejection report and completing an online conduct course.


Staples Probes Possible Payment Card Data Security Breach
Reuters (10/21/14)

On Monday, the office supply chain Staples announced that it is investigating a possible breach of payment data at some of its stores. The announcement came on the heels of security researcher Brian Krebs posting on his Web site that several U.S. financial institutions were monitoring a pattern of activity suggesting that payment systems had been compromised at several Staples stores in the northeast U.S. Staples says customers will not be responsible for fraudulent charges made in relation to the data breach.


Obama's Chip-and-PIN Move Is 'Meaningless,' Analysts Say
American Banker (10/20/14) Blackwell, Rob; Finkle, Victoria

On Oct. 17, President Obama signed an executive order mandating the adoption of chip and PIN technology in government cards and enabling the technology to be used in post offices and other facilities. The White House indicated that the executive order would encourage retailers and banks to follow suit, but several analysts believe it will have little impact because the industry is already in the process of adopting chip and PIN technology. While the White House indicates that the government will "lead by example in securing transactions and sensitive data," analysts point out that it would have been forced to make the transition by October 2015 anyway to comply with new rules from the card networks to shift fraud liability to most merchants or processors not using EMV technology. "They are not being a leader because the payment industry is way ahead of them. The government had to do this because if they didn't upgrade their security, criminals would focus on them as the weakest link in the chain," says Aite Group analyst Julie Conroy.


Study Analyzes Availability of Weapon Use Among Hospital Security Personnel
Security Magazine (10/14)

The International Healthcare Security and Safety Foundation has funded a recent survey that examines a number of issues related to hospital security. The survey of International Association of Healthcare Security and Safety members working in hospital settings in the United States found that 55 percent of respondents worked at facilities whose security policies included employee involvement, management commitment, incident reporting and record keeping, training of security staff, hazard prevention and control, and worksite analysis. The survey reveals that 87 percent of hospitals required all security personnel to receive training specific to workplace violence. About 33 percent of hospitals used metal detectors. Handcuffs were the most common type of weapon carried and used by security staff (96 percent), followed by batons (56 percent), OC products (52 percent), handguns (52 percent), TASERs (47 percent), and K9 units (12 percent). Patients accounted for 75 percent of the perpetrators of violence, and 89 percent of hospitals had at least one incident in the previous 12 months.


Amgen Files Lawsuit Against Sanofi and Regeneron for Patent Infringement
Amgen Press Release (10/17/14)

The drug company Amgen announced Oct. 17 that it has filed a federal patent infringement suit against two other pharmaceutical firms, Sanofi and Regeneron Pharmaceuticals, for allegedly infringing on three of its patents for monoclonal antibodies that target a particular protein in the body. Amgen is asking the court to issue an injunction that would prevent the manufacturing, sale, and use of Sanofi and Regeneron's monoclonal antibody alirocumab, which targets the protein in question. Amgen is seeking regulatory approval for a similar product called evolocumab, which could be used to treat high cholesterol. The lawsuit comes after Sanofi and Regeneron announced that they would ask the Food and Drug Administration for its permission to market alirocumab in the U.S.




Canadian PM Faces Pressure Over Domestic Extremists
Financial Times (10/24/14) Wright, Robert; Dyer, Geoff

Canadian Prime Minister Stephen Harper on Thursday participated in a sometimes contentious question-and-answer session with lawmakers that focused on his government's efforts to monitor and prosecute home-grown terrorists. During the session, which came one day after a lone gunman opened fire inside the parliament building and killed a Canadian soldier guarding a memorial in Ottawa, Harper noted that police and national security agencies know of "several" people who are attempting to become foreign fighters. Harper also said the national security agencies are doing "everything they can within the law" to address the threat from these individuals, but added that Canadian laws may need to be changed to give security services additional powers to better counter this threat. Such additional powers may be granted to security agencies during Harper's planned review of laws on monitoring, detaining, and charging terrorist suspects. Members of the opposition party, meanwhile, pointed out that security services have repeatedly complained of not having the resources they need to track the roughly 80 Canadians who are believed to have engaged in jihad overseas and returned to Canada. Harper also addressed Wednesday's shooting in Ottawa, saying the suspect's passport had been revoked because he was under investigation. It remains unclear if the suspect had links to the Islamic State or other terrorist groups.


Ottawa Shooting Prompts Security Review
Wall Street Journal (10/24/14) Trichur, Rita; Vieira, Paul

The deadly shooting in Ottawa on Wednesday is prompting a review of security procedures to understand how the shooter, Michael Zehaf-Bibeau, was able to storm into the Parliament building after fatally shooting a soldier at the National War Memorial. Surveillance video released by the Royal Canadian Mounted Police (RCMP) on Thursday shows that Zehaf-Bibeau drove to the entrance of Parliament Hill and then exited his vehicle before hijacking a chauffeured sedan which he drove to the main entrance of the Parliament building where he exchanged fire with security and RCMP personnel. Once inside the building, Zehaf-Bibeau was brought down by Sergeant-at-Arms Kevin Vickers of the parliamentary security force. Experts say that Zehaf-Bibeau was able to make as much progress as he did because Ottawa has a much less pronounced culture of security than other capitals, like London or Washington, D.C., even though security has been tightened following previous incidents, such as a foiled plot in 2006 to storm parliament and kill the prime minister. In response to Wednesday's shooting, security around Prime Minister Stephen Harper has been heightened and stricter security protocols are being put in place at Canadian military bases. Wednesday's attack was the second in less than a week that targeted Canadian soldiers.


Canada Parliament Shooting: How it Unfolded
CNN.com (10/23/14) Payne, Ed

A Canadian soldier was killed Wednesday in a multi-pronged attack in Ottawa believed to have been carried out by a Muslim convert whose passport had been revoked to prevent him from traveling abroad to fight. The attack began shortly before 10 a.m., when a man with a high-powered rifle opened fire on two soldiers standing guard at the Canadian War Memorial. One of those soldiers, Cpl. Nathan Cirillo, was struck and mortally wounded by at least one of the four shots that are believed to have been fired. At least one eyewitness reports that the assailant then carjacked someone at gunpoint and escaped. Just minutes later, a gunman entered the Canadian Parliament building, located a quarter mile from the memorial, and opened fire on security officers, who returned fire. Canadian Prime Minister Stephen Harper, who was in the building at the time of the shooting, was escorted to a safe location along with some parliamentarians, while others barricaded themselves in other rooms. Although the suspected shooter, Michael Zehaf-Bibeau, was killed at some point by the sergeant-at-arms, Ottawa police fanned out across the city to look for any other people who may have been involved. The U.S. Embassy, meanwhile, was placed on lockdown.


Enforcer at Treasury is First Line of Attack Against ISIS
New York Times (10/22/14) Davis, Julie Hirschfeld

At the heart of the Obama administration's efforts to choke off the Islamic State's illicit oil revenues is David S. Cohen, the undersecretary for terrorism and financial intelligence at the Treasury Department. Cohen previously spearheaded the administration's effort to use sanctions to pressure Iran into curtailing its nuclear program, and he has become a fixture in the White House Situation Room since the fight against IS heated up. Cohen's efforts have primarily focused on tracing the path of oil extracted from IS-controlled oil fields through smugglers and black marketeers to otherwise legitimate businesses, where the transactions can finally be traced to a traditional bank account. The key, Cohen says, is to identify these people at the end of the chain and put pressure on them. Cohen is also traveling the region to press various countries, particularly Turkey, to crack down on those smuggling IS oil into their territory. He says that Turkey in particular has benefited from this oil, which is sold at a significant discount. Cohen will outline the administration's financial plan of attack on Thursday in a speech at the Carnegie Endowment for International Peace in Washington, D.C.


In Canada, Terrorism Concerns Arise After Car Hits 2 in Military
New York Times (10/21/14) P. A11 Austen, Ian

A hit-and-run in Saint-Jean-sur-Richelieu, Quebec, on Monday that injured two members of the Canadian Armed Forces may have been terrorism-related. Following the incident, local police chased the car for a few miles before it overturned in a ditch. Police say the driver, an unidentified man who was already known to a special anti-terrorism program led by the Royal Canadian Mounted Police, climbed out and confronted officers before being shot and mortally wounded. Canadian authorities confirmed that the driver "had become radicalized," according to a statement from the prime minister's office. The incident took place after the Canadian Parliament voted to provide assistance to the U.S. in its air campaign against the Islamic State. Police are still investigating the hit-and-run.




Symantec Sees Rise in High-Traffic DDoS Attacks
CSO Online (10/22/14) Kirk, Jeremy

A recent Symantec study found a 183 percent increase in Domain Name System (DNS) amplification attacks from January through August. In normal use, a recursive DNS resolver looks up a domain name and returns an IP address, which the browser then uses to reach the site. However, such resolvers can return responses far larger than the requests that triggered them, and attackers abuse this by sending requests with the source address forged to be that of the victim. The resolvers' responses are thereby directed at the victim, consuming up to 50 times more bandwidth than the attacker spent. There are 28 million open DNS resolvers, which should be locked down and secured, according to Symantec's Candid Wueest. "Until this problem is addressed, DNS reflection attacks will continue to be used for large [distributed denial-of-service (DDoS)]," Wueest says. "In the past, we have also noticed that some attackers set up their own deliberately vulnerable DNS servers and then misused them for reflection attacks." He notes DDoS attacks continue to be a problem and, although they have become shorter in duration, they tend to focus a larger amount of traffic toward a victim.
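The resolver-side signature of the reflection pattern described above is a client address that sends many queries for record types with large answers while receiving responses far bigger than its requests. The following added example (not from the article or from Symantec) flags such clients in a constructed, simplified query-log format; the log format, thresholds and sample addresses are assumptions for this example.

```python
"""Flag DNS reflection/amplification traffic in a resolver's query log.

Constructed log format for this example (one query per line):
  <client_ip> <qtype> <qname> <request_bytes> <response_bytes>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.5 is the forged source (the real victim),
# receiving large ANY/TXT answers it never asked for; 192.0.2.10 is an
# ordinary client doing small A/AAAA lookups.
SAMPLE_LOG = """\
203.0.113.5 ANY example.org. 45 2900
192.0.2.10 A www.example.com. 48 96
203.0.113.5 ANY example.org. 45 2900
203.0.113.5 ANY example.org. 45 2900
192.0.2.10 AAAA www.example.com. 48 108
203.0.113.5 ANY example.org. 45 2900
203.0.113.5 TXT example.org. 45 1800
"""

# Record types whose answers are typically large enough to be worth reflecting.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ip, qtype, qname, req, resp = line.split()
    return ip, qtype.upper(), qname, int(req), int(resp)


def find_reflection_sources(log_text, min_queries=4, min_ratio=20.0):
    """Return {client_ip: {"queries": n, "amplification": ratio}} for clients
    whose traffic looks like reflection: at least min_queries queries, most of
    them for amplifying record types, with a response/request byte ratio of at
    least min_ratio."""
    per_client = defaultdict(lambda: {"queries": 0, "amp": 0, "req": 0, "resp": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ip, qtype, _qname, req, resp = parse_line(raw)
        stats = per_client[ip]
        stats["queries"] += 1
        stats["amp"] += qtype in AMPLIFYING_QTYPES
        stats["req"] += req
        stats["resp"] += resp

    suspects = {}
    for ip, stats in per_client.items():
        ratio = stats["resp"] / stats["req"]
        mostly_amplifying = stats["amp"] >= 0.8 * stats["queries"]
        if stats["queries"] >= min_queries and mostly_amplifying and ratio >= min_ratio:
            suspects[ip] = {"queries": stats["queries"], "amplification": round(ratio, 1)}
    return suspects


if __name__ == "__main__":
    for ip, info in find_reflection_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['queries']} queries, ~{info['amplification']}x amplification")
```

Addresses flagged this way are usually the spoofed victims rather than the attacker, so the remedy is on the resolver side: stop answering recursive queries for arbitrary clients and rate-limit responses.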


Wearable Devices Pose Security Risk as Use Is Stretched
Wall Street Journal (10/21/14) Norton, Steve

A former National Security Agency official this week warned about the unanticipated security and privacy risks that employers are likely to face as wearable medical devices find their way into the workplace. Glenn Watt, former NSA deputy chief of network security research, says wearable devices "were never intended to be used as real medical devices collecting real information about each of you, but that's what they're evolving into." Watt says CIOs and CISOs will have to manage wearable health devices, whether they are part of company-sponsored programs or personal devices. He notes this will mean assessing the kinds of data being gathered and transmitted by the devices, who owns that data and where it goes, as well as how it will be stored. Because of the nature of that data, many organizations also will likely need to brush up on their compliance with HIPAA regulations. However, wearable medical devices also create a new potential avenue for attacks on the enterprise, especially if they connect directly with the corporate network or with other devices that do so.


Researcher Creates Proof-of-Concept Worm for Network-Attached Storage Devices
IDG News Service (10/20/14) Constantin, Lucian

Network-attached storage (NAS) devices are filled with vulnerabilities that can put the security of sensitive data and networks at risk, warns Independent Security Evaluators analyst Jacob Holcomb. He has created a proof-of-concept worm that can infect devices from three different manufacturers. The worm automatically infects specific NAS devices by exploiting command-injection and authentication-bypass vulnerabilities that are still unpatched. It scans predefined ranges of IP addresses for devices that respond on TCP port 80 and match the fingerprints of the targeted NAS models, then launches the necessary exploit to obtain root access, installs an interactive shell, and downloads and runs a binary copy of itself. Some cases of large-scale exploitation of NAS devices already have been found. The purpose of Holcomb's demonstration was to show that creating self-propagating malware for NAS devices is relatively easy, because many of these systems share a common architecture and even code provided by chipset vendors. In addition, some manufacturers reuse code across entire product families, so a vulnerability discovered in a low-end consumer NAS device also can be present in costly, enterprise-grade devices from the same manufacturer, Holcomb notes.


The Number of Industries Getting Classified Cyberthreat Tips From DHS Has Doubled Since July
NextGov.com (10/20/14) Sternstein, Aliya

Eight of the U.S.'s 16 critical industries are now participating in the Department of Homeland Security's Enhanced Cybersecurity Services initiative, a program in which information about cyberattacks is fed into anti-malware systems so the attacks can be blocked. The financial, water, chemical, information technology, and transportation sectors are now participating in the program, joining the energy, defense, and communication industries. DHS hopes to eventually have all critical U.S. industries participate in the program, a goal one expert says the department should strive to achieve next year. The increased participation rate is being attributed to the focus Andy Ozment at the DHS Office of Cybersecurity and Communications has placed on the program since taking office in April, as well as the move from a manual to an automated process for sharing information about cyberattacks. The participation of more industries is likely to encourage even more to take part in the program, according to another expert. But former U.S. Attorney General Michael Mukasey believes the currently voluntary program should be made mandatory for critical industries since information about attacks against them could be useful in preventing attacks against other sectors of the economy.


New Web Flaw Enables Powerful Social Engineering Attacks
IDG News Service (10/17/14) Constantin, Lucian

Trustwave security researcher Oren Hafif is raising the alarm about reflected file download (RFD) attacks, in which a user's browser appears to be navigating to a legitimate website but is actually being made to download a malicious executable. The concept is similar to reflected cross-site scripting, in which the URL itself contains malicious code the browser is forced to execute. With RFD, the browser instead is made to download a file with an executable extension such as .bat or .cmd, containing shell commands or script that the Windows script host executes. This can serve as a malware dropper that makes the machine download malware, or be used to seize control of the system. Hafif demonstrated numerous versions of RFD attacks at the recent Black Hat Europe conference. He says he has found the underlying weakness in numerous Google services, Microsoft's Bing search engine, and numerous other Alexa Top 100 websites. He notes the attacks target sites that serve JavaScript Object Notation (JSON) and JSON with padding (JSONP) responses, among others. Hafif says he is in the process of notifying affected websites and has already informed Microsoft, which is working on a fix.
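The mitigation on the server side is to stop the browser from naming and typing the download from attacker-controlled URL parts: restrict any JSONP callback to a strict identifier, send a fixed filename in Content-Disposition, and send X-Content-Type-Options: nosniff. The following added example (not from the article or from Trustwave) builds such a hardened JSON/JSONP response and audits a set of response headers for the exposure; the function names, the filename and the callback rule are assumptions for this example.

```python
"""Hardened JSON/JSONP response builder and a header audit for RFD exposure."""
import json
import re

# Only a plain JavaScript identifier (with dots for namespaces) is accepted
# as a JSONP callback; anything else is rejected rather than reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

# A fixed filename means the browser never derives the download name (and
# hence its extension) from a crafted URL path. Assumed value for this example.
FIXED_FILENAME = "api-response.json"


def build_jsonp_response(payload, callback=None):
    """Return (headers, body) for a JSON response, wrapped in a JSONP callback
    when a valid callback name is supplied. Raises ValueError on a bad callback."""
    body = json.dumps(payload)
    if callback is not None:
        if not CALLBACK_RE.match(callback):
            raise ValueError("callback is not a plain identifier")
        # Leading comment defends against Flash/content-sniffing tricks on the prefix.
        body = f"/**/{callback}({body});"
        content_type = "application/javascript; charset=utf-8"
    else:
        content_type = "application/json; charset=utf-8"
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{FIXED_FILENAME}"',
    }
    return headers, body


def audit_rfd_exposure(headers):
    """Return a list of findings describing why a response could be abused
    for a reflected file download; an empty list means the headers look sound."""
    findings = []
    ctype = headers.get("Content-Type", "").lower()
    disposition = headers.get("Content-Disposition", "").lower()
    if "nosniff" not in headers.get("X-Content-Type-Options", "").lower():
        findings.append("missing X-Content-Type-Options: nosniff")
    reflectable = ctype.startswith(("application/json", "application/javascript", "text/plain"))
    if reflectable and "attachment" not in disposition:
        findings.append("no Content-Disposition: attachment; the URL path can name the download")
    elif "attachment" in disposition and "filename=" not in disposition:
        findings.append("Content-Disposition without a fixed filename")
    return findings


if __name__ == "__main__":
    hdrs, body = build_jsonp_response({"q": "search term"}, "handleResult")
    print(body)
    print(audit_rfd_exposure(hdrs))            # []
    print(audit_rfd_exposure({"Content-Type": "application/json"}))
```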


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

