Friday, September 27, 2013

Security Management Weekly - September 27, 2013

September 27, 2013
 
 
Corporate Security
  1. "Navy Yard Shooting Leads to Contract Shake-Up"
  2. "Crafting a Comprehensive Workplace Violence Policy: ASIS Session Covers Active Shooter Trends"
  3. "Officials Expect Tighter Security After Mall Attack in Kenya"
  4. "Man Accused of Plot to Shoot Up Salt Lake Mall" Utah
  5. "Getting the Goods" Cargo Theft

Homeland Security
  1. "Somali Militants Tap Global Recruiting Network"
  2. "Navy Yard Shooter Aaron Alexis Driven by Delusions"
  3. "NSA: Surveillance Court Says No Upper Limit on Phone Records Collection"
  4. "Kenya Begins Clearing Besieged Shopping Mall"
  5. "Pentagon Says Navy Yard Shooter Lied in Screening"

Cyber Security
  1. "ASIS 2013: Staying Safe as a Business Traveler" Security of Data on Mobile Devices
  2. "Data Broker Giants Hacked by ID Theft Service"
  3. "Research Shows IT Blocking Applications Based on Popularity Not Risk"
  4. "Senate Working on Counterpart to CISPA Cybersecurity Bill" Cyber Intelligence Sharing and Protection Act
  5. "'Watering Holes' Join Java as a Major Threat to Corporate Security, Says F-Secure"


Navy Yard Shooting Leads to Contract Shake-Up
Wall Street Journal (09/26/13) Nissenbaum, Dion; Barrett, Devlin

Hewlett-Packard (HP) terminated its contract with The Experts, an IT subcontractor and former employer of Washington Navy Yard gunman Aaron Alexis, on Sept. 25. HP said its decision was based on The Experts' failure to address Alexis' serious mental health issues. Police reports indicate that Alexis reported hearing voices and experiencing delusions while contracting for The Experts at a Navy base in Rhode Island. Instead of insisting that Alexis seek treatment after the incident, The Experts gave him a few days off and then sent him on to the Washington Navy Yard, an action that HP said "failed to meet [its] expectations of its subcontractors." The Experts has responded to HP's criticism, saying it had no more information about Alexis' mental health than HP itself, and pointing out that an HP site manager had closely supervised Alexis while he was in Rhode Island.


Crafting a Comprehensive Workplace Violence Policy: ASIS Session Covers Active Shooter Trends
SecurityInfoWatch.com (09/25/13) Griffin, Joel

In his Sept. 24 speech at the ASIS 2013 conference, Andre Simmons, a unit chief for one of the FBI's behavioral analysis units, discussed warning signs for employees who may be prone to workplace violence and how companies can prevent and prepare for potential violence. “You have to keep an open mind about evaluating the potential threat,” he explained, referring to the need for security managers to not simply focus on the potential threat from firearms but to take into consideration the entire threat landscape. Simmons also gave a list of possible "triggers" for violent attacks which can include a problem related to an intimate relationship in a workplace or campus setting; retaliation for a perceived slight; refusal of sexual advances; academic or professional stress or failure; sexual violence; or an overflow of domestic violence into the workplace. He also warned that many potential shooters may seem quiet and polite until the attack. However, employers can prevent violence by training management to be aware of domestic violence in particular, including how to recognize signs of abuse or abusers, and implementing workplace violence prevention education, said Forest Advisors Senior Vice President Pam Paziotopoulos. Companies may additionally be well served by assembling workplace threat assessment teams, with representatives from security, human resources, union organizations, and other stakeholders, Paziotopoulos said.


Officials Expect Tighter Security After Mall Attack in Kenya
Post-Bulletin (MN) (09/25/13) Fate, Kay

Experts predict that following the deadly attack on a mall in Nairobi, Kenya, other malls worldwide will increase their security measures. However, International Council of Shopping Centers spokesman Malachy Kavanagh said that most malls will not go into details on their improved security measures. Kim Bradley, manager of Rochester, Minn.'s Apache Mall, agreed and said that the mall does not discuss its public safety measures because doing so would compromise those security measures. However, she did say that the mall has a customized public safety program that entails different measures for various types of potential security risks. She noted that while some of the mall's security measures would be visible, like the trained security team or the mall's relationship with local law enforcement, there will definitely be other measures that will not be as visible. Kavanagh also commented that following the Kenya attack, he believes the U.S. Department of Homeland Security will get in contact with corporate security heads at all U.S. malls, and that there will be increased coordination between malls and local police departments.


Man Accused of Plot to Shoot Up Salt Lake Mall
Associated Press (09/24/13) Foy, Paul

Jail records show that Jack H. Stiles was booked into the Salt Lake County, Utah, jail on Sept. 23, where he remains on $1 million bail, after being accused of plotting an attack at the City Creek outdoor shopping center in Salt Lake City. Utah police first learned of Stiles' plan on Aug. 12, after Stiles told a crisis counselor at the hospital where he was being treated that he was preparing to "kill as many people as possible" on Sept. 25, the anniversary of his mother's death. Charging documents do not say why Stiles was at the hospital, why he wanted to commit the shooting, if he offered a reason, or why the anniversary was a motivating factor for his planned actions. According to court documents, Stiles planned to buy two guns with silencers and carry five extra ammunition magazines when he committed the attack. He also allegedly planned to open fire at the shopping center, at a movie theater across town, and to wire a bomb to the undercarriage of a transit bus. Investigators noted that while they were not able to say if Stiles was capable of carrying out his plan, they took the threat seriously. Prosecutor Sim Gill noted that Stiles may suffer from a mental disorder.


Getting the Goods
Security Management (09/13) Vol. 57, No. 9, P. 78 Chapa, Lilly

FreightWatch International Supply Chain Intelligence Center's 2013 Global Cargo Theft Assessment detailed statistics on cargo theft based on data FreightWatch collected, as well as data from law enforcement and industry reports. The report's raw numbers indicated that the U.S. and Russia were the two countries most at risk for cargo theft. When looking at the techniques used by thieves, as well as the goods they targeted, the annual report showed wide variations by country, which were also found in the governmental and law enforcement responses to cargo thefts. J.J. Coughlin, the chairman of the Southwest Transportation Security Council, noted that government and law enforcement response to the problem of cargo theft is often underwhelming as they struggle with lack of education and resources, as well as legal technicalities, sparse reporting, and a lack of specific statutes. In the absence of full law enforcement engagement, the industry has built its own response network in the U.S., including eight regional cargo security councils which focus on educating law enforcement officials and corporations on trends in cargo theft. There are steps companies can take to reduce their risk of cargo theft, says security consultant Jim McGuffey, including conducting background checks on anyone scheduled to come into contact with cargo during the distribution process, training staff in basic security procedures, and implementing and following policies for maximizing cargo security.




Somali Militants Tap Global Recruiting Network
Wall Street Journal (09/27/13) Wonacott, Peter

Al-Shabaab is carrying out a worldwide recruitment effort in order to bring in new militants to replace those who die in attacks or decide to leave the group. The recruitment efforts involve a number of different methods, including the use of videos for people who are curious about the al-Qaida-allied group or small financial rewards for poor recruits. However, al-Shabaab also forces some men to join its ranks, threatening them and their families with physical violence if they refuse. Most al-Shabaab recruits from outside of Somalia come from the Somali refugee camps in Kenya, as well as Somali enclaves near Nairobi and slums for impoverished Kenyans. But the Somali diaspora in the U.S. has also been a source of new recruits for al-Shabaab. Federal authorities in Minnesota, which has the nation's largest population of Somalis, recently discovered videos that glamorize the conflict in Somalia in an attempt to encourage people to join al-Shabaab. The FBI has already been investigating a number of people who have left Minnesota to join up with al-Shabaab. At least one Briton may have also joined al-Shabaab in the last several years, authorities say. The global scope of al-Shabaab's recruitment efforts was evident during the recent Nairobi mall attack, which was carried out by militants from several different countries, possibly including the U.S. and the U.K.


Navy Yard Shooter Aaron Alexis Driven by Delusions
Washington Post (09/26/13) Hermann, Peter; Marimow, Ann E.

The FBI said Sept. 25 that clues about the mental state and motivations of Washington Navy Yard gunman Aaron Alexis were found in his electronic documents and on inscriptions made on the shotgun used during the shooting rampage on Sept. 16. The FBI said Alexis was delusional and thought he was being controlled by low-frequency electromagnetic radio waves for a three-month period. Alexis wrote in one of the documents that the radio-wave "attacks" drove him to carry out the shooting rampage, though officials say that there were other triggers for the rampage as well. Other information from Alexis' electronic devices suggested that he was "prepared to die during the attack and that he accepted death as the inevitable consequence of his actions." In addition, a gun used by Alexis during the rampage had the words "My ELF weapon!" scratched into it, which may also have been a reference to the low-frequency electromagnetic attacks Alexis believed he was being subjected to. Valerie Parlave, the assistant director in charge of the FBI's Washington Field Office, told reporters that investigators were still working to fully understand Alexis' "pathway to violence," noting that while he had a performance issue at work that was addressed Sept. 13 there is no indication that Alexis had targeted "anyone he worked for or worked with."


NSA: Surveillance Court Says No Upper Limit on Phone Records Collection
IDG News Service (09/26/13) Gross, Grant

The U.S. Foreign Intelligence Surveillance Court (FISC) has not placed any limits on the amount of telephone records the National Security Agency (NSA) can collect, said NSA Director Gen. Keith Alexander on Sept. 26. According to his testimony before the Senate Select Committee on Intelligence, the NSA's ultimate goal is to collect as many records as possible and put them in a searchable "lock box." However, while the NSA does intend to collect call metadata, it does not hope to keep mobile phone location data, Alexander says. In any case, the agency would need explicit permission from FISC and Congress before it could do so. Despite Alexander's assurances, not all members of Congress are convinced of the NSA's sincerity. Sen. Ron Wyden (D-Ore.) says the intelligence community has only itself to blame if the public does not trust it. "The leadership of your agencies built an intelligence collection system that repeatedly deceived the American people. Time and time again, the American people were told one thing about domestic surveillance in public forums, while government agencies did something else in private," Wyden argues.


Kenya Begins Clearing Besieged Shopping Mall
Wall Street Journal (09/25/13) Vogt, Heidi; Bariyo, Nicholas; Gorman, Siobhan

Kenyan soldiers launched a massive assault on the Westgate mall in Nairobi, Kenya, on Tuesday night, bringing an end to the four-day standoff with al-Shabab militants who had attacked the shopping center and had taken a number of shoppers hostage. The troops sought to bring an end to the siege by firing rocket-propelled grenades at the militants, though in doing so they triggered explosives that al-Shabab had placed inside the mall. The resulting explosion caused three of the mall's floors to collapse, which means that anyone inside the building likely did not survive, a Kenyan Defense Forces official said. Five militants were killed in the assault on the mall. Kenyan officials also have 11 other militants in custody. Authorities are trying to determine whether any of those 11 individuals or any of the other militants who carried out the attack are from the U.S. or the U.K. as has been reported. So far there is no evidence that any Americans were involved in the attack. Meanwhile, some security analysts say that al-Shabab--which says it carried out the attack on the mall in retaliation for Kenya's involvement in peacekeeping operations in Somalia--might have had the help of al-Qaida in carrying out the assault. The attack was so large in size, they say, that al-Shabab would have needed al-Qaida to provide it with recruits, funding, and logistical help.


Pentagon Says Navy Yard Shooter Lied in Screening
Wall Street Journal (09/24/13) Nissenbaum, Dion

The Pentagon released documents on Sept. 23 showing that the suspect in last week's Washington Navy Yard shooting lied during his security screening process. The suspect, Aaron Alexis, initially underwent background checks for a security clearance when he joined the Navy reservists in 2007. According to the documents, Alexis did not disclose information about a 2004 arrest in Seattle in which he had been charged with shooting out the tires on a car following a dispute. Investigators turned up the arrest anyway, but Alexis still did not disclose that he had used a gun, saying instead that he had "deflated" the car's tires. Investigators requested more information on Alexis but were denied access by the Seattle Police Department. Despite failing to uncover the full truth of Alexis' past, the U.S. Office of Personnel Management concluded that the contractor performing the background check, US Investigation Services (USIS), did its duty in this case. The Pentagon, meanwhile, has asked the OPM to include all available arrest records in reports for all security clearances in order to prevent similar incidents in the future. That change would not have made a difference in the case of Alexis, since OPM was unable to obtain records about his arrest in Seattle from law enforcement officials there.




ASIS 2013: Staying Safe as a Business Traveler
SecurityInfoWatch.com (09/26/13) Griffin, Joel

Speaking at a Sept. 25 session at ASIS 2013, Ron Lander, chief specialist at the technology consulting firm Ultrasafe Security Specialists, and independent security consultant Matt Antkowiak called on business travelers to make changes to ensure better data security while they are on the road. Mobile devices are particularly vulnerable, they maintain, so travelers should at least have a password to prevent unauthorized access. These passwords should not be any easier to guess than those on other computers or devices, they warn. They also encouraged travelers to avoid letting someone borrow their charger since devices can be used to extract data from chargers. While travelers should be careful at all times, airports require particular caution, they said. In general, Lander recommends turning off GPS or Bluetooth systems when not in use, not leaving mobile devices unattended, updating all operating systems and firmware, and using the latest anti-virus software.


Data Broker Giants Hacked by ID Theft Service
Krebs on Security (09/25/13) Krebs, Brian

A seven-month investigation by KrebsOnSecurity has found that the identity theft service ssndob[dot]ms (SSNDOB) has infiltrated the internal systems of several large data brokers in the United States. The investigation found that SSNDOB used a well-disguised botnet to control at least five infected systems at different U.S.-based business and consumer data aggregators, including LexisNexis, Dun & Bradstreet, and Kroll Background America. KrebsOnSecurity's initial review of the bot program on the hacked servers using Virustotal.com did not identify the bot as malicious, instead giving it a clean bill of health, though a later review showed that it was detected by six of the 46 anti-malware tools used by Virustotal. Each company noted that it was working with federal authorities and third-party forensic firms to figure out how far the breaches reach, and whether any sensitive information was accessed and removed from their networks. Registration records from SSNDOB--which sells the personal data of U.S. residents, including their Social Security numbers and birthdates--show the majority of registered users are located in the Russian Federation, the United Kingdom, and the United States, though hacks or proxies may have been used to cover actual locations. The investigation found some evidence that at least a dozen high-volume SSNDOB users have been operating third-party identity theft services.


Research Shows IT Blocking Applications Based on Popularity Not Risk
CSO Online (09/25/13) Ragan, Steve

Most enterprises block cloud-based apps and services based on name recognition and concerns about productivity rather than risk, according to a new study by Skyhigh Networks. Skyhigh examined collective data from some 3 million users spread across 100 companies and found that while popular apps such as Netflix, StumbleUpon, and Skype are frequently blocked, many others posing serious risks remain available. Even among apps and services that pose a genuine security risk, well-known apps will be blocked while less popular alternatives are not. File sharing apps, for example, pose very real security risks in the financial, technology, and medical sectors. But although many companies in those sectors did block popular sharing services such as Google Drive, Dropbox, and iCloud, they failed to block direct alternatives such as SendSpace, MovShare, and WeTransfer. IT departments also grossly underestimate the number of cloud apps being used on their networks, citing numbers just a fraction of the average 545 cloud services being used by a given organization. Skyhigh CEO Rajiv Gupta says the study demonstrates that "there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services."


Senate Working on Counterpart to CISPA Cybersecurity Bill
The Hill (09/24/13) Sasso, Brendan

Senate Intelligence Committee chair Dianne Feinstein (D-Calif.) has written a draft bill of legislation that would encourage cyberattack information-sharing between companies and the government, as a Senate counterpart to the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in April. CISPA aims to eliminate legal obstacles to companies sharing cyberattack information and enable the government to offer more information to the private sector. However, privacy groups caution that CISPA would provide the government with a new source of volumes of private data. Although the White House encouraged Congress to pursue information-sharing legislation, it threatened to veto CISPA on the grounds of insufficient privacy protections. Concerns about National Security Agency surveillance are likely to complicate the passage of cybersecurity legislation this year.


'Watering Holes' Join Java as a Major Threat to Corporate Security, Says F-Secure
ZDNet (09/23/13) Schofield, Jack

F-Secure's Threat Report for the first half of 2013 found that Java in the browser is the top vector for PC-based attacks, Android is the most attacked mobile platform, and Mac malware is growing rapidly. But the most notable security occurrence of early 2013, according to F-Secure, is the hacking and breach of several Internet giants—including Apple, Twitter, Facebook, and Microsoft—and of numerous Silicon Valley companies via a watering hole at iPhone Dev Software Development Kit. Instead of launching a direct attack, the goal is to exploit a third-party website where employees usually visit and chat. Researchers say Facebook and other major tech companies were compromised in this way using a zero-day Java exploit by way of a mobile developer website. Another significant development was found in what F-Secure calls advanced persistent threat attacks, which typically involve a carefully developed exploit document being delivered—usually through social engineering—to a user, or users, in a targeted organization or industry. Many such attacks are directed at military personnel and people in the defense industries, aerospace, and the energy sectors who have some type of correspondence with Asian nations, particularly China and India, F-Secure says.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD

