Search This Blog

Friday, January 02, 2015

Security Management Weekly - January 2, 2015

header

  Learn more! ->   sm professional  

January 2, 2015
 
 
Corporate Security
Sponsored By:
  1. "Behind the Scenes at Sony as Hacking Crisis Unfolded"
  2. "FBI Investigating Whether Companies Are Engaged in Revenge Hacking"
  3. "White House Deflects Doubts on Source of Sony Hack"
  4. "Sony Breach Fuels Email Security Fears at Other Companies"
  5. "Addressing 21st Century Threats - Corporate Espionage"

Homeland Security
  1. "Boston Is Eager to Begin Marathon Bombing Trial, and to End It"
  2. "Shanghai Stampede Death Toll Rises to at Least 36; Accounts Differ on Cause"
  3. "Backlash in Berlin Over NSA Spying Recedes as Threat From Islamic State Rises"
  4. "Gun Smuggling on Plane Reveals Security Oversight"
  5. "TSA: Security Checks at Airports Turning Up More and More Guns and Knives"

Cyber Security
  1. "Businesses Brace for More, and More Sophisticated, Cyberattacks in 2015"
  2. "North Korea Accuses U.S. of Staging Internet Failure"
  3. "Vendor Security Will Be an Increasing Challenge for Overworked IT Security Teams in 2015"
  4. "2014: The Year Cyber Danger Doubled"
  5. "Downside of EMV Adoption: Hackers May Shift Focus to Banks"

   

 
 
 

 


Behind the Scenes at Sony as Hacking Crisis Unfolded
Wall Street Journal (12/31/14) Fritz, Ben; Yadron, Danny; Schwartzel, Erich

Sony executives and their staffers have been scrambling ever since the company's recent cyberattack, taking steps both small and major. The day after employees discovered that company e-mail was unusable, for instance, senior executives put in motion a decidedly old-style communication network: a phone tree, in which updates on the hack were relayed from person to person. The payroll department made use of an old machine to manually cut paychecks. Among the most helpful steps taken was the studio's "unearthing" of a cache of BlackBerrys, which still worked because they send and receive e-mail via their own servers. Hackers hadn't simply stolen data from Sony. They had erased it, rendering the studio's entire computer system unusable. The Thanksgiving weekend was especially intense, with Sony's IT department scrambling to get even the most basic systems back online. FBI agents worked nearby, as did investigators from FireEye Inc., a cybersecurity firm that deploys teams to companies that have been hacked. The hackers sought to create maximum chaos. One week after the hack, for instance, they leaked five Sony movies onto the Internet, in addition to thousands of internal documents and the Social Security numbers and other personal information of more than 47,000 people, including a handful of movie stars. Within a week, investigators had started to suspect that North Korea had a hand in the breach due to hints in the attack code -- a charge North Korea has denied. People involved in the investigation say North Korea remains the leading suspect as opposed to some unknown disgruntled ex-employee as others have theorized. If the company's systems remain secure, Sony Pictures' network is on pace to be fully operational again within two months.


FBI Investigating Whether Companies Are Engaged in Revenge Hacking
Bloomberg (12/30/14) Riley, Michael; Robertson, Jordan

Security specialists and former law-enforcement officials say companies affected by cyberattacks are increasingly pushing the limits of existing law to consider ways to break into hackers' networks in retaliation. Some companies are turning to cybersecurity firms to guide them on ways to disrupt hacker operations or scrutinize foreign networks to identify any stolen intellectual property. J.J. Thompson, founder and CEO of Rook, says his firm will go into hackers' computers on two conditions--the data must be stored in plain sight, and it must be clear that the targeted PCs or servers are not owned by legitimate consumers, businesses, or government agencies. U.S. Rep. Michael McCaul (R-Texas) says some affected companies may be conducting offensive operations "without getting permission" from the federal government. In the wake of the Sony attacks, for instance, fake copies of such leaked movies as "Fury" and "Annie" began appearing on file-sharing sites to slow down the computers of people trying to download the movies and disrupt torrent sites, says Adallom Inc.'s Tal Klein. However, the actions of U.S. companies are limited by the Computer Fraud and Abuse Act, which prohibits them from gaining unauthorized access to computers or overloading them with digital demands even to stop an ongoing attack. The act exempts intelligence and law-enforcement activities, however. While many companies propose hacking responses immediately following a breach, almost none follow through, says Kevin Mandia, founder of Mandiant, which is investigating the Sony breach and other high-profile hacking cases. He says efforts to retaliate can make things worse because attackers who remain inside the network could escalate the assault or ramp up attacks on other companies.


White House Deflects Doubts on Source of Sony Hack
Wall Street Journal (12/31/14) Barrett, Devlin; Yadron, Danny

The White House on Dec. 30 pushed back against criticism from some cybersecurity experts who have challenged the government’s conclusion that North Korea was behind the hacking of Sony Pictures Entertainment Inc. Since the Federal Bureau of Investigation said earlier this month that the North Korean government was responsible for the hackers’ extortion attempt against the studio, some in the field of computer security have questioned both the bureau’s conclusion and its evidence. On Monday, engineers from Norse Corp., a cybersecurity firm, met with FBI officials at the firm’s St. Louis office to lay out their own theory that a small hacking gang including former Sony employees was involved in the cyberattack on Sony, said Norse Vice President Kurt Stammberger. The firm said it had evidence that an unnamed former Sony technology employee appeared on hacker forums after leaving the company. The firm has declined to disclose all the evidence it has to support that conclusion, citing the ongoing investigation. Thus far, however, none of the alternative theories or evidence presented to the government has caused federal investigators to doubt or backtrack on their initial conclusion. "The administration stands by the FBI assessment," said National Security Council spokesman Mark Stroh. The FBI also issued a written statement saying "there is no credible information to indicate that any other individual is responsible for this cyber incident."


Sony Breach Fuels Email Security Fears at Other Companies
Los Angeles Times (12/26/14) Dave, Paresh; Parvini, Sarah

Last month's cyberattack against Sony Pictures Entertainment's computer network has spread security concerns to businesses worldwide. According to Frank Mong, general manager of enterprise security solutions at Hewlett-Packard Co., the breach was a watershed moment that represents a new threat against all industries. Cybersecurity experts say that most organizations will wait for the chaos at Sony to calm down before deciding whether to alter their computer policies, but a few executives have already begun to make changes. Some companies will reduce their use of email for internal communications, and Mong says that Hewlett-Packard is boosting its employee training on proper correspondence etiquette. The breach at Sony has also strengthened cybersecurity stocks, as analysts predict that more corporations will seek cybersecurity help from outside vendors. For example, LifeLock, which monitors individual credit and identity information, was up about 4.7 percent on the New York Stock Exchange in the last month. Lack of security also could increase company liability and raise the risk of employees suing their companies for a lack of information protection.


Addressing 21st Century Threats - Corporate Espionage
Security (12/14) Vol. 51, No. 12, P. 36 Dodge, Robert

Corporate espionage is the essential risk to corporations in the 21st century, which is often referred to as the information age. The threat to information based assets is rapidly rising, with annual losses to corporate espionage now estimated to total $300 billion annually. The likely threats to businesses include insiders with access, criminal organizations, marketplace competitors, foreign intelligence agencies or state entities, as well as inadvertent disclosure. Corporate espionage can involve anything that gives an organization an advantage in the marketplace, and thus they should look to safeguard trade secrets and patents, executives and board members, human resources and staffing, research and development, manufacturing, sales and marketing, and company operations. Threat actors use methods such as recruiting insiders, hiring competitors' staff, hacking into and surveillance of computer systems, and unsolicited inquiries via telephone and email. A corporate espionage program can help mitigate the threat and the key is to have a holistic risk management approach. The program should address personnel, physical and information security as well as legal support, education and awareness, intelligence, partnerships with government and industry, and internal communication.




Boston Is Eager to Begin Marathon Bombing Trial, and to End It
New York Times (01/02/15) P. A12 Seelye, Katharine Q.

Boston is preparing for the trial of Dzhokhar Tsarnaev, accused of staging the 2013 Boston Marathon bombing, which killed three people and wounded 276 more. Jury selection is scheduled to begin Monday, Jan. 5, but Judy Clarke, Tsarnaev’s lawyer, has argued that no jury in the Boston region could be impartial, as virtually everyone there is, “in effect, an actual victim.” The court has summoned 1,200 potential jurors from eastern Massachusetts, and only those willing to impose the death penalty can be selected. Clarke is facing the challenge of sparing the life of a defendant in a case that resonated across the United States, as federal prosecutors appear determined to give Tsarnaev a death sentence. Attorney General Eric H. Holder Jr., who personally opposes the death penalty, last year authorized prosecutors to seek it for Tsarnaev, and Carmen M. Ortiz, the United States attorney for Massachusetts, has argued that the death penalty would be justified because Tsarnaev allegedly used a weapon of mass destruction and showed no remorse. Clarke is preparing a defense that suggests her client was manipulated by his older brother, Tamerlan, and has been rebuffed in her efforts so far to reach a plea bargain. If no plea agreement is reached, the trial will proceed in two phases, first is to determine guilt or innocence, and second to determine his sentenced, if he is found guilty.


Shanghai Stampede Death Toll Rises to at Least 36; Accounts Differ on Cause
Wall Street Journal (01/02/15) Areddy, James T.

At least 36 people are dead and another are 47 wounded in Shanghai following a stampede in the city's glitzy Bund neighborhood on New Year's Eve. Cell phone videos of the event show people being trampled as the crowd surges around them. The cause of the stampede is unclear, but many who were in the area are criticizing local authorities for not having more security on hand for New Year's Eve festivities. New Year's Eve in the Bund is always a major event, especially in the waterfront areas along the Huangpu river. This year's event, however, had been moved due to concerns about surging crowds. Some reports say that the stampede was incited by fake $100 bills that were being thrown into the street from a night club, M18. The fake bills, inscribed with the club's name, were promotional item available around the club on New Year's Eve, but employees deny that they were being thrown into the street from the club. Others have focused attention on the police response to the event, which remain unclear. One local police official was quoted as saying that police had difficulty responding to the stampede and that fewer police had been on hand because no formal event was planned for that night.


Backlash in Berlin Over NSA Spying Recedes as Threat From Islamic State Rises
Washington Post (12/30/14) Miller, Greg

Despite lingering anger over the years that U.S. spies reportedly spent monitoring Chancellor Angela Merkel's cellphone, Germany has continued to secretly provide detailed information to U.S. spy services on hundreds of German citizens and legal residents suspected of having joined insurgent groups in Iraq and Syria. According to U.S. and German officials, Germany has done so reluctantly in order to enlist U.S. assistance in tracking departed fighters and determining whether they have joined al-Qaeda or the Islamic State. Most importantly, Berlin is hoping to glean whether they might seek to bring those groups' murderous agendas back to Germany. The stream of data includes everything from names and cellphone numbers to e-mail addresses and other sensitive information that German security services have been hesitant even to collect let alone turn over to an ally it has strained relations with. The hesitancy comes from the German government remaining ever mindful of the abuses by the Nazi and Stasi secret police decades earlier. One senior German intelligence official recently likened the German-U.S. relationship to a dysfunctional marriage in which trust has been fractured, but a breakup is not an option. To date, more than 550 German citizens have gone to Syria, and at least nine have killed themselves in suicide attacks.


Gun Smuggling on Plane Reveals Security Oversight
New York Times (12/30/14) P. B4 Sharkey, Joe

Brooklyn District Attorney Kenneth Thompson held a news conference about the arrest of Mark Henry, a former Delta Air Lines worker. Henry and four accomplices were charged with smuggling 153 firearms on 17 Delta flights between Atlanta and New York from May 8 to Dec. 10. After passing through standard airport security checkpoints, the suspect received the guns from a Delta baggage handler who had access to secure areas of the airport, according to Thompson. Security consultant Anthony C. Roman is concerned that workers with access to airports' secure areas are not as closely screened as passengers at checkpoints. Prosecutors in the district attorney’s office and New York police detectives reviewed hours of airport surveillance video in Atlanta and identified segments showing Henry carrying his backpack onto the Delta flight, says Lupe Todd, a spokeswoman for the Brooklyn district attorney’s office. "We thought they were doing the Iron Pipeline, driving I-95," she says. "This office had absolutely no knowledge that guns were being transported by plane until the Dec. 10 arrest." Reese McCranie, a spokesman for the Atlanta airport, says airport employees had to pass criminal background checks and were subject to "continuous vetting and random inspections." He added, "In light of these recent events, we are reviewing our security plan and will make the appropriate changes to prevent future incidents of this nature." The motive in the case appears to be smuggling guns from Georgia for illegal resale in Brooklyn.


TSA: Security Checks at Airports Turning Up More and More Guns and Knives
Philadelphia Inquirer (12/29/14) Roebuck, Jeremy

More people in 2014 were caught by the U.S. Transportation Security Administration (TSA) attempting to carry firearms, knives, grenades, and even swords through security screening checkpoints compared with any year in the last decade, according to agency statistics. As of Dec. 25, TSA agents had retrieved 2,164 guns from carry-ons, purses, and coat pockets, a nearly 20 percent increase over the previous year. In November, the agency launched a media campaign at airports to remind people to check their guns or leave them at home. Those caught trying to slip a weapon through a checkpoint can be fined up to $11,000 and face possible criminal charges. A total of 11 guns were discovered this year at Philadelphia International Airport, while 284 guns were seized at TSA checkpoints in Dallas and Houston. According to the TSA Blog, X-ray scans at Philadelphia International revealed one passenger had packed a knife in a neck pillow, while a month later, a traveler had hidden a blade the heel of a shoe. "Every time TSA discovers a firearm in a bag at the checkpoint, it delays the screening process for all travelers," notes TSA spokesman Ross Feinstein.




Businesses Brace for More, and More Sophisticated, Cyberattacks in 2015
Homeland Security News Wire (12/30/14)

The recent Sony Pictures hack is why cybersecurity firms are recommending more ways to help clients defend themselves from attacks, since more are likely to occur in 2015. The case with JPMorgan Chase & Co., when hackers breached the bank's digital infrastructure, proves that even firms with the most advanced security systems can fall victim to cyberattacks. The bank spends about $250 million a year on computer security. Mobile devices have become more popular for the workplace, but they bring more vulnerabilities. Cybersecurity firms recommend that companies remind employees to update passwords. Many mobile devices can be connected to home security systems and even vehicles, which will cause cybercriminals to start targeting mobile applications. Firms must inform the public when a breach has the potential to affect customer information so the public takes steps to protect themselves by making updates and changing passwords.


North Korea Accuses U.S. of Staging Internet Failure
New York Times (12/28/14) Fackler, Martin

North Korea on Dec. 27 accused the United States of cutting off its Internet connections and denied responsibility for the Sony cyberattack. Intermittent disruptions to North Korea's Internet connectivity continued throughout the week, with Internet and 3G mobile networks severely impaired again on Saturday. The statement, carried by the North’s state-run Korean Central News Agency, also called President Obama a “monkey” for urging the film studio to release "The Interview," a comedy depicting the assassination of the North Korean leader, Kim Jong-un. Sony had canceled the movie’s release after online threats of attacks on theaters, but then reversed itself after Obama criticized it for capitulating to North Korean pressure. The statement is the nation's first response to the intermittent disruptions that have crippled its tenuous connection to cyberspace since Monday. The connectivity problems, which at one point appeared to sever North Korea completely from the Internet, started days after Obama vowed to retaliate for the damaging attack on the Sony film studio. The United States has denied playing a role in the disruptions, which struck many of North Korea’s few websites. Internet experts have said the failures could have been caused by anything from technical malfunctions to a hacking attack.


Vendor Security Will Be an Increasing Challenge for Overworked IT Security Teams in 2015
FierceITSecurity (12/23/14) Donovan, Fred

Last year's breach of customer data at Target demonstrated the cyber security vulnerabilities that exist around vendors and other third parties, and the Information Security Forum's Steve Durbin says 2015 is likely to be the year enterprises have to reckon with the these vulnerabilities. He says vulnerabilities exist all along the supply chain and among any number of service providers. "Third parties—including accountants, lawyers, not just traditional members of the supply chain—are all going to come under increased pressure from targeted attacks because they all access information of interest to attackers," says Durbin, who believes four other areas will remain important in 2014. First is cybercrime, with criminals bringing more and more sophisticated resources to bear in their criminal campaigns. Second is regulation, with governments around the world seeking to exert greater control over cybersecurity issues, not always with useful results. Third is bring-your-own-device, which Durbin expects to accelerate and broaden, with employees bringing more and different kinds of devices into the workplace. Durbin calls manpower the fourth area, noting insufficient numbers of workers with the skills needed to combat modern threats will continue to be a major problem and obstacle to properly securing enterprise systems in 2015.


2014: The Year Cyber Danger Doubled
Government Technology (12/21/14) Lohrmann, Dan

Former Michigan CISO Dan Lohrmann says 2014 saw cyber danger double, with ever more and larger cyberattacks, greater investments in cybersecurity, and growing public awareness of cyberthreats. Although 2013 was already a huge year for cyber issues, including the Edward Snowden leaks and the Target data breach, the big cybersecurity stories simply kept coming in 2014. Lorhmann points to numerous doublings in this realm, from reports at the costs of data breaches have doubled, military spending on cyber defense doubling, the number of cyber insurance policies doubling, and so forth. The government has been hit repeatedly, with the hack of the U.S. Postal Service only the most prominent such event occurring this year. Surveys show growing awareness of cybersecurity among the public, with a recent Gallup poll finding that having a phone or computer is now the second most-feared crime in America. All of the cyber news in 2014 came to a head with the Sony hack at the end of November, arguably the biggest cybersecurity story ever, which has grown from a leak of embarrassing emails and business secrets into an issue of national security and national pride. Lohrmann says the attention paid to cybersecurity will only increase in 2015, even as the Internet of Things and continuing trends such as cloud computing and mobile security continue to generate new threats and areas of concern.


Downside of EMV Adoption: Hackers May Shift Focus to Banks
Bank Technology News (12/26/14) Crosman, Penny

EMV chip-and-PIN cards and Apple Pay's tokenization scheme will make retailers less of a target for hackers, and bankers are concerned that hackers will shift their focus to breaking into banks. "Who has the numbers the hackers want? The banks, now," says James Gordon, chief technology officer at the $1.6 billion-asset Needham Bank in Massachusetts. "Bankers need to be especially aware that this is just a shift in focus [on hackers' part] to banks, front and center." One of the ways Needham Bank is preparing for EMV involves limiting the bank's exposure to hackers. "This is easier said than done, but if there are things that can get shut off that aren't critical to the operation, shut them off," he says. Gordon says the bank is double-checking firewall rules and increasing security training and education. Meanwhile, Al Pascual, director of fraud and security at Javelin Strategy & Research, expects an increase in new account opening and account takeover fraud. "If you can't steal card data at the point of sale, then the next best option is to go out and get the cards directly from the bank," he says.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: