Search This Blog

Friday, June 19, 2015

Security Management Weekly - June 19, 2015


  Learn more! ->   sm professional  

June 19, 2015
Corporate Security
Sponsored By:
  1. "Flash Audit: 'Serious Concerns' About Personnel Computer Fix"
  2. "Security Clearance Companies Still Sacrifice Thoroughness, Workers Say"
  3. "St. Louis Cardinals Investigated for Hacking Into Houston Astros’ Database"
  4. "Pindrop Security Reveals Financial and Retail Institution Call Centers See 30 Percent Rise in Phone Fraud"
  5. "Password Manager LastPass Warns of Breach"

Homeland Security
Sponsored By:
  1. "Church Massacre Suspect Held as Charleston Grieves"
  2. "Report Says UN Not Equipped to Tackle Today's Challenges"
  3. "Top U.S. Officials Consider Bigger American Role in Iraq"
  4. "As Stress Drives Off Drone Operators, Air Force Must Cut Flights"
  5. "Russia Says It Would Match Any U.S. Military Buildup in Eastern Europe"

Cyber Security
Sponsored By:
  1. "White House Rushes to Strengthen Cyber Defenses as Hack Fallout Grows"
  2. "Vast Data Warehouse Raises Health Overhaul Privacy Concerns"
  3. "News and IoT Sites Flunk Security and Privacy Tests"
  4. "Canadian Government Servers Hit by Cyberattack, Minister Says"
  5. "Mobile App Data Flaw Leaves ‘Billions’ of Records at Risk: Security Researchers"




Flash Audit: 'Serious Concerns' About Personnel Computer Fix
Associated Press (06/19/15)

The Office of Personnel Management's (OPM) independent watchdog tried to warn the public about the agency's cybersecurity failures for years. In a "flash audit," the Inspector General Patrick McFarland raised "serious concerns" about a proposed $91 million computer overhaul of OPM networks, stating it had not followed management guidelines and relied on a no-bid contract to a single vendor. Office director Katherine Archuleta, said that her agency's computer systems were so old they needed an immediate modernization. McFarland noted that agency leaders launched the project with crucial questions unanswered, including the cost. He questioned the $91 million estimate by the agency. He added that it is likely that the project will "fail to meet the objectives of providing a secure operating environment for OPM systems and applications." Several critical agency applications run on OPM's aging mainframe computers, McFarland said. He noted that these applications need to be renovated to be compatible with OPM's proposed new IT architecture, adding that a much smaller migration of a single system cost $30 million and took two years to complete.

Security Clearance Companies Still Sacrifice Thoroughness, Workers Say
Washington Post (06/15/15) Davenport, Christian

Companies that conduct background checks for government security clearances work largely on a quota system that pressures investigators to get through cases quickly, internal company documents show.  Such demands can make investigations rushed and incomplete, according to interviews with current and former investigators.  These security companies also are struggling to pick up the huge workload left behind when the government's Office of Personnel Management declined to renew USIS's contract last fall.  At KeyPoint Government Solutions and CACI, field workers are required to meet pre-determined numbers that dictate how many interviews they must conduct every day, which the workers say puts quantity over quality when deciding who should have access to classified material.  The payment system in the government's contracts with these security companies is still structured so contractors get paid more quickly the faster they turn over the cases to the federal government, with a financial penalty if they miss a deadline.  One anonymous investigator who worked at both USIS and KeyPoint said that he left both jobs due to the importance of speed over thoroughness. Investigators for the companies argue that they should have more time and freedom to follow leads without worrying about quotas.

St. Louis Cardinals Investigated for Hacking Into Houston Astros’ Database
New York Times (06/17/15) Schmidt, Michael

The FBI is reportedly probing whether employees of the St. Louis Cardinals illegally accessed the Houston Astros’ private database of baseball player information. The investigation centers on the Astros’ internal computer system, called Ground Control, in which team employees keep notes on players and trade discussions. Some of the data relating to potential trades in 2013 was released anonymously online last year, prompting Major League Baseball to ask the FBI to investigate. That probe has reportedly led investigators to suspect employees of the Cardinals. The investigation is focused on mid-to-low-level staff in the Cardinals’ front office, but it is continuing and no final conclusions have been reached, according to one person familiar with the situation. Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011. When Luhnow and some of his subordinates joined the Astros, at least one of them apparently used a password that was the same or similar to one they had used with the Cardinals. While he was with the Cardinals, Luhnow used a similar database to track players and potential trades. The Cardinals personnel under investigation have not been put on leave, suspended, or fired. The Astros’ breach marks the first known instance that workers at a major professional U.S. sports team were suspected of swiping another team’s computer data.

Pindrop Security Reveals Financial and Retail Institution Call Centers See 30 Percent Rise in Phone Fraud
Dark Reading (06/17/15)

A new report on call-center fraud has found a 30-percent rise in enterprise attacks and more than 86.2 million attacks per month on U.S. consumers. Pindrop Security, which provides call center anti-fraud and authentication solutions, announced the findings in its annual Phone Fraud Report, in which researchers analyzed several million calls. Large financial institutions' call centers are exposed to an average $9 million in potential fraud each year, and increasing significantly since 2013. The report found that banks experience a fraud call rate of one in every 2,650 calls. More than 86.2 million calls per month in the United States are phone scams. “These attackers are sophisticated, using a variety of tactics, including automation, working in criminal rings and using both the phone and cyber channel to make tracking their actions more difficult,” said Matt Garland, vice president of research at Pindrop Security.

Password Manager LastPass Warns of Breach
Krebs on Security (06/16/15)

Users of LastPass, which allows users to centrally manage all of their online passwords, should change their master password after the company disclosed Monday that intruders had broken into its databases. The hackers stole data such as user email addresses and password reminders. LastPass said in an alert on its blog that there was no evidence that its encrypted user vault data was taken, or that user accounts were accessed. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side,” the company said. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” Passwords are “hashed” by taking the password and running it against a mathematical algorithm that turns it into a string of gibberish numbers and letters. By adding a unique element, or “salt,” to each user password, database administrators can complicate things for potential attackers who may rely on automated tools to crack user passwords.

Church Massacre Suspect Held as Charleston Grieves
New York Times (06/19/15) Corasaniti, Nick ; Perez-Pena, Richard; Alvarez, Lizette

Fourteen hours after the massacre at Emanuel African Methodist Episcopal Church, in which nine people died, the police in Shelby, N.C. arrested Dylann Storm Roof. Witnesses said Roof sat with church members for an hour and then started venting against African-Americans and opened fire on the group. Rev. Clementa C. Pinckney, the church pastor and a prominent state senator, was among those killed. Witnesses to the killings said the gunman asked for the pastor when he entered the church and sat down next to Pinckney during the Bible study. The church has the oldest black congregation south of Baltimore, according to the National Park Service, and its website calls it the oldest A.M.E. church in the South. At least three bomb threats were made June 18 that forced the evacuation of buildings around Charleston, included churches. In a photo on his Facebook page, Roof wears symbols of two former white supremacist governments, the fags of apartheid-era South Africa, and of Rhodesia, the nation that became Zimbabwe. Other photos show Roof leaning against a car with a license plate that reads Confederate States of America. Police said it was a tip from a commuter that led to the arrest. Jail officials said Roof would make a court appearance on the afternoon of June 19.

Report Says UN Not Equipped to Tackle Today's Challenges
Associated Press (06/16/15) Lederer, Edith M. ; Corder, Mike

In order to tackle global challenges, the United Nations and other international institutions need to change, a high-level commission said in a report. The Commission on Global Security, Justice and Governance issued a series of proposals aimed at reforming the U.N. and putting greater focus on preventing conflicts. The report stated that the "small, dense, interconnected world cannot prosper if more than a billion inhabitants fail to cross a basic threshold for a safe, dignified life, or if rising sea levels, extreme drought, powerful floods and storm surges, trafficking gangs, and networks of violent extremists threaten the security, well-being, and survival of millions." It added that economic shocks and cyber attacks are likely to have long-lasting consequences. The commission urged for a global network of cybercrime centers to help deal with cyber attacks. Additionally, it called for improved coordination between the Group of 20 major economies, the World Bank, and the International Monetary Fund to prevent the spread of cross-border financial shocks.

Top U.S. Officials Consider Bigger American Role in Iraq
Wall Street Journal (06/18/15) Nissenbaum, Dion

The U.S. military could take on a more active role in the fight against Islamic State (ISIS), Defense Secretary Ash Carter and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, suggested Wednesday. The two top defense officials said that they might support a higher-risk role for U.S. troops in Iraq, in which troops would join Iraqi forces on the front lines to help direct airstrikes. Although such a move has been under discussion, President Barack Obama has been resistant. Carter and Dempsey noted that it would be a mistake to send more U.S. troops just as a substitute for local Iraqi forces, as the Iraqi government needs to rebuild its own military. Some lawmakers have been calling for Congress to debate and vote on the use of ground troops in Iraq and Syria in the fight against ISIS militants. In a new plan approved by Obama last week, the U.S. military will send 450 more troops to Iraq to establish a new training base in an ISIS stronghold near Baghdad, where U.S. troops hope to train thousands of Sunni fighters to help push ISIS out of Ramadi.

As Stress Drives Off Drone Operators, Air Force Must Cut Flights
New York Times (06/17/15) P. A1 Drew, Christopher; Philipps, Dave

Although U.S. military and intelligence officials are demanding more drone flights over combat zones, the Air Force is cutting back as operators are experiencing burnout. The Air Force plans to cut the number of flights by armed surveillance drones to 60 a day by October, after a recent peak of 65, in response to the departure of crew members. Col. James Cluff recently said that many Air Force pilots feel “undermanned and overworked” due to alternating day and night shifts, and few academic breaks or promotions. A drone training program also produces only about half of the new pilots needed because instructors have been reassigned to the flight line. The past decade has seen drone missions increase tenfold, pushing operators to meet demand for streaming video of insurgent activities in areas such as Iraq, Afghanistan, Somalia, Libya, and Syria. The cut in drone flights also may affect the CIA, which has used Air Force pilots in drone missile attacks on terrorism suspects in Pakistan and Yemen, and military advances by the Islamic State have placed greater importance on aerial surveillance and counterattacks.

Russia Says It Would Match Any U.S. Military Buildup in Eastern Europe
Washington Post (06/15/15) Demirjian, Karoun

A Russian general on Monday said that Russia would swiftly respond to any moves by the United States to build up military resources in the Baltic states. The comments from Russian army Gen. Yury Yakubov followed statements from U.S. officials on Saturday that the Pentagon is considering storing heavy weaponry, including tanks and other vehicles, in Baltic countries including Lithuania, Latvia, Estonia, Poland, Romania, Bulgaria, and Hungary. Yakubov characterized the proposal as, “the most aggressive step since the Cold War,” and said that should Russia would move to reinforce its entire western border should it detect such a buildup of U.S. equipment in the Baltics or Eastern Europe. Several of the Baltic states and other Eastern European members of NATO have been calling for the U.S. to increase its military presence in the region since Russia’s annexation of Crimea last year and its ongoing support of pro-Russian rebel forces in Ukraine. However, U.S. Defense Secretary Ash Carter has said that plans to fortify Eastern Europe have yet to get the green light from the Department of the Defense. Such a move would be unprecedented, as the U.S. has not sent heavy weapons to the NATO states that are former Soviet republics.

White House Rushes to Strengthen Cyber Defenses as Hack Fallout Grows
The Hill (06/12/15) Hattem, Julian

After a hack hit federal systems, the White House announced details of a new push to increase government cybersecurity systems. As part of a 30-day “cybersecurity sprint” to improve government defenses, agencies across the administration must patch critical vulnerabilities, speed up the adaption of multi-factor authentication, and much more. Additionally, U.S. Chief Information Officer Tony Scott is leading a month long review of the government’s cyber policies and practices, along with officials from the Pentagon, Department of Homeland Security, and National Security Council. Some have criticized the administration for not taking a stronger approach in response to the latest hacking revelations, which officials said come from China. Foreign hackers may be able to use data stolen from government servers to blackmail employees. Senate Armed Services Chairman John McCain (R-Ariz.) stated that the administration “has not made a policy decision” about how to respond to cyber incidents, which he found troubling.

Vast Data Warehouse Raises Health Overhaul Privacy Concerns
Associated Press (06/16/15) Alonso-Zaldivar, Ricardo

The personal information of millions of people who seek coverage under President Barack Obama's health care law, including those who open an account on, but don't sign up for coverage, is stored forever in a government data warehouse. At a time when major breaches have become common, it has raised concerns about privacy and the government's judgment on technology. Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, noted that "the more data you keep, the more harm an attacker or unauthorized person can do." The health care system, known as MIDAS (Multidimensional Insurance Data Analytics System), is described on a federal website as the "perpetual central repository" for information that the Affordable Care Act authorizes federal agencies to collect. One document says that data in MIDAS is "maintained indefinitely at this time." The Obama administration argues that MIDAS is essential to the operation of the health care law's insurance markets and meets federal security and privacy standards.

News and IoT Sites Flunk Security and Privacy Tests
CSO Online (06/16/15) Korolov, Maria

In a security and privacy audit of top consumer-oriented websites, news and Internet of Things websites scored the worst, according to a report released by the Online Trust Alliance. Only 20 percent of sites in the Internet of Things category passed the audit, and only 8 percent of news sites passed. Social sites did the best, with 58 percent passing. The IoT category consists of 25 leading sites related to wearable technology and 25 related to home automation. Craig Spiezle, executive director and president at the Bellevue, Wash.-based Online Trust Alliance, said these companies "have clearly not invested in security and privacy as much as other sectors." He said one reason could be that these companies are just starting out and "they haven't yet started to consider security and privacy holistically." Sites were ranked in three categories which included, how well their domains were protected, how well their servers and sites were protected, and on their privacy policies. IoT sites scored the worst when it comes to security servers and domains while news sites scored the worst on privacy. Twitter received the highest score of any sector for the third year in a row. American Greetings achieved the highest ranking in the retail sector.

Canadian Government Servers Hit by Cyberattack, Minister Says
Wall Street Journal (06/18/15) Macdonald, Alistair; King, Carolyn

Several Canadian government websites and servers were taken down in a cyber attack on Wednesday, with the hacking group Anonymous taking responsibility in what it said was retaliation for a new anti-terrorism law passed by Canada’s politicians. The general website for government services,, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS), were among those affected. The government said the attack also affected email and internet access but that it was working to restore the services. In a video posted on YouTube, Anonymous said the anti-terrorism law violated human rights and targeted people who disagree with the government. Bill C-51, or the Anti-terrorism Act, 2015, would broaden the mandate of CSIS, giving the agency new powers to disrupt perceived security threats. The legislation would also make it easier for federal agencies to increase surveillance and share information about individuals.

Mobile App Data Flaw Leaves ‘Billions’ of Records at Risk: Security Researchers
Insurance Journal (06/17/15) Wagstaff, Jeremy

Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users' personal information vulnerable to hackers. A team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, and more. Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology, said "in almost every category we found an app which has this vulnerability in it." Another security researcher working separately, Colombian Jheto Xekri, said he had found the same flaw. Team leader Eric Bodden said the issue is the way developers authenticate users when storing their data in online databases. Many apps use services like Amazon’s Web Services or Facebook’s Parse to store or back up users’ data. Developers often choose the default option when protecting their data, based on a string of letters and numbers embedded in the software's code, called a token. Bodden said attackers can tweak those tokens in the app, which gives them access to the private data of all users of that app stored on the server.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: