Friday, August 30, 2013

Security Management Weekly - August 30, 2013

Corporate Security
  1. "NSA Paying U.S. Companies for Access to Communications Networks"
  2. "Caught on Camera: How Video Surveillance Can Protect Your Business"
  3. "Facebook: Government Agents in 74 Countries Demanded Data on 38,000 Users So Far This Year"
  4. "New Michigan Law Makes Shoplifting a Crime That Results in Prison Time"
  5. "Three Apple Patents Being Reexamined by USPTO on Anonymous Requests" (USPTO: U.S. Patent and Trademark Office)

Homeland Security
  1. "Secret Budget Details U.S. Spy Operation" (National Intelligence Program)
  2. "DNI to Release Surveillance-Request Data" (DNI: Director of National Intelligence)
  3. "Pentagon Not Likely to Attack Syria's Chemical Weapons Depots"
  4. "NSA Broke UN Video-Conferencing Encryption, Eavesdropped on Deliberations"
  5. "Study: U.S. Nuclear Reactors Vulnerable to Terror Attack"

Cyber Security
  1. "Expect More Web Hacking if U.S. Strikes Syria: Cybersecurity Expert"
  2. "iOS and Android Weaknesses Allow Stealthy Pilfering of Website Credentials"
  3. "Napolitano Warns Large-Scale Cyberattack on U.S. is Inevitable"
  4. "Sept. 23 Deadline Looms for Business Compliance With HITECH Act on Patient Privacy" (HITECH: Health Information Technology for Economic and Clinical Health Act)
  5. "Popular Download Management Program Has Hidden DDoS Component, Researchers Say" (DDoS: Distributed Denial of Service)


NSA Paying U.S. Companies for Access to Communications Networks
Washington Post (08/30/13) Timberg, Craig; Gellman, Barton

The National Security Agency (NSA) is paying hundreds of millions of dollars a year to U.S. companies for secret access to their communications networks, targeting foreign enemies, but also sweeping large volumes of American phone calls, emails, and other communications. The majority of the spending goes to participants in a Corporate Partner Access Project for major U.S. telecommunications providers. The project calls for the NSA to tap into "high volume circuit and packet-switched networks," according to a spending blueprint for fiscal 2013, which showed that the program was expected to cost $278 million this year, down from $394 million in 2011. However, privacy advocates say the multimillion-dollar payments could create a profit motive to offer more than the required assistance. "It turns surveillance into a revenue stream, and that’s not the way it’s supposed to work," says Electronic Privacy Information Center executive director Marc Rotenberg.


Caught on Camera: How Video Surveillance Can Protect Your Business
Yahoo! Small Business Advisor (08/28/13) Heyden, Karine

Though there are obvious benefits to safeguarding business premises against intruders, theft, and vandalism after hours, there are also several ways in which video surveillance can help protect a business during the work day. Though some may think this approach is only suited to big business, small businesses are reaping the benefits of video surveillance. Not only can video surveillance help identify those coming and going during business hours, it can also be used after any unfortunate event inside the shop to help identify those involved. Images or descriptions captured by such surveillance can be sent to area police to help them identify suspected shoplifters or burglars in the area, which can lead to their capture. Video surveillance can also provide verification of information and evidence to help block fraudulent claims, as when a customer returned to a shop claiming to have left her purse and, when it was not produced, demanded the amount of money allegedly in it. The shop assistant was able to use the video surveillance tapes to show herself serving the customer, and the customer putting her goods and purse into the shopping bag. The customer left, but the shop assistant was able to provide stills from the video to the police to give to other area shops along with a report of the scam. Video surveillance also helps protect a business' clients and staff, as it helps monitor the area against potential passing threats such as muggers, and helps to protect staff against potential violence from clients or others who enter the store.


Facebook: Government Agents in 74 Countries Demanded Data on 38,000 Users So Far This Year
Associated Press (08/27/13)

Facebook revealed on August 27 that during the first half of 2013, government agents from 74 countries demanded that the company provide information on around 38,000 Facebook users, and nearly half of the orders were made by authorities in the United States. Like Google and Microsoft, the social-networking giant is beginning to release figures on how often governments seek information about its customers, and, as with those companies, it is hard to determine much from Facebook's data. The company has been criticized for helping the National Security Agency secretly collect data on customers, as it has turned over some data in response to around 60 percent of that agency's requests. The report did not make clear how many of the approximately 26,000 government requests on 38,000 users were for law-enforcement purposes and how many were for intelligence gathering, as the federal government forbids companies from revealing exact numbers. Colin Stretch, Facebook's general counsel, said in a blog post that "We fight many of these requests, pushing back when we find legal deficiencies and narrowing the scope of overly broad or vague requests. When we are required to comply with a particular request, we frequently share only basic user information, such as name." Facebook said that it plans to release what figures it can on a regular basis.


New Michigan Law Makes Shoplifting a Crime That Results in Prison Time
MLive.com (08/22/13) Deiters, Barton

In Michigan, the newly passed Organized Retail Crime Act, sponsored by Genesee County State Rep. Joseph Graves, has moved shoplifting from a misdemeanor to a felony punishable by up to five years in prison. In particular, the law targets those who steal goods with the express intent of reselling them. According to Grandville Police Department Sgt. Detective Renee Veldman, the statute has been a welcome addition to the tools used by law enforcement. The Michigan Retailers Association spearheaded getting the law passed in 2012 in order to fill a gap that existed between the petty thefts of single items and the more sophisticated criminals who are looking to make a profit, according to William Hallan, vice president for governmental affairs and general counsel. Hallan is on the Organized Retail Crime Advisory Board, which has been tasked by Gov. Rick Snyder to monitor the effectiveness of the new law over time. He warned that organized criminals often become more aggressive and would be even more willing to turn to violence.


Three Apple Patents Being Reexamined by USPTO on Anonymous Requests
Apple Insider (08/22/13) Campbell, Mikey

The U.S. Patent and Trademark Office has decided to comply with anonymous requests to reexamine a total of three Apple patents, all of which pertain to litigation with Samsung. The first two patents up for reexamination are iPhone design properties, one successfully used in the Apple v. Samsung court trial and another from Apple's recent win of an import ban from the U.S. International Trade Commission. The patent asserted before the ITC was unsuccessful there, though Apple still has a chance to reassert the property in an appeal. Apple's two design patents are nearly identical, each showing drawings of the original iPhone. The new questions of patentability are also similar, with the USPTO citing three Japanese patents as prior art references. The three patents were not taken into consideration when the USPTO first examined Apple's designs, which the anonymous requesting party now claims are obvious. "Each of the three [Japanese prior art] references include a rectangular front face having a rectangular screen, a border space around the screen, and an oblong shaped speaker opening above the screen," the USPTO notice states. The anonymous requester is combining the three Japanese patents with other references in an attempt to invalidate Apple's properties. The USPTO has yet to issue a first Office action to reject claims from either Apple patent. The third Apple patent is currently being asserted in separate cases against Samsung and Motorola.




Secret Budget Details U.S. Spy Operation
Washington Post (08/30/13) Gellman, Barton; Miller, Greg

The U.S. government's top-secret $52.6 billion "black budget" for fiscal 2013, obtained from former intelligence contractor Edward Snowden, maps a bureaucratic and operational landscape that has never been subject to public scrutiny. Although the government has annually released its overall level of intelligence spending since 2007, it has not divulged how it uses the money or how it performs against the goals set by the president and Congress. The 178-page budget summary for the National Intelligence Program details the successes, failures, and objectives of the 16 spy agencies that make up the U.S. intelligence community. The summary describes cutting-edge technologies, agent recruiting, and ongoing operations. While U.S. spy agencies have built an intelligence-gathering colossus since the attacks of Sept. 11, 2001, they remain unable to provide critical information to the president on a range of national security threats, according to the budget. The budget summary reveals that spending by the CIA has surged past that of every other spy agency, with $14.7 billion in requested funding for 2013. The figure vastly exceeds outside estimates and is nearly 50 percent above that of the National Security Agency, which conducts eavesdropping operations and has long been considered the behemoth of the community. Long before Snowden's leaks, the U.S. intelligence community worried about "anomalous behavior" by employees and contractors with access to classified material, according to the budget summary. The NSA planned to ward off a "potential insider compromise of sensitive information" by re-investigating at least 4,000 people this year who hold high-level security clearances.


DNI to Release Surveillance-Request Data
Politico (08/29/13) Romm, Tony

Amid rising backlash to the U.S. government's secret surveillance efforts, the Obama administration announced Thursday it would release aggregate data annually about its requests for phone call logs and Internet chats. The requests include those issued under the controversial Foreign Intelligence Surveillance Act as well as the government's use of National Security Letters. Director of National Intelligence James Clapper said in a statement that the yearly disclosures would include the government's "total number of orders issued during the prior 12-month period, and the number of targets affected by these orders." Meanwhile, Google and Microsoft have petitioned the Foreign Intelligence Surveillance Court to allow them to explain more about the access they give to the federal government. The court has granted six extensions to the Justice Department to enable it to negotiate with the companies. The latest 10-day deadline extension expires on Friday.


Pentagon Not Likely to Attack Syria's Chemical Weapons Depots
Homeland Security News Wire (08/28/13)

According to administration officials, the coming U.S. military strike against Syria, which could be launched as early as August 29, will aim not to change the regime, but to punish the use of chemical weapons and to "deter and degrade" the ability of the Assad regime to use chemical weapons in the future. The attack will not, however, be focused on chemical weapons storage sites, due to concerns that targeting these sites could release toxic clouds into the air, potentially creating an environmental and humanitarian disaster. An official said that while suspected chemical weapons depots are tempting targets, "Our interest is in keeping the chemical weapons secured. You hit a bunker that holds chemical weapons and all of a sudden you have chemical weapons loose." Israeli intelligence analysts disagree with this concern, as they are of the opinion that Assad's chemical depots can – and should – be attacked. According to Israel, not only do Western intelligence agencies know the locations of at least 90 percent of the Syrian chemical weapons bases, they also know that the components of the chemical weapons are stored separately and are only assembled when a strike order is given, so an attack on such a facility would not trigger a chemical reaction. It is not clear whether Israel will be able to change the U.S. viewpoint, but it is clear that if Assad retaliates against Israel following an American strike on Syria, Israel will not hesitate to attack these storage facilities.


NSA Broke UN Video-Conferencing Encryption, Eavesdropped on Deliberations
Homeland Security News Wire (08/26/13)

On Sunday, German newspaper Der Spiegel reported that secret documents from the National Security Agency (NSA) showed that in 2012, the agency broke the encryption used to secure the internal video conferencing at the New York headquarters of the United Nations. One of the documents cited in the report claimed that breaking the encryption allowed the agency to benefit from "a dramatic improvement of data from video teleconferences and the ability to decrypt this data traffic." According to the Spiegel report, following the European Union's U.S. delegation's move into new offices in New York in September 2012, the NSA began eavesdropping on the organization's headquarters in an operation codenamed "Apalachee." Within three weeks of breaking the encryption, the report noted, the NSA had increased the number of decrypted communications from twelve to 458, and later determined that the Chinese secret service was also eavesdropping on the UN.


Study: U.S. Nuclear Reactors Vulnerable to Terror Attack
Security Director News (08/20/13)

According to a new report from the Nuclear Proliferation Prevention Project at the University of Texas at Austin, which conducted a security assessment of the United States' 104 commercial nuclear-power reactors under contract for the Pentagon, the level of security at these plants is not adequate against large-scale, credible terrorist threats. The study noted that while some government nuclear facilities are properly protected, others are not, and called on the government to require all high-consequence nuclear targets to have sufficient protection. Study authors Lara Kirkham and Alan Kuperman noted that despite the fact that some nuclear-power plants are vulnerable to attack from the sea, they are not required to defend against such attacks. Three of the civilian research reactors fueled with weapons-grade uranium, the study said, will be using that material for another decade at least, but are not protected against a terrorist attack in the same way as military facilities holding the same material. Currently, the nation's civilian reactors are only required to prepare for smaller-scale attacks, though Kuperman noted that the government is not providing additional protection against a realistic 9/11-style attack. The report is available online at
http://blogs.utexas.edu/nppp/files/2013/08/NPPP-working-paper-1-2013-Aug-15.pdf





Expect More Web Hacking if U.S. Strikes Syria: Cybersecurity Expert
Los Angeles Times (CA) (08/28/13) Puzzanghera, Jim

Cybersecurity expert Adam Meyers, vice president of intelligence for CrowdStrike, said on Wednesday that the Syrian Electronic Army, a hacker group that has taken credit for outages on the websites of several news organizations, including the New York Times, will likely increase its hacking activity if military strikes against Syria are launched by the U.S. The group supports President Bashar Assad and wants to keep people from viewing any information about the Assad regime that it deems negative, and does so by launching hacking attacks on news and social media sites. Meyers commented that "They're gearing up to continue the campaign, and if the hammer starts to come down on the current regime, they're going to start desperately trying to provide positive messaging and negatively impact those speaking badly about the regime." The tactic known as spear phishing was used to obtain the user name and password of a sales partner at the Australian Internet company MelbourneIT, and from that access the hackers were able to prevent computers from reaching the New York Times website for large parts of Tuesday and into Wednesday.


iOS and Android Weaknesses Allow Stealthy Pilfering of Website Credentials
Ars Technica (08/27/13) Goodin, Dan

Microsoft and Indiana University researchers have found an architectural weakness in both the iOS and Android mobile operating systems that makes it possible for hackers to steal sensitive user data and login credentials for popular email and storage services. The researchers, in a paper to be presented at the ACM Special Interest Group on Security, Audit and Control's (SIGSAC) Computer and Communications Security Conference in November, found that both operating systems fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission. The same-origin policy is a basic security mechanism enforced by desktop browsers, but the protection is absent from many iOS and Android apps. The researchers demonstrated the threat by creating several hacks that carry out cross-site scripting and cross-site request forgery attacks. "The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app's Web content," says Indiana University professor XiaoFeng Wang. The researchers created a proof-of-concept app called Morbs that provides OS-level protection across all apps on an Android device. Morbs works by labeling each message with information about its origin that could make it easier for developers to specify and enforce security policies based on the sites where sensitive information originates.
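The origin check the abstract describes, shown in working form as an added example (this is illustrative code, not the researchers' Morbs implementation, and the hostnames, cookie value and policy grants are constructed for the demonstration): each piece of sensitive content is labelled with the origin it came from, a requester from the same scheme, host and port may read it, and any other origin is refused unless the policy explicitly grants it, which is the rule desktop browsers enforce and the article says many mobile apps lack.

```javascript
// Added example: origin-based access control for labelled data, in the
// spirit of the same-origin policy. Not the researchers' Morbs code.
// All URLs and the session value below are constructed for illustration.

// Normalise a URL to its origin (scheme + host + port, default port elided).
// Opaque or unparsable inputs yield "null", which never matches anything.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (err) {
    return 'null';
  }
}

// Two URLs share an origin only when scheme, host and port all agree.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== 'null' && oa === originOf(b);
}

// Attach the source origin to a cookie, token or document so that later
// access decisions can refer to where the data actually came from.
function labelMessage(payload, sourceUrl) {
  return { origin: originOf(sourceUrl), payload };
}

// Policy table: data origin -> Set of other origins explicitly allowed to
// read it. Anything not listed falls back to the plain same-origin rule.
class OriginPolicy {
  constructor() {
    this.grants = new Map();
  }

  grant(dataUrl, readerUrl) {
    const data = originOf(dataUrl);
    if (!this.grants.has(data)) this.grants.set(data, new Set());
    this.grants.get(data).add(originOf(readerUrl));
  }

  // May code running at requesterUrl read this labelled message?
  canRead(message, requesterUrl) {
    const requester = originOf(requesterUrl);
    if (requester === 'null' || message.origin === 'null') return false;
    if (requester === message.origin) return true;
    const allowed = this.grants.get(message.origin);
    return allowed !== undefined && allowed.has(requester);
  }
}

// Constructed scenario: a mail app's session cookie, and several readers.
function demo() {
  const policy = new OriginPolicy();
  const sessionCookie = labelMessage('session=constructed-value',
                                     'https://mail.example.com/inbox');
  // Explicit permission for one partner origin, as a developer might declare.
  policy.grant('https://mail.example.com', 'https://storage.example.com');

  return {
    ownApp: policy.canRead(sessionCookie, 'https://mail.example.com:443/compose'),
    otherSite: policy.canRead(sessionCookie, 'https://ads.example.net/track'),
    schemeDowngrade: policy.canRead(sessionCookie, 'http://mail.example.com/'),
    grantedPartner: policy.canRead(sessionCookie, 'https://storage.example.com/sync'),
    opaque: policy.canRead(sessionCookie, 'not a url'),
  };
}

console.log(demo());
```

The scheme-downgrade case is the one worth noting: `http://mail.example.com` and `https://mail.example.com` are different origins, so a check that compares only hostnames would let plaintext-loaded content read data that was set over TLS.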


Napolitano Warns Large-Scale Cyberattack on U.S. is Inevitable
The Hill (08/27/13) Yager, Jordy

Outgoing Homeland Security Secretary Janet Napolitano expects her successor to move quickly to strengthen U.S. cyberdefense. "Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society," Napolitano says. While terrorist threats to the country have not been eliminated, the ability for the United States to stop attacks rapidly increases with each uncovered plot. "For every attack we experience, every threat we face and every piece of intelligence we come across, we learn; we assess our preparations and capabilities; we make changes; we become more flexible in the actions we take; and we get stronger and more nimble," Napolitano says.


Sept. 23 Deadline Looms for Business Compliance With HITECH Act on Patient Privacy
Computerworld (08/26/13) Vijayan, Jaikumar

Organizations that handle healthcare data, including online storage vendors and cloud service providers, must comply with new security and privacy requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act by Sept. 23. The HITECH Act includes new breach notification standards and restrictions on the use and disclosure of protected health information. In addition, organizations must ensure that business associates and subcontractors are compliant with the privacy and security requirements of the Health Insurance Portability and Accountability Act. Covered entities also must provide updated patient privacy notices that describe patient data rights and how data can be used and shared. The new rules will hold business associates of healthcare providers, such as cloud service providers, directly responsible for protecting patient data, even if the vendor is only storing the data.


Popular Download Management Program Has Hidden DDoS Component, Researchers Say
IDG News Service (08/22/13) Constantin, Lucian

Newer versions of Orbit Downloader, a popular Windows program for downloading embedded media content and other file types, turn computers into bots and use them to launch distributed denial-of-service (DDoS) attacks, according to ESET. ESET researchers say that once it is downloaded from the program's official website, Orbit Downloader, beginning with version 4.1.1.14, silently downloads and uses a Dynamic Link Library component that has DDoS functionality. An encrypted configuration file containing a list of sites and Internet Protocol addresses to serve as targets for attacks is downloaded from the same site, ESET says. Once they found the DDoS component, the ESET researchers investigated junk programs installed by Orbit Downloader. "The developer [of Orbit Downloader], Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements," the researchers say, noting that the practice has become standard for free programs. However, they say, "what is unusual, though, is to see a popular utility containing additional code for performing denial-of-service attacks."


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD