Friday, December 05, 2014

Security Management Weekly - December 5, 2014

Corporate Security
  1. "Sony Pictures and the F.B.I. Widen Inquiry Into Hackers' Attack"
  2. "Egyptian Militant Group Says it Killed U.S. Oil Worker"
  3. "Music Publishers Finally Pull the Trigger, Sue an ISP Over Piracy"
  4. "Substation Security Challenges"
  5. "The Well-Vetted Workforce"

Homeland Security
  1. "Risks of Terrorists Attacking, or Using Materials From, a Nuclear Power Plant Are Low: Experts"
  2. "FBI Director James Comey in Mobile Visit: 'There Will Be a Terrorism Diaspora'"
  3. "Homeland Security Says There Are No Plans to Ban Carry-Ons"
  4. "Number of Lone-Wolf Terrorist Attacks in U.S. Not Rising, but Police Are Targeted More Often"
  5. "Considering the Year in Airport Security, With the TSA Chief"

Cyber Security
  1. "Computer Forensics: Preserving Evidence of Cyber Crime"
  2. "FBI Warns of 'Destructive' Malware in Wake of Sony Attack"
  3. "Iranian Hacking Targeting Airlines, Energy, Infrastructure Firms Said Posing Serious Physical Threat"
  4. "Over 23,000 Web Servers Infected With CryptoPHP Backdoor"
  5. "Sandbox Escape Bug in Adobe Reader Disclosed"

Sony Pictures and the F.B.I. Widen Inquiry Into Hackers' Attack
New York Times (12/04/14) Barnes, Brooks; Perlroth, Nicole

Sony Pictures Entertainment said Wednesday that it and the FBI are widening their investigation into the Nov. 24 cyberattack on the studio that resulted in a company-wide computer shutdown and the leak of corporate information. In a statement, the company said that previous reports that North Korea was responsible for the attack were "not accurate" and that the perpetrator or perpetrators have not yet been identified. While much speculation has centered around North Korea, the investigation is also considering the possibility that a current or former Sony employee was involved. Jaime Blasco, a malware researcher at AlienVault, says the attackers appeared to have access to insider information that helped them access Sony's systems, such as the names of internal directories and server passwords. The scope of the breach expanded on Wednesday when the hackers responsible for the Sony breach released confidential Deloitte data, including salary information for 30,000 Deloitte employees. It is not known why the Deloitte data was on Sony's servers.


Egyptian Militant Group Says it Killed U.S. Oil Worker
Associated Press (12/01/14)

An Egyptian militant group that has reportedly pledged its allegiance to the Islamic State has claimed responsibility for the death of a U.S. oil worker killed in Egypt in early August. William Henderson, an employee of Apache Corporation, was reportedly killed in a carjacking in Egypt's Western Desert on Aug. 6. Henderson was reportedly working as a production expert for Qarun Petroleum Co., a joint venture between Apache and the Egyptian General Petroleum Corporation. On Sunday, the militant group Ansar Beit al-Maqdis sent out a tweet containing images of Henderson's passport and two of his identification cards. The U.S. Embassy in Egypt has declined to comment on the group's claim of responsibility for Henderson's death.


Music Publishers Finally Pull the Trigger, Sue an ISP Over Piracy
Ars Technica (11/28/14) Mullin, Joe

The Internet service provider (ISP) Cox Communications is being sued by BMG Rights Management and Round Hill Music for copyright infringement. The two companies have complained the provider is not punishing customers who continuously download music illegally. BMG and Round Hill are clients of Rightscorp, a copyright enforcement agent which threatens ISPs with a lawsuit if they do not forward settlement notices to users that Rightscorp believes are repeat copyright infringers. BMG and Round Hill allege they have notified Cox about 200,000 repeat infringers on its network. The complaint states that the companies disclosed the infringements, but that Cox "actually has taken measures to avoid and stop receiving those notifications" by treating e-mails from Rightscorp like spam. The Digital Millennium Copyright Act requires ISPs to have a policy to terminate the accounts of "repeat infringers," but it is unclear exactly what that term means. BMG and Round Hill are seeking damages for contributory and vicarious copyright infringement. It is unclear why Cox was singled out for a lawsuit as it is not the only ISP ignoring notices. Cox has not commented on the allegations.


Substation Security Challenges
Security Today (12/01/14) Romanowich, John

The Federal Energy Regulatory Commission and the National Electrical Reliability Commission (NERC) are collaborating to increase physical security for electrical substations. NERC has strengthened the standards for its Critical Infrastructure Protection (CIP) program, which are close to becoming federal mandates that can be enforced with fines and other penalties. CIP standards require assets to be protected on the four surrounding sides, above, and below. While most operators use video surveillance to meet these requirements, the technology may be too passive. A better option may be "smart" automated detection solutions that can cover large distances, notice details missed by the human eye, and provide immediate information for faster response. Thermal cameras with video analytics increase intruder detection and reduce false alarms, and provide accurate information that does not require additional verification systems. These systems can send alerts when an intrusion occurs, even if a person approaches a fence line, allowing officials to be alerted, view video, and react sooner. Some smart thermal cameras can automatically control pan-tilt-zoom cameras to focus on the location of an alarm and follow a detected target. Thermal cameras may be used not only for outdoor security, but as virtual barriers along open areas around a building or asset.


The Well-Vetted Workforce
Security Management (12/14) Simo, Todd; Trindade, Rachel

Experts say that comprehensive corporate security programs need to focus on protecting the company from problem employees, because hiring the wrong person can easily become a liability or security threat. Recruitment must be done properly in order for the hiring process to be quick and efficient. Employment history and education are among the most important components of a resume, so verifying the institutions attended and degrees received helps ensure the applicant's honesty. Data shows that almost one-third of employers do not check employment records. Drug testing is essential because workplace drug use creates an unsafe work environment. Drug testing can also help increase productivity and decrease absenteeism. A study issued by the Society for Human Resource Management found that after drug testing was enforced, 19 percent of organizations reported an increase in productivity and 50 percent saw a decrease in absenteeism.




Risks of Terrorists Attacking, or Using Materials From, a Nuclear Power Plant Are Low: Experts
Homeland Security News Wire (12/04/14)

Energy analysts and some other experts say the risk of a terrorist attack on a nuclear power plant is low, as is the risk of terrorists stealing nuclear material from these facilities to build nuclear bombs. One reason why the risk of terrorist attacks on nuclear power plants is thought to be low is because the likely outcome of such an attack, a nuclear meltdown, would probably result in few casualties, meaning the appeal of such an attack for terrorists is probably limited. During and shortly after the Fukushima Daiichi nuclear disaster, 176 workers at the plant received anywhere from one to 6.7 times the standard five-year dose of radiation, although only two of them died. In addition, the Nuclear Regulatory Commission found in 2006 that there is a low likelihood that crashing a jumbo jet into a nuclear power plant's containment dome would damage the plant's reactor core and cause dangerous levels of radiation to be released. Meanwhile, a recent article published in "The Energy Collective" found that terrorists are likely to be dissuaded from stealing nuclear material from power plants because the intense heat generated by large amounts of such material as well as the high levels of radiation would make the material effectively untransportable. Finally, security at nuclear power plants in Western nations is generally tight. Energy analyst Robert Wilson points out that there has never been a terrorist attack on a nuclear power plant and that any plots that have been made have never gotten out of the initial planning stages.


FBI Director James Comey in Mobile Visit: 'There Will Be a Terrorism Diaspora'
AL.com (12/03/14) Kirby, Brendan

During a visit to the FBI field office in Mobile, Ala., on Tuesday, FBI Director James Comey spoke about the changing nature of the terrorism threat faced by the U.S. Comey said that when he assumed office 18 months ago, he discovered that the threat from terrorism was different than it was in 2005, when he was working as deputy attorney general. Comey compared al-Qaida following the death of Osama bin Laden to fighting cancer. "We've shrunk the tumor dramatically, but at the same time, we've seen metastasization," said Comey. The FBI director said that one of the largest challenges facing the FBI is the increasing number of Americans leaving the U.S. to fight abroad with terrorist groups like the Islamic State, including Omar Hammami, who grew up in the Mobile area before leaving to join al-Shabaab in Somalia. "Their going there is worrisome. Their coming back some day is more worrisome," said Comey, adding that this will result in the creation of a "terrorism diaspora." Comey stressed that fighting this new threat requires tight coordination between the FBI and local law enforcement through the Joint Terrorism Task Forces operated out of FBI field offices. Comey praised the Mobile field office and the Southern District of Alabama for their performance in this regard. Comey also called on local citizens to report suspicious individuals and activity.


Homeland Security Says There Are No Plans to Ban Carry-Ons
WHDH (Boston) (12/04/14) Bookman, Kimberly

Reports of a possible terrorist attack on airlines prompted rumors that the Transportation Security Administration (TSA) may ban carry-on bags, but officials with the Department of Homeland Security (DHS) deny such a plan is in the works. The original report, published by Britain's Express News and confirmed with U.S. officials by NPR, says that intelligence officials picked up signs that terrorists intend to blow up five flights by Christmas, particularly those arriving in Europe.


Number of Lone-Wolf Terrorist Attacks in U.S. Not Rising, but Police Are Targeted More Often
Homeland Security News Wire (12/02/14)

Research by Indiana State University terrorism expert Mark Hamm indicates that the number of lone wolf terrorist attacks in the U.S. is not increasing, although the nature of such attacks is changing. Hamm's research, which is being sponsored by the Justice Department and involved analyzing data from 98 cases of lone wolf terrorism between 1940 and 2013, found that 38 of the cases occurred before the Sept. 11 attacks while 45 occurred in the 13 years since then. Many of the pre-Sept. 11 cases involved multiple attacks, Hamm says, while most of the cases since Sept. 11 were single attacks. Hamm's research also shows that lone wolf terrorists have generally moved away from using bombs, possibly because of laws enacted in the wake of the 1995 Oklahoma City bombing that restricted access to bomb-making ingredients, and are instead using high-velocity firearms. Hamm also notes that lone wolf terrorists are increasingly targeting police and military personnel, as evidenced by last year's shooting at Los Angeles International Airport and a drive-by shooting at an Army recruitment center. But Hamm predicted that terrorists are likely to shift their focus to targeting the nation's power grid in the future, given the severe ramifications of a widespread attack on electricity infrastructure.


Considering the Year in Airport Security, With the TSA Chief
New York Times (12/02/14) P. B7 Sharkey, Joe

The Transportation Security Administration (TSA) is gearing up to make changes to its PreCheck program, said Administrator John S. Pistole, in an interview conducted ahead of his departure Dec. 31. Pistole said that more than 725,000 people had paid to join the PreCheck program, one of several "risk-based programs" that allow air travelers to pass through an expedited security line at the airport. Pistole expects enrollment to keep growing as the TSA establishes partnerships with private companies to evaluate passenger applications. As some members of Congress call on the agency to develop more partnerships with private companies, TSA has been working with potential contractors on rules for security and protecting personal data. Over the next several months, TSA plans to reduce the numbers of non-PreCheck members who are allowed to use PreCheck lanes. Pistole also expects to eventually see relaxed restrictions for carrying liquids through security as screening technologies improve.




Computer Forensics: Preserving Evidence of Cyber Crime
Wall Street Journal (12/03/14)

Deloitte computer forensics experts say that, unlike at physical crime scenes, the lack of a clear hierarchy and objectives when a computer breach occurs frequently stymies the ability of investigators to identify the attackers. Cyber incident first responders tend to be systems or network administrators whose priorities are to mitigate the incident and get systems back online, not to collect and preserve digital evidence. "Incident responders want to get the bad guys out and the system back online ASAP, while the forensics examiners are trying to collect evidence, which can take days depending on the size of the network and amount of data that needs to be scanned," says David Ferguson of Deloitte Financial Advisory Services. This tension can be ameliorated with some basic planning. Incident response plans should be created that designate the members of an incident response team, who has what authority, and who is responsible for collecting evidence. If possible, the incident response team should include computer forensics experts. To preserve data, incident responders should copy hard drives, network data, and operating system logs before allowing mitigation efforts to proceed. One means of doing this is to keep a set of replacement hard drives that can be quickly swapped out with the affected drives, preserving them for the investigation while getting systems back up and running quickly.
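The "copy before you mitigate" step above is only useful if the copy can later be shown to match what was on the box. The script below is an added illustration, not code from the article or from Deloitte: it copies the named files into an evidence directory, proves each copy matches its source by SHA-256, makes the copies read-only, and writes a chain-of-custody manifest that a later verify() run re-checks. The log lines, file names and the custodian id are constructed sample data.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images and logs need little RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve(sources, evidence_dir, custodian):
    """Copy each source, prove the copy matches, make it read-only, and record
    who collected what and when in manifest.json inside evidence_dir."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"custodian": custodian,
                "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "items": []}
    for src in map(Path, sources):
        original = sha256_file(src)
        copy = evidence_dir / src.name
        shutil.copy2(src, copy)              # copy2 keeps the source timestamps
        if sha256_file(copy) != original:   # bad media or a concurrent write: stop
            raise RuntimeError(f"copy of {src} does not match original")
        os.chmod(copy, 0o444)                # read-only guards against accidental edits
        manifest["items"].append({"source": str(src), "copy": str(copy),
                                  "size": copy.stat().st_size, "sha256": original})
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest, sha256_file(manifest_path)  # store this hash off the affected host


def verify(evidence_dir):
    """Re-hash every preserved copy against the manifest; False means it changed."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return all(sha256_file(i["copy"]) == i["sha256"] for i in manifest["items"])


def demo():
    """Run the flow on constructed sample logs, then tamper with one copy."""
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("Dec  3 10:01:22 host sshd[812]: Accepted password for admin\n")
    (work / "access.log").write_text('10.0.0.5 - - [03/Dec/2014:10:02:07] "GET /login HTTP/1.1" 200\n')
    (work / "abc.txt").write_bytes(b"abc")  # standard SHA-256 test vector
    manifest, manifest_hash = preserve([work / "auth.log", work / "access.log"],
                                       work / "evidence", "responder-1")
    intact = verify(work / "evidence")
    tampered = Path(manifest["items"][0]["copy"])
    os.chmod(tampered, 0o644)  # an attacker or careless admin would have to do this first
    tampered.write_text("Dec  3 10:01:22 host sshd[812]: Failed password for admin\n")
    return {"items": len(manifest["items"]), "intact": intact,
            "after_tamper": verify(work / "evidence"),
            "abc_sha256": sha256_file(work / "abc.txt"), "manifest_hash_len": len(manifest_hash)}


if __name__ == "__main__":
    print(demo())
```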


FBI Warns of 'Destructive' Malware in Wake of Sony Attack
Reuters (12/02/14) Finkle, Jim

The Federal Bureau of Investigation has sent a security notice to businesses warning that hackers have used malware to carry out a destructive cyberattack against a U.S. company. Although the notice did not specifically name the company that had been attacked, experts say it clearly refers to last week's attack on Sony Pictures Entertainment. According to the notice, the malware used in the attack overwrites all the data on the hard drives of target computers, including the master boot record, rendering them inoperable and making it extremely difficult to recover the files in the absence of undamaged backups. The Sony breach took down corporate email for a week and crippled other Sony systems. Malware similar to that described by the FBI has been used in destructive attacks against companies in the Middle East and South Korea, including one that destroyed about 30,000 computers at the Saudi Arabian oil company Saudi Aramco. Those attacks were traced to groups working on behalf of the Iranian and North Korean governments, and the FBI is reportedly investigating possible links to North Korea in the Sony attack, along with speculation that the attack came in response to Sony's promotion of an upcoming film.


Iranian Hacking Targeting Airlines, Energy, Infrastructure Firms Said Posing Serious Physical Threat
The Japan Times (Japan) (12/03/14)

According to the cybersecurity firm Cylance, Iranian hackers have infiltrated some of the world's top energy, transport, and infrastructure companies over the past two years in attacks that could eventually allow them to cause physical damage. The firm did not name specific companies, but said airports, universities, hospitals, and other organizations based in several countries have been hit by the campaign. The company said it had evidence the breaches were committed by the same Tehran-based group that was behind a 2013 cyberattack on a U.S. Navy network.


Over 23,000 Web Servers Infected With CryptoPHP Backdoor
IDG News Service (12/01/14) Constantin, Lucian

A recent Fox-IT report details the spread of CryptoPHP, a malicious backdoor targeting Web servers, which the company helped to take down with the aid of the Dutch government and anti-malware groups. Fox-IT reports CryptoPHP had infected about 23,000 servers before the takedown, spreading through malicious pirated copies of popular themes and plug-ins for the content management systems Joomla, WordPress, and Drupal. The backdoor was used by attackers for black hat search engine optimization, injecting rogue keywords into compromised websites to hijack their search engine rankings so malicious content would appear higher in search engine results. Fox-IT was able to sinkhole CryptoPHP's command-and-control servers with the help of the Dutch National Cyber Security Center, Abuse.ch, the Shadowserver Foundation, and Spamhaus. Fox-IT says 23,693 servers were connected to the sinkholed C&C servers, with the largest number of infected servers in the U.S., Germany, and France. Since the sinkholing, CryptoPHP's operators have redeployed their infected themes on different websites and pushed out new versions of the backdoor. Fox-IT is offering scripts for detecting the backdoor on its GitHub page and is advising owners of infected servers to reinstall clean versions of the affected content management systems.


Sandbox Escape Bug in Adobe Reader Disclosed
Threatpost (12/01/14) Fisher, Dennis

A vulnerability in Adobe Reader discovered earlier in 2014 by a member of Google's Project Zero can be used to break out of the Adobe Reader sandbox and execute arbitrary code. Adobe has not patched the vulnerability, which impacts Reader 11.0.8 and was discovered in August. A report from Project Zero's James Forshaw says the company made a change in Reader 11.0.9 that made exploiting the bug significantly more difficult. That change was part of a fix for another vulnerability in Reader discovered by Forshaw. In accordance with Google's disclosure guidelines, the details of the vulnerability became public after 90 days. "The specific vulnerability is there is a race condition in the handling of the MoveFileEx call hook," Forshaw says. "This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This enables code in the sandbox to write an arbitrary file to the file system." The report also notes it was no longer possible to create directory junctions using the broker file system hooks.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

