
Friday, May 08, 2015

Security Management Weekly - May 8, 2015



May 8, 2015
Corporate Security
  1. "SEC: CCO Should Have Active Role In Cybersecurity"
  2. "With IoT Projects Come Financial Benefits, But Also Security Risks"
  3. "Illegal-Arrest Charge Ripples Beyond Baltimore"
  4. "Report: Germanwings Crash Co-Pilot Tried Slow Descent Before"
  5. "SXP Settles Quantlab Code-Theft Claim as Founders Go On Trial"

Homeland Security
  1. "One of Texas Gunmen Previously Had Drawn FBI's Attention"
  2. "NSA Phone Program Is Illegal, Appeals Court Rules"
  3. "French Leader, Gulf States Discuss Security"
  4. "Senate Easily Passes Bill for a Voice on Iran Nuclear Accord"
  5. "A Test Case for 'Deradicalization'"

Cyber Security
  1. "Internal Revenue Service Joins Cybercrime Hunt With New Investigation Team"
  2. "Lawmakers in France Move to Vastly Expand Surveillance"
  3. "Rombertik Malware: Evasive, Layered, Out to Steal"
  4. "Intense Debate Over Security and Privacy Is Coming in the Senate"
  5. "Canada Lawmakers Vote to Ramp Up Spy Agency Powers"


SEC: CCO Should Have Active Role In Cybersecurity
Think Advisor (05/07/15) Waddell, Melanie

The chief compliance officer (CCO) should have an “active role” in discussing a firm's cybersecurity threats not only with technology personnel but also with management, outside vendors and even fund boards, David Joire, senior counsel in the Securities and Exchange Commission's Division of Investment Management (IM), said Thursday at ICI's annual conference. Joire said that the SEC's Office of Compliance Inspections and Examinations isn't the only division providing guidance to firms on cybersecurity, pointing to the IM division's recently released guidance to help advisers and funds address their cyber risks. The guidance provides “high-level advice on risk management, but more importantly around the compliance aspect,” he said, noting the three rules addressed in the guidance: Regulation S-P (Privacy of Consumer Financial Information); Regulation S-ID (identity theft), and Rule 38a-1, which includes business continuity requirements. The Department of Justice's Cyber Unit released its own guidance detailing best practices for response to and reporting of cyber incidents.

With IoT Projects Come Financial Benefits, But Also Security Risks
Computerworld (05/06/15) O'Connor, Fred

Internet of Things projects can help companies operate more efficiently, but they also give hackers additional targets to attack. Many speakers appeared at the LiveWorx conference in Boston to discuss how companies are handling IoT security issues. Sunder Somasundaram, director of global IoT sales at AT&T, said corporate security policies focus on security hardware that workers use, but with IoT, the security perimeter extends to devices operating outside of an office that link to critical systems. However, Syed Hoda, CMO at ParStream, which provides a data analytics platform for IoT systems, said some businesses over-think security. "There's some data you have that nobody really cares about," Hoda said. The focus should be on securing data that can damage a company. Companies should look at how data travels through their IoT networks and figure how to keep it safe, noted Alan Atkins, vice president and global head of IoT at Wipro. Hoda added that in order for companies to reap benefits from IoT projects, they need to use the data they collect quickly. ParStream research shows that companies that were faster to react to the data saw returns on investment.

Illegal-Arrest Charge Ripples Beyond Baltimore
Wall Street Journal (05/04/15) Calvert, Scott; Palazzolo, Joe

Three of the six Baltimore police officers involved in last month's arrest of Freddie Gray, who died of injuries sustained while in custody, have been charged with false imprisonment. While this charge did not receive as much attention as the charges of second-degree murder or involuntary manslaughter, many experts say it could have effects among police departments across the nation. State's Attorney Marilyn Mosby's use of the charge could make arresting officers more careful and reduce improper arrests. Some argue that too much hesitation among police officers could allow criminals to get away. Baltimore lawyer Nick Panteleakis notes that bringing false imprisonment charges in this case shuts down a defense by officers that they had to use force against Gray because he was resisting arrest, as the state of Maryland allows any citizen to resist an illegal arrest. Panteleakis said that Mosby, who recently took office as Baltimore state's attorney, has pledged to hold police to a higher standard.

Report: Germanwings Crash Co-Pilot Tried Slow Descent Before
New York Times (05/06/15)

Andreas Lubitz, the co-pilot of Germanwings Flight 9525, appears to have practiced a controlled descent on his flight into Barcelona, two hours before he crashed the A320 jet into a mountainside on the return flight to Dusseldorf, air accident investigators said. The Bureau of Investigations and Analyses said that on March 24, during the outbound flight to Barcelona from Dusseldorf, the co-pilot programmed the plane for sharp descent multiple times while the pilot was out of the cockpit before resetting the controls. The report says Lubitz put the engines on idle, which gives the plane the ability to quickly descend. It is unusual for a pilot to set a plane for such a low altitude, but the report says that Lubitz did so while he was being asked by air traffic controllers to bring the plane down for its scheduled descent to Barcelona. Aviation experts said the findings were unusual. Antoine Amal, a top official in France's main pilots union SNPL said, "the process of going up and down with the selected altitude is not normal, but I can't tell you what was going on in his head." The BEA said investigators are looking at "compromises" made on security after the Sept. 11 attacks in the United States, notably on cockpit door locking systems meant to protect pilots from terrorists.

SXP Settles Quantlab Code-Theft Claim as Founders Go On Trial
Bloomberg (05/04/15) Calkins, Laurel Brubaker

SXP Analytics and a group of its programmers avoided trial with a last-minute settlement of claims they used Quantlab Technologies's high-frequency trading computer code to start the company. Two SXP founders, however, pressed ahead with proceedings. SXP agreed to pay $28.5 million to resolve complaints about its role in the alleged conspiracy, according to court papers filed Sunday. Andriy Kuharsky, a quantitative research scientist who partly developed the computer code, went on trial. His lawyer asked prospective jurors not to make the scientist pay any of the $64 million damages Quantlab claims the conspiracy caused. “We're not going to deny Mr. Kuharsky had more of these files than he should have,” David Holmes, Kuharsky's lawyer, told jurors, adding that the files weren't used to create SXP trading code and Kuharsky never made any money off the strategy. Emmanuel Mamalakis, a Wisconsin entrepreneur who recruited the two former Quantlab researchers and bankrolled SXP, also went on trial. Acting as his own attorney, Mamalakis asked potential jurors not to confuse Quantlab's allegations against him with those against his former business partner, as there have been findings of “liability on one that have not been found on the other.” U.S. District Judge Keith Ellison ruled on April 27 that Kuharsky and Godlevsky were liable for misappropriating trade secrets as punishment for having destroyed so much computer evidence that the judge said it may be impossible to ever learn what happened with the code.

One of Texas Gunmen Previously Had Drawn FBI's Attention
Wall Street Journal (05/05/15) Frosch, Dan; Campoy, Ana

Law-enforcement officials have identified the gunmen involved in a shooting at a community center in Garland, Texas, on Sunday, one of whom was the subject of a prior federal investigation in Phoenix. Elton Simpson and Nadir Soofi were gunned down by a police officer after they opened fire on their way into the building, where about 200 people were attending an event featuring Muhammad cartoons. Although police had been monitoring social media for threats to the event, they had not received any indication of the specific attack, according to Joe Harn, spokesman for the Garland Police Department. Simpson was convicted in 2011 of making a false statement to the FBI after prosecutors said he had planned to join Islamic militant groups in Africa, and then lied about those plans. Federal judge Mary H. Murguia, however, ruled that prosecutors had not established that Simpson's potential travel plans were “sufficiently 'related' to international terrorism” and sentenced him to three years of probation. Simpson and Soofi shared a Phoenix residence and attended the same mosque. Police have not provided information about when or how the suspects arrived in Texas, but suitcases were found in their car, along with more rounds of ammunition.

NSA Phone Program Is Illegal, Appeals Court Rules
Wall Street Journal (05/08/15) Barrett, Devlin; Paletta, Damian

A federal appeals court on Thursday ruled that a National Security Agency (NSA) program that collects the phone records of millions of Americans is illegal, less than a month away from a congressional deadline to extend the program. The three-judge panel of the Second U.S. Circuit Court of Appeals in New York cut apart the legal theories that have been used to justify the mass surveillance program, finding that the legal language of the Patriot Act did not allow for data gathering on the scale practiced by the NSA. The judges wrote in their decision that "the statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here." However, the judges did not order the collection to stop, noting that pending action in Congress will force action on the matter one way or the other. Lawmakers are currently deadlocked over whether to reauthorize the controversial Section 215 of the Patriot Act that is used to justify bulk collection, or to modify it through legislation called the USA Freedom Act. Neither side has a clear advantage, and if action is not taken one way or the other soon, Section 215 could simply expire.

French Leader, Gulf States Discuss Security
Wall Street Journal (05/06/15) Al Omran, Ahmed; Solomon, Jay

French President François Hollande met with the leaders of several Persian Gulf states, including Saudi Arabia, on Tuesday, in what appears to be a subtle snub of Washington.  The meeting came days before a U.S.-Arab summit in Washington, when President Obama will try to achieve support for a nuclear agreement with Iran.  Saudi Arabia and its key Arab allies have been skeptical of such a deal, which the Obama administration is looking to reach by the end of June.  According to David Ottaway, a senior scholar at Washington's Woodrow Wilson International Center for Scholars, Hollande's presence in Riyadh is a message to the United States that the Gulf states have other allies, though the Gulf Cooperation Council knows that France cannot provide a complete security alternative.  “What they want is reassurance the U.S. will be at their back if Iran threatens,” Ottaway said.  Among those countries participating in negotiations with Iran, France is more critical of the effort, and has publicly shared the Gulf states' concerns.  France says it has agreed with Saudi Arabia to upgrade a security pact between the two nations.

Senate Easily Passes Bill for a Voice on Iran Nuclear Accord
New York Times (05/08/15) P. A1 Steinhauer, Jennifer

The U.S. Senate has passed a bill that would give Congress a voice in any nuclear agreement involving the United States and Iran, a move to curb expanding presidential authority. The bill was approved 98 to 1, after months of negotiations, White House resistance, the federal indictment of one of its sponsors, and a partisan feud over a speech to Congress by Prime Minister Benjamin Netanyahu of Israel. If implemented, the legislation would require that the administration send the text of a final accord, as well as classified material, to Congress once it was completed. The lifting of sanctions on Iran would also be halted, pending a 30-day congressional review that would end in a possible vote to allow or forbid the lifting of congressionally imposed sanctions. President Obama could still achieve an Iran deal beyond the review period. The move demonstrates how Congress is attempting to become more assertive on foreign policy, although it is still divided about the use of military force against countries struggling against violent Muslim extremists.

A Test Case for 'Deradicalization'
Wall Street Journal (05/06/15) Jordan, Miriam; Audi, Tamara

A trial program that hopes to "deradicalize" Americans drawn to Islamic extremism is being tested on Abdullahi Yusuf, a U.S. teenager who tried to travel to the Middle East to fight with extremist groups. Yusuf was sentenced earlier this year to a program to reintegrate him into U.S. society and his immigrant community in Minneapolis. If the program is successful, his sentence may be reduced, and the program expanded to other would-be jihadists. The program's curriculum includes writings of Martin Luther King Jr., readings of the U.S. Constitution, and discussions about life and literature with a fellow Somali-American. Experts believe that this is the first such effort in the United States to try to turn a young person connected to a terror prosecution away from an extremist Islamist ideology. Deradicalization efforts have been attempted in other nations, but even their supporters say that the effectiveness is uncertain due to lack of data and cultural differences.

Internal Revenue Service Joins Cybercrime Hunt With New Investigation Team
Wall Street Journal (05/06/15) Viswanatha, Aruna

The Internal Revenue Service has established a new criminal-investigation team, consisting of about 12 agents, that will address the increasing number of identity-theft cases, often involving hackers stealing personal information to collect tax refunds. The past year and a half have seen more investigations occur in the cyber realm, creating a need for more digital expertise at the IRS. The new unit will draw on existing computer specialists and other IRS criminal-investigation agents, but it is being formed as the agency is seeing budget cuts. Agency data show that nearly all of the 1,063 identity-theft cases that it initiated in the last fiscal year involve some digital element. Richard Weber, head of criminal investigations at the IRS, said his team has found connections to countries such as Nigeria, Russia, and Romania. Recent intelligence also shows that criminal groups have begun to accumulate data in preparation for the 2016 tax filing season.

Lawmakers in France Move to Vastly Expand Surveillance
New York Times (05/06/15) P. A1 Rubin, Alissa J.

The French Parliament's lower house on Tuesday overwhelmingly approved a bill to give authorities more domestic spying abilities than ever, with very little judicial oversight.  The bill will move on to the Senate, where it seems likely to pass in the aftermath of the terrorist attacks in Paris in January that left 17 people dead.  The new law would give France's intelligence services the right to gather potentially unlimited electronic data, as authorities try to keep track of those citizens who travel to and from Iraq and Syria to wage jihad, often recruited online.  Intelligence services would have permission to tap mobile phones, read emails, and force Internet companies to comply with government requests to examine virtually all of their subscribers' communications.  Intelligence services also could request the right to hide microphones in a room or on cars, or to use antennas to capture telephone conversations or text messages.  The new law also would create a 13-member National Commission to Control Intelligence Techniques, which would have to examine requests to begin surveillance, though their recommendations could be overridden by the prime minister.

Rombertik Malware: Evasive, Layered, Out to Steal (05/06/15) Owano, Nancy

Ben Baker and Alex Chiu at Cisco Talos have identified new malware called Rombertik and reverse-engineered it, finding several layers "of obfuscation and anti-analysis functionality." The researchers say Rombertik was designed to evade static and dynamic analysis tools, and if the sample became aware it was being analyzed or debugged, it would destroy the master boot record. "If Rombertik detects an instance of Firefox, Chrome, or Internet Explorer, it will inject itself into the process and hook API functions that handle plain text data. Once accomplished, Rombertik is then able to read any plain-text data the user might type into their browser and capture this input before it gets encrypted if the input is to be sent over HTTPS," say Baker and Chiu. Attackers use social-engineering tactics to trick users into downloading, unzipping, and opening attachments. One example is an organization making a business pitch to work with an enterprise, inviting the potential victim to check out an attachment to see if the two businesses are aligned for a successful relationship. The attachment may appear to be a PDF file, but is actually a .SCR screensaver executable file containing Rombertik. "Once the user double clicks to open the file, Rombertik will begin the process of compromising the system," according to Baker and Chiu.
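The delivery step described above, an executable with a .SCR extension presented as a PDF, is the point at which a mail gateway or a responder can intervene before anything runs. The following is an added example written for this digest, not code from the article, from Cisco Talos, or from any Rombertik analysis; the attachment names and byte strings are constructed, and the extension deny-list is an assumption about what a typical gateway would treat as executable. It checks three things: whether the final extension is one Windows will execute on double-click, whether a document extension is stacked in front of it (including the padded-with-spaces variant), and whether the leading bytes contradict the name (a "PDF" that actually begins with an MZ executable header).

```python
"""Attachment triage: flag executables disguised as documents.

Added example, not part of the original article or the Talos write-up.
The deny-list below and the sample attachments are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Assumption: extensions a Windows host executes on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to open in a viewer rather than run.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def sniff_content(data: bytes) -> str:
    """Identify the real file type from its leading bytes (magic numbers)."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):          # DOS/PE header shared by .exe and .scr
        return "pe"
    if data.startswith(b"PK\x03\x04"):  # zip container (also docx/xlsx)
        return "zip"
    return "unknown"


def all_extensions(name: str) -> List[str]:
    """Return every dotted suffix in order, lower-cased and stripped of padding.

    'Plan.pdf      .scr' -> ['.pdf', '.scr'], so space-padded double
    extensions are caught as well as the plain 'plan.pdf.scr' form.
    """
    parts = name.lower().split(".")
    return ["." + p.strip() for p in parts[1:]] if len(parts) > 1 else []


def classify(name: str, data: bytes) -> List[str]:
    """Return the list of findings for one attachment (empty means clean)."""
    findings: List[str] = []
    exts = all_extensions(name)
    final = exts[-1] if exts else ""
    kind = sniff_content(data)

    # 1. Final extension alone makes the file runnable on double-click.
    if final in EXECUTABLE_EXTS:
        findings.append("executable_extension")
    # 2. A document extension placed before the executable one is a lure
    #    aimed at hosts that hide known extensions.
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double_extension")
    # 3. The bytes say "executable" while the name says "document".
    if kind == "pe" and final not in EXECUTABLE_EXTS:
        findings.append("content_mismatch")
    return findings


def triage(attachments: List[Tuple[str, bytes]]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each attachment name to a (verdict, findings) pair.

    Any finding blocks the attachment; a clean attachment is allowed.
    """
    result = {}
    for name, data in attachments:
        findings = classify(name, data)
        result[name] = ("block" if findings else "allow", findings)
    return result


# Constructed sample attachments standing in for what a gateway would see.
SAMPLE_ATTACHMENTS = [
    ("partnership_proposal.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("partnership_proposal.pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("invoice.PDF", b"MZ\x90\x00"),                      # renamed executable
    ("quarterly_report.pdf            .scr", b"MZ\x90"),  # padded double extension
    ("readme.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, (verdict, findings) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5s} {name!r} {findings}")
```

The magic-byte check is what makes this more than a filename filter: an attacker who simply renames the .SCR to .pdf defeats the first two tests, but the MZ header still gives the file away. Conversely, a genuine PDF with an odd name produces no finding, so the gateway does not block legitimate business documents.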

Intense Debate Over Security and Privacy Is Coming in the Senate
Washington Examiner (DC) (05/04/15) Mitchell, Charlie

Bipartisan cybersecurity legislation looked ready to step into the spotlight after passing through the House of Representatives in April, but the progress has been put on hold after the bill never made it to the Senate floor for the entire month. The U.S. Chamber of Commerce, the Financial Services Roundtable, the American Bankers Association, energy groups, retailers, and many others have been trying to get the legislation pushed through to the White House without success. According to the Chamber of Commerce the goal of the bill is to "help companies achieve timely and actionable situational awareness to improve the business community's and the nation's detection, mitigation, and response capabilities." All of the bill's backers have urged immediate action, but none has been taken. Still, some oppose the bill because of concerns about the adequacy of privacy protections covered. With that, a debate over cybersecurity and privacy will commence in the Senate, but the bill must first be brought to the floor.

Canada Lawmakers Vote to Ramp Up Spy Agency Powers
Agence France-Presse (05/07/15)

Canadian lawmakers have passed an extremely controversial anti-terror law dramatically expanding the powers and reach of Canada's spy agency, allowing it to operate overseas for the first time. The new law criminalizes the promotion of terrorism, makes it easier for police to arrest and detain individuals without charge, and expands the Canadian Security Intelligence Service's (CSIS) mandate to include actively thwarting terror plots and spying outside Canada.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD
