Friday, June 03, 2011

Security Management Weekly - June 3, 2011

Corporate Security
  1. "Sony, Epsilon Back Security Efforts" Proposed Federal Data Breach Reporting Standards
  2. "NYC Hotel to Buy 'Panic Buttons' for Housekeepers"
  3. "Atlanta Fed Staffer Questions Value of PCI Guidelines" Payment Card Industry Data Security Standards
  4. "Rising Violence Shows Hospitals Should Boost Security, Experts Warn"
  5. "Lockheed Martin Suffers Massive Cyberattack"

Homeland Security
  1. "Pistole Emphasizes TSA Focus on Unknown Travelers, Cargo as High Risk"
  2. "Yemen's Chaos Is Good News for Al Qaeda"
  3. "DHS Intelligence Office Boosting Info Sharing, Standardizing Practices"
  4. "Top Court Rules for Former Attorney General" Lawsuit Over Use of Material Witness Warrants
  5. "Pentagon: Online Cyber Attacks Can Count as War"

Cyber Security
  1. "Gmail Hack Targeted White House"
  2. "Beijing Fires Back at Google" Gmail Security Breach
  3. "Google Mail Hack Blamed on China"
  4. "India Tightens Security Rules for Telecom Equipment"
  5. "Lockheed Cyberattack Exposes Flaws"

Sony, Epsilon Back Security Efforts
Wall Street Journal (06/03/11) Schatz, Amy

Officials from Sony and Epsilon Data Management, two companies that have suffered high-profile data security breaches recently, appeared at a House Energy and Commerce Committee hearing on Thursday to endorse efforts to develop a national standard for notifying consumers when hackers access their information. Under legislation proposed by a bipartisan group of lawmakers, companies would be required to inform customers about data breaches within a short period of time after they take place. There are currently no federal rules governing when companies must inform consumers about data breaches, with the exception of breaches involving electronic health records; however, most states already have such rules in place. In addition to endorsing national data breach notification standards, the officials from Sony and Epsilon also defended how they handled the disclosure of their breaches. Sony Network Entertainment International President Tim Schaaff said his company could not have informed consumers about the breach any earlier than it did because it first needed to learn more about the extent of the hack.


NYC Hotel to Buy 'Panic Buttons' for Housekeepers
Associated Press (06/01/11)

New York City's Pierre Hotel is promising to purchase "panic buttons" for its staff and begin sexual harassment training for all employees following the alleged sexual assault of a housekeeper on May 29. According to authorities, Mahmoud Abdel Salam Omar, a businessman and the former chairman of a large Egyptian bank, locked the housekeeper in a room at the hotel and sexually assaulted her. Omar has denied the charges against him. As a result of the alleged attack, housekeepers at The Pierre Hotel will now be given wireless devices to alert hotel management if they are assaulted. New York City's Sofitel Hotel, which was the scene of last month's alleged sexual assault of a housekeeper by former International Monetary Fund leader Dominique Strauss-Kahn, has also promised to issue the devices to its housekeepers. In addition, the New York Hotel and Motel Trades Council has said that it will push for the devices in its contract negotiations with 150 hotels in 2012. However, hotel security expert Anthony Roman said that panic buttons are not a panacea and that they come with their own set of complications. Roman said the devices must be small and inconspicuous so the attacker cannot remove them easily. They must also have a locating feature that works indoors so that security can find an employee in distress.


Atlanta Fed Staffer Questions Value of PCI Guidelines
Finextra (06/01/11)

The value of the Payment Card Industry Data Security Standard (PCI DSS) guidelines is being called into question by the Federal Reserve Bank of Atlanta's Cindy Merritt, who says that compliance with the guidelines is difficult, and of limited value, because U.S. payment cards primarily use magnetic-stripe technology. "As [card hacking] schemes become increasingly sophisticated ... these guidelines will likely be less and less effective—a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip and PIN card technology," Merritt says. She concedes that a U.S. transition to EMV would be costly and arduous, but with so many countries migrating to EMV, criminals are expected to focus on the United States, causing a spike in skimming-related losses. Last year Merritt's colleague Richard Oliver warned that U.S. dependence on mag-stripe cards threatens to isolate the country in a world that is increasingly moving to chip and PIN. However, traction for a U.S. chip and PIN migration appears to be increasing, with a retailer push and the Defense Department weighing the possibility of adding EMV-compliant prepaid payment capabilities to its ID card for military personnel and staff.
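Merritt's point about skimming rests on a property of the magnetic stripe: everything it carries is static, so a copy authorizes exactly as the original does, whereas a chip card produces a cryptogram tied to a transaction counter and a terminal nonce. The following added example (not code from the Atlanta Fed, the PCI council or any card network) contrasts the two issuer-side checks; the account number, card key, amounts, terminal values and the HMAC used as a stand-in for the real EMV application cryptogram are all constructed for the demo.

```python
"""Static magnetic-stripe track data versus a per-transaction cryptogram.

Added illustration; not code from the Atlanta Fed, PCI SSC or any card scheme.
The account number, card key, amounts and terminal values are constructed, and
the 'cryptogram' is an HMAC stand-in for the real EMV application cryptogram.
"""
import hashlib
import hmac
import re

# Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Constructed issuer records: PAN -> expiry and the per-card symmetric key
CARDS = {
    "4111111111111111": {"exp": "1312", "key": bytes.fromhex("00" * 15 + "01")},
}


def parse_track2(track: str) -> dict:
    """Split raw Track 2 data into its fields (raises on malformed input)."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not Track 2 data")
    return m.groupdict()


def magstripe_authorize(cards: dict, track: str) -> bool:
    """Swipe authorization: every field is static, so a skimmed copy passes too."""
    fields = parse_track2(track)
    card = cards.get(fields["pan"])
    return card is not None and card["exp"] == fields["exp"]


def chip_cryptogram(card_key: bytes, atc: int, amount: int, unpredictable: bytes) -> bytes:
    """What the chip returns: a MAC over the transaction counter, amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipIssuer:
    """Issuer-side verification that rejects replays and stale cryptograms."""

    def __init__(self, cards: dict):
        self.cards = cards
        self.last_atc = {pan: 0 for pan in cards}

    def authorize(self, pan: str, atc: int, amount: int,
                  unpredictable: bytes, cryptogram: bytes) -> bool:
        card = self.cards.get(pan)
        if card is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already consumed
        expected = chip_cryptogram(card["key"], atc, amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was not made for this transaction's data
        self.last_atc[pan] = atc
        return True


if __name__ == "__main__":
    skimmed = ";4111111111111111=13121011234567890?"  # constructed swipe capture
    print("first swipe:", magstripe_authorize(CARDS, skimmed))
    print("replayed swipe:", magstripe_authorize(CARDS, skimmed))  # still accepted

    issuer = ChipIssuer(CARDS)
    key = CARDS["4111111111111111"]["key"]
    nonce = bytes.fromhex("1a2b3c4d")  # terminal's unpredictable number
    arqc = chip_cryptogram(key, 1, 2500, nonce)
    print("chip transaction:", issuer.authorize("4111111111111111", 1, 2500, nonce, arqc))
    print("replayed cryptogram:", issuer.authorize("4111111111111111", 1, 2500, nonce, arqc))
    print("old cryptogram, new terminal nonce:",
          issuer.authorize("4111111111111111", 2, 2500, bytes.fromhex("9e8d7c6b"), arqc))
```

The swipe path has nothing to bind the data to a moment in time, which is why PCI's controls focus on keeping track data from being captured at all; the chip path makes a captured cryptogram worthless after one use, which is the risk-mitigation alternative Merritt is pointing at.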


Rising Violence Shows Hospitals Should Boost Security, Experts Warn
Los Angeles Times (05/31/11) Shrieves, Linda

Violence at U.S. hospitals is on the rise. According to the Joint Commission, a non-profit organization that is responsible for the accreditation of U.S. hospitals, there have been 256 assaults, rapes, or homicides at hospitals and health-care facilities since 1995, 110 of which have taken place since 2007. Among the most recent cases of violence was the May 26 murder of a doctor at an Orlando hospital. The murder is believed to have been carried out by a disgruntled patient who subsequently killed himself. Healthcare security consultant Russell Colling says that security needs to be improved at hospitals in order to prevent acts of violence. One thing that can be done to improve hospital security, Colling said, is to more closely monitor visitors. In addition, visitors should be given a temporary badge, asked to provide a photograph, and undergo a brief background check. However, some say that it can be difficult to identify suspicious visitors because hospitals receive so many visitors each day. As a result, many security experts say that the best way to improve security at hospitals is to educate employees about when a patient's behavior may become violent, and to educate them to inform security if they believe that they are in danger.


Lockheed Martin Suffers Massive Cyberattack
InformationWeek (05/31/11) Schwartz, Matthew

The defense firm Lockheed Martin reports that it suffered a "significant and tenacious attack" on its network, and the hackers responsible for breaking into RSA Security in March are suspected of having carried it out. Lockheed Martin says its computer security team took "aggressive actions to protect all systems and data," that its systems remained secure, and that no customer, program, or employee data was compromised. The company says it is keeping the relevant U.S. government agencies informed about the situation and is working "round the clock to restore employee access to the network." Hackers reportedly exploited Lockheed's VPN access system, which allows employees to log in remotely using their RSA SecurID hardware tokens. The attackers apparently possessed the seeds (the factory-encoded random keys) used by at least some of Lockheed's SecurID fobs, as well as the fobs' serial numbers and the algorithm the devices use to generate codes. That suggests that whoever attacked Lockheed Martin may also have been behind the successful breach in March of EMC's RSA division, which manufactures SecurID. Lockheed Martin's swift detection of the attack appears to have helped avert a potential disaster. "The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it," says security blogger Robert Cringely, aka Mark Stephens, who broke news of the attack. "A breach like this is very subtle and not easy to spot."




Pistole Emphasizes TSA Focus on Unknown Travelers, Cargo as High Risk
Homeland Security Today (06/03/11) McCarter, Mickey

Transportation Security Administration (TSA) chief John Pistole discussed a variety of topics during his testimony before the House Homeland Security Transportation Security Subcommittee on Thursday, including his agency's plan to create a trusted traveler program. Under such a program, TSA would use extra information airline passengers provide about themselves and their travel habits to determine whether or not they need to go through additional security screening. The trusted traveler program will first include pilots working for U.S. airlines. TSA is currently developing methods for identity-based screening of pilots under the Crew Personnel Advanced Screening System; after it is tested on pilots, the system will be expanded to include flight attendants, Pistole said. Pistole also discussed the intelligence gathered during the raid on Osama bin Laden's compound in Pakistan last month, which showed that al-Qaida was interested in attacking the U.S. rail system. Pistole noted that while the security measures used to protect the aviation sector may not be practical for the rail system, the TSA would work to prevent terrorist attacks on trains by deploying more uniformed officers, canine teams, and closed-circuit television surveillance systems.


Yemen's Chaos Is Good News for Al Qaeda
Los Angeles Times (06/03/11) Dilanian, Ken

Current and former U.S. officials say that the growing violence in Yemen could spell trouble for American counterterrorism efforts in the country. One reason why the violence could hurt U.S. counterterrorism efforts is the fact that the Yemeni forces that are charged with going after Islamic militants are now focused on protecting Yemeni President Ali Abdullah Saleh's regime. As a result, the U.S. has lost support for its spying and special military operations in Yemen. In addition, the violence has given al-Qaida in the Arabian Peninsula the chance to recruit new members and plot attacks, the officials noted. Christopher Boucek, a Yemen expert at the Washington, D.C.-based Carnegie Endowment for International Peace, said that al-Qaida is taking advantage of the increasing amount of ungoverned territory in Yemen to plot and plan attacks, train terrorists, and mount operations. However, Edmund Hull, who served as the U.S.'s ambassador to Yemen from 2001 to 2004, said that al-Qaida does not need to control Yemeni territory to plan attacks. He added that the group is instead trying to create a safe haven in Yemen like it had in Afghanistan before the Taliban was removed from power. Hull noted that the U.S.'s best option for reversing the situation in Yemen is to hasten Saleh's removal from power. The longer Saleh remains in power, Hull said, the more ungoverned territory al-Qaida will be able to occupy.


DHS Intelligence Office Boosting Info Sharing, Standardizing Practices
Homeland Security Today (06/02/11) McCarter, Mickey

Caryn Wagner, the Department of Homeland Security's undersecretary of intelligence and analysis, testified before the House Homeland Security Subcommittee on Counterterrorism and Intelligence on Wednesday about the ongoing effort to analyze information found in last month's raid on Osama bin Laden's compound. As part of that effort, DHS has added more analysts to its Terrorism Task Force, Wagner said. Meanwhile, DHS' Office of Intelligence and Analysis is sharing information gathered in the raid with state and local law enforcement agencies. DHS and the FBI have already used the intelligence gathered in the raid to issue a dozen joint intelligence bulletins dealing with specific sectors or regions that may be targeted. In addition, the Office of Intelligence and Analysis has been providing state and local fusion centers with personnel, training, and resources that have allowed these centers to improve their situational awareness and intelligence products, Wagner said. Finally, Wagner noted that fusion centers have been actively participating in the "See Something, Say Something" campaign, which urges citizens to report suspicious activity.


Top Court Rules for Former Attorney General
Wall Street Journal (06/01/11) Bravin, Jess

The U.S. Supreme Court has dismissed a lawsuit claiming that former Attorney General John Ashcroft abused his authority to use material witness warrants following the Sept. 11 terrorist attacks. The lawsuit, brought by former University of Idaho football player Abdullah al-Kidd, claimed that Ashcroft told officials at the Justice Department to use the warrants to lock up terrorism suspects when there was no probable cause to arrest them under traditional warrants. A material witness warrant was used to arrest al-Kidd, who had come to the attention of government officials during an investigation into possible terrorist activity, in March 2003 because officials believed that his testimony was vital to the prosecution of a Saudi graduate student at the University of Idaho who had been accused of visa fraud and other crimes. After being arrested, al-Kidd was kept in custody for more than two weeks and was placed on supervised release for 14 months, though he was never called to testify against the Saudi graduate student. In the majority opinion written by Justice Antonin Scalia, the Supreme Court said that Ashcroft could not be sued by al-Kidd because at the time of al-Kidd's arrest, the courts had not yet clearly established that using a material witness warrant as a substitute for a traditional warrant to arrest a terrorism suspect violated the Constitution's prohibition on unreasonable searches and seizures.


Pentagon: Online Cyber Attacks Can Count as War
Wall Street Journal (05/31/11) Gorman, Siobhan

The Pentagon has concluded for the first time that computer sabotage coming from another country can constitute an act of war, a finding that would allow the United States to retaliate with conventional forces. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," says a military official. The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public in early June, represents an early attempt to address an environment in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways, or pipelines as a hostile country's military. Recent attacks on the Pentagon's own systems have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks, and Lockheed Martin, a major military contractor, has just acknowledged that it was the victim of an infiltration. The cyber strategy will stress the importance of synchronizing U.S. cyber-war doctrine with that of its allies, and will set out principles for new security policies. Pentagon officials believe the most sophisticated computer attacks require the resources of a government, reasoning that the weapons needed for a major technological assault, such as taking down a power grid, would likely have been developed with state support. Military planners believe the best way to deter major attacks is to hold countries that build cyber weapons responsible for their use.




Gmail Hack Targeted White House
Wall Street Journal (06/03/11) Barrett, Devlin; Gorman, Siobhan

A U.S. official says that White House employees were targeted in the recent Gmail security breach. In that attack, individuals based in China used phishing e-mails to trick hundreds of Gmail users into providing their passwords so that the attackers could read their e-mail. According to lawmakers and security experts, the hackers may have targeted the White House employees because they believed the employees were using personal Gmail accounts to conduct administration business. White House officials, regardless of which administration they work for, have a history of using personal e-mail accounts for administration business so that they do not have to turn those messages over to congressional investigators, release them in response to a Freedom of Information Act request, or keep them for the historical archives. However, the Obama administration has said that no official messages were compromised during the breach. In addition to reading the e-mails of the White House officials, the hackers may also have been trying to break into the Gmail accounts in order to penetrate the officials' home computers, which in turn would have given them access to communications with the White House, said former homeland security official Stewart Baker. The FBI and the Department of Homeland Security are continuing to investigate the breach. It remains unclear which White House officials were affected.


Beijing Fires Back at Google
Wall Street Journal (06/03/11) Areddy, James T.

Google continues to blame China for a series of cyberattacks that attempted to access the Gmail accounts of users including Chinese human rights activists and U.S. government officials. According to Google, the latest of these attacks originated in Jinan, a city in Shandong province; phishing e-mails from that area were sent to Gmail users in an attempt to take over their accounts. Google did not specifically accuse the Chinese government of involvement, though the company pointed out that Jinan is home to the headquarters of one of the People's Liberation Army's (PLA) military commands and technical reconnaissance bureaus. The Chinese government denies involvement in the attack. However, it has recently acknowledged the existence of an Internet information office designed to strengthen regulation of the Web, as well as a long-rumored military unit devoted to cyberspace. Whether the government was involved or not, tensions between Google and China have continued to escalate over these types of attacks. Google has moved its mainland Chinese search service to Hong Kong and now refuses to censor search results, leaving that task to government Internet filters. While China says that its users are often victimized by cyberattacks, a report from Symantec found that 28.2 percent of the phishing attacks that Google users encountered in 2010 originated from computers in China. It also found that many of those attacks were designed to look like they came from other countries.


Google Mail Hack Blamed on China
Wall Street Journal (06/02/11) Efrati, Amir; Gorman, Siobhan

Google has revealed that the Gmail accounts of hundreds of prominent individuals, including some senior U.S. officials, were targeted by a phishing attack that appears to have originated in China. According to Google and independent researcher Mila Parkour, who wrote a blog post about the attack in February, the victims (government and military officials, Asian officials, Chinese activists, and journalists) received e-mails that seemed to come from their contacts or from State Department or Defense Department employees. These e-mails contained links to a fraudulent Gmail page in which victims were asked to enter their passwords. The individuals behind the attack were then able to access the victims' Gmail accounts so that they could read and forward their e-mail. Google has not said who was victimized by the attack, which is believed to have begun more than a year ago, though Parkour noted that all of the targeted individuals worked on defense, political affairs, or national security issues, or were defense or military personnel. While Google did not say that the Chinese government was involved in the attack, iSEC Partners Chief Technology Officer Alex Stamos said that the attack's targets were people who would be of interest only to the Chinese government.
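The lure described above relies on a link that reads as Gmail but resolves to a look-alike host. The following added example (not code from Google or the researchers the article cites) pulls the anchors out of an HTML message and flags the three tells such a link usually carries: a brand name inside an untrusted host, userinfo before an "@" that hides the real host, and visible link text whose domain differs from the href. The trusted-domain list, the sample message and the host "login-update.example" are all constructed for the demo.

```python
"""Spotting the lure pattern above: links that read as Gmail but resolve elsewhere.

Added example; not code from Google or the researchers the article cites. The
trusted-domain list and the sample message are constructed for the demo, and
'login-update.example' is a made-up look-alike host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"google.com", "gmail.com"}  # assumption: where real Gmail logins live
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable(host: str) -> str:
    """Crude registrable-domain cut: last two labels ('mail.google.com' -> 'google.com')."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> list:
    """Return (href, reason) for every link showing a credential-lure tell."""
    parser = _Links()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = url.hostname or ""
        reasons = []
        if url.username is not None:
            reasons.append("userinfo before '@' hides the real host")
        if host and "google" in host and registrable(host) not in TRUSTED_DOMAINS:
            reasons.append(f"brand name in untrusted host {host}")
        if LOOKS_LIKE_URL.match(text):
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed lure in the style the article describes (not a real message)
SAMPLE_MAIL = """
<p>Please review the attached State Department document:</p>
<a href="http://mail.google.com.login-update.example/ServiceLogin">https://mail.google.com/</a><br>
<a href="https://docs.google.com/document/d/abc123">shared document</a><br>
<a href="https://accounts.google.com@198.51.100.7/signin">Sign in</a>
"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_MAIL):
        print(f"{href}\n    {why}")
```

The registrable-domain cut is deliberately crude (it treats "co.uk" as a domain); a production filter would use the public suffix list, but the three checks are the ones that catch this particular lure regardless of how the fake page is hosted.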


India Tightens Security Rules for Telecom Equipment
Wall Street Journal (06/01/11) Krishna, R. Jai

India's Department of Telecommunications (DOT) has announced that telecom providers will be fined up to $11.1 million for any security breaches of their data. In order to prevent such breaches, telecom companies have been asked to submit prevention policies to the DOT within 30 working days. The new regulations also say companies may only import equipment certified by Indian or international standards until March 31, 2013. After that time equipment will need to be certified by Indian labs. Additionally, telecom operators are now required to hire only Indians as chief technical officers, chief information officers, and nodal executives in charge of security networks. Finally, the regulations require telecom companies to create monitoring facilities and inform the DOT within the next 12 months about the establishment of those facilities while phone companies will be required to keep all call and data records for 12 months and give the DOT access to those files.


Lockheed Cyberattack Exposes Flaws
Financial Times (05/31/11) Menn, Joseph

The hacking attack against U.S. defense contractor Lockheed Martin suggests that government and private efforts to protect military secrets are struggling with cybersecurity. Lockheed did not confirm that the raid on its data built on the March breach at RSA, the company that provides the tokens authorizing remote computer access at Lockheed and many other companies and agencies, but many analysts said that it was likely, because one of Lockheed's first acts had been to disable remote logins. Analysts were troubled that Lockheed, like others in the defense industry, had already acted to make itself less dependent on the rapidly changing numeric passwords the RSA tokens produce, and was breached anyway. The RSA breach began with e-mails sent to its staff carrying an attachment that contained a hidden remote-access program exploiting a security flaw in Adobe's Flash software. Without saying exactly what had been taken, RSA warned that the stolen information could be used in future attacks on its SecurID token customers. Analysts said it appeared the hackers had obtained the "seed" numbers used to generate the passwords; combined with the administrative records customers keep associating each token with a specific employee, the passwords could be duplicated. Not long after the RSA attack, the National Security Agency declared that the tokens should no longer be deemed sufficient on their own to grant access to "critical infrastructure." Defense contractors including Lockheed began requiring employees to enter an additional personal password. The breach suggests that the extra passwords were not sufficient to repel the hackers, a troubling sign for remote-access systems in defense and other industries.
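Both Lockheed items in this issue turn on the same dependency: a SecurID code is a function of the token's seed, the current time step and the algorithm, so whoever holds the vendor's serial-to-seed records plus the customer's serial-to-employee inventory can compute the same code the fob displays. The following added example (not RSA's, Lockheed Martin's or the articles' code) shows that computation and the authentication server accepting the cloned code. The real SecurID algorithm is proprietary, so a generic HMAC time-step OTP of the RFC 4226/6238 kind stands in for it; the seeds, serial numbers, employee mapping and timestamps are constructed for the demo.

```python
"""Why a stolen seed database breaks a hardware OTP token.

Added illustration, not code from RSA, Lockheed Martin or the articles above.
The real SecurID algorithm is proprietary; a generic HMAC time-step OTP
(RFC 4226 truncation over a time counter) stands in for it here. That is enough
to show the dependency: seed + serial-to-user mapping + algorithm = the fob.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # SecurID fobs rotate every 60 s; many TOTP apps use 30 s


def token_code(seed: bytes, epoch_seconds: int, digits: int = 6) -> str:
    """Code a token with this seed displays at this moment (HOTP truncation)."""
    counter = epoch_seconds // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


# Constructed sample data: what the manufacturer holds (serial -> seed) ...
VENDOR_SEED_DB = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
    "000987654321": bytes.fromhex("deadbeefcafebabe0102030405060708090a0b0c"),
}
# ... and what the customer holds (serial -> employee), from its token inventory.
CUSTOMER_TOKEN_MAP = {
    "000123456789": "alice",
    "000987654321": "bob",
}


def clone_codes(stolen_seeds: dict, customer_map: dict, epoch_seconds: int) -> dict:
    """Attacker's view: with both databases, compute the current code per user."""
    return {
        user: token_code(stolen_seeds[serial], epoch_seconds)
        for serial, user in customer_map.items()
        if serial in stolen_seeds
    }


def server_verify(seed: bytes, submitted: str, epoch_seconds: int, window: int = 1) -> bool:
    """Authentication server: accept the code for the current step +/- window steps."""
    for drift in range(-window, window + 1):
        expected = token_code(seed, epoch_seconds + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = 1306800000  # fixed timestamp (31 May 2011) so the run is reproducible
    attacker_codes = clone_codes(VENDOR_SEED_DB, CUSTOMER_TOKEN_MAP, now)
    for user, code in attacker_codes.items():
        serial = next(s for s, u in CUSTOMER_TOKEN_MAP.items() if u == user)
        accepted = server_verify(VENDOR_SEED_DB[serial], code, now)
        print(f"{user}: cloned code {code} accepted by server: {accepted}")
    # What remains between the attacker and the VPN is the extra PIN or
    # password; the FT piece reports that even that was not enough at Lockheed.
```

Two practical consequences follow from the model: once seeds leak, the tokens must be reissued, because no server-side setting changes the seed a fob was manufactured with; and a second factor added on top (the extra personal password the contractors introduced) only helps for as long as it is not captured alongside the cloned code.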


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD

