2015-04-24
April 24, 2015

Corporate Security

"Insider Threats Force Balance Between Security and Access"

"Sunset Clause on Info Sharing Bill Irks Financial Industry"

"Five Simple Steps to Protect Corporate Data"

"Obama Wants Billions to ‘Modernize’ Energy Infrastructure"

"Researcher Denied Flight After Tweet Poking United Airlines Security"

Homeland Security

"American, Italian Hostages Killed in CIA Drone Strike in January"

"China Warns North Korean Nuclear Threat Is Rising"

"Rising Toll on Migrants Leaves Europe in Crisis; 900 May Be Dead at Sea"

"In Atomic Labs Across U.S., a Race to Stop Iran"

"TSA to Face Changes, Challenges Implementing Employee-Screening Directives"

Cyber Security

"Pentagon Announces New Strategy for Cyberwarfare"

"House Passes Cyberthreat-Sharing Bill"

"New Law to Strip Social Security Numbers from Medicare Cards"

"Risky Business: Cyber Experts Claim Whistleblowing Brings Retaliation"

"Hackers Using Startling New Ways to Steal Your Passwords"

Insider Threats Force Balance Between Security and Access
CIO (04/23/15) Corbin, Kenneth

Speaking at a recent Symantec-hosted panel discussion on insider threats and other cybersecurity issues, Fairfax County, Va., CISO Michael Dent said IT leaders can help their cause with prudent policies that limit who can access what kinds of data. Organizations must broaden their understanding of what constitutes an insider threat, Dent said, because access to sensitive systems and information in a typical enterprise extends well beyond in-house staff. Insider threats are not just employees, he noted, but "also are your contractors, your vendors—your volunteers, potentially—that come in and work for you." Traditional perimeter defenses such as firewalls and intrusion detection will not protect against threats coming from within the organization, Dent warned. Although putting in policies to address bad actors is relatively easy, it is far more difficult to develop an appropriate framework for access and permissions that balances strong security controls against an open workplace in which employees increasingly expect to work remotely and on a variety of devices. Dent said Fairfax County currently runs on a least-privilege model, strictly limiting access to certain data assets based on job function and responsibility. The county has also implemented a tough policy for offenders who violate the organization's data-access rules.

Web Link | Return to Headlines

Sunset Clause on Info Sharing Bill Irks Financial Industry
Politico Pro (04/22/15) Kopan, Tal

The financial services industry is warning lawmakers that it opposes a proposed seven-year sunset being offered as an amendment to the House information sharing bills, saying it jeopardizes the program. Republicans had argued at a Homeland Security Committee markup last week that a shorter sunset would make information sharing look like a pilot program and discourage companies from participating. But at a Rules Committee hearing Tuesday night, Homeland Security Chairman Mike McCaul said the seven-year length is one he could get behind. The Financial Services Roundtable responded that the amendment "could significantly weaken" cybersecurity efforts and undermine the "clarity and certainty" for businesses that is a central goal of information sharing legislation. "Investments have to be made" by companies that want to join the cyberthreat sharing envisaged by the bills, the American Bankers Association added in a statement shortly afterwards. The proposed amendment was to be debated on the Intelligence Committee bill Wednesday and the Homeland Security bill Thursday.

Web Link | Return to Headlines

Five Simple Steps to Protect Corporate Data
Wall Street Journal (04/20/15) Yadron, Danny

A Wall Street Journal survey of security firms, government officials, and ex-hackers uncovered five basic steps organizations can follow to sustain good cyber hygiene and protect corporate data, starting with installing software patches regularly. Other steps include securing the entry points into networks and keeping only necessary systems online and protected. Data encryption is also recommended, as is the phaseout of passwords in favor of more secure authentication measures; the fifth step is to run thorough security checks on the vendors and third parties the company uses. Following these steps is increasingly important at a time when attacks are at record highs and preparedness is unsatisfactory. Investing time and energy in security is essential, because studies have shown that the number one reason breaches have increased is insufficient preparation and understanding. Funding must be provided to the security side of the company, and it must be given the same attention as other aspects of the business.

Web Link | Return to Headlines

Obama Wants Billions to ‘Modernize’ Energy Infrastructure
The Hill (04/21/15) Cama, Timothy

The Obama administration released a report Tuesday calling for billions of dollars to "modernize" and "transform" the nation's energy infrastructure to adapt to modern circumstances. The plan comes from the key findings in the first installment of the Energy Department's "Quadrennial Energy Review," which it hopes to write every four years. The report describes a system of energy transportation, storage and distribution that is largely based on decades-old principles. Federal officials complain in the 348-page report that the energy infrastructure system does not fit current needs regarding domestic energy production, renewable energy, resilience, climate change, and international security, among other concerns. The Obama administration is asking in the report for billions of dollars to upgrade the "resilience, reliability, safety, and security" of energy infrastructure. It says it would cost up to $3.5 billion over 10 years to replace natural gas pipelines and improve maintenance. The Energy Department also wants to spend up to $5 billion to support state "energy assurance" pipeline programs, to help them protect their energy infrastructure from various threats. The administration calls for nearly $4 billion to modernize the electrical grid, as well as $2 billion to promote carbon dioxide capture and sequestration, along with pipelines to move the gas.

Web Link | Return to Headlines

Researcher Denied Flight After Tweet Poking United Airlines Security
Associated Press (04/19/15) Gillum, Jack

On April 18, United Airlines stopped a security researcher from boarding a California-bound flight, following a social media post by the researcher days earlier suggesting the airline's onboard systems could be hacked. The researcher, Chris Roberts, was flying to California to speak at a major security conference this week. Roberts had been removed from a United flight on Wednesday by the FBI after landing in New York and was questioned for four hours after suggesting on Twitter that he could get the oxygen masks on the plane to deploy. Authorities also seized his laptop and other electronics. A lawyer for Roberts said United gave him no reason why he was not allowed on the plane on Saturday, but said the airline would send him a letter within two weeks with an explanation. Airline spokesman Rahsaan Johnson said Roberts had made "comments about having tampered with aircraft equipment, which is a violation of United policy and something customers and crews shouldn't have to deal with." In recent weeks, Roberts gave media interviews discussing airline system vulnerabilities. In those interviews he said he had been able to connect to a box under his seat at least a dozen times to view data from the aircraft's engines, fuel, and flight-management systems.

Web Link | Return to Headlines

American, Italian Hostages Killed in CIA Drone Strike in January
Wall Street Journal (04/23/15) Entous, Adam

A United States drone strike in January that targeted an al Qaeda compound in Pakistan inadvertently killed two hostages, one American and one Italian. The victims were American development expert Warren Weinstein and Italian aid worker Giovanni Lo Porto. It is the first known occasion on which the U.S. has accidentally killed hostages with drones. The White House acknowledged its role in the strike, and President Barack Obama expressed deep regret and condolences for the incident, saying a full investigation will be launched to determine what went wrong and how it can be avoided in the future. The mistake highlights major concerns about the CIA's use of drones to strike suspected terrorists, a practice that carries an inherent risk of unintended consequences. Officials say the CIA will not launch missiles at a target if it knows civilians are present; still, the agency was not aware that Weinstein and Lo Porto were in the compound despite surveilling it for weeks. Along with the hostages, al Qaeda leader Ahmed Farouq, an American citizen, was killed. While the White House declassified some information about the strike because of the government's involvement, it remained unclear when and precisely where the strike took place.

Web Link | Return to Headlines

China Warns North Korean Nuclear Threat Is Rising
Wall Street Journal (04/23/15) Page, Jeremy; Solomon, Jay

China's top nuclear experts have estimated that North Korea could make enough warheads to threaten regional security for the United States, Japan, and South Korea. China's latest estimates suggest that North Korea may already have 20 warheads, and the capability of producing enough weapons-grade uranium to double that number by next year. U.S. experts have recently estimated that North Korea has 10-16 nuclear bombs. Japan and South Korea could seek their own nuclear weapons in defense if they consider this a threat. Since Washington has mutual defense treaties with Seoul and Tokyo, an attack on either would be considered as an attack on the United States. The Chinese estimates indicate the country's growing concern over North Korea's weapons program and what they consider inaction by the United States, with President Obama focusing on a nuclear deal with Iran. If North Korea does have an arsenal of nuclear weapons, the United States may have to adopt countermeasures.

Web Link | Return to Headlines

Rising Toll on Migrants Leaves Europe in Crisis; 900 May Be Dead at Sea
New York Times (04/21/15) P. A1 Yardley, Jim

An estimated 900 people may have died off the Libyan coast this weekend as they attempted to cross the Mediterranean into Europe, and only 28 survivors have been found. The incident has prompted calls for a new approach to the growing number of refugees from Africa and the Middle East. A second migrant ship crashed near the Greek island of Rhodes, emphasizing how many people are desperate to escape poverty, persecution, and war back home. European foreign ministers met in Luxembourg to discuss a response to the issue, hoping to balance humanitarian responsibilities against budget constraints and a general anti-immigration sentiment. Leaders must determine whether and how to expand rescue efforts in the Mediterranean, as more migrants are trying to reach Europe even as the journey becomes more dangerous. There were about 17 times as many refugee deaths in January-April 2015 compared with the same period last year.

Web Link | Return to Headlines

In Atomic Labs Across U.S., a Race to Stop Iran
New York Times (04/22/15) P. A1 Sanger, David E.; Broad, William J.

The nine atomic laboratories in the United States have developed an extensive program to block Iran's nuclear progress. Part of the program includes a secret replica, constructed in the forests of Tennessee, of Iran's nuclear facilities. This has helped scientists reach what they say are the "best reasonable" estimates of Iran's ability to race for a weapon. As the next round of diplomatic talks begins this week in Vienna, the scientists are providing negotiators with vital information, says Ernest J. Moniz, the nuclear scientist and secretary of energy, who oversees the atomic labs. At the labs, specialists are on call to answer diplomats' questions and sometimes back up the answers with calculations and computer modeling. A major target of the effort was a redesign of Iran's nuclear reactor at Arak, and how to prevent it from producing weapons-grade plutonium, even as Iran insisted it was being built to produce medical isotopes for disease therapy. Scientists at Argonne National Laboratory outside Chicago refined Iran's idea to make sure Arak's new fuel core would produce no pure bomb-grade plutonium, and the Iranians eventually agreed.

Web Link | Return to Headlines

TSA to Face Changes, Challenges Implementing Employee-Screening Directives
Wall Street Journal (04/21/15) Carey, Susan

The Department of Homeland Security (DHS) on Monday announced that it will require airports and airlines to tighten the background checks they perform on the nearly 1 million workers nationwide who have access to airport facilities without needing to go through security screening. So-called badged employees, which include caterers and baggage handlers, will now be subject to criminal history record checks every two years. Airports already carry out such vetting, but the guidelines and timelines of the checks vary from location to location. The standardization of the background checks lays the groundwork for a long-term goal of providing the Transportation Security Administration (TSA) with real-time access to criminal complaints filed against airport workers. The action is one of several recommendations made by the Aviation Security Advisory Committee, which was convened by DHS Secretary Jeh Johnson early this year. Other recommendations being acted upon include reminding the TSA to enforce an existing rule that badged employees must undergo security screening with other passengers when traveling, increased random screening of workers, and renewed emphasis on a "challenge" program encouraging airport and airline workers to keep an eye on each other and their credentials and to report any evidence of threat activity.

Web Link | Return to Headlines

Pentagon Announces New Strategy for Cyberwarfare
New York Times (04/23/15) Sanger, David E.

During a speech at Stanford University on Thursday, Defense Secretary Ashton B. Carter announced a new Pentagon strategy that for the first time explicitly discusses the circumstances under which the U.S. could use cyber weapons against attackers. The new strategy also explicitly names China, Russia, Iran, and North Korea as the countries most likely to pose a cyber threat to the U.S. A previous strategy released in 2011 was less detailed, only alluding to cyberweapons and talking vaguely about potential adversaries. During his speech, Carter said the Pentagon had detected and repelled an intrusion into its unclassified networks by Russian hackers in recent months. The new strategy lays out a hierarchy of cyberattacks and who should respond to them and how, saying the U.S. will conduct what it calls a "cyberspace operation" only if it has exhausted all "network defense and law enforcement actions." However, it reserves to the president and the secretary of defense the authority to order such operations "to disrupt an adversary's military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations." The phrasing of the strategy appears to leave open the possibility of the U.S. carrying out a preemptive cyberattack.

Web Link | Return to Headlines

House Passes Cyberthreat-Sharing Bill
Wall Street Journal (04/23/15) Paletta, Damian

The House of Representatives on Wednesday passed a bill that would encourage companies to share details of computer breaches with the federal government. The legislation would give companies liability protection if they share certain data about security threats with the government, as long as they attempt to remove customer information first. This information could then be shared with other agencies, such as the National Security Agency. Sharing information would be voluntary for companies, so the bill's impact may depend most on whether companies decide to participate. The bill passed 307-116 with bipartisan support, but lawmakers added a requirement that the measure phase out after seven years. The government remains divided over cybersecurity, however, with the White House challenging provisions of the new bill that would limit companies' liability from shareholder lawsuits if they fail to sufficiently protect consumer data. Many tech companies remain skeptical about the government's need for more data after reports of secret surveillance programs.

Web Link | Return to Headlines

New Law to Strip Social Security Numbers from Medicare Cards
New York Times (04/20/15) Pear, Robert

After more than a decade of warnings from federal auditors and investigators, a new law recently signed by President Barack Obama will see Social Security numbers removed from Medicare benefit cards. Since 2004, the Government Accountability Office has urged officials to curtail the use of Social Security numbers as identifiers. In 2008, the inspector general of the Social Security Administration specifically called for the numbers to be removed from Medicare cards, noting that their display put Medicare users at risk of identity theft. Yet it is only now, with a push from Congress, that Medicare is taking this step. For its part, the Department of Health and Human Services, which supervises Medicare, says its information technology specialists have been preoccupied with the HealthCare.gov online health insurance marketplace. The law provides $320 million over four years to pay for the changes. Medicare officials will have up to four years to start issuing new cards with a randomly generated Medicare identifier, and another four years after that to replace existing cards. There have been several documented cases of identity theft traced to thieves copying the Social Security numbers displayed on Medicare benefit cards.

Web Link | Return to Headlines

Risky Business: Cyber Experts Claim Whistleblowing Brings Retaliation
Fox News (04/22/15) Zimmerman, Malia

Recently, Chris Roberts, a researcher, was banned from a flight after tweeting that planes are vulnerable to hackers. Now, several international tech security experts attending the annual RSA Conference say what happened to Roberts is not unusual given the "shoot-the-messenger" mentality they claim dominates some segments of industry. Roberts, who has been a cybersecurity consultant for the FBI, said the tweet was made out of frustration at his and others' warnings going unheeded, but authorities took the tweet seriously. The Electronic Frontier Foundation, a nonprofit legal organization that is defending Roberts and other researchers, says its clients have been harassed for sounding the alarm. Nate Cardozo, staff attorney for the organization, said "security researchers are allies, not opponents, and their work makes us all more safe, not less." Roberts and Cardozo said many other researchers have been hassled for their research, and Cardozo added that researchers will be less likely to help United improve its security in the future. "If you don't have people like me researching and blowing the whistle on system vulnerabilities, we will find out the hard way what those vulnerabilities are when an attack happens," Roberts warned.

Web Link | Return to Headlines

Hackers Using Startling New Ways to Steal Your Passwords
TechWorm (04/20/15) Iyer, Kavita

Syracuse University researchers have found that attackers can infer PINs by analyzing video of people tapping their smartphone screens, even when the display itself is not visible. The researchers analyzed the video using software that relies on spatio-temporal dynamics to measure the distance from the fingers to the phone's screen and then guess which keys are pressed. "Based on hand movement and the known geometry of the phone, we can see which keys are pressed," says Syracuse professor Vir Phoha. Although no instances of this type of attack have been reported, the researchers say it is very likely to be adopted by criminals seeking to steal sensitive private information, and they note the technique is simple to implement for anybody with basic programming skills. The software uses a combination of image-analysis and motion-tracking algorithms to fill in the gaps in the video. It was able to determine the correct PIN 40 to 62 percent of the time on the first guess, with accuracy improving to almost 82 percent after five guesses and 94 percent after 10 guesses. Using more than one video of the same phone raised the odds of success even further.
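The practical point for defenders is that the video model hands the attacker a short ranked list of candidates rather than the PIN itself, so an attempt counter enforced by the verifier (in a secure element or on the server, not in the UI) caps the attack at however many guesses the lockout budget allows. The following Python example is added here to illustrate that; it is not the Syracuse researchers' software, and the ranked candidate list is constructed for the demonstration rather than derived from any video.

```python
"""Added example: bounding a ranked-guess PIN attack with an attempt limit.

Illustrative code written for this newsbrief, not the researchers' tool.
CANDIDATES is a constructed stand-in for a model's ranked PIN guesses.
"""
import hmac
from typing import List, Optional


class PinVerifier:
    """Checks a PIN with a constant-time compare and an optional lockout."""

    def __init__(self, pin: str, max_attempts: Optional[int]):
        self._pin = pin.encode()
        self.max_attempts = max_attempts  # None means no lockout at all
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        # Constant-time comparison: response timing must not reveal how
        # many leading digits of the guess were correct.
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def ranked_guess_attack(verifier: PinVerifier, candidates: List[str]) -> Optional[int]:
    """Submit candidates in ranked order.

    Returns the 1-based rank of the guess that succeeded, or None if the
    list was exhausted or the verifier locked before the right PIN came up.
    """
    for rank, guess in enumerate(candidates, start=1):
        if verifier.verify(guess):
            return rank
        if verifier.locked:
            return None
    return None


# Constructed ranked list, as a video-inference model might emit for one
# keypad observation (most likely candidate first). Not real output.
CANDIDATES = ["1357", "1354", "1257", "4357", "1358",
              "1352", "1387", "1356", "1347", "1359"]


def demo() -> dict:
    # The true PIN is ranked sixth: inside the paper's ten-guess window,
    # but outside a five-attempt lockout budget.
    true_pin = "1352"
    unlimited = ranked_guess_attack(PinVerifier(true_pin, None), CANDIDATES)
    limited = ranked_guess_attack(PinVerifier(true_pin, 5), CANDIDATES)
    return {"no_lockout_rank": unlimited, "lockout_5_rank": limited}


if __name__ == "__main__":
    print(demo())
```

With no lockout the sixth guess succeeds; with a five-attempt lockout the same attacker is shut out, which is why the reported 82-percent-after-five and 94-percent-after-ten figures translate into a strong argument for a small, verifier-enforced attempt budget rather than for longer PINs alone.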

Web Link | Return to Headlines

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD