Friday, September 04, 2015

Security Management Weekly - September 4, 2015


September 4, 2015
Corporate Security
  1. "Deadly Explosions Highlight China Workplace Dangers"
  2. "What CIOs Need to Know About the FTC Cybersecurity Ruling"
  3. "Report: Some Top Baby Monitors Lack Basic Security Features"
  4. "U.S. Agency to Seek Consensus on Security-Vulnerability Disclosures"
  5. "Employees Put Business Data at Risk by Installing Gambling Apps on Their Phones"

Homeland Security
  1. "Justice Department Changes Policy on Cellphone Surveillance"
  2. "Murder Rates Rising Sharply in Many U.S. Cities"
  3. "Coordinated Strategy Brings Obama Victory on Iran Nuclear Deal"
  4. "ISIS Damages Temple of Baal in Palmyra"
  5. "Image of a Small, Still Syrian Boy Brings Migration Crisis Into Focus"

Cyber Security
  1. "Credit-Card Fraudsters Pump Gas Stations for Profit"
  2. "White House Readying Sanctions Plan Against Chinese Firms for Cybertheft"
  3. "Web Address Explosion Is Bonanza for Cyber-Criminals: Study"
  4. "IoT Malware and Ransomware Attacks on the Incline: Intel Security"
  5. "Russian-Speaking Hackers Breach 97 Websites, Many of Them Dating Ones"

Deadly Explosions Highlight China Workplace Dangers
Wall Street Journal (09/02/15) Chen, Te-Ping

Less than a month after a deadly explosion in the Chinese city Tianjin, a Monday-night blast in Dongying is drawing further attention to the nation's workplace safety. The latest explosion killed at least five people, and the cause remains unclear. The number of workplace fatalities in China was 68,061 in 2014, or about 186 a day, government statistics show. This rate is a 2-percent decline from 2013 and a 5.4-percent decline from 2012, but many experts say that the numbers are still too high. Chinese workplaces, including coal mines and factories, have seen 39 explosions since December, according to the Hong Kong-based research group China Labour Bulletin. Concerns about workplace safety often merge with concerns about corruption. A University of Southern California study of public Chinese companies in hazardous industries found that workplace death rates in 2008-2013 were two to three times as high at companies with at least one executive who had previously held a high-level government post.

What CIOs Need to Know About the FTC Cybersecurity Ruling
Wall Street Journal (08/31/15) Raysman, Richard; Morris, Francesca

The Third U.S. Circuit Court of Appeals has ruled that the U.S. Federal Trade Commission (FTC) has authority to investigate a company whose IT systems were hacked. The commission could then charge the company with unfair trade practices for failure to protect customers from data theft. CIOs, therefore, should work to reduce a company's exposure to FTC claims, including documenting compliance with cybersecurity safety standards. Companies should have the most up-to-date, practical anti-hacking software, and also should be able to demonstrate how it protects private customer information. Potential defensive steps include compliance with the NIST Cybersecurity Framework, updating data and privacy policies, getting a report by a third-party consultant, getting a risk manager involved, and taking out cybersecurity insurance. Without the proper safety measures, organizations could suffer damage to their reputations, and could be subject to expensive fines or class-action lawsuits.

Report: Some Top Baby Monitors Lack Basic Security Features
Associated Press (09/03/15)

A new report from security firm Rapid-7 found that several of the most popular Internet-connected baby monitors currently on the market lack security functions and are vulnerable to even the most basic hacking attempts. Rapid-7 tested nine different baby monitors from companies including iBaby, Lens Laboratories Inc., Withings, Summer Infant, and WiFi Baby. The monitors ranged in price from $55 to $260. The monitors are cameras, frequently mounted above a crib, that provide parents with access to a live video of their baby. Some include other features, like motion or noise detectors that can alert parents when their baby moves or makes a noise. Rapid-7 rated the monitors on a 250-point scale, assigning each a grade between "A" and "F." Eight of the monitors received an "F," while one received a "D." "When one gets an 'F' and one gets a 'D minus,' there isn't an appreciable difference," said Rapid-7's Mark Stanislav. Vulnerabilities included failing to encrypt data from the monitor, meaning hackers could easily watch the video stream, and weak access controls that could allow hackers to take control of the monitors or use them to launch attacks on other devices connected to the home network.

U.S. Agency to Seek Consensus on Security-Vulnerability Disclosures
IDG News Service (08/30/15) Gross, Grant

Beginning in September, the U.S. National Telecommunications and Information Administration (NTIA) will host a series of meetings intended to improve collaboration between security researchers, software vendors, and IT system operators on the issue of disclosing and responding to software vulnerabilities. Public disclosure of vulnerabilities is a contentious issue: frustrated security researchers often turn to public disclosure in the name of the public good and as a way of forcing vendors to patch vulnerabilities, while vendors argue that publicly disclosing vulnerabilities gives hackers the opportunity to compromise systems before they can be patched. NTIA hopes the meetings will help the two communities come to a consensus on how best to handle vulnerability disclosure, says NTIA's Angela Simpson. "We'd like to promote collaboration, rather than antipathy, between the researcher and the vendor," Simpson says. The first of the new meeting series will be hosted by NTIA at the University of California, Berkeley, School of Law on Sept. 29. NTIA has sponsored similar multi-stakeholder meetings related to issues including mobile app privacy, drones, and facial recognition, but those efforts have produced mixed results.

Employees Put Business Data at Risk by Installing Gambling Apps on Their Phones
CIO (09/02/15) Constantin, Lucian

A recent study conducted by security firm Veracode has found that some employees at large global companies may have one or more gambling applications installed on their mobile devices, which can put corporate data stored on those devices at risk. Veracode's analysis scanned hundreds of thousands of mobile apps installed in corporate mobile environments, and found that some companies had as many as 35 mobile gambling apps on their network environment. The company additionally tested some of the most popular gambling apps it detected in corporate environments for potential security risks and found "critical vulnerabilities that could enable hackers to gain access to a phone's contacts, emails, call history, and location data, as well as to record conversations." Such security vulnerabilities included lack of encryption during back-end server communications and glitches that could grant an app unfettered access to a device, among others.

Justice Department Changes Policy on Cellphone Surveillance
Wall Street Journal (09/03/15) Barrett, Devlin

The Justice Department announced Thursday that it will add more judicial and internal supervision to its practice of tracking cellphones, a major change from its past approach. Critics have said that the department's practice invades privacy and has lacked oversight, and officials have worked to keep any details of its technology secret. Judges, lawmakers, and privacy advocates have demanded that the government explain how and why it uses cell site simulators, which mimic a cellphone tower to silently scan the phones within range. Under the changes, supervisors would be required to track the devices' use more closely, and would direct investigators to delete data on innocent Americans as soon as they locate the person they are seeking, and in any case at least once a day. Agents also must get a warrant from a judge before using the equipment, except in emergencies or exceptional situations. Agents also will be barred from using the devices to examine the content of communications, such as conversations or photos. The changes do not apply to local and state police departments, or to the Justice Department's secret operations outside the United States.

Murder Rates Rising Sharply in Many U.S. Cities
New York Times (09/01/15) Davey, Monica; Smith, Mitch

More than 30 U.S. cities have seen murder rates spike this year, in some cases after seeing record-low murder rates only last year. Milwaukee has seen 104 murders so far this year, while it saw only 86 murders in all of 2014. Similar spikes have been seen in New Orleans, Baltimore, Washington, D.C., Chicago, and New York. Murder rates remain below the levels they rose to in the 1980s and 1990s, but many are still concerned. Police officials are divided on what is causing the spike. Some say that it is the result of officers growing cautious as the mood in the country has shifted following the killing of Michael Brown in Ferguson, Mo., last year, but statisticians say the spike likely predates that event. Others blame the easy availability of guns. However, most agree about the character of the killings driving the spike: victims and perpetrators are usually young African-American men with criminal records, the killings involve guns, and seem to stem from personal disputes. These types of targeted crimes, frequently involving people who know each other, can be very hard to address through policing. One of the most notable killings in Milwaukee this year occurred at a public fireworks display in spite of a heavy police presence at the event.

Coordinated Strategy Brings Obama Victory on Iran Nuclear Deal
New York Times (09/03/15) Herszenhorn, David M.

On Wednesday, President Obama declared victory in the fight to secure American approval of the nuclear agreement the U.S. and other world powers reached with Iran earlier this year. That victory took the form of convincing enough Democrats to vote for the deal, which was accomplished through a coordinated campaign on the part of Democratic congressional leaders, the White House, and representatives of the other nations signing the deal with Iran. House Minority Leader Nancy Pelosi (D-Calif.) coordinated the congressional effort, putting pressure on House Democrats with daily endorsements of the deal and by distributing letters of support from colleagues and outside experts. The White House's efforts included setting up a Twitter account dedicated to promoting the deal. Testimony in favor of the deal from Energy Secretary Ernest J. Moniz and the former heads of Israel's intelligence and internal security agencies helped to build support for the deal. However, many Democrats say the clincher for them was a blunt message from senior diplomats representing other signatory countries like Britain, China, France, Germany, and Russia that if the U.S. chose to reject the deal, they would not return to the negotiating table nor rejoin the U.S. in imposing sanctions on Iran.

ISIS Damages Temple of Baal in Palmyra
New York Times (08/30/15) Rosen, Kenneth

Islamic State militants damaged the Temple of Baal in the ancient city of Palmyra in Syria. The Syrian Observatory for Human Rights, an activist and monitoring group based in Britain, said that Islamic State fighters had destroyed part of the nearly 2,000-year-old temple. The temple was not far from where another building, the Temple of Baalshamin, was destroyed. The Islamic State has attacked a number of historic sites, blowing up tombs and destroying statues that are forbidden by its extremist interpretation of Islam. Almost two weeks ago the militants killed Khalid al-Asaad, 83, the retired antiquities director at Palmyra.

Image of a Small, Still Syrian Boy Brings Migration Crisis Into Focus
New York Times (09/04/15) P. A1 Barnard, Anne; Shoumali, Karam

Although a migrant crisis has been building in Europe for years, public attention has been galvanized by the photo of a three-year-old boy who drowned as his family tried to cross from Turkey to Greece. Out of a family consisting of Abdullah Kurdi, his wife, and their two small sons, only Kurdi survived the crossing. The case has created a political bombshell in the Middle East and Europe, and even as far as Canada. Western nations have had to confront a collective failure to help migrants fleeing the Middle East and Africa, including 11 million Syrians displaced by more than four years of war. The boy's family had not received approval to immigrate to Canada legally, even though they had relatives there willing to support and employ them, and Canadian officials are under intense pressure to explain. Chris Alexander, Canada's citizenship and immigration minister, had promised to admit 10,000 refugees from Syria, but opposition parties say that even more should be welcomed.

Credit-Card Fraudsters Pump Gas Stations for Profit
Wall Street Journal (09/03/15) Sidel, Robin

Although many large merchants will have equipment to accept new chip-based, fraud-resistant cards by Oct. 1, the tougher guidelines do not apply to gas stations until 2017. The delay in technology adoption in this sector could exacerbate a recent surge in fraud at the pump. "The concern is that this is still a gaping hole that has not been well addressed and now there are conditions that are going to make it worse," says Javelin Strategy & Research analyst Al Pascual. Gas station fraud is being driven by easily accessible stolen credit-card data available online, and the fact that gas stations are easy targets for those making fraudulent purchases using stolen numbers because pumps are usually unattended. Law enforcement officials say skimming devices, which capture data from the magnetic stripe on customers' cards, are becoming increasingly common. In 2013, the most recent year for which information is available, the gas station industry estimates it incurred losses of $250 million due to such activities. However, the payment card industry estimates losses closer to $500 million on fuel-related fraud for that year.

White House Readying Sanctions Plan Against Chinese Firms for Cybertheft
Wall Street Journal (09/01/15) Paletta, Damian; Davis, Bob

The White House is reportedly mulling a plan to sanction major Chinese companies it believes have benefited from cybertheft targeting the intellectual property and corporate secrets of major U.S. firms. The White House has not decided definitively one way or another whether to impose the sanctions, but the process has reportedly gone on for several months and involves advanced planning by multiple agencies. People familiar with the matter say that officials expect to target about five private and state-owned enterprises. The sanctions being considered would affect the companies' access to the U.S. financial system and trade with American companies, and could hamper the ability of their executives to travel to the U.S. The plan is to keep the initial round of sanctions limited so that they could be expanded in the future depending on the Chinese reaction. "Overall what we're likely to see is something that is a shot across the bow, leaving ammunition to actually shoot down large chunks of Chinese industry if there isn't a favorable response," said Robert Knake of the Council on Foreign Relations. However, the White House is unlikely to go through with the sanctions plan in the near future, with Chinese President Xi Jinping set to meet with President Obama in Washington later this month.

Web Address Explosion Is Bonanza for Cyber-Criminals: Study
New York Times (09/01/15) Prodhan, Georgina

According to an industry study, an increase in the number of new Internet addresses has created more opportunities for criminals exploiting shady domains such as .zip, .kim, or .party. Attackers want new domains for links that lead users to download malware, divulge personal data, or spam their friends. The most dangerous top-level domains (TLDs) were .zip, .review, and .country, according to an analysis of tens of millions of websites by enterprise security company Blue Coat. ICANN, the body that manages Web identifiers, launched an initiative to expand the number of TLDs to promote competition. Originally, there were just six not including country codes: .com, .edu, .gov, .mil, .net, and .org. Organizations that want to sell new TLDs have had to pay a $185,000 fee to ICANN and demonstrate that they are capable of running a registry.

IoT Malware and Ransomware Attacks on the Incline: Intel Security
ZDNet (09/02/15) Barbaschow, Asha

Recent years have seen a rapid rise in graphics-processing-unit (GPU)-based malware and ransomware attacks, due to increased data, bigger networks, and the Internet of Things (IoT), Intel Security reports. In its five-year retrospective threat report, "McAfee Labs Threats Report: August 2015," Intel Security examined malware claims, online criminal exfiltration techniques, and the threat landscape since 2010, and compared them to researchers' expectations. The report noted that people have become dependent on many devices, such as tablets and wearables, and are willing to sacrifice security and privacy. "It is only a matter of time until IoT device threats are widespread," the report authors write, noting that hackers are not after the devices themselves, but their data or gateway capabilities. Analysis of real-world attack patterns in the second quarter of 2015 found that ransomware continued to grow rapidly, rising 58 percent. Researchers also found that, every hour, there were more than 6.7 million attempts to get customers to connect to risky URLs, and more than 19.2 million infected files were exposed to customers' networks.

Russian-Speaking Hackers Breach 97 Websites, Many of Them Dating Ones
CIO (08/30/15) Kirk, Jeremy

Russian-speaking hackers have breached 97 websites and stolen login credentials, according to analysts at Wisconsin-based Hold Security, which specializes in analyzing data breaches. Many of the compromised websites are niche dating sites similar to Ashley Madison, but some are job-related sites, Hold Security reported. Batches of stolen data were found on a server by the company's analysts, and for some reason the server was not password protected. The information includes a list of websites and their software vulnerabilities; all the websites involved were breached in a period between July 4 and last week. Many of the sites appear to have SQL injection flaws that could give hackers the ability to access other information stored in the systems. Alex Holden, Hold Security's founder and CTO, said that it does not appear that the hackers have tried to sell the data.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD