Friday, November 22, 2013

Security Management Weekly - November 22, 2013

November 22, 2013
 
 
Corporate Security
  1. "French Newspaper Shooting Suspect Arrested"
  2. "Jump in Shoplifting Hurt Penney"
  3. "Barneys Report Counters Profiling Allegations"
  4. "US Employee Prescription Drug Use Booms as Workers Evade Positive Marijuana and Cocaine Tests"
  5. "7 Simple Ways You Can Protect Your Ideas From Theft"

Homeland Security
  1. "NSA Surveillance Challenge Lands in Federal Court"
  2. "James 'Whitey' Bulger Set to Appeal Conviction"
  3. "Beirut Attack Marks Militant Resurgence"
  4. "Snowden Likely Used SSH Keys to Access Classified NSA Data: Venafi"
  5. "NSA Repeatedly Broke, Vowed to Obey Surveillance Rules, Court Records Show"

Cyber Security
  1. "Mobile Malware, Virtual Currency Dominated 3rd Quarter Cyber Threats, McAfee Reports"
  2. "Carriers Reject Kill Switch for Stolen Smartphones"
  3. "Pentagon Tightens Cybersecurity Rules for Defense Contractors"
  4. "Standards Bodies Set Sights on Biometrics, Online Authentication"
  5. "FBI Warns of Anonymous Hacks Into Federal Systems"

French Newspaper Shooting Suspect Arrested
Associated Press (11/21/13) Schaeffer, Jeff

French police on Wednesday arrested the suspected gunman behind four recent attacks in Paris, including shootings at media outlets and a bank. Authorities say DNA evidence indicates that Abdelhakim Dekhar was behind Monday's shooting at the offices of the newspaper Liberation, a shooting outside the bank Societe Generale a few hours later, and a similar shooting incident three days before at the news network BFM-TV. According to French Interior Minister Manuel Valls, Dekhar apparently tried to kill himself with pills before he was arrested. Paris judicial police chief Christian Flaesch said Dekhar was taken to the hospital where "he is incarcerated but in a medical environment." Flaesch noted that the suspect was found after a witness told police that a man who had stayed at his house resembled the images in the video footage and photos of the shooter that had been released by authorities.


Jump in Shoplifting Hurt Penney
Wall Street Journal (11/20/13) Kapner, Suzanne

J.C. Penney Chief Executive Mike Ullman said Wednesday that shoplifting at his company's stores spiked in the third quarter, taking a full percentage point off the chain's profit margins. The increase in shoplifting has been attributed to several factors, including the transition to a new inventory tracking system that used radio frequency identification (RFID) tags. It was hoped that the RFID tags would make it easier to manage inventory, though the company found that it had to remove the security sensor tags that are designed to prevent the theft of merchandise as they would have interfered with the radio frequency tags. During this transition, Penney also introduced a new return policy that did not require customers to have their receipts. However, this combination of changes resulted in people entering the store, grabbing armloads of merchandise, taking them to a cash register and returning them, said a person familiar with the issue. In January, Penney scaled back its RFID ambitions, due to increasing thefts. The company has also begun retagging items with the anti-theft sensor tags and has altered its return policy so that customers only receive store credit if they return goods without a receipt and cannot provide the credit card used to make the original purchase.


Barneys Report Counters Profiling Allegations
Associated Press (11/19/13)

The Associated Press on Tuesday obtained a five-page report that examined the policies and procedures in place at Barneys New York after complaints were filed in October by two African-American customers who accused the store of racial profiling. The complaints were filed by Trayon Christian and Kayla Phillips after police detained them on suspicion of credit card fraud when they lawfully purchased expensive items from the store. According to the review, which was carried out by U.S. Commission on Civil Rights member Michael Yaki at the request of Barneys, the luxury store does not have either a written or unwritten policy to profile customers based on race, nor did the store "request, require or initiate the actions of the New York Police Department" against either Christian or Phillips. Employees interviewed by Yaki said they did not suggest that either customer should be questioned by police, nor did they take any action on the belief that either Christian or Phillips had committed a crime. The NYPD, however, has said its officers took action after conferring with store employees. NYPD internal affairs officers are conducting investigations of both encounters. Yaki is working on a second report that will take a broader look at store policies and any recommendations regarding those policies.


US Employee Prescription Drug Use Booms as Workers Evade Positive Marijuana and Cocaine Tests
International Business Times (11/18/13) Brinded, Lianna

A new study by Quest Diagnostics has found that U.S. workers are becoming more knowledgeable about how to game pre-employment drug screening. Quest found that the percentage of positive employee drug tests in the U.S. has fallen drastically from 13.6 percent in 1988 to 3.5 percent in 2012. However, new statistics from the Department of Health and Human Services found that 8.9 percent of full-time and 12.5 percent of part-time employees over the age of 18 had used illegal drugs last year, and that 68 percent of the nation's 21.5 million illegal drug users were either full- or part-time employees. These figures are what led Quest to believe that workers must be finding ways to cheat on drug tests. Meanwhile, Quest reported that the number of positive tests for prescription drugs, including Vicodin, OxyContin, and Adderall, rose significantly in just the past few years. While these drugs may be used legally, Quest's director of drug-testing technology says they can still affect workplace safety. Investigators say between 65 percent and 80 percent of positive test results for amphetamine and opiate use are disregarded when employees have legal prescriptions for these drugs.


7 Simple Ways You Can Protect Your Ideas From Theft
Forbes (11/18/13) Hendricks, Drew

There are a number of ways that businesses and individuals seeking investors, partners, or employees to support their ideas or discoveries can prevent those associates from marketing that innovation as their own. The first is for entrepreneurs to avoid giving away too much information about the idea and to listen to their instincts about whom to trust. Entrepreneurs should perform a little research into the people they are pitching their ideas to and extensively document all of those interactions. Beyond those informal measures, there are a multitude of avenues to take that will formally protect intellectual property in the business world. The first is a good non-disclosure agreement, although many investors or clients might take issue with signing one before hearing an idea. Entrepreneurs may instead want to put a confidentiality statement in their business plans rather than formally requesting that investors or clients sign anything. It is also not a bad idea to apply for a provisional patent, which lasts 12 months. After that there is no way to extend it without undergoing the formal patenting process. Entrepreneurs can, however, trademark their company's name, which will provide some measure of protection to the ideas with which it is associated. While not as strong as a patent, a trademark can show that a business idea was in development during a certain period, which helps ward off any dispute.




NSA Surveillance Challenge Lands in Federal Court
ABC News (11/22/13) De Vogue, Ariane

A hearing on the lawsuit filed by the American Civil Liberties Union (ACLU) against the National Security Agency (NSA) over its telephone metadata collection program is scheduled for Nov. 22. Before the merits of the ACLU's lawsuit can be decided, however, it will need to overcome government arguments that it does not have standing to challenge the surveillance program. ACLU attorney Jameel Jaffer said the organization believes some of its conversations with clients may have been compromised and that it has the right to be in court because it is a customer of Verizon, which has turned over records to the NSA. The ACLU's lawsuit claims that the collection of metadata infringes on Americans' privacy because it allows the government to determine whom they are calling. The ongoing surveillance, the ACLU argues, both exceeds the authority granted under the Patriot Act and violates the First and Fourth Amendments. Government lawyers stressed in court papers that the program operates under orders from the Foreign Intelligence Surveillance Court and is subject to "stringent supervision and oversight" from all three branches of government. No content of calls is collected, listened to, or recorded, the government said. The government also believes that the surveillance could have prevented the Sept. 11 attacks had it been in place in 2001.


James 'Whitey' Bulger Set to Appeal Conviction
Associated Press (11/22/13)

A notice of appeal was filed by attorneys for James "Whitey" Bulger in federal court on Nov. 20 challenging the former Boston crime boss' conviction on racketeering charges. The appeal was expected, as the lawyers had said that Bulger saw his trial as a "sham" because he was not allowed to argue that he had been given immunity to commit crimes by a now-deceased federal prosecutor. In August, Bulger was convicted in a broad racketeering case, and on Nov. 14 he was sentenced to two consecutive life terms. Bulger, who served as an informant for the FBI and was protected by corrupt Boston FBI agents, did not testify at his trial, nor did he speak at the two-day sentencing hearing. Bulger was arrested in Santa Monica, Calif., in 2011, having become a fugitive in 1994 after a tip-off from a former FBI agent that he was about to be indicted.


Beirut Attack Marks Militant Resurgence
Wall Street Journal (11/21/13) Abi-Habib, Maria

There are concerns among some in Lebanon that the attack on the Iranian Embassy in Beirut on Tuesday is a sign that al-Qaida-inspired extremists are becoming more of a threat. The attack, which consisted of two suicide bombings that killed 25 people and injured 147 others, was carried out by the Abdullah Azzam Brigades, a Sunni Islamist militant group funded by Saudi donors who want to help overthrow Syrian President Bashar al-Assad. The Saudi donors are also providing funding to groups such as the Abdullah Azzam Brigades in order to help carry out attacks against al-Assad's Shiite allies, Iran and Hezbollah. Lebanese parliamentarian Nohad Machnouk said the involvement of the Abdullah Azzam Brigades in Tuesday's bombings is a sign that the Syrian civil war has spread into Lebanon. But other factors have also played a role in the growth of militant groups in Lebanon, including the radicalization of Sunni Muslims in the country. This radicalization is particularly problematic around the northern city of Tripoli, where many residents are openly hostile to the Lebanese government. The impoverished, angry environment of this area has been fertile soil for al-Qaida, which now has officially recognized affiliates in northern Lebanon. Lebanon's government has done little to stop the growing militancy, in part because some political leaders are worried about damaging their base of support if they crack down on militant groups.


Snowden Likely Used SSH Keys to Access Classified NSA Data: Venafi
eWeek (11/20/13) Lemos, Robert

Security researchers at the certificate management firm Venafi have posted an analysis of how they believe Edward Snowden was able to gain access to certain servers and top-secret information he did not have the clearance to access while at the National Security Agency (NSA). The report speculated that Snowden had likely used authentication keys to give his account privileged access to other network servers. These keys, known as secure shell (SSH) keys, are often used by system administrators to log into remote computers without a password. The most significant clue the company had in making this hypothesis was NSA chief Gen. Keith Alexander's statement that Snowden had "fabricated digital keys" to gain access to classified systems. Venafi CEO Jeff Hudson commented that by fabricating these keys, Snowden gave himself the ability to access other systems, elevating the privileges he had already been given. Hudson noted that the NSA was not aware of the keys and was unable to detect anomalies or respond to an attack, and suggested that the NSA should share further details about Snowden's breach to help other companies and organizations who might face similar threats from insider attacks.
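Venafi's hypothesis above turns on keys the NSA was not tracking. As an added example (not from the eWeek article or Venafi's report), the Python below parses an authorized_keys file, computes each key's SHA256 fingerprint, checks that the declared key type matches the type embedded in the key blob, and flags any key absent from an approved inventory; the sample file and the inventory are constructed.

```python
import base64
import hashlib
import shlex
import struct
from collections import namedtuple

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")  # extend as needed

# One parsed line: options precede the type; blob_type_ok records whether the
# declared type matches the type string embedded in the decoded blob.
KeyEntry = namedtuple("KeyEntry", "line_no options key_type fingerprint comment blob_type_ok")

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the unpadded base64 form that ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text; shlex handles quoted option values (quotes are stripped)."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        idx = next((i for i, t in enumerate(parts) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # unparseable line; a real audit would report it
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:
            continue
        # The blob's first length-prefixed string is the key type; compare with the declared one.
        n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else 0
        embedded = blob[4:4 + n].decode("utf-8", "replace")
        entries.append(KeyEntry(line_no, " ".join(parts[:idx]), parts[idx],
                                fingerprint(blob), " ".join(parts[idx + 2:]),
                                embedded == parts[idx]))
    return entries

def audit(entries: list, approved: set) -> list:
    """Entries whose fingerprint is absent from the approved key inventory."""
    return [e for e in entries if e.fingerprint not in approved]

def make_blob(key_type: str, material: bytes) -> str:
    """Constructed blob in OpenSSH wire layout (length-prefixed strings); sample data, not a real key."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(material)) + material)
    return base64.b64encode(raw).decode()

# Constructed sample file and inventory: only the bastion admin key is approved.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(32))} admin@bastion",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {make_blob("ssh-ed25519", bytes(range(32)))} backup@nas',
    f"ssh-rsa {make_blob('ssh-ed25519', b'x' * 32)} unknown-key",  # declared/embedded type mismatch
])
APPROVED = {fingerprint(base64.b64decode(make_blob("ssh-ed25519", bytes(32))))}

def run_sample():
    entries = parse_authorized_keys(SAMPLE)
    return entries, audit(entries, APPROVED)
```

Run against a real file, the approved set would come from the organization's key inventory rather than being computed in the script.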


NSA Repeatedly Broke, Vowed to Obey Surveillance Rules, Court Records Show
Associated Press (11/19/13)

According to more than 1,000 pages of newly declassified files about the National Security Agency's phone data collection program, the NSA reported its own violations of surveillance rules to a U.S. intelligence court. Among the files that were released were intelligence court records from 2009, in which U.S. District Judge John D. Bates of the intelligence court said that although the NSA made repeated assurances it would obey the court's rules, the agency acknowledged that it improperly collected material through the surveillance program. Some of the heavily censored files released by the Obama administration on Nov. 18 were declassified to show that even when records were improperly collected by NSA employees, those problems were reported and new procedures were introduced to prevent recurrences. Included in the documents were training slides for NSA analysts warning them that they were only allowed to search the database for numbers they suspected were associated with terrorism based on "some minimal level of objective justification" rather than just a hunch. The slides also said that Americans whose only suspicious actions were protected under the First Amendment should not have their phone records examined.




Mobile Malware, Virtual Currency Dominated 3rd Quarter Cyber Threats, McAfee Reports
Homeland Security Today (11/13) Kimery, Anthony

McAfee Labs' third-quarter threats report found that mobile malware, signed malware, spam spikes, and virtual currencies were the four largest cyber threats in the third quarter of 2013. According to the report, new PC malware sample growth between July and September was relatively steady, with 20 million new samples added to McAfee's database, bringing the total to more than 170 million. The Android malware stockpile increased by nearly 700,000 samples to a total of 2.8 million, the report noted. Leveraging information from the McAfee Global Threat Intelligence (GTI) network, the McAfee Labs team identified a number of trends in the third quarter of 2013, including digitally signed malware, samples of which increased 50 percent to more than 1.5 million new samples; new mobile malware families, including one entirely new family of Android malware that McAfee Labs researchers identified, Exploit/MasterKey.A, which allows an attacker to bypass apps' digital signature validation; the use of new digital currencies by cybercriminals to both execute illegal transactions and launder profits; and a 125 percent spike in spam. "The third quarter also saw notable events in the use of virtual currencies, such as Bitcoin, for illicit activities such as the purchase of drugs, weapons and other illegal goods on websites such as Silk Road," McAfee said. "The growing presence of Bitcoin-mining malware reinforced the increasing popularity of the currency."


Carriers Reject Kill Switch for Stolen Smartphones
Associated Press (11/20/13) Collins, Terry

According to San Francisco District Attorney George Gascon, the nation's biggest wireless carriers have rejected a proposal made by Samsung Electronics for smartphone manufacturers to install a built-in anti-theft measure called a "kill switch" that would make lost or stolen devices inoperable. AT&T, Sprint, T-Mobile, U.S. Cellular, and Verizon Wireless all said that Absolute LoJack anti-theft software should not be preloaded onto smartphones as a standard feature due to the potential for hackers to access the kill switch and disable someone's phone, including devices belonging to entities like the departments of Defense and Homeland Security. However, Gascon said e-mails between a senior vice president at Samsung and a software developer suggest that carriers may be rejecting the proposed technological solution as a way to force customers to purchase insurance on their phones. Meanwhile, Apple has announced that an "activation lock" designed to prevent thieves from turning off the Find My iPhone application would be part of its iOS 7 software. Ojas Rege, the vice president of strategy at the technology security company Mobile Iron, called the activation lock the first kill switch that protects users from smartphone thieves and said other manufacturers should include similar technology in their products.


Pentagon Tightens Cybersecurity Rules for Defense Contractors
Reuters (11/19/13)

The Pentagon announced on Nov. 19 that it has approved new regulations for defense contractors that require them to improve cybersecurity measures and report any cyberattacks that result in the theft of controlled technical information. The change was made as part of an amendment to defense acquisition rules that require defense contractors to use established information security standards on unclassified networks and to report security breaches that result in the loss of information from those networks. The new regulations, which were put in place after Defense Secretary Chuck Hagel issued a memo on Oct. 10 calling for tighter security measures to protect technical data, will apply to all new contracts that use or create unclassified but valuable technical information. The changes were made in response to multiple cyberattacks against the military and defense contractors that resulted in an estimated loss of more than $1 trillion in intellectual property and competitiveness over the past decade.


Standards Bodies Set Sights on Biometrics, Online Authentication
Pymnts.com (11/19/13) Green, Jeffrey

At least two initiatives have been launched in the online and mobile authentication arena to develop standards for biometrics that could eventually eliminate the need for usernames and passwords. French standards-setting body Natural Security says it will form an alliance comprising banks, retailers, payment providers, vendors, and IT communities to facilitate the creation of secure wireless biometric authentication and payment solutions. Natural Security's initiative is expected to complement those of the Fast Identity Online (FIDO) Alliance, which was formed in July 2012 "to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords." Since FIDO's official launch in February 2013, its membership has expanded to more than 50 organizations, including BlackBerry, Google, Lenovo, MasterCard, and PayPal. FIDO seeks to obtain broad acceptance and use of a standard for secure devices and browser plug-ins so any website or cloud application may be compatible with existing and future FIDO-enabled devices used for online security.


FBI Warns of Anonymous Hacks Into Federal Systems
Federal Computer Week (11/18/13) Mazmanian, Adam

Anonymous is being blamed for a string of infiltrations into federal networks, including the theft of personal information on more than 104,000 government employees, contractors, and others, according to a Reuters report. The Federal Bureau of Investigation has warned that attacks have already hit the Departments of Energy and Health and Human Services, the Army, and possibly other federal agencies, according to an internal memo cited in the Reuters report. "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed," the memo states. The hackers were able to gain entry into the computer systems via a flaw in Adobe's ColdFusion Web development software. The FBI says the attacks are in retaliation for criminal prosecutions against hackers.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD

