Search This Blog

Friday, December 27, 2013

Security Management Weekly - December 27, 2013

header

  Learn more! ->   sm professional  

December 27, 2013
 
 
Corporate Security
  1. "Menendez: Make Stores Responsible" Data Security Breaches
  2. "Target Tangles Over PINs in Security Breach as Chase Scrambles"
  3. "Does Retail Security Take a Backseat During the 'Holiday IT Lockdown'?"
  4. "Target Payment Card Data Theft Highlights Lagging U.S. Security"
  5. "FDA Proposes Food Safety Rule to Thwart Terrorism"

Homeland Security
  1. "Egyptian Blast Raises Fears of Growing Terrorist Threat"
  2. "If Not the NSA, Who Should Store the Phone Data?"
  3. "Spy Agency Struggles to Make Sense of Data Flood" NSA
  4. "Kidnapped American Asks U.S. to Negotiate with al-Qaeda for His Release"
  5. "Edward Snowden, After Months of NSA Revelations, Says His Mission’s Accomplished"

Cyber Security
  1. "How Have Surveillance Practices Impacted Cyber Security Agenda, Private Sector?"
  2. "RSA Denies Taking $10m From NSA to Default Backdoored Algorithm"
  3. "Samsung Phone Studied for Possible Security Gap"
  4. "Cloud-Based Security Services Poised for Rapid Growth"
  5. "Federal Agencies to Hire More Cyber Defenders in 2014"

   

 
 
 

 


Menendez: Make Stores Responsible
Associated Press (12/27/13) Zezima, Katie

Sen. Robert Menendez (D-N.J.) said Thursday that he has asked the Federal Trade Commission (FTC) whether it has the authority to fine companies that experience data security breaches. Menendez made the comments in response to the recent data breach at Target, in which cybercriminals stole data on 40 million credit and debit card accounts used at the retailer's U.S. stores between Nov. 27 and Dec. 15. The Garden State's senior senator added that he believes the FTC may not be able to impose fines or other penalties on companies that suffer data breaches, given the fact that the agency did not fine the parent company of Marshall and T.J. Maxx after it experienced a security breach in 2006. If that is indeed the case, Menendez said, the FTC should recommend legislation that will help protect consumers' financial information from theft. He added that the security of the nation's electronic payment system is important because consumers depend on safe and secure transactions, particularly during the holiday shopping season. Menendez also addressed the issue of the Target data breach directly, saying that he may hold hearings about the incident. The breach, which is still under investigation by various law enforcement agencies, is the second-largest data breach in U.S. history.


Target Tangles Over PINs in Security Breach as Chase Scrambles
San Francisco Business Times (12/26/13) Calvey, Mark

Reuters reported Dec. 25 that encrypted personal identification numbers (PINs) were stolen during Target's card breach, citing an unidentified senior payments official who was familiar with the issue. That same official commented that a major bank was concerned that thieves would crack the encryption codes and make fraudulent withdrawals, which fits with the dramatic actions that JPMorgan Chase took in response to the breach. After cutting debit caps sharply, the bank opened some of its branches last Sunday to provide replacement debit cards to its customers on the spot. Target spokeswoman Molly Snyder told Reuters that "no encrypted PIN data was accessed" and that there was no indication that PIN data has been "compromised." To date, JPMorgan Chase has been the only bank to begin replacing all debit and prepaid cards impacted by the breach, and has done so whether or not fraudulent activity was reported. Target has told its Redcard holders that they will not be liable for any fraudulent charges, and has made changes to its fraud detection and authorizations procedures to better protect Redcard holders. In addition, the company is offering a year of free credit monitoring to each person impacted by the breach. The breach is expected to drive discussion about whether more sophisticated security technologies need to be adopted to protect cardholders.


Does Retail Security Take a Backseat During the 'Holiday IT Lockdown'?
SearchSecurity.com (12/23/13) Blevins, Brandon

In the wake of the massive breach of credit card data at Target, some cybersecurity experts are wondering whether retailers might overlook basic data security practices at their most important sales time. If so, they could be setting themselves up for serious risk and even some Payment Card Industry Security Standards Council (PCI SSC) compliance violations, says John Kindervag of Forrester Research. "Patching. Configuration updates. Firewall rule changes. Almost none of that happens" during the so-called "holiday IT lockdown," Kindervag observes. Tenable Network Security CEO Ron Gula agrees, pointing out that many retailers are so eager to keep their networks up and running during the holiday sales crunch that some may even halt IT audits and security assessments in November and December. Because of the lighter workload combined with the holidays, many IT staff choose this time to take vacations, leaving companies even more vulnerable in the face of an attempted data breach, Kindervag says. On the other hand, Zane Lackey, the director of security engineering for the Internet-based retailer Etsy, says his team uses the holiday season to work on security improvements the site plans to deploy in the new year. Arthur Wong, the senior vice president and general manager for HP's Enterprise Security Services, also suggests that companies increase security monitoring over the holidays while saving any audits--including those to ensure PCI Data Security Standards compliance--at other times.


Target Payment Card Data Theft Highlights Lagging U.S. Security
Reuters (12/22/13) Kerber, Ross

The recent theft of data on 40 million credit and debit cards from Target over the past several weeks illustrates the gaps in U.S. payment security. Unlike their counterparts in the European Union and Canada, U.S. businesses and banks have yet to move from payment systems that rely on cards with magnetic stripes to the Europay MasterCard Visa (EMV) system, which uses cards embedded with computer chips. Merchants and banks have balked at the use of the more secure EMV system, saying that it would cost too much to adopt the chip-enabled cards and the payment terminals to go with them. But retailers and banks may be more willing after the Target incident, says Rush Taggart, chief security officer of CardConnect, which helps stores process card payments. According to Taggart, the change to chipped cards "will happen over the next two years." Of course, it is worth noting that the chip system would not have prevented the initial data theft at Target, but the technology would have made the data much more difficult for the thieves to use because it is better at detecting counterfeit cards. For these reasons, some banks, including Citigroup and Wells Fargo, have already started offering chipped cards, but many merchants and banks still see the pitfalls of the current system as an acceptable cost of doing business. Whether that changes in the wake of the Target data theft remains to be seen.


FDA Proposes Food Safety Rule to Thwart Terrorism
Oregonian (OR) (12/20/13) Terry, Lynne

The Food and Drug Administration (FDA) issued a proposed rule on Dec. 20 that aims to prevent terrorists from targeting the nation's food supply. The rule, which is being issued under the Food Safety Modernization Act of 2011 and is open to public comment through March 31, calls for large food facilities to take steps to protect any points in processing that could be vulnerable to an attack. Such facilities would also be required to take steps to ensure their security measures are effective at preventing attacks. The rule, which would be phased in over a period of one to three years, would not apply to small farms, ranches, or other small businesses. FDA food safety chief Mike Taylor said it is important to take steps to protect against a possible attack on the nation's food supply because any such attack, while unlikely, could have serious public health and economic consequences.




Egyptian Blast Raises Fears of Growing Terrorist Threat
Wall Street Journal (12/27/13) El-Ghobashy, Tamer; Elmergawi, Leila; Bradley, Matt

A bomb blast near a municipal bus in Cairo on Thursday has sparked renewed fear that the deepening political polarization in Egypt is driving terrorism and pushing the insurgent battlefront from remote and sparsely populated areas into the densely populated heartland. Though Egypt's government did not assign blame for this attack, it did blame the Muslim Brotherhood for a bombing in Mansoura on Tuesday. However, the government has yet to provide any evidence that the Brotherhood was involved in the Mansoura bombing. The Brotherhood has denied that it was responsible for the attack in Mansoura, while the al-Qaida inspired group known as Ansar Bait Al-Maqdis has claimed responsibility for the Cairo attack. The government has also labeled the Muslim Brotherhood as a terrorist organization and has launched a crackdown on the once-powerful group. The country has been deeply divided since the July ouster of Egyptian President Mohammed Morsi by the military. Morsi, a member of the Muslim Brotherhood, many of the group's top leaders and some 1,000 other members are currently in jail in Egypt. The group's designation as a terrorist organization seems designed to allow the government to target the remaining supporters of the group, and has already resulted in the arrest of 20 Brotherhood sympathizers.


If Not the NSA, Who Should Store the Phone Data?
Washington Post (12/26/13) Nakashima, Ellen

President Obama has said he is willing to consider a proposal for ending the National Security Agency's controversial practice of storing telephone metadata, though there is resistance to the alternatives. One of those alternatives involves having the telecommunications industry hold the data in a database that could be searched by NSA when the need arises. But some in the telecommunications industry have said they are opposed to that idea, partly because they fear they will be inundated with requests for the data from a variety of law enforcement officials and private attorneys unless Congress passes legislation stating that the data can only be used for counterterrorism purposes. Telecommunications companies and civil libertarians also fear that cybercriminals could try to steal the data. Some in Congress, meanwhile, say that having telephone companies hold on to the data would not provide any clear benefit over the current system and could actually hurt the NSA's ability to meet its operational needs. Another proposal, creating a third-party entity to hold on to the data, also faces resistance on Capitol Hill because it is unclear whether any such organization would be able to provide adequate privacy protections. President Obama will make a decision about the proposal sometime next month.


Spy Agency Struggles to Make Sense of Data Flood
Wall Street Journal (12/26/13) Angwin, Julia

During a privacy conference in Lausanne, Switzerland, in September, retired National Security Agency (NSA) computer-code creator William Binney warned that the agency's analysts have so much information to handle that they simply cannot do their jobs effectively. Binney added that the large amount of information NSA is taking in is harming its ability to conduct legitimate surveillance. A 2012 internal NSA briefing document supports this assertion. The memo said that foreign cell phone location tracking efforts were outpacing the agency's "ability to ingest, process and store" the data. Proposals have been made to try to limit the amount of data the NSA is taking in through its surveillance programs. For example, the presidential review panel charged with considering possible reforms of the government surveillance program recommended ending the bulk phone record data collection and creating "smart software" that would be able to sort data as it is collected. Binney worked with Ed Loomis, who ran the Sigint Automation Research Center, on developing a system called ThinThread that would discard any data about U.S. citizens and scrape data from the Internet that was within "two hops" of a suspected terrorist. Binney has encouraged lawmakers and an oversight board to limit data collection to two hops and to create a technical auditing team that would verify the NSA's claims about the collection and usage of data.


Kidnapped American Asks U.S. to Negotiate with al-Qaeda for His Release
Washington Post (12/26/13) Londono, Ernesto

Al-Qaida has released a video of Warren Weinstein, the Pakistan director of USAID contractor J.E. Austin Associates who was captured by the group in Lahore, Pakistan on August 13, 2011. In the video, Weinstein calls on the United States to consider releasing al-Qaida operatives in custody in exchange for his safe return. Al-Qaida leader Ayman al-Zawahri said in 2011 that Weinstein would be released if imprisoned members of the terrorist group and the Taliban were allowed to go free, and if the U.S. ended its campaign of drone strikes. The video appears to have been created by al-Qaida's media production outlet, As-Sahab, and was e-mailed anonymously to several journalists. The e-mail also included a note allegedly written by Weinstein dated Oct. 3. Whether the video was made at that time as well is unknown. The State Department, which received a copy of the video from the Washington Post, said U.S. officials are "working hard to authenticate" it. The Obama administration has said that it will not negotiate with al-Qaida for Weinstein's release, as government policy usually forbids negotiations with kidnappers.


Edward Snowden, After Months of NSA Revelations, Says His Mission’s Accomplished
Washington Post (12/24/13) Gellman, Barton

In an interview with the Washington Post, former National Security Agency (NSA) contractor Edward Snowden said he accomplished what he had set out to achieve by leaking documents about the federal government's surveillance programs. Snowden said he was motivated to leak the documents for several reasons: one, because the lawmakers and judges charged with overseeing NSA surveillance failed to provide proper oversight; two, because he was disturbed about the extent of the surveillance being performed; and three, because he wanted to start a public debate about the appropriateness of those surveillance measures. Snowden said he first raised his concerns about NSA surveillance in October 2012, when he showed 17 co-workers--including four of his superiors at NSA--a map that showed that the agency was collecting more data on Americans in the U.S. than it was on Russians living in Russia. However, an NSA spokeswoman denied that Snowden ever brought his concerns about the agency's surveillance programs to anyone's attention. Shortly after those alleged conversations, Snowden began contacting reporters, though he did not begin providing them with classified documents until several months later. Snowden admitted in the interview that he has more documents, but flatly denied providing any information to the Chinese or the Russians. U.S. officials have said that the release of the documents has hurt intelligence efforts, though Snowden maintains that the documents needed to be released in order to expose surveillance programs that he previously referred to as "a direct threat to democratic governance."




How Have Surveillance Practices Impacted Cyber Security Agenda, Private Sector?
PBS (12/26/13)

Two individuals with knowledge of the National Security Agency's surveillance programs and one cybersecurity expert recently discussed the impact those programs have had on the nation's cybersecurity agenda in a Dec. 26 roundtable discussion with Judy Woodruff on PBS. Woodruff spoke with Dmitri Alperovitch, the chief technology officer of cybersecurity company CrowdStrike as well as with former NSA head General Michael Hayden and author James Bamford, who has written extensively about the NSA. Alperovitch said the NSA scandal has had a "really damaging" impact on cybersecurity because it has made it difficult to "confront" the Chinese government on its alleged cyberespionage against U.S. targets. In addition to losing the "moral high ground" in such diplomatic conversations, Alperovitch also says that the government has lost the trust of many major technology companies. Hayden agrees, pointing out that the NSA surveillance scandal has unfairly hurt American tech businesses abroad for doing "for the American government the very same things that other national industries do for their governments." Going forward, Alperovitch worries that the breach of trust between the U.S. government and private companies could inhibit the private sector from collaborating and sharing information with the government about cybersecurity breaches and threats.


RSA Denies Taking $10m From NSA to Default Backdoored Algorithm
ZDNet (12/23/13) Duckett, Chris

RSA Security is denying reports that its Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), the default pseudorandom number generator used in RSA Security's encryption products, contained a backdoor for the National Security Agency (NSA). The denial comes after Reuters reported that NSA and RSA Security had a secret $10 million agreement that called for RSA to use Dual_EC_DRBG in its products and that NSA pushed for the number generator to be included in the National Institute of Standards and Technology's Recommendation for Random Number Generation Using Deterministic Random Bit Generators. RSA denied that there was ever any secret agreement with NSA, and also said that it decided to use Dual_EC_DRBG as the default pseudorandom number generator in its encryption products in 2004. The algorithm was also one of many that was made available to RSA Security's users, the company said. Dual_EC_DRBG has been criticized as being insecure for years. In November 2007, a security expert found that someone with knowledge of the algorithm's secret constants can predict the output of the random number generator after collecting only 32 bytes of output. That means anyone who wants to crack Dual_EC_DRBG can do so by monitoring just one Transport Layer Security (TLS) Internet encryption connection, the security expert wrote.


Samsung Phone Studied for Possible Security Gap
Wall Street Journal (12/23/13) Cheng, Jonathan

Cybersecurity researchers at Israel's Ben-Gurion University claim to have found a security gap in the Knox security platform used on Samsung's Galaxy S4 smartphone. According to Mordechai Guri, the researcher who discovered the alleged vulnerability, the gap would allow malicious software to record data communications, track e-mails, "easily intercept" secure data, and, in a worst case scenario, modify data or insert hostile code that could wreck havoc within a secured network. Dudu Mimran, the chief technical official for the Cyber Security Lab, said the vulnerability could be exploited by a relatively unsophisticated malicious app. Mimran added that even if a malicious app was installed outside the Knox container, it could be activated to record all data communications occurring within the container. The vulnerability appears to be legitimate, said Patrick Traynor, a computer-science professor and specialist in mobile security at Georgia Institute of Technology, and is "serious enough that it should be patched immediately." A Samsung spokesman noted that the company would be fully investigating the alleged security gap, but added that a preliminary investigation into the lab's claims showed that the threat was equivalent to known attacks. The spokesman noted that the breach carried out by the Israeli researchers appeared to have been conducted on a device that was not fully loaded with software a corporate client would use in conjunction with Knox.


Cloud-Based Security Services Poised for Rapid Growth
CSO Online (12/23/13) Mello Jr., John P.

The growing popularity of cloud computing has led many organizations to also use the cloud for security-based applications. Gartner says that comfort will drive a rapid growth in the market for cloud-based security services in the coming years, and it predicts the market for such services will jump from $2.1 billion in 2013 to $3.1 billion in 2015. As organizations move services from their data centers into the cloud, they want their security services to emulate other cloud offerings. "They're demanding next-generation, higher-class security services," says Trend Micro's Mark Nunnikhoven. "They want a security service that matches the attributes of the cloud—something that's smart and flexible." The rise of mobility and the distribution of users has driven a lot of the requirements for security in the cloud, adds Infonetics principal analyst Jeff Wilson. "It makes hijacking traffic and routing it through a secure cloud a reasonable thing to think about doing," Wilson says. He also notes that cloud-based services can help organizations manage problems too big for them to handle on their own, such as distributed denial-of-service attacks. "It's unreasonable for the average company to buy the infrastructure to mitigate a 100-gig sustained DDoS attack," Wilson says.


Federal Agencies to Hire More Cyber Defenders in 2014
Capital Business (12/22/13) Slye, John

The Department of Homeland Security is seeking to significantly expand its cyber workforce. A proposed amendment to the Homeland Security Act calls for the DHS Secretary to regularly evaluate the readiness and capacity of the agency’s cyber staff to meet its cybersecurity mission, form a five-year recruitment plan, and create 10-year projection of workforce needs. However, the Government Accountability Office reported this year that more than 20 percent of cybersecurity positions remain vacant at the National Protection and Programs Directorate, the primary DHS cyber division. In contrast, the U.S. Cyber Command and uniformed services cyber commands appear to have more staffing success. The Army is constructing a new cyber command center at Fort Meade to eventually staff 1,500, which would lead a worldwide cyber corps of 21,000 soldiers and civilians. Meanwhile, by 2017, the Air Force will add more than 1,000 uniformed cyber forces to its Space Command.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: