Friday, February 13, 2015

Security Management Weekly - February 13, 2015

February 13, 2015
 
 
Corporate Security
  1. "Private Eye Is Said to Face Prosecution in a Hacking"
  2. "Security Researcher Posts 10 Million Passwords"
  3. "Anthem Breach May Have Started in April 2014"
  4. "Oil Companies in the Cross Hairs of Libyan Violence"
  5. "The Conversation Security Leaders Need to Have About Amy Pascal’s Departure"

Homeland Security
  1. "U.S. Leads Western Exodus Out of Yemen"
  2. "Withdrawing Troops, Obama Calls for Vigilance on Ebola"
  3. "U.S. Is Closing Its Embassy in Yemen as Security Concerns Mount"
  4. "U.N. Moves to Choke Off Islamic State's Cash"
  5. "British Court Says Spying on Data Was Illegal"

Cyber Security
  1. "White House to Create New Division to Streamline Cyberthreat Intelligence"
  2. "Report Sees Weak Security in Cars' Wireless Systems"
  3. "Debate Deepens Over Response to Cyberattacks"
  4. "Senators to Push Privacy, Security Legislation for IoT"
  5. "Uncovering Security Flaws in Digital Education Products for Schoolchildren"

Private Eye Is Said to Face Prosecution in a Hacking
New York Times (02/13/15) Goldstein, Matthew

Private investigators may be the newest front for federal prosecutors in cracking down on the hacker-for-hire business. In the coming weeks, a private investigator in New York is expected to plead guilty to charges of paying a so-called hacker-for-hire firm to steal email passwords and credentials. The guilty plea would wrap up a nearly yearlong investigation by the Federal Bureau of Investigation and federal prosecutors in New York. Separately, federal prosecutors in San Francisco on Feb. 11 announced the indictment of two private investigators and two computer hackers on charges that they illegally entered email and Skype accounts to gather information for matters they were working on for clients. Some of the illegally gathered information was intended to support a lawsuit, authorities said. The hiring of private investigators by lawyers to hack into email accounts to learn more about potential witnesses and gather evidence for trial strategies has been the subject of speculation in the legal community. Security experts and former prosecutors say that investigations over the years had unearthed evidence that some lawyers hire private investigators to obtain information for cases without delving too deeply into how it is gathered. In effect, these lawyers are seeking to hire a private investigator who is willing to skirt the law but do so in a way that gives them plausible deniability of any potentially illegal activity.


Security Researcher Posts 10 Million Passwords
USA Today (02/11/15) Weise, Elizabeth

Security researcher Mark Burnett, who has written several books on password protection and software piracy, posted a database of 10 million usernames and passwords Monday, intending to provide data for experts working to improve computer security. The posting was meant to advance computer security because experts "have been working with crippled data sets," said Nate Cardozo, a lawyer with the Electronic Frontier Foundation in San Francisco, a cyber-rights group. Under current law, he said, it is not a crime to share a password list if there is no intent to defraud. In a blog post about the data, Burnett said that the ID/password combinations were old, weak, and already available from other sources. "A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security," he wrote on the blog. Under proposed changes to the Computer Fraud and Abuse Act (CFAA), however, Burnett could have been liable for up to 10 years in prison. Some computer groups and politicians say that the CFAA, first passed in 1986, is too broad and hinders security research.


Anthem Breach May Have Started in April 2014
Krebs on Security (02/09/15)

A preliminary analysis of open source information on the cybercriminal infrastructure that was likely used to siphon loads of sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold as far back as April 2014. That's nine months before the company claims it discovered the intrusion. Security experts involved in the ongoing forensics investigation say the servers and tools used in the attack bear the hallmark of a state-sponsored Chinese cyber espionage group known by various names. "Deep Panda" is the moniker given to this group by security firm CrowdStrike, which late last year published a graphic showing the malware and malicious Internet servers used in what PriceWaterhouseCoopers security professionals dubbed the ScanBox Framework. This suite of tools has been used to launch numerous cyber espionage attacks. Anthem continues to share information about the attack with the Health Information Trust Alliance (or HITRUST) and the National Health Information Sharing and Analysis Center (NH-ISAC), two industry groups dedicated to disseminating data about cyber threats to the healthcare industry.


Oil Companies in the Cross Hairs of Libyan Violence
Wall Street Journal (02/07/15) Faucon, Benoit; Kantchev, Georgi

The violence roiling Libya has increasingly targeted oil companies and their assets, upending long-term investments by Western companies and driving down production in a country that helped trigger the world-wide rout in oil prices. Libyan oil output has fallen to about 325,000 barrels a day in January from nearly 900,000 barrels a day in October, largely because of oil fields being taken over by Libyan militias or shutdowns due to security concerns, according to officials at the state-owned National Oil Co. The plunge in production comes after civil war broke out in mid-2014, leading to two big closures at the end of the year. French major Total SA closed the Mabruk oil field in central Libya, a facility that once produced 30,000 to 40,000 barrels a day. And the country’s main oil port, known as Sidra, was closed because of fighting, damping prospects for three U.S. companies that have a stake in fields connected to the port: ConocoPhillips, Marathon Oil Corp. and Hess Corp. Libya has been mired in violence and political divisions since longtime dictator Moammar Gadhafi was killed in an uprising in 2011. A civil war has broken out between the internationally recognized government based in the country’s east and a rebel faction known as Libya Dawn that controls the country’s capital of Tripoli. The instability has affected other Western energy companies in the country. In late December, Wintershall Holding GmbH shut down its Libyan production because of the fighting at Sidra, which is close to the Ras Lanuf and Zueitina terminals it uses. The German company says it has invested more than $2 billion in Libya for a daily production capacity of 90,000 barrels.


The Conversation Security Leaders Need to Have About Amy Pascal’s Departure
CSO Online (02/05/15) Santarcangelo, Michael

The departure of Amy Pascal as Sony Pictures' co-chair is a good opportunity to initiate a conversation with non-security executives. The goal is to examine what happened, how it was handled, and the consequences. A good question to start off with is what they think about the announcement. Their responses may give insights into the way boards and executives handle such events, so security leaders should absorb what they say and make note of what they do not say. The next matter to consider is whether executives have anything in their emails and files that could get them dismissed if it were exposed. It is important to note what they say, because it will signify what the security team needs to protect. The security leader should explain that while a lack of focus on security may have played a role in Pascal's departure, it had less impact than such leaked information as salaries, contracts, scripts, and emails. The final question to consider is, in the event of a breach at the organization, what should the leaders' priorities be? The aim is to introduce an "assume breach" approach and underscore the importance of speed of detection and accurate response. By understanding these priorities, the security team will be better able to coordinate such things as prevention, detection, and response.




U.S. Leads Western Exodus Out of Yemen
Wall Street Journal (02/12/15) Almasmari, Hakim; Schwartz, Felicia

The United States and other Western nations shut their embassies in Yemen as demonstrations swelled amid mounting political tensions. Thousands demonstrated on Wednesday both for and against the Houthi rebels, who dissolved Yemen’s parliament and took over the government on Feb. 6 after their militants overran the capital San’a in September. The United States cited deteriorating security on Tuesday night when it announced it would close its embassy, with the U.K., France, Germany, and Italy following suit on Wednesday. The United States first began reducing staff in November, though the embassy remained open and continued to provide consular services until late January, when the facility closed to the public. The United States continued evacuating staff in recent weeks and ceased remaining operations on Tuesday. Still, some Yemenis said security in San’a was better than it has been in some time, despite the protests and reports of isolated violence by Houthi militants against protesters. And the U.S. evacuation appeared abrupt. Some U.S. Embassy officials left their cars at the VIP entrance of the San’a airport with their keys in the ignition, said two airport officials, suggesting a hasty departure. Yemen’s instability raised concerns over U.S. counterterrorism operations there against the Yemen-based al Qaeda in the Arabian Peninsula, or AQAP, one of the militant group’s deadliest offshoots. "The coup in Yemen and the deteriorating security situation in San’a are particularly concerning because they will hinder the United States’ campaign against al Qaeda in the Arabian Peninsula, which publicly claimed responsibility for the recent terrorist massacre in Paris," Rep. Devin Nunes (R-Calif.), the new chairman of the House Intelligence Committee, said on Wednesday. "AQAP is a direct threat to the U.S. homeland that we must continue to hunt down with unrelenting persistence."


Withdrawing Troops, Obama Calls for Vigilance on Ebola
New York Times (02/12/15) P. A7 Shear, Michael D.; Davis, Julie Hirschfeld

The United States will withdraw nearly all troops from the fight against Ebola in West Africa, President Obama announced on Wednesday, adding that America was moving on to "the next phase." Civilian government employees, U.S. volunteers, and about 100 military members will stay in West Africa to keep helping an effort that has gone from containment to eradication of the virus. This announcement could bring vindication for the Obama administration, which was criticized for a slow initial response to the Ebola outbreak, but also raises questions about whether Obama is prematurely claiming success. There is evidence that the spread of Ebola has slowed significantly, with fewer cases reported in Liberia, but Obama’s advisers say that Ebola will remain a concern until it is eradicated, a goal that remains distant for public-health officials. The World Health Organization reported that the number of new Ebola cases in Guinea, Liberia, and Sierra Leone totaled 144 in the week ended Feb. 8, compared with 124 in the previous week, making it the second consecutive week that the number of new cases has grown, after a downward trend.


U.S. Is Closing Its Embassy in Yemen as Security Concerns Mount
Washington Post (02/11/15) Miller, Greg

The United States has decided to close its embassy in Yemen amid mounting concerns over deteriorating security in the country's capital city of Sanaa. Shiite rebels have seized control of the government there, ousting a key U.S. counterterrorism ally. The U.S. State Department said late Tuesday that embassy operations and personnel have been "temporarily relocated," adding that "we will explore options for a return . . . when the situation on the ground improves." The State Department has reportedly formed a task force to oversee the exits of dozens of diplomatic officials from the embassy's compound, a facility that has also served as a base of operations for the CIA and other American spy agencies involved in operations against the local al-Qaeda affiliate. Great Britain and France have decided to shutter their embassies, too.


U.N. Moves to Choke Off Islamic State's Cash
Wall Street Journal (02/13/15) Lauria, Joe

The United Nations Security Council has unanimously adopted new measures further tightening financial sanctions on the Islamic State (IS) and other militant groups in Iraq and Syria. The new measures seek to choke off revenues the groups derive from the smuggling of oil and antiquities and the ransoming of kidnapped hostages, in part by asking governments to help the U.N. expand its list of sanctioned individuals by providing the Security Council with the names of people who trade illicitly with IS, and to report within 120 days if they intercept oil, arms, and antiques being sold by the group. The new measures specifically address the illicit trade in antiques that has cropped up in Syria by prohibiting anyone from trading in antiques with Syrian militants. A similar ban on Iraqi antiques has been in place since 2005. The measures also add man-portable surface-to-air missiles to the list of arms nations are prohibited from providing to both IS and the Nusra Front, al-Qaida's franchise in Syria, and reaffirm a June 2014 ban on financial transactions with terrorist groups, including the payment of ransoms.


British Court Says Spying on Data Was Illegal
New York Times (02/07/15) Scott, Mark

British intelligence services' electronic mass surveillance of cellphone and other online communications data was conducted unlawfully, according to a Friday ruling made by the court that oversees intelligence agencies in Britain. The ruling relates to information shared between British security agencies and the NSA before Dec. 2014. Although privacy campaigners claimed the decision as a victory, many experts said the British and American intelligence agencies would continue to share information obtained with electronic surveillance, even if they had to slightly alter their techniques to comply with human rights law. "It’s a real landmark case," said Ian Brown, a professor of information security and privacy at the University of Oxford. "This will not stop intelligence agencies from sharing information. But it’s unlikely they will be able to conduct large-scale uncontrolled intelligence activities without more oversight."




White House to Create New Division to Streamline Cyberthreat Intelligence
Wall Street Journal (02/11/15) P. A4 Paletta, Damian; Yadron, Danny

On Feb. 10, the Obama Administration announced that it would create a new office, the Cyber Threat Intelligence Integration Center (CTIIC), to sort through intelligence data on cyberthreats. The agency will integrate intelligence from a variety of agencies and distribute that information more broadly throughout the federal government. CTIIC, which will be a new division of the Office of the Director of National Intelligence, will determine what amount of intelligence data on possible threats can be shared with the public sector, and many expect the new center to streamline coordination to protect the United States from cyberattacks. However, some critics point out that there is no single agency in charge of coordinating the government cybersecurity policy, and others are concerned about privacy given that there are no clear guidelines in place.


Report Sees Weak Security in Cars' Wireless Systems
New York Times (02/09/15) Kessler, Aaron M.

A new report from Sen. Edward J. Markey (D-Mass.) finds that even as automakers are adding more systems that involve the use of wireless technology and driver data, they are failing to secure these systems and data. Markey's office received information from 16 automakers and found that the majority lack systems that are capable of detecting breaches or responding to them quickly. The new report touches specifically on systems that are potentially vulnerable to hijacking by hackers and the collection and security of drivers' personal information. Markey's office found that at least nine of the 16 automakers use third-party companies to collect vehicle data, and that some transmit data to third-party data centers, which can potentially make drivers' data more vulnerable. Vehicles gather all sorts of data that could be valuable to hackers, including location and travel data. Even more advanced technology is expected to make its way into cars in the next few years, including systems that will communicate certain information with nearby vehicles and greater Internet connectivity in various vehicle systems. Markey's report calls for the establishment of federal rules about permissible use of drivers' data.


Debate Deepens Over Response to Cyberattacks
Wall Street Journal (02/09/15) P. A4 Paletta, Damian; Nissenbaum, Dion; Yadron, Danny

Lawmakers and regulators continue to debate the nation's response to the swath of cyberattacks hitting not only entertainment companies and retailers, but also a health insurer. Some have suggested the use of counterattacks to disable or limit the networks of the perpetrators. White House officials and some technology experts say that these "offensive" cyberattacks could have spillover effects, since it is hard to target specific hackers. Meanwhile, President Barack Obama plans to meet with business leaders in California and urge them to work more closely with the government to improve their cyber defenses, and the administration already has drafted a new executive order to encourage more information sharing between companies and the government about cybersecurity threats. Ashton Carter, the White House's nominee for secretary of the Department of Defense, said during his confirmation hearing, "We ... need to improve our abilities to respond. And those responses can be in cyberspace or in other ways, but certainly they should include the option to respond in cyberspace." However, he did warn that the government should not reveal the extent of its "capability to respond" to "potential aggressors." Meanwhile, businesses cannot retaliate in kind to cyberattacks, and the government has relied heavily on sanctions or criminal indictments as a response.


Senators to Push Privacy, Security Legislation for IoT
IDG News Service (02/11/15) Gross, Grant

Democratic members of the Senate Commerce, Science and Transportation Committee are examining legislation that would enforce privacy and security standards for connected devices. The legislation would require manufacturers of wireless access points on connected cars to use penetration-testing technology, and car manufacturers or security vendors to be able to detect and respond to hacking attempts in real time. Senator Edward Markey (D-Mass.) released a report recently concluding that most auto manufacturers selling vehicles in the U.S. have "massive holes" in their data security. Only two of 16 car companies that responded to information requests from Markey's office said they have capabilities to respond to a hacking attack in real time, he said during a hearing. New cars are now "computers on wheels," Markey said, and hacked vehicles can be dangerous. The bill under study will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation. Auto makers that can build software to track vehicle performance and other information "should have the same geniuses in those companies to build in protection for security and privacy," Markey said. "If you can figure out an algorithm that sends information around the world in the blink of an eye, you should be able to figure out an algorithm that provides consumers the security and privacy they need." The Alliance of Automobile Manufacturers said it has not yet fully reviewed Markey's report, but its members take several steps to protect security and to tell customers about the data they collect.


Uncovering Security Flaws in Digital Education Products for Schoolchildren
New York Times (02/09/15) Singer, Natasha

The world of educational software and technology has been gripped in recent years by an enthusiastic embrace of big data, with the idea that teachers, parents, administrators, and students themselves can gain better insight into a student's academic progress by gathering together and analyzing large amounts of data. This has resulted in a proliferation of new products and services that rely on the collection and storage of students' data, but in the rush to capitalize on the new trend, many say security is being forgotten. Experts have found serious security flaws and vulnerabilities in a wide range of educational products catering to all levels of education from K-12 to college and from start-ups and more established players. Software engineer Tony Porterfield received a mixed reaction from educational software vendors when he contacted them about vulnerabilities in their products. Some, like education giant Pearson, reacted promptly and thoroughly, while others failed to take any action at all. Some are calling for an overhaul of federal student data protection laws to bring them in line with the new reality of data-driven apps and software. "Bottom line, both the Federal Trade Commission and the Education Department could and should ramp up their student privacy enforcement," says Khaliah Barnes of the Electronic Privacy Information Center.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD
