Friday, August 22, 2014

Security Management Weekly - August 22, 2014

header

  Learn more! ->   sm professional  

August 22, 2014
 
 
Corporate Security
  1. "Islamic State Claims it Executed American Photojournalist James Foley"
  2. "Macy's to Pay $650,000 in Shopper-Profiling Probe"
  3. "Jury to Decide if Cinemark Liable for Aurora Shootings"
  4. "OSHA is Cracking Down on Workplace Violence. Are You at Risk?" Occupational Safety and Health Administration
  5. "IRS Failed to Do Background Checks on Contractors"

Homeland Security
  1. "U.S. General Says Raiding Syria is Key to Halting ISIS" Islamic State of Iraq and Syria
  2. "National Guard is Pulling Out of Ferguson as Tensions Ease"
  3. "ISIS Demanded Ransom From U.S. Before Killing Reporter" Islamic State of Iraq and Syria
  4. "U.K. and U.S. Scramble to Identify Executioner in James Foley Video"
  5. "Cities Rocked by Past Unrest Offer Lessons in What, and What Not, to Do"

Cyber Security
  1. "JPMorgan Customers Targeted in Email Phishing Campaign"
  2. "UPS Now Third Company in a Week to Disclose Data Breach"
  3. "NIST Vetting Guide Helps in Testing Mobile Apps to Learn What They Really Do" National Institute of Standards and Technology
  4. "Cybersecurity: What Every Board Must Know"
  5. "Chinese Hackers Steal 4.5 Million Patients’ Data"

   

 
 
 

 


Islamic State Claims it Executed American Photojournalist James Foley
Washington Post (08/20/14) DeYoung, Karen; Goldman, Adam

The Islamic State on Tuesday posted a video on YouTube that indicated that photojournalist James Foley had been beheaded. The video shows a masked Islamic State militant and a man who purportedly is Foley, who was working for the news Web site GlobalPost when he was kidnapped in Syria on Thanksgiving 2012. The militant who appears in the video identifies Foley by name, brandishes a large knife, and then begins to behead the man before the screen fades to black. A body with a head on its chest is then shown. U.S. officials are trying to verify that the man in the video is indeed Foley, while officials in Europe are trying to identify the militant. Officials are comparing the British-accented speech of the militant to that of Britons who are known to have traveled to the Middle East to fight with the Islamic State. The Islamic State says that it executed Foley in retaliation for U.S. airstrikes in Iraq. The video hints that other kidnapped journalists could be executed next. After purportedly executing Foley, the masked man in the video appears again with kidnapped journalist Steve J. Sotloff and says that his life depends on President Obama's "next decision." At least one other journalist is also believed to be a captive in Syria.


Macy's to Pay $650,000 in Shopper-Profiling Probe
Associated Press (08/20/14)

Macy's will pay $650,000 to settle allegations of racial profiling at its flagship store in Manhattan's Herald Square, under an agreement signed Tuesday with New York Attorney General Eric Schneiderman. The retailer also has agreed to adopt new policies regarding police access to its security camera monitors and profiling, and will further train employees, investigate customer complaints, keep better records of detentions, and report for three years on its compliance. Macy's also must publicly post "customers' bill of rights" in English and Spanish in all its New York stores and on the Macy's Web site. Schneiderman said the settlement is meant to ensure that Macy's customers are treated equally regardless of race or ethnicity. The attorney general's Civil Rights Bureau opened an investigation into Macy's last year, after receiving several complaints from minority customers who claimed that they had been apprehended and detained at Macy's stores, when they had not stolen or attempted to steal any merchandise.


Jury to Decide if Cinemark Liable for Aurora Shootings
Wall Street Journal (08/18/14) Schwartzel, Erich

Judge R. Brooke Jackson of U.S. District Court in Colorado has ruled that a jury will decide whether movie-theater operator Cinemark Holdings is liable for the deaths of 12 moviegoers in the July 2012 shooting spree at its multiplex in Aurora, Colo. Cinemark sought to have the suit dismissed, arguing that the attack, in which James Holmes allegedly opened fire on a crowded theater, was so unprecedented that managers and security personnel could not have anticipated it. Jackson wrote in a decision Aug. 15 that he was "not convinced" by that argument, partly because recent mass shootings should have made theater owners aware that such incidents could take place on their properties as well. Attorneys provided evidence that Cinemark should have known or did know about the threat of a shooting, including a Department of Homeland Security briefing on theater security and the company's own security protocol. On the night of the "Dark Knight Rises" opening, when the shooting took place, 80 of Cinemark's theaters hired off-duty policemen or security personnel, but the Aurora location was not one of them.


OSHA is Cracking Down on Workplace Violence. Are You at Risk?
Safety.BLR.com (08/18/2014)

Although the Occupational Safety and Health Administration (OSHA) does not have a specific workplace violence standard, it recently cited two employers for failing to protect their workers from threats and assaults. OSHA reports that delivery drivers, healthcare professionals, public-service workers, customer-service employees, and law-enforcement employees are at higher risk for workplace violence. Risk factors include exchanging money with the public; working with volatile, unstable people; working in isolated conditions or late at night; and working in areas with high crime rates or where alcohol is served. OSHA recommends that organizations protect employees from workplace violence by using administrative controls, such as job site hazard assessments and incident reviews; engineering controls, such as panic alarm systems and protective barriers; personal protective equipment, such as personal alarm systems for staff; and training that includes workplace violence prevention and stress management, as well as post-incident services.


IRS Failed to Do Background Checks on Contractors
Associated Press (08/15/14) Ohlemacher, Stephen

A report by the Treasury Department's inspector general for tax administration finds that the IRS failed to conduct background checks on some private contractors who handled confidential taxpayer information. In one case, a printing contractor received a computer disk with names, addresses, and Social Security numbers of 1.4 million taxpayers, though the contractor's employees who worked on the project were not required to undergo background checks. In another incident, the IRS used a courier who spent 21 years in prison on arson and other charges to transport sensitive documents. Other cases involved contractors who were not required to sign agreements not to disclose sensitive information. The report did not look into whether any information was stolen. The IRS maintains that it is committed to doing background checks on all contractors. Further, it has implemented guidance that ensures contractors submit non-disclosure agreements.




U.S. General Says Raiding Syria is Key to Halting ISIS
New York Times (08/22/14) P. A1 Gordon, Michael R.; Cooper, Helene

During a Pentagon press conference with Defense Secretary Chuck Hagel on Thursday, Joint Chiefs of Staff Chairman Gen. Martin Dempsey said that truly defeating the Islamic State (IS) will require action by the U.S. or its allies against the group in Syria. U.S. airstrikes have helped to roll back gains made by the militant Islamist group in recent weeks, but Hagel told reporters that he expects IS to regroup and attempt to launch another offensive. However, despite tough rhetoric from the Obama administration in the wake of the beheading of an American journalist by IS in retaliation for U.S. airstrikes, the U.S. military mission against the group seems like it will remain confined to support for Iraqi and Kurdish forces in Iraq for the time being. Dempsey's comments, however, highlight the fact that fighting the group only in Iraq will not lead to their ultimate defeat, and were remarkable coming from one of the military advisers who most strongly argued against U.S. military intervention in Syria when that country's civil war first broke out. For now, it seems the administration is focused on supporting the formation of a new Iraqi government that may be able to rally support from local communities to help repel the militants.


National Guard is Pulling Out of Ferguson as Tensions Ease
New York Times (08/22/14) P. A1 Bosman, Julie; Apuzzo, Matt; Santora, Marc

Missouri Gov. Jay Nixon on Thursday said that he would begin withdrawing Missouri National Guard troops from Ferguson in what many took to be a sign that tensions were easing in the St. Louis suburb after nearly two full weeks of protests. The national guard has been in Ferguson since Monday, when it was deployed to defend a police command post in the city. The withdrawal comes as the unrest seems to be ebbing. Only seven arrests were reported Wednesday night and protests proceeded peacefully without any efforts instigate confrontations with the police. Separately, St. Louis police hastened this week to release a cell phone video that purportedly supports the police account of the shooting death of Kajieme Powell in St. Louis at the hands of officers earlier in the week. The release of the video was seen as an attempt to head of public frustration that accompanied police silence following the death of Michael Brown in Ferguson.


ISIS Demanded Ransom From U.S. Before Killing Reporter
New York Times (08/21/14) Callimachi, Rukmini

The recent execution of American journalist James Foley by Islamic State militants in Syria has raised questions about how governments around the world are responding to demands made by terrorist groups who kidnap civilians. In Foley's case, the Islamic State reportedly demanded a $100 million ransom in exchange for his release. The Islamic State is also threatening to kill at least three other hostages, including journalist Steven J. Sotloff, if it does not receive ransom payments. In addition, the group wants several prisoners, one of whom is being held in the U.S. and has ties to al-Qaida, to be released. However, both the U.S. and the U.K.--whose citizens are also being held hostage by the Islamic State--have policies of not paying ransoms or making concessions to terrorist groups. Officials in both countries believe that giving into terrorists' demands and paying ransoms only serves to encourage more kidnappings, though their counterparts in several European countries are in favor of paying ransoms and have recently done so. However, Washington's policy on dealing with terrorists also means that most Americans who are kidnapped by militants are killed. The differing approaches Western governments are taking to responding to kidnappings is being criticized by journalist David Rohde, who himself was kidnapped by the Taliban. Rohde notes that the lack of uniformity in dealing with terrorist groups' demands may have cost Foley his life.


U.K. and U.S. Scramble to Identify Executioner in James Foley Video
Wall Street Journal (08/21/14) Coker, Margaret; Winning, Nicholas

U.S. and U.K. officials are working to determine the identity of the Islamic State (IS) militant who delivered an anti-U.S. rant in British-accented English before beheading photojournalist James Foley in a video released by the militant group. Prime Minister David Cameron said Wednesday "it looks increasingly likely that it is a British citizen." Security officials in both the U.S. and U.K. are reportedly scouring the beheading video and others released by IS for clues to the identity of the suspected killer and comparing them with information on known British jihadists. The head of the London police force, which is one of the U.K.'s primary anti-terrorism forces, said that either the U.K. or the U.S. will attempt to pursue the IS militant in the video if it is determined that he is a British citizen. The roughly 400 British Muslims suspected of fighting with jihadist groups in Syria and Iraq have become a major source of concern in the U.K., especially the younger, recently radicalized ones who are much harder to trace due to their lack of criminal records and proficiency at covering their digital tracks.


Cities Rocked by Past Unrest Offer Lessons in What, and What Not, to Do
New York Times (08/19/14) P. A1 Wines, Michael; Goode, Erica

The civil unrest in Ferguson, Mo., has entered its ninth day, prompting efforts by the Missouri National Guard and even the White House to restore peace. Many other U.S. cities have seen riots triggered by the fatal shooting of unarmed black men by police officers, but few of these protests have been as resistant to resolution as the Ferguson riots against the death of Michael Brown, who was shot by white police officer Darren Wilson. Although large mobilizations of police or National Guard forces have helped calm civil unrest in the past, studies of riots in Cincinnati, Oakland, Calif., and Los Angeles have demonstrated that the prompt, rapid release of information and partnering with religious and civic leaders are even more important to the cessation of violence. Critics say that Ferguson officials have made matters worse by issuing contradictory statements, declining to release details about the shooting, and sending out police units with military-style equipment. Other experts say that Ferguson officials are at a disadvantage because the suburb lacks much of the social infrastructure that larger cities have been able to use to restore calm in the past.




JPMorgan Customers Targeted in Email Phishing Campaign
Reuters (08/21/14) Finkle, Jim; Damouni, Nadia

Cybercriminals believed to be based in Eastern Europe have a launched an attack that combines phishing e-mails and the use of malware to steal login credentials for a number of online banking sites, including those of JPMorgan Chase, Bank of America, and Citigroup. The phishing e-mails were sent out to a large number of people in the hope that some of them might be JPMorgan Chase customers, and they contain JPMorgan's logo and a message urging recipients to click on a link to view a secure message from the bank. Users who click on that link are asked to enter their login credentials for JPMorgan's online banking site, and their computers are also infected with the Dyre banking Trojan. Dyre then attempts to steal login credentials of the other banks.


UPS Now Third Company in a Week to Disclose Data Breach
Computerworld (08/20/14) Vijayan, Jaikumar

UPS disclosed that law enforcement officials recently alerted it to a "broad-based malware intrusion" that may have compromised credit and debit card data for customers who did business at 51 UPS Store outlets in 24 states this year. A subsequent probe by an IT security company confirmed hackers had installed previously unknown malware on systems in more than 48 stores to access cardholder data. The breach may have exposed data on transactions carried out at the stores between Jan. 20 and Aug. 11. "For most locations, the period of exposure to this malware began after March 26, 2014," UPS says. The affected stores represent approximately 1 percent of U.S. UPS Store locations, and UPS notes each of the stores is individually owned and operates private networks that are not linked to other outlets. The UPS intrusion is the third significant breach to be reported in the past week, following the disclosure of the Supervalu grocery chain exploit and the compromise of Community Health Systems' network. The incidents emphasize the continued vulnerability of U.S. private networks to hackers, and many businesses' lack of preparedness to address this threat.


NIST Vetting Guide Helps in Testing Mobile Apps to Learn What They Really Do
NIST News (08/20/14) Brown, Evelyn

The National Institute of Standards and Technology is seeking public comments on its new draft publication, "Technical Considerations for Vetting 3rd Party Mobile Applications." NIST's Tom Karygiannis says the new draft publication describes the ways that agencies analyze a mobile app's potential vulnerabilities and performance issues before they are approved for use. Malicious apps are a common vector for mobile malware, but apps that are not overtly malicious may create security concerns, for example by requiring unnecessary access to sensitive device information such as location data or contact lists or poorly securing the data that it does collect. Some apps also may simply not perform to the degree required by agency staff, for example by draining batteries rapidly. Karygiannis says the new draft publication does not offer a step-by-step guide to vetting mobile apps, but does offer an overview of available vetting solutions, as well as information and advice about setting up a mobile app vetting program, including an appendix that identifies and defines the various vulnerabilities specific to apps running on Android and iOS mobile devices.


Cybersecurity: What Every Board Must Know
Insurance News Net (08/19/14)

A new report from the Institute of Internal Auditors Research Foundation (IIARF) and the Information Systems Audit and Control Association (ISACA) urges boards of directors to actively take part in measuring and monitoring their organizations' cybersecurity strategies. The report, which was released at the 2014 Governance, Risk, and Control Conference, offers in-depth guidance on how corporate directors can better monitor and influence policies and practices involving cyber-risks. The guidance builds on five principles cited in a report by the National Association of Corporate Directors in conjunction with the American International Group and the Internet Security Alliance. The IIARF-ISACA report offers strategies and direction on such topics as how boards can stay abreast of legal implications, demand adequate access to cybersecurity expertise, and establish an enterprise-wide risk management network.


Chinese Hackers Steal 4.5 Million Patients’ Data
Politico (08/18/14) Allen, Arthur

Community Health Services, a hospital system that runs 206 facilities in 29 states, reported Aug. 18 that it was the victim of a cyberattack earlier this year that resulted in the theft of information belonging to 4.5 million of its patients. An investigation into the attack by the cyber forensics firm Mandiant revealed that the attack was carried out by a hacking group in China and involved the use of an advanced persistent threat and highly-sophisticated malware. The use of these techniques reportedly allowed the hackers to steal patients' Social Security numbers, birth dates, names, and other personal data in April and June. However, credit card numbers and medical information were not stolen in the attack. Community Health says it has been working with federal authorities in the aftermath of the attack to remove the malware from its systems and correct the security problem that allowed the hackers to gain access. Meanwhile, observers are speculating as to what the hackers' motives may have been. Larry Ponemon, the director of the Ponemon Institute, says the attackers may be planning to sell the stolen information on the black market. However, Ponemon also says that the Chinese government may have ordered the attack as part of an effort to damage the U.S.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments:

Post a Comment