Wednesday, November 27, 2013

Security Management Weekly - November 27, 2013

header

  Learn more! ->   sm professional  

November 27, 2013
 
 
Corporate Security
Sponsored By:
  1. "Malls Work on Their Security, but Keep It in the Background"
  2. "Keys to Keeping the Peace on Black Friday"
  3. "Md. Woman Admits Stealing Millions From D.C. Nonprofit"
  4. "Report: Thanksgiving Weekend a Boon Recently for Cargo Thieves"
  5. "Risk-Nado: Security's Risk Mitigation Focus Creates a Management Risk-Nado"

Homeland Security
Sponsored By:
  1. "Microsoft, Suspecting NSA Spying, to Ramp up Efforts to Encrypt its Internet Traffic"
  2. "Connecticut Report: Motive Still a Mystery in Newtown Elementary School Massacre"
  3. "Five Years On, Mumbai ‘Still Not Safe’"
  4. "Spies Worry Over 'Doomsday' Cache Stashed by Ex-NSA Contractor Snowden"
  5. "NSA Infected 50,000 Computer Networks with Malicious Software"

Cyber Security
  1. "Symantec Chief Warns Over Cyber Threat to Intellectual Property" Near Field Communication
  2. "Study: Companies Are Not as Secure as They Think"
  3. "Researchers Use Shopping Cart to Put Mobile, NFC Payment Theft on Wheels" Near Field Communication
  4. "Million-Dollar Robbery Rocks Bitcoin Exchange"
  5. "U.S. Government Rarely Uses Best Cybersecurity Steps"

   

 
 
 

 


Malls Work on Their Security, but Keep It in the Background
New York Times (11/27/13) Kaysen, Ronda

Mall operators in the U.S. are increasingly adopting more subtle security measures to balance the need to maintain an inviting environment that draws in customers with the need to protect them from mass shootings and other threats. For instance, some mall operators are now offering their employees evacuation training sessions, while others are installing shatter-proof windows and bomb-resistant trash cans. Closed-circuit television security systems are increasingly being expanded as well. In addition, more and more malls are asking local emergency response teams to speak to their employees and to hold drills after business hours so they can prepare for different types of security threats. International Council of Shopping Centers spokesman Malachy Kavanagh said such a training session was invaluable to law enforcement agencies in the Portland, Ore., area when they responded to a shooting at Clackamas Town Center last December. Kavanagh said the training allowed offers to corner the shooter because they knew the mall's layout. Such subtle security measures are appealing to mall operators because metal detectors, armed guards, bag screenings, and other strategies used by law enforcement agencies to prevent attacks may discourage consumers from visiting their shopping centers.


Keys to Keeping the Peace on Black Friday
Security InfoWatch (11/26/13) Griffin, Joel

Retail security professionals face several unique challenges associated with Black Friday sales that are not handled on a regular basis. Crowd control is likely the most significant challenge, as it is vital to the safety of shoppers and store employees. Since a Wal-Mart employee was trampled to death by customers in 2008, the Occupational Safety and Health Administration (OSHA) has sent a letter to retailers nationwide each year that includes a list of crowd management guidelines. OSHA recommends that crowd management plans should, at minimum, include trained, on-site security personnel or police officers; barricades or rope lines to guide crowd flow; the implementation of crowd control measures before customers arrive at stores; emergency procedures; ways to explain approach and entrance procedures to customers; not allowing more customers into the store if the maximum occupancy level has been reached; and not blocking or locking exit doors. Retail security experts, meanwhile, recommend that retailers have employees who are not assigned to check-outs monitor the store for stockpiles, trip hazards, and traffic blocks and maintain traffic flow. Other recommended security measures not related to crowd control include assigning seasonal employees to positions that do no involve contact with credit cards or money and implementing tight stockroom and cash controls.


Md. Woman Admits Stealing Millions From D.C. Nonprofit
Washington Post (11/26/13) Marimow, Ann E.; Flaherty, Mary Pat

A former administrative assistant at the Washington, D.C.-based Association of American Medical Colleges (AAMC) pleaded guilty in federal court on Monday to stealing more than $5 million from the nonprofit organization over an eight-year period. Ephonia Green's long-running embezzlement scheme consisted of opening bank accounts in the names of companies that closely resembled those of legitimate AAMC vendors and creating phony invoices in the names of legitimate groups. Green then approved those invoices for payment, with the checks to be returned to her. Green's scheme started small, with all the checks cashed between July 2005 and September 2006 being for less than $5,000. However, Green stole nearly $218,000 between January and April 2009 through just four checks. She also issued checks worth nearly $1.4 million for payments to Couture Miss Bridal & Formal, a bridal business that she ran on the side. The scheme dissolved in July, after a bank with held payment on a $113,000 check and alerted the association, which then fired Green, informed federal authorities, and hired a outside attorney and forensic accountants. As part of her plea, Green will repay the association $5.1 million and could face up to 51 months in prison. A sentencing hearing has been set for Feb. 28.


Report: Thanksgiving Weekend a Boon Recently for Cargo Thieves
Security InfoWatch (11/25/13)

A recent bulletin from FreightWatch International shows that cargo theft is more common over Thanksgiving weekend than it is during the rest of the year. The bulletin noted that there have been an average of 10.5 thefts per day over Thanksgiving weekend in the last three years, which is more than three times the annual average of 2.6 thefts per day during those years. The report emphasized that organizations involved in shipping consumer goods need to increase their security during the holiday weekend. FreightWatch recommends that companies ensure that they have up-to-date security protocols that are in line with industry best practices for in-transit and warehouse operations, as both are heavily targeted during the holiday. Companies are also being urged to use covert GPS tracking devices with active monitoring programs to help reduce the threat of theft and to aid in the recovery of any shipment that does get stolen.


Risk-Nado: Security's Risk Mitigation Focus Creates a Management Risk-Nado
Security Magazine (11/13) Vol. 50, No. 11, P. 18 McCourt, Mark

The annual survey for review of Security 500 organizations covered many critical issues, including best practices, risk, and resilience program layering, but Security Magazine chose to analyze the areas that were most frequently mentioned as ones were budget and resources were being more heavily allocated for 2014, including workplace violence. Workplace violence became the number one area of focus in 2013, and is posed to remain in that position despite significant investments in educational programs, enhanced access program, and zero tolerance policies. Though there are four types of workplace violence that have been identified by the FBI, the 2013 Security 500 survey determined that only one type--violence acts against employees by customers or others for whom the organization provides services--received significant mention from survey respondents because it is becoming more common in a variety of industries after previously being an issue primarily in healthcare. Leading security enterprises are introducing numerous policies dealing with workplace violence, including training, support for victims, and the use of external resources to support zero tolerance programs and employees. Other major areas covered by the survey included budgets; cyber crime; physical security; enterprise resilience; the hiring, training, and retention of employees; and brand and intellectual property.




Microsoft, Suspecting NSA Spying, to Ramp up Efforts to Encrypt its Internet Traffic
Washington Post (11/27/13) Timberg, Craig; Gellman, Barton; Soltani, Ashkan

Top Microsoft executives will reportedly hold a meeting this week to discuss an effort to encrypt Microsoft's Internet traffic. People who are familiar with the plans, which reportedly involve implementing encryption across all of Microsoft's consumer and business services, say the meeting will focus on what encryption initiatives to deploy as well as the timetable for adopting encryption. Microsoft is considering implementing encryption due to concerns that the National Security Agency (NSA) may be accessing its services and potentially violating the privacy of its customers. Company officials have said they have no independent verification that Microsoft is being targeted by the NSA, though documents released by Edward Snowden indicate that the agency may be conducting surveillance on Microsoft's Internet traffic. Two slides that describe surveillance operations against Google and Yahoo--in which NSA was reportedly intercepting traffic inside the private networks of those companies--also include references to Microsoft Hotmail and Windows Live. Snowden also released a 2009 e-mail from a senior NSA official that said the now-discontinued Microsoft Passport service was one of four "realms" the agency had the ability to search. NSA said Tuesday it is only interested in targeting the communications of "valid foreign intelligence targets" and that it does not access online communications or services that are of no interest from a foreign intelligence standpoint.


Connecticut Report: Motive Still a Mystery in Newtown Elementary School Massacre
Washington Post (11/26/13) Branigin, Will

Connecticut State's Attorney Stephen J. Sedensky III on Monday released his report on the investigation of last year's fatal shooting at Sandy Hook Elementary School. The report described the incident in which suspect Adam Lanza, killed his mother with a .22-caliber rifle. He then drove to the elementary school, from which he graduated, where he shot and killed 20 children and six adults before committing suicide. While Sedensky's investigation found no motive for the crime, he did, acknowledge that Lanza suffered from "significant mental health issues." The investigation also concluded that Lanza worked alone and was "solely criminally responsible for his actions," which means that there will be no criminal case brought in Connecticut. The report also found that Lanza had experience with guns and ammunition and that he had "an obsession with mass murders," including the 1999 Columbine High School shootings. However, there was no way of knowing that he would act on that obsession by targeting a school, the report found. Additionally, investigators found that all of the guns used in the Dec. 14 shooting were legally purchased by Mrs. Lanza. The release of the report marks the end of the investigation into the Sandy Hook massacre.


Five Years On, Mumbai ‘Still Not Safe’
Wall Street Journal (11/26/13) Acharya, Nupur; Machado, Kenan

A number of residents of Mumbai, the Indian city that is marking the five year anniversary of the November 26, 2008 terrorist attack, say they are not convinced the security measures that have been put in place in the aftermath of that attack would prevent a similar incident from taking place. The attack consisted of a small group of assailants armed with AK-47s and grenades who targeted the Chhatrapati Shivaji Terminus train station; the Taj Mahal Palace & Tower, the Oberoi, and the Trident hotels; the Chabad-Lubavitch Jewish center; as well as a hospital and cafe. More than 160 people were killed as the attackers stayed holed up in those locations for three days. In response to the attack, hotels in Mumbai have erected outdoor security barriers and have implemented stringent security scans of guests. Police, meanwhile, are more visible and are now permanently deployed at high-profile locations. But some Mumbai residents say the security measures that have been put in place since 2008 are insufficient, in part because security forces are still not as visible as they could be. However, some in Mumbai say they are not sure that more can be done to prevent another attack like the one in 2008, partly because the Indian government and security forces are having a difficult time keeping up with the high rate of growth in India.


Spies Worry Over 'Doomsday' Cache Stashed by Ex-NSA Contractor Snowden
Reuters (11/25/13) Hosenball, Mark

Intelligence officials in the U.K. and U.S. have voiced concerns over a "doomsday" cache of highly classified, heavily encrypted material that former National Security Agency (NSA) contractor Edward Snowden is believed to have stored on a data cloud. The cache contains documents generated by the NSA and other agencies that have the names of U.S. and allied intelligence personnel, including those of employees working for Britain's Government Communications Headquarters (GCHQ). Two sources briefed on the matter noted that the material is protected by very sophisticated encryption. The sources also said that the multiple passwords that are needed to decrypt the material are held by at least three different people and are valid for only a brief time period each day. The cache has been described as Snowden's "insurance policy" against arrest or physical harm. Guardian reporter Glenn Greenwald has said that Snowden has arranged to have many different people worldwide gain access to the documents in the data cloud if anything happens to him. It remains unclear whether any intelligence agencies know where the material is stored or if they have tried to unlock it, though a former senior U.S. official said that the Chinese and Russians have cryptographers skilled enough to open the cache if they find it. It is not known if any of the material is still in Snowden's possession, though he has stated that it is not.


NSA Infected 50,000 Computer Networks with Malicious Software
NRC (11/23/2013) Boon, Floor; Derix, Steven; Modderkolk, Huib

The National Security Agency (NSA) allegedly infected more than 50,000 computer networks around the world with malicious software designed to steal data, according to documents leaked by former NSA contractor Edward Snowden. The documents note that the NSA used "Computer Network Exploitation" (CNE) to install malware on the networks beginning in 1998. These hacking efforts are reportedly headed up by the NSA's Tailored Access Operations (TAO) unit, which employs over 1,000 hackers. Specific countries targeted by the TAO, according to the documents released by Snowden, include Venezuela, Brazil, and Belgium. The documents also show that once the malware is installed in a network, the TAO can remotely turn it on and off to avoid detection. The NSA has declined to comment on this latest leak.




Symantec Chief Warns Over Cyber Threat to Intellectual Property
Financial Times (11/25/13) Kuchler, Hannah

Intellectual property theft is a more serious threat than cyberwar or attacks from rogue hackers, warns Symantec CEO Steve Bennett. "What I’m most concerned about for the world is the economic threat if intellectual property is transferred from IP creators to countries with lower costs," says Bennett, who was recently appointed to the U.S. national security telecommunications advisory committee. He notes that even Western companies use cyberattacks to steal intellectual property, which could adversely impact the global economy and undermine innovation. Bennett urges companies and governments to share more data about attackers to fight against "black hat" hackers. Kroll estimates that the number of companies affected by external cyberattacks designed to steal commercial secrets doubled in the year 2012-13 compared with the previous fiscal year. Kroll notes that information theft is the second most common type of fraud following the physical theft of assets.


Study: Companies Are Not as Secure as They Think
CSO Online (11/25/13) Gonsalves, Antone

In a recent survey of 1,000 IT professionals and companies, CompTIA found that more than 80 percent believed their current level of security was completely or mostly satisfactory, despite the fact that only 13 percent of the respondents had made significant improvements to their security approach over the last two years. During that time, many organizations have adopted cloud computing, bring-your-own-device practices, and expanded their use of social media, all of which would require new technologies and policies to secure. Without such changes, a company's security is likely insufficient. Many companies remain firmly focused on hacking and malware, seeing those as the most persistent threats. However, the landscape has changed with the rise of advanced persistent threats, denial of service, IPv6 attacks, and mobile malware. The survey notes that many organizations must step back and reevaluate their security strategies, beginning at the top and down through all levels of the organization. In the 11 years that CompTIA has been conducting the survey, employee mistakes have always been a major cause of security breaches. In the most recent report, more than half of the respondents said human error has become a larger problem over the last two years.


Researchers Use Shopping Cart to Put Mobile, NFC Payment Theft on Wheels
ZDNet (11/25/13) Blue, Violet

A recently published paper called "Eavesdropping Near-Field Contactless Payments: A Quantitative Analysis" detailed efforts by researchers from the University of Surrey to assess the ease and efficacy of eavesdropping attacks against contactless payment transactions, such as those involving Near Field Communication (NFC). The researchers' efforts showed that contactless payments are more vulnerable then previously believed, and that data from such transactions can be stolen more easily and reliably than has been previously done. Researchers constructed an easily concealable antenna from low-cost electronics, a DAQ card and a shopping cart, which allowed them to capture sensitive data from contactless payment cards. The security researchers said that the receiver could be assembled at low cost and easily concealed in a backpack. The system produced "consistently good results" and "performed well across most distances," prompting researchers to comment that an attacker "shopping for credit card data" would have to do no more than stand in line with a shopping cart while the victim paid for his or her purchase. The researchers next plan to extend their experiment to smartphones using NFC.


Million-Dollar Robbery Rocks Bitcoin Exchange
Network World (11/25/13) Gold, Jon

The Denmark-based digital wallet provider Bitcoin Internet Payment Services (BIPS) reported Nov. 25 that cybercriminals walked away with more than $1 million worth of the bitcoin currency over the past several days. The company says it was hit by a distributed denial-of-service attack earlier this month, which was followed by a breach that disabled several security systems that allowed the robbers to access the funds in question. In response to the attack, BIPS has stopped processing consumer payments temporarily and warned users to transfer funds to a different service. This is the third major theft of bitcoins so far this month. Approximately $1.4 million was stolen several weeks ago from an Australian who operated an online wallet service called Inputs.io, and more than $4 million was stolen from a Chinese digital exchange two weeks ago. Other thefts have also targeted consumer exchanges in the Czech Republic and Poland, although the sums taken were smaller.


U.S. Government Rarely Uses Best Cybersecurity Steps
Reuters (11/22/13) Selyukh, Alina

The President's Council of Advisors on Science and Technology (PCAST) on Friday released a report saying the U.S. government should serve as a role model for other organizations by following best practices for cybersecurity. "The Federal Government rarely follows accepted best practices," the report says. "It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems." Among the recommended best practices are using software that updates automatically, implementing secure browsers, and discontinuing unsupported and insecure operating systems. The report also says regulatory agencies should promote best practices among the industries they regulate. For example, the report says the Securities and Exchange Commission should require publicly held companies to disclose cybersecurity risk factors as investment risks, and the National Institute of Standards and Technology should collaborate with Internet providers on best practices. Meanwhile, University of Texas at Austin professor William Press, a member of the PCAST group of U.S. scientists and engineers who make policy recommendations to the administration, says data shared between private companies "should not be and would not be accessible to the government."


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment