| Credit-Card Industry Ramps Up Security Efforts Wall Street Journal (09/05/14) Sidel, Robin In response to a rash of data breaches at major U.S. retailers, the credit-card industry is accelerating efforts to keep sensitive customer information out of the hands of merchants. Visa and MasterCard are rolling out technology that replaces cardholder information such as account numbers and expiration dates with a unique series of numbers that validates the customer's identity. Called "tokenization," the new technology can be used for online transactions, payments made in a physical store with a smartphone, and with merchant applications that consumers load onto a smartphone. By getting rid of the sensitive card information, banks and merchants can leave hackers with nothing of value to steal if they break into their computer servers. "There is a recognition that we all need to evolve the payment standards to embrace what is going on around us," says Jim McCarthy, Visa's global head of innovation and strategic partnerships. Global Unrest Forces Colleges to Rethink Overseas Programs Wall Street Journal (08/30/14) Vilensky, Mike Amid conflict and tumult around the world, U.S. higher-education institutions are facing difficult choices about where—and whether—to send their students abroad this fall. "The challenge is if you want no risk you'd never leave the country," says Michael Chertoff, a former U.S. Secretary of Homeland Security who is now a risk-management consultant. "And even here, frankly, you can't abolish risk on campus." Some schools have canceled multiple programs. New York University suspended fall semester courses in Tel Aviv and Ghana because of violence in the Mideast and the Ebola outbreak in Africa. "We understood that the possibility of any of our students contracting Ebola in Ghana was very low," said John Beckman, an NYU spokesman. "However, after extensive consultations, including with colleagues and medical professionals in Ghana and New York, we were not confident that we could have provided the kind of experience students have come to expect." Richard Joel, the president of New York City-based Yeshiva University, criticized schools that are canceling courses in Israel. "People go running for cover because risk managers are saying 'don't do it,' but in running an academic institution…there has to be a point where principle trumps interest," he said in an interview. The University of Massachusetts Amherst suspended student participation in Israeli study-abroad programs this fall, saying its risk-management committee took the step after considering "input and information from multiple sources, including insurance and risk-management consultants and the U.S. State Department, which recommends the deferral of any non-essential travel." Home Depot's Suspected Breach Adds Security Pressure Bloomberg (09/03/14) Townsend, Matt; Strohm, Chris A report by independent journalist Brian Krebs that a possible data breach at Home Depot could potentially be larger than the Target incursion is renewing pressure on merchants, credit card providers, and other organizations to fortify payment system security. Krebs disclosed that a huge batch of stolen credit and debit card information was posted for sale online, noting there is evidence linking the data to Home Depot stores. He says the breach may have transpired in late April or early May and could involve all 2,200 of the chain's U.S. stores. ZScaler's Michael Sutton says the incident adds credibility to the need for EMV technology, the use of which has been held back by merchants' concerns about implementation costs. "Retailers are now seeing firsthand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach," Sutton says. Krebs also raises the possibility the hackers behind the Target breach also are responsible for the Home Depot incident. Security strategist Trey Ford says the perpetrators likely took their time to steal the Home Depot card data while evading detection, noting "they are efficient, they are focused, and they manage their risk and exposure the same way a businessperson would." Tim Cook Says Apple to Add Security Alerts for iCloud Users Wall Street Journal (09/05/14) Wakabayashi, Daisuke; Yadron, Danny Apple CEO Tim Cook says his company plans to take additional steps to block hackers' access to iCloud user accounts, but claims none of the Apple IDs and passwords used to compromise celebrities' accounts this week were leaked from the company's servers. To reduce the likelihood of such leaks, Cook says Apple will inform users via email and push notifications when someone attempts to change an account password, restore iCloud data to a new device, or when a device initially logs into an account. Apple says the new system will enable users to take immediate action, such as changing the password to retake control of the account, or alerting Apple's security team. When queried about criticism that the company did not sufficiently concentrate on the security of its products, Cook cites Apple's work with a fingerprint sensor in its iPhone 5S that unlocks the phone and authorizes transactions. He also says Apple will extend use of two-factor authentication, and the company plans to aggressively push users to activate the feature in the new version of iOS, which will cover access to iCloud accounts from a mobile device. Apple says it is cooperating with law enforcement to investigate the hacking incident and identify the perpetrators. A company spokesman declined to specify the number of users' accounts that had been compromised, citing the ongoing investigation. Security Vulnerabilities on the Decline, But Risk Assessment Is Often Flawed, Says IBM PC World (08/27/14) Constantin, Lucian A new report from IBM's X-Force security division says that if current trends hold, the number of publicly-reported vulnerabilities will drop this year for the first time since 2011. Vulnerability reports have been on the rise the last two years, but factors including a shrinking number of vendors report vulnerabilities is set to bring the total number of reported vulnerabilities in at under 8,000 for 2014. More than 1,600 vendors reported vulnerabilities in 2013, but this year only 926 have done so. However, the new report notes that the decline in vulnerabilities is tempered by ongoing problems with establishing useful metrics for measuring the seriousness of a given vulnerability. Sixty-seven percent of the vulnerabilities reported in the first half of 2014 are rated as having a medium risk level by the Common Vulnerability Scoring System. However, the Heartbleed bug in OpenSSL encryption was also rated as a medium risk vulnerability. X-Force researchers say that CVSS' inability to account for the costs of upgrades and patches that helped make Heartbleed one of the most costly computer bugs in history is one of the rating system's key faults, and something other rating systems have also failed to address. 'Active Shooter' Drills Spark Raft of Legal Complaints Wall Street Journal (09/04/14) Frosch, Dan "Active shooter" drills have become increasingly common in schools and workplaces following a series of high-profile mass shootings in recent years. At least five states have put in place new laws requiring schools to carry out active shooter drills in addition to and separate from disaster preparedness drills. However, the companies and police departments that carryout these drills are increasingly finding themselves on the receiving end of legal action from employees who say the drills are too lifelike or uncontrolled, leaving participants too traumatized, and in some cases actually injured, to learn anything. One major complaint is that employees are sometimes not informed that the drills will be happening and mistake them for the real thing. A nurse at a Colorado nursing home is suing a police officer and her employer after a drill that left her so traumatized she had to quit her job. Other times the drills get out of control and people get hurt. An Ohio man filed a lawsuit after he was unexpectedly tackled by a police officer during an active shooter drill, resulting in serious injuries to his hip and shoulder. "There ends up being zero learning going on because everyone is upset that you've scared the crap out of them," former SWAT team member Greg Crane says of such shooter drills. Reviewing Lessons on School Safety Security Management (08/14) Tarallo, Mark The Columbine shooting in 1999 changed the model for responding to school shootings. Assailants now operate more like terrorists, seeking body counts and media coverage, which leaves little time for the traditional police-response model of setting up a command post. Schools are preparing for active-shooter situations in several new ways, such as response training sessions for faculty and even students. Teachers are encouraged to think of three main options during a shooting: to hide, barricade, or evacuate. Some schools focus more on the physical security of the building or facility. Miller Place Union Free School District in New York upgraded physical security several years ago, improving its ability to go into lockdown by implementing a wireless proximity card-based locking system and applying a special film to all classroom door windows. The Columbine shooting also prompted efforts to address the root causes of violence. Paul Timm, PSP, president of RETA Security, advocates a comprehensive approach to school security that includes antibullying initiatives, drug-abuse programs, and dating-violence education, as well as mental-health education. Such interventions should go hand-in-hand with physical security measures. With South Asia Push, Al-Qaida Tries to Show It Is Still Strong Wall Street Journal (09/05/14) Abi-Habib, Maria Al-Qaida this week released a video featuring its current leader, Ayman al-Zawahiri, who said that the terror group had begun operating in India and who also denounced former al-Qaida affiliate the Islamic State. The video is al-Qaida's latest salvo in its battle with IS to dominate the world of Islamist extremism and jihad, but many experts see the video as a lame retort that only shows how out of touch al-Qaida and its leaders are with the young fighters today. While expansion into India has long been a goal of international Islamist groups, Zawahiri could not contrast more poorly with IS' leader and self appointed caliph, Abu Backr al-Baghdadi. Zawahiri, who inherited command of al-Qaida after the death of Osama bin Laden, has released statements infrequently and is believed to be in hiding in Pakistan, while al-Baghdadi operates openly on the ground in Iraq and Syria, even giving public speeches. While IS has succeeded in siphoning off members from al-Qaida's Syrian affiliate, it has not had as much success drawing recruits from al-Qaida's other regional franchises, in part because they disagree with IS' methods, particularly the fact that they kill other Muslims. In his video Zawahiri said IS, "should respect Muslim blood and properties and not kill them." In Interviews, 3 Americans Held in North Korea Plead for U.S. Help New York Times (09/02/14) Sang-Hun, Choe North Korea on Monday granted crews from CNN and the Associated Press interviews with three Americans who are being held by the communist country, which is using them as leverage to bring Washington to the table diplomatically. The prisoners were Kenneth Bae, Jeffrey Edward Fowle, and Matthew Todd Miller. Bae, 46, is a Christian missionary who was arrested in 2012 for attempting to set up a proselytizing network in North Korea. Fowle, 56, was arrested in April after leaving a Bible behind in a hotel room, while North Korean officials claim that Miller, 24, attempted to defect after entering the North on a tourist visa in April. The three prisoners were all interviewed together and gave what appeared to be coached statements, claiming that they had been treated fairly by the North Koreans and asking the U.S. government to send a diplomatic envoy to negotiate their releases. This latter statement is seen as a demand from the North Korean government meant to initiate diplomatic relations with the U.S., which has no diplomatic presence in North Korea. The North reportedly wants to negotiate a formal peace treaty to end the Korean War, which technically remains underway after more than half a century. Coalition Emerges to Battle Islamic State Militants Wall Street Journal (09/05/14) Nissenbaum, Dion; Meichtry, Stacy American allies say they will help form an international military coalition to fight a growing threat from Islamic State militants. U.S. officials are urging members of the North Atlantic Treaty Organization to adopt a strategy that includes providing more arms to Kurdish forces fighting the Islamist insurgents in northern Iraq. The American plan also entails choking off the financial resources the militants rely on to pay their fighters, curbing the flow of foreign extremists and backing Arab forces capable of battling Islamic State. President Barack Obama's push represents the most ambitious U.S. effort to create an international coalition to combat an extremist threat since President George W. Bush enlisted dozens of nations to fight al Qaeda and its Taliban allies in Afghanistan after the Sept. 11, 2001, attacks. U.S. officials say they are expecting key NATO allies—including the U.K., France and Australia—to commit to the broader fight on Friday. One European diplomat, however, says NATO itself shouldn't have a direct role in any military operations in Iraq. Instead the alliance is likely to be called upon to help coordinate efforts to deliver humanitarian aid and enforce controls along Iraq's porous borders. "NATO's role isn't operational [in Iraq]. It's a role of assistance," the diplomat says. Obama administration officials say they are not expecting NATO allies to immediately take part in airstrikes the U.S. has been conducting against Islamic State forces in Iraq. The initial coalition effort is expected to focus on Islamic State forces in Iraq, because Syria's civil war has fractured the country. U.S. officials have said that the threat of the group can't be eradicated without targeting its strongholds in Syria, but it is unclear if American allies can be persuaded to eventually expand the effort into Syria. Hackers Breach Security of HealthCare.gov New York Times (09/05/14) P. A18 Pear, Robert; Perlroth, Nicole Hackers were able to breach security at HealthCare.gov, the website for the government’s health-insurance marketplace, but no consumer information appears to have been stolen, Obama administration officials reported Thursday. The administration described the hack to Congress as “an intrusion on a test server” supporting the website, and that the website itself was not the target. Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which runs the website, said that the test server should not have been connected to the Internet, its default manufacturer password had not been changed, and it had not been subject to regular security scans. Hackers had downloaded malicious software onto a test server of HealthCare.gov as part of a broader denial-of-service attack meant to disable other websites, as well. Cybersecurity Threats Demand Small-Bank Directors' Attention American Banker (08/28/14) Stewart, Jackie With data breaches against retailers and other companies on the rise, community bank directors are becoming more involved in cybersecurity matters. However, experts say boards need to focus on governance as it relates to cybersecurity, rather than get involved in decision making. Sage Data Security founder Sari Stern Greene says, "The foundation of the bank-customer relationship is trust. It is the responsibility of the institution to honor that trust and that emanates from the top." Greene says directors could learn about ransomware trojans, for instance, then ask management questions about preparedness, and they should ensure the bank tests its security and reviews its policies on an annual basis. With regulators calling on banks to increase their oversight of third-party lenders, directors also should ensure contracts with third parties protect the bank in the event of a breach and perform due diligence on the subcontractors used by their vendors. At the $1.6 billion-asset Northwest Financial in Arnolds Park, Iowa, for instance, directors are given quarterly updates on technology projects and engage in big-picture discussions about security. Data Breaches in the Cloud: Who's Responsible? Government Technology (08/25/14) Hughes, Jessica A report by the Ponemon Institute about the security of cloud storage and services demonstrates what chairman Larry Ponemon calls the cloud multiplier effect, a combination of factors that lead many security professionals to view the cloud as less secure than it is. More than 600 IT security practitioners were polled for the study, 66 percent of whom said their organization's use of cloud resources impairs the protection and security of sensitive information. Sixty-two percent said the cloud services used by their organizations were not being thoroughly vetted, often because the acquisition of those services was done outside of IT's purview. More than 70 percent said they would not receive immediate notifications if their data were lost or stolen. However, just over half believed on-premise security is only just as good, if not worse, than that in the cloud. Although Ponemon and several governments CIOs say the cloud can be very secure, organizations have to take responsibility for carefully vetting cloud providers and making provisions to audit the data they have stored in the cloud. These measures are best practices followed by several states and municipalities, but they have been slower to take hold in the private sector. 10 Common Software Security Design Flaws Dark Reading (08/27/14) Higgins, Kelly Jackson The IEEE Center for Secure Design has published a report on the 10 most common software security design flaws and how to correct them. The report was drawn from a workshop session earlier this year attended by security experts from a variety of companies and organizations, including Google, Twitter, and Harvard University, and is part of an industry-wide recognition that security issues need to be addressed in the design and development phase and that security must be addressed on its own, not as part of the bug-testing process. Among the most common security design flaws were failures to properly use encryption and weak authentication, as well as flaws that leave software vulnerable to cross-site scripting attacks. Recommendations for addressing such flaws include strong authentication and cryptography, properly separating data and control instructions, strong data validation, and identifying and properly handling sensitive data. Twitter already has adopted an internal development document based on the new report according to Neil Daswani, a member of Twitter's security engineering team. Some of the measures adopted in the new document include using a certain number of templating frameworks to reduce software's vulnerability to cross-site scripting. Is the Open Floor Plan Trend a Data Security Headache? CSO Online (08/25/14) Ponemon, Larry Although proponents of open office floor plans say these setups can help encourage collaboration among employees, completely eliminating cubicles and individual offices also can create security risks, writes Ponemon Institute chairman Larry Ponemon. Among them is the potential for vendors, third parties, or malicious employees to view or capture sensitive information they see on computer screens, a behavior known as visual hacking. This also can include malicious individuals seeing employees entering login credentials, and can be facilitated by technologies such as smartphone cameras and Google Glass. Ponemon says organizations that still want to use open floor plans but also wish to mitigate this threat have several options, including using traditional privacy filters on computer screens along with software that blurs the screen when it detects someone behind the user or when the user looks away. Another potential threat stemming from the use of open office floor plans is the theft of laptops and other devices containing sensitive data. However, organizations with open office floor plans can protect themselves from such theft by using security cables on laptops to ensure they cannot be taken from employee workstations. In addition, laptops, tablets, and smartphones should be equipped with remote wiping tools that can be used to delete data in the event they are stolen. Abstracts Copyright © 2014 Information, Inc. Bethesda, MD |
No comments:
Post a Comment