
Friday, January 31, 2014

Security Management Weekly - January 31, 2014

Corporate Security
  1. "Target Traces Security Breach to Stolen Vendor Credentials"
  2. "Columbia Mall Gunman Was Known in Store Where Killings Occurred, Employee Says" Maryland
  3. "Mall Security in the Spotlight in Wake of Shootings"
  4. "Homeland Security Details Super Bowl Safety Plan"
  5. "Training Security Officers for Better Access Management"

Homeland Security
  1. "NSA Choice is Navy Expert on Cyberwar"
  2. "DNI: Post-Snowden Surveillance Changes Hurt Security" Director of National Intelligence
  3. "Snowden Leaks Assailed in Senate Hearing on National Security"
  4. "Spy Agencies Tap Data Streaming From Phone Apps"
  5. "U.S. Lets Tech Firms Reveal More About Surveillance"

Cyber Security
  1. "Yahoo Mail Targeted in Hacking Attempt"
  2. "Wikipedia Dodges Critical Vulnerability that Could Have Let Attackers Take Over"
  3. "Security Professionals Identify IT Risks Associated With Cloud Computing"
  4. "The National Guard Takes on Hackers"
  5. "Air Force Researchers Plant Rootkit in a PLC" Programmable Logic Controller

   

 
 
 

 


Target Traces Security Breach to Stolen Vendor Credentials
ZDNet (01/30/14) Osborne, Charlie

Target spokeswoman Molly Snyder confirmed that the company's ongoing investigation into the recent data security breach has revealed that hackers were able to gain access to Target's systems by using a vendor's credentials which they had stolen. The stolen credentials could have been used by a number of different vendors to access a variety of platforms. Target has not revealed which vendor the credentials were stolen from or how they were stolen. The portal in question has had its access to Target's computer systems limited for the duration of the investigation. Two systems, a human resources Web site and a supplier database, had their access restricted following the discovery of the hack, but Target has stated that the system used by the hackers was not related to payment areas. As yet, the investigation has not determined how the hackers were able to move into Target's point-of-sale devices from an unrelated platform. Target, the FBI, and the Secret Service are still trying to identify those behind the attack.


Columbia Mall Gunman Was Known in Store Where Killings Occurred, Employee Says
Washington Post (01/28/14) Bui, Lynh; Zapotosky, Matt

An employee at the Maryland skateboarder shop where two people were shot and killed on Jan. 25 says that the gunman was a regular at the Mall in Columbia, where the shop is located, and occasionally visited the store itself. Quy Vo, who had been scheduled to work at Zumiez the day of the shootings, said gunman Darion Aguilar did not display any unusual behavior while in the shop, nor did he have any strange interactions with employees Brianna Benlolo and Tyler Johnson, both of whom were killed in the shootings before Aguilar killed himself. Vo says Benlolo and Johnson's interactions with Aguilar amounted to nothing more than "customer greetings." Vo, like police investigating the case, was unable to say why Aguilar committed the shooting. Police are in the process of analyzing Aguilar's financial records, a computer taken from his home, and his cell phone in an effort to find clues that could shed some light on the cause of the shooting. However, entries in Aguilar's journal indicated that he may have been having mental health issues. The journal does not indicate that Aguilar knew either of his victims.


Mall Security in the Spotlight in Wake of Shootings
Baltimore Sun (MD) (01/28/14) Marbella, Jean

Security at malls nationwide has been in the spotlight following the Jan. 25 shootings at The Mall in Columbia. Shopping centers nationwide employ a sophisticated and unobtrusive security apparatus designed to prepare employees to handle adverse events such as shootings. These security measures are designed to ensure that customers are protected while not being so overt that they intrude on the appeal of the mall experience. For example, off-hours drills and training are held at some malls to familiarize employees with procedures to follow in the event of a shooting or some other type of disaster, while surveillance cameras are used to capture potentially suspicious behavior and individuals in real time. Officials at the Columbia mall credited the "active shooter" drills run by police with the well-handled response to the shooting. Security consultant Joseph LaRocca noted that in addition to training employees and installing sophisticated camera systems, malls also have both uniformed and plain clothes security guards patrolling corridors and parking lots, along with off-duty police officers. But some say that preventing mall shootings is difficult if not impossible even with all of these security measures. William Nesbitt, the president of Security Management Services International, said one problem with preventing or handling mall shooters is that "there doesn't seem to be one profile -- maybe they want to commit suicide, or capture the news of the day."


Homeland Security Details Super Bowl Safety Plan
WSBT 22 (South Bend, IN) (01/28/14) Perez, Evan

The Department of Homeland Security has revealed that it will be deploying more air marshals and behavioral detection officers as part of the effort to help New Jersey and New York police secure the Super Bowl at Met Life Stadium. The location presents several security challenges, given its proximity to a major airport and commuter train lines, particularly since many of those who plan on attending the event will be using mass transit to reach and leave the venue. Other security measures will include random baggage checks and the deployment of radiological detection teams in the nearby transit hubs. Homeland Security officials say that federal agencies including the FBI and the Transportation Security Administration will deploy hundreds of employees to help the New York and New Jersey police in the security effort. According to a TSA spokesman, the agency will deploy its Visible Intermodal Prevention and Response (VIPR) teams at train stations beginning Wednesday, when they will start conducting random baggage checks, and will be adding equipment and opening additional screening lanes at Newark Liberty International Airport to handle the increased number of people traveling to attend the game. Other security measures will be implemented by the Coast Guard, Customs and Border Patrol, and Immigration and Customs Enforcement.


Training Security Officers for Better Access Management
Security Magazine (01/14) P. 40 Toben, Ami

Enterprise security leaders should provide their security officers with training on how to effectively manage access to their buildings, since doing so can help officers better identify potential security threats. Such training should focus on a number of key points, including monitoring individuals who are attempting to access the building as soon as possible and from as far away as possible and continuing to monitor the person until he has reached his intended access point. Monitoring should focus on identifying signs in the person's appearance or body language, such as the presence of bulky items inside pockets or nervous behavior, that could be indicative of a potential threat. However, security officers should be reminded during their training that appearance and body language need to be evaluated in the context of the individual's environment before they make a determination that a person is indeed suspicious. Security officers should be trained to ask disarming questions to any individual that they determine to be suspicious. These questions, which may seem irrelevant to the person trying to enter the building, serve to help security officers identify behavioral inconsistencies like unusual nervousness. Finally, security officers should be trained on how to identify fraudulent IDs, since the use of fake identification could be an indication that a person is a potential security threat.




NSA Choice is Navy Expert on Cyberwar
New York Times (01/31/14) Sanger, David E. ; Shanker, Thom

Defense Secretary Chuck Hagel announced Thursday that Vice Adm. Michael S. Rogers, the head of the U.S. Navy's Fleet Cyber Command, is President Obama's nominee for director of the National Security Agency (NSA). Rogers is considered to be an expert on cyberwarfare, as he is responsible for all of the Navy's cyberwarfare efforts in his current role. Rogers' resume also includes a stint as a member of the military's Joint Staff in the early 2000s, where he specialized in cyberwarfare. In addition to being seen as highly knowledgeable about the use of cyberattacks in warfare, Rogers is also considered by at least one senior military officer to be adept at connecting seemingly unrelated pieces of intelligence to form a cohesive whole. Rogers has experience in this area as well, having served as the director of intelligence for the military's Pacific Command and as the director of intelligence for the Joint Chiefs of Staff. But Rogers is likely to face challenges that he has not had to deal with in his military career should he win Senate confirmation, including facing the type of intense criticism that is likely to come with heading an agency that has been criticized for engaging in surveillance that is seen by some as being overly intrusive and perhaps unconstitutional. Rogers will also have to decide how to carry out the reforms of NSA surveillance that were announced by Obama on Jan. 17.


DNI: Post-Snowden Surveillance Changes Hurt Security
Politico (01/29/14) Gerstein, Josh

The changes to the National Security Agency's telephone metadata collection program that have been ordered by President Obama will make it more difficult for intelligence agencies to track terrorists, Director of National Intelligence James Clapper said in his Senate testimony on Wednesday. “Hopefully, we can minimize the threat as we make these modifications and alterations, but … we are — in toto — going to certainly have less capacity than we had in the past,” he said. Clapper did not provide a specific risk analysis of the changes, but said that they, along with budget cuts and the information leaked by Edward Snowden, would make the intelligence community's job harder. Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.), who has been less critical of the White House's proposed changes to intelligence programs than other committee members, echoed concerns voiced by Sen. John Rockefeller (D-W.Va.) about proposed changes to intelligence gathering that would have the private sector store telecom data instead of the government. “Practically, we do not have the technical capacity to do this,” Rockefeller said of the change.


Snowden Leaks Assailed in Senate Hearing on National Security
Wall Street Journal (01/29/14) Gorman, Siobhan

In his Senate testimony on Jan. 29, Director of National Intelligence James Clapper said that former National Security Agency (NSA) contractor Edward Snowden had made America "less safe" by leaking information on the NSA's surveillance programs. He also called for the return of the leaked documents. According to Clapper, terrorists are "going to school" on those documents, which he said were stolen in "the most damaging theft of intelligence information" in the nation's history. Sen. Ron Wyden (D-Ore.) responded to Clapper's testimony, saying that the intelligence community had misled the public for "years" about the nature of its surveillance activities. He additionally pushed Clapper and other intelligence officials to set deadlines for answers on whether Americans' communications had been searched without a warrant. Sen. Wyden's attack on Clapper was not unexpected, as Clapper told Wyden at a hearing last year that the NSA does not collect "any type of data at all on millions or hundreds of millions of Americans." That assertion was later found to be not true. Clapper's aides say that he was not speaking on the NSA's telephone metadata collection program when answering that question.


Spy Agencies Tap Data Streaming From Phone Apps
New York Times (01/28/14) Glanz, James; Larson, Jeff; Lehren, Andrew W.

Dozens of documents released by Edward Snowden indicate that the National Security Agency (NSA) and the U.K.'s Government Communications Headquarters (GCHQ) are capable of collecting data from smartphone apps without the cooperation or knowledge of the companies that distribute them. The documents do not clearly spell out the scale and specifics of the data collection effort, which is part of a program called "the mobile surge." However, the documents note that both NSA and GCHQ regularly obtain information from certain apps, particularly early cell phone apps. One of the mobile apps that the two agencies are particularly interested in is Google Maps, which can provide information about a user's precise location. The documents also note that NSA and GCHQ have the ability to collect user data from newer apps, such as Angry Birds, but it is not clear whether the two agencies have actually done so. Any data collected from mobile apps, which can include the user's age, sex, and household income, is compared with lists of intelligence targets maintained by NSA and GCHQ. The agencies also reportedly mine streams of data generated by smartphone apps for new information. The documents do not explicitly state why such information would be useful for intelligence purposes. GCHQ responded to the release of the documents by saying that all of its activities are legal, while NSA said it does not profile everyday Americans.


U.S. Lets Tech Firms Reveal More About Surveillance
Washington Post (01/28/14) P. A1 Timberg, Craig; Goldman, Adam

Officials with the Justice Department announced Monday that tech firms will now be allowed to publicize broad numerical descriptions of the number of requests for customer information made by the federal government and the Foreign Intelligence Surveillance Court (FISC). The Justice Department notes that tech companies will be allowed to report the number of national security letters and FISC requests they receive in a range from zero to 999. The combined number of national security letters and FISC requests can be reported in a range from zero to 249. Though the change in policy is seen by some as a small victory for the tech companies who had fought for the right to disclose more information about their compliance with government surveillance requests, both these companies and privacy advocates have stated that the concessions are not extensive enough to provide adequate or reliable information on the extent of the government's access to private customer information. The new policy was explained in a letter written by Deputy Attorney General James Cole to the five companies that filed legal action at the FISC asking for more transparency about government data requests. Apple was the first company to use the new rules when it disclosed how many national security letters it had received in the first six months of 2013.




Yahoo Mail Targeted in Hacking Attempt
BBC News (01/31/14)

Yahoo has reported a hacking attempt against the e-mail accounts of an untold number of its customers. Yahoo says its investigation into the attack shows that malicious computer software used a list of usernames and passwords taken from a third-party database to access the accounts. The attackers are believed to have been after the names and e-mail addresses of the recipients of messages recently sent by the owners of the affected accounts. It is unclear when the attack took place. The company went on to say that it does not know who was behind the hack, but that it is working with law enforcement to find out. Yahoo says that passwords for affected accounts have been reset and users must undergo an additional verification step when they sign in. The company said it is undertaking unspecified "additional measures" to block future attacks against its systems.


Wikipedia Dodges Critical Vulnerability that Could Have Let Attackers Take Over
Network World (01/29/14) Messmer, Ellen

The Wikimedia Foundation and Check Point recently announced the discovery of a vulnerability in the open source Web platform that runs Wikipedia and numerous other Wiki sites. Check Point's Patrick Wheeler says the vulnerability was a remote-code execution flaw that could have allowed an attacker to seize control of any MediaWiki website. Attackers could then have uploaded malicious code, turning Wikipedia and other Wikimedia sites into vectors for malware. Check Point says the vulnerability was patched within 45 minutes of being discovered and Wikimedia, which operates Wikipedia, released the patch to the public on Jan. 29. Trustwave's Sonatype CEO Wayne Jackson says such vulnerabilities in open source software can be especially dangerous because of how freely and widely used open source code can be. He points to a vulnerability discovered last year in the open source Apache Struts application framework, which had to be patched out of the products of several companies, including Cisco.


Security Professionals Identify IT Risks Associated With Cloud Computing
Network World (01/28/14) Oltsik, Jon

ESG recently surveyed 211 enterprise security professionals about what they saw as the biggest security risks associated with using cloud infrastructure services. One third of respondents pointed to a lack of control over the security of cloud resources being used internally as the biggest issue, while 31 percent identified privacy concerns associated with storing or processing sensitive or regulated data with cloud providers as their biggest concern. Another 29 percent identified the lack of visibility into cloud providers' security as a major risk, and 28 percent pointed to the risk of a security breach that might compromise the cloud provider's own infrastructure. Other concerns cited by enterprise security professionals included cloud providers having poor security practices and the risk of a network breach between internal networks and cloud providers. The respondents' answers imply there is a great deal of concern about and interest in visibility and control, suggesting a need for security tools that can extend external security controllers into the cloud. Also implied is a lack of confidence in the security competence of many cloud providers.


The National Guard Takes on Hackers
Stateline.org (01/28/14) Maynard, Melissa

Governors, legislators, and other organizations are increasingly pushing to use the National Guard to help address the issue of cybersecurity. In a recent State of the States speech, Colorado Gov. John Hickenlooper raised the issue, saying "as the nation develops resiliency to cyberattacks, the Guard should be mobilized to support federal and state efforts to protect networks and respond to incidents." The National Defense Authorization Act, signed by President Barack Obama on Dec. 16, 2013, includes provisions requiring the Defense Department to assess the cybersecurity capabilities of the Guard and consult with governors to help understand the states' cybersecurity needs and what role the Guard can play in meeting them. The Cyber Warrior Act, a bill introduced by eight U.S. senators last March, would have established "cybersecurity civil support teams" within the Guard that could be called up by governors as needed. Several states already have found roles for the Guard in bolstering their cybersecurity posture, beginning with Washington, which created Guard units centered around cybersecurity after realizing that many of its Guard members also worked for companies such as Google, Verizon, and Microsoft. Other states that have created cybersecurity-focused Guard units include Missouri, Maryland, Delaware, Utah, and Rhode Island.


Air Force Researchers Plant Rootkit in a PLC
Dark Reading (01/27/14) Higgins, Kelly Jackson

Researchers at the U.S. Air Force Institute of Technology's Center for Cyberspace Research have demonstrated a prototype rootkit capable of infiltrating the firmware and corrupting the operations of programmable logic controllers (PLCs), which are used in many different sectors to operate industrial and other machinery. Center director Jonathan Butts says he and fellow researcher Stephen Dunlap did not exploit bugs to insinuate their code into PLCs. "We just used methods to code the system up where you take advantage of and embed your own malicious software to run on top of the firmware," he says. The rootkit had two payloads: one that would make the PLC shut down seemingly at random and another that would permanently brick the device so that it would have to be replaced. The researchers say they were able to develop the rootkit in less than four months and for a cost of about $2,000. Butts says the rootkit could infect a PLC through a malicious firmware update or via an infected USB drive connected to the PLC via a laptop. Butts and Dunlap suggest that vendors, integrators, and operators can all take steps to improve the security of PLCs.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

