Friday, May 27, 2011

Security Management Weekly - May 27, 2011

header

  Learn more! ->   sm professional  

May 27, 2011
 
 
Corporate Security
  1. "LAPD Chief 'Absolutely' Confident Police Arrested Correct Suspect in Bryan Stow Beating"
  2. "PIN Pads Exposed, Expert Says"
  3. "Bank of America Data Leak Destroys Trust"
  4. "Security Expert: Somali Pirates Adapting to Global Response"
  5. "US Authorities Seize More Domain Names in a 'Piracy' Crackdown"

Homeland Security
  1. "U.S. Gains Entry to Bin Laden's Pakistan House"
  2. "Taliban Say They Won't Hit Nuclear Arsenal" Pakistan
  3. "Headley Reveals Pakistan Links to Mumbai Attacks"
  4. "Taliban Raid Raises Concern Over Pakistan Nukes"
  5. "Spy, Military Ties Aided Bin Laden Raid"

Cyber Security
  1. "Hackers Steal Hotmail Messages Thanks to Web Flaw"
  2. "Homemade Cyberweapon Worries Federal Officials"
  3. "U.S. International Cyberspace Policy Sounds Good; Will Be Hard to Implement"
  4. "Stanford Computer Scientists Find Internet Security Flaw"
  5. "Senate Debates President's Power During Cyber-Attack"

   

 
 
 

 


LAPD Chief 'Absolutely' Confident Police Arrested Correct Suspect in Bryan Stow Beating
Los Angeles Times (05/27/11) Rubin, Joel

Los Angeles Police Department Chief Charlie Beck on May 26 reaffirmed his belief that Giovanni Ramirez, who was recently arrested for the near-fatal beating of San Francisco Giants fan Bryan Stow at Dodger Stadium, is the primary suspect and principal assailant in the attack. Beck also said the Los Angeles Police Department would present its case to prosecutors "in the near future." Ramirez, a 31-year-old gang member, "is, and was, and has been our primary suspect [in] the Stow beating," Beck said. Ramirez is believed by police to be one of two men who assaulted Stow, a Santa Clara paramedic, after the Dodgers' opening day game March 31. Stow suffered brain damage and remains in critical condition at San Francisco General Hospital. With the second assailant and a woman who drove the men away from the stadium still at large, Beck emphasized that the investigation remained active, with 20 detectives assigned to it and a $250,000 reward still available. Deputy Chief Jose Perez declined to discuss claims made by an attorney representing Ramirez's relatives that Ramirez was not at the opening day game and that several people could provide an alibi for him.


PIN Pads Exposed, Expert Says
ISO & Agent Weekly (05/25/11) Fitzgerald, Kate

The breach at Michaels Stores resulting from tampering of PIN pad terminals has called the devices' safety into question, with payment security experts warning that many retailers' terminals are vulnerable to similar intrusions. The PCI Security Standards Council says that all the U.S. payment terminals it certifies are designed to be tamper-proof. In 2009 the council issued recommendations and guidelines to prevent the skimming of card data from payment terminals, but the group has conceded that thieves are following new strategies to steal data at various points in the payment cycle. Thales e-Security's Jose Diaz reports that although it is impossible to safeguard against unknown new tampering approaches, many merchants are still missing fundamental processes to determine whether their terminals have been interfered with. "Fraudsters have become very sophisticated at taking payment terminals apart and figuring out ways to capture payment card data and PINs," Diaz notes. He also says that "most merchants lack solid processes for securing terminals so thieves can't get their hands on terminals in the first place." Diaz says the challenge lies in installing terminals in such a manner and in locations as to make criminal access impossible while also ensuring that tampering will be detected by security and tracking systems.


Bank of America Data Leak Destroys Trust
Los Angeles Times (05/24/11) Lazarus, David

Bank of America is beginning to inform roughly 300 customers in California and other Western states that their accounts were breached in an incident that it learned about a year ago. The security breach was carried out by a BofA employee who had leaked the customers' confidential information, including their Social Security numbers, bank account numbers, and driver's license numbers, to a group of scammers. In at least one case, the scammers ordered checks for the customers' checking accounts and arranged to pick up the checks at a UPS outlet. The scammers also called Verizon and had one victim's phone calls forwarded to their cell phone so that BofA could not contact the victim to inform him that fraudulent checks were being used. In addition, the thieves called BofA and initiated a funds transfer from one of the victim's checking accounts that they had not yet accessed to another account that they had checks for. The security breach resulted in total losses of more than $10 million. A total of 95 suspects have been arrested in connection with the case.


Security Expert: Somali Pirates Adapting to Global Response
BestWire (05/23/11)

Maritime security expert Tim Hart says that Somali-based pirates are proving able to adapt to international efforts to contain them since they gained broad attention in 2007 and 2008. "They have evolved, and they have countered any response that's really faced them," Hart said, echoing the insurance industry's wide-held belief that Somali pirates have become a more sophisticated threat and more needs to be done to stop them. According to Marine and Underwriting Security Consultants (MUSC), during the first quarter of 2011 pirates were paid around $65 million in ransoms, up from $39 million in the first quarter of 2009. MUSC also estimates that at least 18 commercial vessels and about 500 hostages are currently in the hands of Somali pirates. Also, the consultancy said the average ransoms rose from $2.1 million in the first quarter of 2009 to $4.6 million in the first quarter of 2011. Hart said that because pirates have been so successful, it has caused others to want to get involved in piracy as well. Hart said the use of large mother ships, has enabled the pirates to expand their base. Because the ships allow pirates to store more weapons and fuel, accommodate hostages and more easily evade the attention of navies, their use has increased significantly in the past few years. While new security techniques have been introduced, the highly-adaptable pirates have quickly learned the tactics and what they can do to prevent or limit exposure to such methods. Hart has predicted that pirates will become even more bold then they are now.


US Authorities Seize More Domain Names in a 'Piracy' Crackdown
Inquirer (UK) (05/23/11) Wilson, Dean

The U.S. Department of Justice and Immigration and Customs Enforcement (ICE) have seized several domain names as part of the latest round of its joint operation known as Operation in Our Sites. Among the domain names that were seized were re1ease.net and watchnewfilms.com, both of which linked to movie streaming Web sites and were consequently accused of engaging in piracy, and dvdcollectionsale.com, dvdsetsonline.com, and newstylerolex.com, all of which are accused of selling counterfeit products. The seizure of the domains took place after the seizure of 100 other domain names during the previous three rounds of Operation in Our Sites. However, half of the companies whose domains have been seized are now operating under a different name, according to Torrentfreak. Still, ICE claims that Operation in Our Sites will help deter online piracy.




U.S. Gains Entry to Bin Laden's Pakistan House
Wall Street Journal (05/27/11) Gorman, Siobhan

The U.S. and Pakistan have reached an agreement that will allow forensics experts from the CIA to search Osama bin Laden's compound for the first time since the al-Qaida leader was killed on May 2. When they search the compound on Friday, CIA forensics experts will look for hidden clues about bin Laden's and al-Qaida's activities. The search could also provide officials with information about the security measures that were installed at the compound, as well as the reasons why those security measures were used. The search is being made possible thanks to a deal that was reached last week between CIA Deputy Director Michael Morell and Pakistani intelligence Chief Lt. Gen. Ahmed Shuja Pasha. Although the deal was forged last week, the complex logistics associated with searching the compound--including bringing forensic equipment capable of looking through walls and examining other materials found at the home--has delayed the searches until now. Despite the agreement between the U.S. and Pakistan, relations between the two countries remain strained. U.S. officials believe that some Pakistani officials were hiding bin Laden, while Pakistani officials have said that Washington's decision to keep the raid on bin Laden's compound a secret resulted in embarrassment for Pakistani leaders.


Taliban Say They Won't Hit Nuclear Arsenal
Wall Street Journal (05/26/11) Rosenberg, Matthew; Tohid, Owais

A spokesman for the Pakistan Taliban said Wednesday that his group has no plans to target Pakistan's nuclear weapons. The statement by the spokesman comes as U.S. and other Western officials are expressing concern about the security of Pakistan's nuclear arsenal. Officials in Western nations are worried because the Pakistani military has limited their access to its nuclear program out of fear that either an allied nation or an enemy could take the weapons away. In addition, some have expressed concern about the Taliban's ability to breach highly-secure areas like the naval air station that the group attacked on Sunday in Karachi. However, the Pakistan Taliban spokesman said that those concerns were being used by the U.S. to put pressure on Pakistan to fight the Taliban. Pakistan has said that its nuclear arsenal is safe, and that facilities that are used to store the weapons are well protected. Pakistan also performs thorough checks to prevent political and religious extremists from accessing its nuclear program. It remains unclear whether the Pakistan Taliban is being sincere in pledging not to attack Pakistan's nuclear arsenal. Even if it is, al-Qaida and other Islamist groups in Pakistan have expressed an interest in obtaining nuclear weapons.


Headley Reveals Pakistan Links to Mumbai Attacks
Associated Press (05/25/11)

David Headley on Tuesday testified for the second day in the trial of Tahawwur Rana, who has been charged in connection with the 2008 terrorist attacks in Mumbai. During his testimony, Headley told the jury in Chicago that Pakistan's Inter-Services Intelligence (ISI) agency and the Pakistani militant group Lashkar-e-Taiba worked together on the Mumbai attacks. Headley, who has admitted to helping prepare for the Mumbai attacks, noted that he was recruited by a member of ISI to take part in the attacks and that he met with individuals from both Lashkar-e-Taiba and ISI a month before the rampage took place. Headley's claim that ISI and Lashkar-e-Taiba were working together could have a number of ramifications, including an increase in tensions between Pakistan and India and the U.S. and Pakistan. In fact, Headley's testimony could spell the end of strategic cooperation between the U.S. and Pakistan, said Bruce Riedel, a former White House adviser on the Middle East and South Asia. In addition, Headley's testimony could raise additional concerns about Pakistan's commitment to counterterrorism efforts and ISI's ties to terrorist groups. Pakistan, for its part, has denied claims that ISI was behind the Mumbai attacks, as well as claims that the agency has links to Lashkar-e-Taiba.


Taliban Raid Raises Concern Over Pakistan Nukes
Bloomberg (05/24/11) Anwar, Haris; Anis, Khurrum; Rupert, James

Monday's attack on a Pakistani naval base in Karachi by 15 Taliban militants has raised concerns about the security of Pakistan's nuclear arsenal. Some have said that the attack, which was the deepest strike into a Pakistani armed forces facility since a 2009 militant raid on a building in the army's general headquarters in Rawalpindi, shows that the Pakistani military is unable to protect the nation's 70 to 120 nuclear warheads. Those warheads are managed through the Pakistani military's Strategic Plans Division, which is made up of roughly 10,000 members and is generally separate and independent from the rest of the army. According to Muhammad Waseem, a political science professor at the Lahore University of Management Sciences, there will continue to be suspicions that Pakistan cannot protect its nuclear weapons from security threats. However, it is not likely that militants will take control of Pakistan's nuclear arsenal, although they could certainly attempt to launch attacks on nuclear installations, said Rashid Khan, a professor of international relations at Pakistan's University of Sargodha. Khan added that he is surprised at how skillful and tactical militants have been in launching attacks like the one that took place on Monday. Meanwhile, Monday's attack has also raised concerns that Pakistan is not prepared to deal with internal security threats, and that it is instead more focused on external threats like the threat from India.


Spy, Military Ties Aided Bin Laden Raid
Wall Street Journal (05/23/11) Gorman, Siobhan; Barnes, Julian E.

Although the U.S. military and the nation's intelligence community have been wary of each other in the past, the two engaged in a large amount of cooperation with one another during the planning for the raid on Osama bin Laden's compound in Pakistan earlier this month. After laying out the CIA's best intelligence case for why bin Laden was likely at the compound, CIA Director Leon Panetta invited Adm. William McRaven to the agency's headquarters in January to show him photos and maps that indicated bin Laden's location. McRaven then analyzed the pros and cons of an attack on the compound and spent days working with the CIA on the planning for the operation. In February, several Pentagon officials--including chief counterterrorism adviser Michael Vickers, Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright--met with Panetta, McRaven, and top CIA officials to hear an intelligence assessment and to review options for an attack on bin Laden's compound. Those options included a bombing strike carried out with a B-2 stealth bomber, a helicopter raid with U.S. special operations, and a raid carried out with the cooperation of the Pakistanis. The helicopter raid was ultimately chosen by President Obama. This cooperation between the military and the nation's intelligence community underscores how the U.S. is using secret, unilateral missions carried out by a militarized spy operation to fight terrorism. However, officials and experts believe that this strategy will not be used that often because no one in the government thought such a strategy was realistic in the past.




Hackers Steal Hotmail Messages Thanks to Web Flaw
IDG News Service (05/24/11) McMillan, Robert

Cybercriminals recently spent more than a week skimming email messages from Hotmail users' accounts through a programming glitch in Microsoft's Web site. Trend Micro says that hackers disseminated specially crafted email messages to several thousand victims. On May 12, Trend Micro found a message sent to a victim in Taiwan that resembled a Facebook notification alert. The Chinese-language email seemed to be advising victims that someone had hacked into their Facebook accounts from a new location, but it was actually a ploy. Concealed in the email message was a specially written script that forwarded the victim's email messages to the hacker. For the attack to be successful, the victim had to be logged into Hotmail, but the script would run even if the victim simply previewed the message. The attack worked because Microsoft shared a similar Web programming vulnerability, called a cross-site scripting flaw, on its Web site. "The script triggers a request that is sent to the Hotmail server," Trend Micro writes in an online post. It subsequently "sends all of the affected users email messages to a certain email address."


Homemade Cyberweapon Worries Federal Officials
Washington Times (05/24/11) Shaun, Waterman

Security researchers Dillon Beresford and Brian Meixell recently developed a cyber weapon similar to the Stuxnet computer worm that disrupted Iran's nuclear program computer systems last year. The researchers' ability to develop the program working at home on laptops has raised concerns at DHS, which has asked the researchers to cancel their planned presentation of the technology at a computer security conference next week. DHS officials are worried that if the researchers' method is made public, other hackers will replicate the malicious software and cripple federal computer controls. The software was tested on equipment made by Siemens, and while Beresford worked with DHS officials on ways to protect industrial computer programs, he says Siemens' officials have been slow to respond to the hole in their security systems. "They requested that I not share the data, but it was absolutely my decision to cancel," Beresford says. The researchers' work is alarming because experts initially believed that it would take significant resources and access to detailed information on the intended target to duplicate the Stuxnet worm and it increases fears about the proliferation of advanced cyber weapons.


U.S. International Cyberspace Policy Sounds Good; Will Be Hard to Implement
Network World (05/23/11) Greene, Tim

Although ambitious, some experts say the White House's recently issued International Strategy for Cyberspace could be difficult to deploy, as some of its objectives conflict and pose seemingly unbeatable technical challenges. The strategy has been touted by U.S. Secretary of State Hillary Rodham Clinton as a framework to devise, implement, and coordinate policies that address all cybersecurity issues. "As we work to achieve a cyberspace that is open, interoperable, secure, and reliable, there is no one-size-fits-all, straightforward route to that goal," Clinton says. However, some experts say the strategy's goals are conflicting. For example, the policy urges support for free expression and commerce through the Internet while also denying those benefits to criminals and terrorists, with the challenge being to distinguish citizens from criminals while maintaining online privacy. Participants at a recent cybersecurity and privacy protection panel at the Massachusetts Institute of Technology CIO Symposium stressed that the government should get more involved with safeguarding Web infrastructure. Security consultant Jeffrey Carr says that although the White House strategy calls for shielding critical infrastructure, U.S. statutes calling for such measures lack force. Another problem is that the ideal of unfettered Internet use is contradicted by the fact that governments usually do what is in their own best interest.


Stanford Computer Scientists Find Internet Security Flaw
Stanford Report (CA) (05/23/11) Fellet, Melissae

Stanford University researchers have found a security flaw in audio-based completely automated public Turing test to tell computers and humans apart (CAPTCHAs), which are designed to provide Internet security for the visually impaired. Audio CAPTCHAs require users to listen to a string of spoken letters or numbers disguised with background noise. However, Stanford professor John Mitchell and postdoctoral fellow Eli Bursztein developed Decaptcha, a program that can understand commercial audio CAPTCHAs used by Digg, eBay, Microsoft, Yahoo, and reCAPTCHA. During testing, Decaptcha was able to decode Microsoft's audio CAPTCHA about 50 percent of the time. In addition, it broke about one percent of reCAPTCHA's codes, and even this small a success rate can result in a major security breach for Web sites such as YouTube and Facebook, which get hundreds of millions of page views a day. Decaptcha can recognize the distinct sounds of each letter and number, and compares the sounds it hears in audio CAPTCHAs to those sounds stored in its memory. The researchers created four million audio CAPTCHAs mixed with white noise, echoes, or music, and found that music gave the computer systems the most trouble.


Senate Debates President's Power During Cyber-Attack
Washington Times (05/23/11) Waterman, Shaun

The Senate Homeland Security and Governmental Affairs Committee held a hearing on May 23 to discuss the cybersecurity proposal that the Obama administration recently submitted to Congress. The proposal uses the Communications Act of 1934, which gives the president the power to take over radio stations in the event of a national emergency, to grant the president the authority to protect vital computer and communication networks from cyberattacks. Sen. Susan Collins (R-Maine) criticized the approach, saying that the administration was relying on obsolete but potentially broad authorities granted to the president under the Communications Act. Collins also criticized the Obama administration for wanting to release security assessments for the nation's most important computer networks in order to pressure the private sector companies that own them into implementing better security. Meanwhile, Sen. Joe Lieberman (I-Conn.), the chairman of the committee, said that it would better if Congress passed a new law that dealt with the president's authority to respond to cyberattacks. Also appearing at the hearing was Phillip Reitinger, the Department of Homeland Security's undersecretary for infrastructure protection, who said that while the authority granted to the president under the 1934 Communications Act does not specifically deal with cyberattacks, the statute does nonetheless provide the president with the authority he needs to respond to such threats.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment