
Friday, February 20, 2015

Security Management Weekly - February 20, 2015


February 20, 2015
Corporate Security
  1. "JPMorgan Goes to War"
  2. "How Cyber Criminals Stole Up to $1B from Financial Services Companies"
  3. "Businesses Use Fake Scam Emails to Root Out Security Issues"
  4. "This Could Be the End of User Name and Password"
  5. "2013: Highest Rate of Employee Theft in 6 Years"

Homeland Security
  1. "NSA, Britain's GCHQ Allegedly Seized Encryption Keys for Millions of Phones"
  2. "U.S. Intensifies Effort to Blunt ISIS' Message"
  3. "Obama Administration to Allow Sales of Armed Drones to Allies"
  4. "Islamic State Secures New Haven in Libya"
  5. "Obama Administration Proposes Regulations on Commercial Drones Amid Security, Privacy Concerns"

Cyber Security
  1. "Three Months Later, State Department Hasn't Rooted Out Hackers"
  2. "U.S. Embedded Spyware Overseas, Report Claims"
  3. "January Marked by Java, Flash Vulnerabilities"
  4. "To Attract More Women, Cybersecurity Industry Could Drop Macho Jargon"
  5. "HP Predicts Major Cyberattack in Next Five Years"


JPMorgan Goes to War
Bloomberg (02/19/15) Robertson, Jordan; Riley, Michael A.

JPMorgan Chase has built a vast security operation and staffed it increasingly with former military officers. The move comes after the massive breach of the bank's computers last summer. JPMorgan is convinced that it faces threats from governments in China, Iran and Russia, and that the U.S. government is not doing enough to help. James Cummings, a former head of the U.S. Air Force's cybercombat unit, oversees the bank's digital security staff of 1,000, along with Gregory Rattray, a former Air Force colonel. In the attack, the hackers did not steal easily marketable data such as credit card numbers or account passwords, but may have been looking for deep vulnerabilities in the bank's infrastructure or custom software to exploit later. Even with a security budget of a quarter of a billion dollars and an expensive system to capture data removed from the bank's network, there are lingering questions about the attack. And regardless of any failings in protection by the government, some security experts say a mini-NSA in Midtown Manhattan is not the answer.


How Cyber Criminals Stole Up to $1B from Financial Services Companies
Fox Business (02/16/15) Kent, Jo Ling

Russian cyber security firm Kaspersky Lab says it has uncovered an ongoing cyber theft campaign targeting more than 100 banks and other institutions in 30 countries that may have resulted in the theft of as much as $1 billion. Kaspersky says the hackers, whose locations and origins are unclear, used spear phishing emails to infect targets with malware that allowed them to lay low and gather information about how the targets handle and move money throughout their systems. Ultimately, the attackers would use this information to manipulate these same systems to steal money, often by hijacking ATM networks, causing ATMs to dispense cash that was collected by the hackers' associates. One victim lost $7.3 million to ATM fraud. Other attacks targeted the SWIFT financial network and Oracle databases to transfer funds out of bank accounts. Kaspersky says the attackers usually stole less than $10 million from any given target, which helped them go unnoticed. Only $300 million in losses have been confirmed, but Kaspersky suspects the true total is closer to $1 billion.


Businesses Use Fake Scam Emails to Root Out Security Issues
Associated Press (02/13/15)

A growing number of companies are using fake phishing emails to test their employees' security savvy and to provide a teachable moment for those who have not yet learned how to respond to a suspicious email. Eighteen percent of users will visit a malicious link in a phishing email, according to Verizon's 2014 data breach report, and roughly one in four data breaches are caused by employees, according to a 2014 report from the Online Trust Alliance. Several companies, such as Wombat Security and PhishMe, offer fake phishing emails to enterprises as a service. PhishMe CEO and co-founder Rohyt Belani says a mentality has built up in the security industry that users are "stupid" and the "weakest link," but he says the fault lies at the feet of the security industry, which he believes needs to do more to educate users; fake phishing emails provide a means of doing that. Randy Withrow, chief information officer at Pinnacle Financial Partners, says his company has seen significant improvement among its workers since it adopted Wombat's fake phishing email program. Successful phishing attempts have dropped by 25 percent at the company. Withrow says workers take it to heart when they fall for the fake phishing emails.


This Could Be the End of User Name and Password
Time (02/09/15) Calabresi, Massimo

The data breaches at JPMorgan Chase and Anthem likely will prompt New York Superintendent of Financial Services Benjamin Lawsky to impose new cyber-security rules on the banking and insurance industries -- a move that could put an end to the simple user name and password identity checks used to access computer networks at the heart of the financial system. Law enforcement officials say early investigations of the Anthem breach indicate that foreign hackers used a company executive's user name and password to access the personal data of 80 million people, and they note that the data theft could have been avoided if Anthem had implemented stronger identity verification methods. The Office of the Comptroller of the Currency says banks need to assess their own risks when determining whether additional verification methods should be used. Meanwhile, other regulators are worried that if New York's Department of Financial Services or another agency strengthens standards on its own, banks with national operations will be forced to contend with a patchwork of rules. However, Lawsky says, "We really need everyone to go to a system of multi-factor verification." Lawsky also plans to impose new requirements on third-party vendors.


2013: Highest Rate of Employee Theft in 6 Years
Security Magazine (02/15)

According to the 2013 Marquet Report on Embezzlement released in December 2014, Vermont topped the list of highest embezzlement risk states in the country for the third time in the last six years. It was followed by the nation's capital, West Virginia, Montana, South Dakota, Virginia, Idaho, Oklahoma, Texas, and Missouri. The research shows that the number of U.S. embezzlement cases rose 5 percent over the previous year. In total, 554 major cases -- those with more than $100,000 in reported losses -- were active in the United States in 2013. Only around 5 percent of major embezzlers were found to have a prior criminal history. The Marquet report went on to draw several conclusions, ranging from the reality that embezzlers are most likely to hold financial positions with enterprises to the most common embezzlement scheme being the forgery or unauthorized issuance of company checks. The study further determined that perpetrators typically begin embezzlement schemes in their early 40s. Finally, while females are more likely to embezzle on a large scale, males embezzle significantly more money on average.




NSA, Britain's GCHQ Allegedly Seized Encryption Keys for Millions of Phones
Washington Post (02/20/15) Nakashima, Ellen

The NSA and Britain's GCHQ allegedly hacked into Netherlands-based Gemalto, the world's largest manufacturer of SIM cards, to obtain encryption keys used to protect the cellphone communications of millions of customers worldwide. GCHQ reportedly targeted Gemalto employees and their emails to find individuals who might have access to the company's core networks and systems that generate the encryption keys. The multinational firm’s clients include AT&T, T-Mobile, Verizon and Sprint, as well as hundreds of wireless network providers around the world. It produces 2 billion SIM cards a year. The cards, which are chips barely larger than a thumbnail, are inserted into cellphones. Each card stores contacts, text messages, the user’s phone number and an encryption key to keep the data private. Gemalto produces the SIM cards for cellphone companies, burns an encryption key onto each and sends a copy of the key to the provider so its network can recognize an individual’s phone. Stealing the encryption keys makes it possible to eavesdrop on otherwise-encrypted communications without undertaking the more difficult challenge of cracking the encryption. It also avoids alerting the wireless company or the person using the phone.


U.S. Intensifies Effort to Blunt ISIS' Message
New York Times (02/17/15) Schmitt, Eric

The White House is stepping up its campaign to counter the Islamic State's propaganda machine, conceding that the terrorist group has been much more effective in attracting new recruits, garnering financing, and achieving global notoriety than the United States and its allies have been in thwarting it. At the core of the strategy is expanding the Center for Strategic Counterterrorism Communications to harness all the existing attempts at counter-messaging by much bigger federal departments, notably the Pentagon and Homeland Security. Additionally, this tiny State Department agency would be tasked with coordinating and amplifying similar messaging by foreign allies and nongovernment agencies, as well as by prominent Muslim academics and religious scholars who oppose the Islamic State, also known as ISIS or ISIL. The Islamic State and its supporters have been generating as many as 90,000 tweets and other social media responses a day for weeks now. U.S. officials this week admitted that they have a tough job ahead to blunt the group’s digital momentum.


Obama Administration to Allow Sales of Armed Drones to Allies
Washington Post (02/18/15) Ryan, Missy

On Tuesday the Obama administration announced a new policy to allow widespread export of armed drones, providing allies with the effective but highly controversial weapons. The new policy includes principles that foreign governments must follow if they are to receive the technology. So far, the United States has sold its armed drones only to Britain, but unarmed military drones, used primarily for intelligence, have been sold to more countries, such as NATO allies France and Italy. The new rules, which are still classified, will allow foreign governments’ requests for drones to be examined on a case-by-case basis, and sales will be subject to Cold War-era rules that require the governments to make a strong case for acquiring the aircraft. The nations that receive the drones also must agree to a set of “proper use” principles, promising to use the drones for national defense or other situations in which international law allows the use of force. The sold drones cannot be used “to conduct unlawful surveillance or [for] unlawful force against their domestic populations,” a summary of the new policy said.


Islamic State Secures New Haven in Libya
Wall Street Journal (02/17/15) Trofimov, Yaroslav

The beheading of 21 Egyptian Christians by Islamic State (ISIS) militants demonstrates the group's increasing influence in Libya, where two rival governments have fought an increasingly violent civil war since last summer. Although long ignored in the West, the Libyan affiliate of ISIS has been growing for months, establishing control in and around the eastern city of Derna, and more recently taking over parts of former dictator Moammar Gadhafi’s hometown of Sirte, on the central coast. At the same time, the two rival governments have been focused on each other, supported by regional powers and largely ignoring an influx of foreign jihadists uniting with local extremists under ISIS. In its video of the deaths of the Egyptian Copts, released on Sunday, ISIS promised to conquer Rome, a threat certain to reinforce pressure in Europe for a military intervention to prevent the complete collapse of Libya, across the Mediterranean Sea from Italy. The killings also prompted Egyptian airstrikes on ISIS strongholds in Libya. The ISIS attack on Coptic Egyptians is meant to draw Egypt directly into the Libyan conflict, said Khalil al-Anani, an Egyptian scholar of Islamist movements at Johns Hopkins University.


Obama Administration Proposes Regulations on Commercial Drones Amid Security, Privacy Concerns
Fox News (02/16/15)

President Barack Obama announced in a presidential memorandum on Feb. 15 that he intends to regulate the use of small commercial drones in response to safety and privacy concerns. Obama noted that such drones have become a more flexible and less costly alternative to piloted aircraft for public and private users, and could play “a transformative role” in urban infrastructure management, farming, military training, search and rescue, and disaster response. The Federal Aviation Administration (FAA) on Sunday released preliminary rules in conjunction with the president's memorandum, although Obama gave federal agencies at least 90 days to start drafting guidelines. Federal officials expect drones to be used for aerial photography and mapping, crop monitoring, and inspecting tall structures such as bridges and cell towers, but the FAA proposal includes safety restrictions such as keeping drones within sight of operators at all times and no nighttime flights. Commercial operators would have to take an FAA-administered knowledge test and pass a Transportation Security Administration security check to fly small drones that weigh less than 55 pounds. A final version of the FAA proposal may still be two or three years away. Obama's memorandum also lays out measures for federal agencies to guard against abuse of data collected by drones, and says that agencies must set policies that "prohibit the collection, use, retention or dissemination of data in any manner that would violate the First Amendment" or would lead to discrimination.




Three Months Later, State Department Hasn't Rooted Out Hackers
Wall Street Journal (02/20/15) Yadron, Danny

Three months ago, the State Department confirmed hackers had breached its unclassified email system, but the government has yet to remove them from the department's network. Every time investigators find a hacker tool and block it, the intruders change it slightly to elude defenses. Sources say it is not clear how much data the hackers have taken. They reaffirmed what the State Department said in November: that the hackers appear to have access only to unclassified email. Still, unclassified material can contain sensitive intelligence. The episode illustrates the two-way nature of high-technology sleuthing. For all of the U.S. government’s prowess at getting into people’s computers through the NSA and the military’s Cyber Command, the government faces challenges keeping hackers out of its own networks. The discrepancy points to a commonly cited problem with defending computers: playing offense is almost always easier than playing defense. No official determination has been made about who is behind the breach. But five people familiar with the original intrusion said they had seen or been told of links suggesting involvement by the Russian government. The malware is similar to other tools linked to Moscow in the past. Two of the people said the intruders had taken State emails related to the crisis in Ukraine, among other things. In addition, the attack appears very similar to a fall breach of the White House’s unclassified email system, which some U.S. officials linked to Russia.


U.S. Embedded Spyware Overseas, Report Claims
New York Times (02/17/15) Perlroth, Nicole; Sanger, David E.

A new report by Russian cyber security firm Kaspersky Lab outlines the efforts of what it calls the "Equation Group" to infect, monitor, and sabotage computers around the world. The Equation Group is thought to be a euphemism for elements of the National Security Agency and U.S. Cyber Command. Kaspersky says the group is the most sophisticated cyber espionage group operating on the global scene and has been active for almost two decades. Its tools have strong similarities to Stuxnet, a computer worm used to destroy Iranian nuclear centrifuges that was revealed to be a joint program of the U.S. and Israel. Many of these tools focus on infecting a computer's firmware, which renders them almost impossible to detect and remove. Infecting the firmware allows the Equation Group to reinfect computers that have been wiped and to grab encryption keys, rendering all of a system's data readable. Infection rates are particularly high in Iran, Pakistan, and Russia, but Kaspersky says there are also targets in China, Afghanistan, and elsewhere. Other activities outlined by Kaspersky include efforts to map and subvert air-gapped systems, which are disconnected from the Internet in an effort to keep them secure. Kaspersky says the Equation Group has been infecting computers since 2001 and dramatically stepped up its activities in 2008.


January Marked by Java, Flash Vulnerabilities
CSO Online (02/17/15) Korolov, Maria

Secunia has released a new report on security vulnerabilities disclosed during the months of November, December, and January. The worst vulnerabilities identified during this period were two zero-day vulnerabilities affecting Adobe Flash and several vulnerabilities affecting Java, according to Secunia. One of the Flash vulnerabilities was exploited in a malvertising campaign that used malicious advertisements to infect viewers' machines with malware. Meanwhile, the Java vulnerabilities were among the most persistent and troublesome for businesses because of the relative difficulty of fully patching systems across the enterprise. However, the Secunia report found the most vulnerable vendor was IBM, which, according to Secunia director of research Kasper Lindgaard, is because the company bundles all of the code libraries it uses together with its products. "So when, say, a new version of Java is released, IBM needs to release a new version of their products to fix Java in those products," Lindgaard says. Google also saw a large number of vulnerabilities, primarily affecting its Chrome Web browser, during the past three months. Secunia also made note of changes to Google's Project Zero disclosure policy, which previously gave vendors a 90-day grace period after Google informed them of a vulnerability it had discovered before it went public. Under its new policy, Google will not disclose a vulnerability at the end of the 90 days if a patch is imminent within two weeks.


To Attract More Women, Cybersecurity Industry Could Drop Macho Jargon
The Christian Science Monitor (02/16/15) Segran, Elizabeth

Women make up less than 20 percent of the information security workforce, and many women leave the industry before advancing their careers, according to a Ponemon Institute study. "We are not innovating as quickly as we need to be because there aren't enough women in this field," says Intel Security chief privacy officer Michelle Dennedy. Although there are several efforts to support women in cybersecurity and encourage more female computer science students to pursue the field, achieving gender diversity will require the entire industry to talk differently about security. Cybersecurity parlance often mirrors the language of combat, but the field also relies on understanding human emotion, which tends to come more naturally to women. For women just starting in the field, the adversarial language of attack and combat often alienates female students who otherwise may pursue careers in security, according to the researchers. Only 18 percent of computer science degrees are awarded to women, and in the subfield of cybersecurity that figure is less than 10 percent, a gender gap that has also impacted women's experience in the classroom. The private sector is trying to set up programs to support women in cybersecurity. For example, Intel Security has launched a $300,000 diversity initiative to bring more women to the company.


HP Predicts Major Cyberattack in Next Five Years
ComputerWeekly.com (02/10/15) Ashford, Warwick

Hewlett-Packard's Andrzej Kawalec says HP predicts a catastrophic cyberattack in the next five years, causing "significant and lasting damage to a major world economy through physical and economic impacts." He also says HP predicts there will be hurdles in creating a robust single digital online identity and in managing the security of information shared online via social media, in the cloud, and via devices linked to the Internet of Things. Kawalec says another significant challenge in the next five years will be ensuring regulatory and privacy concerns are addressed without impairing cross-border trade or exposing industry to financial risk. He emphasizes that organizations should dedicate more time and effort to gaining insight into adversaries and how to disrupt them. Organizations also should identify their risk to determine how best to protect their information assets. Furthermore, they should increase collaboration and sharing of information to gain a cohesive view of threats and broaden cybersecurity capabilities beyond the enterprise. Looking at the year ahead, Kawalec says HP expects a major mobile exploit in the next 10 to 12 months as adversaries continue to collaborate faster and more efficiently, unencumbered by regulations. Other areas he says need addressing are managing open source software within organizations and security vulnerabilities within supply chains.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

