Learn more! ->

August 21, 2015

Corporate Security

Sponsored By:

"CISOs Facing Boards Need Better Business, Communication Skills"

"IRS Says Cyberattacks More Extensive Than Previously Reported"

"Businesses See Sharp Rise in Targeted Attacks"

"Federal Worker's Personal Devices Pose Security Risk"

"Companies Hope Cybersecurity Experts in the Boardroom Can Counter Hacks"

Homeland Security

"China Blast Chemicals' Health Risks Can Linger"

"Obama Administration Warns Beijing About Covert Agents Operating in U.S."

"Bangkok Bomb Attack at Popular Shrine Kills at Least 20"

"Police Snap Up Cheap Cellphone Trackers"

"Probe of Clinton's Server Could Find More Than Just Emails"

Cyber Security

"SEC Moves Toward Penalties for Companies with Lax Cybersecurity"

"Internet of Things, You Have Even Worse Security Problems"

"VW Has Spent Two Years Trying to Hide a Big Security Flaw"

"China Arrests 15,000 for Internet-Related Crimes"

"Hackers Dump Data Online From Cheating Website Ashley Madison: Reports"

CISOs Facing Boards Need Better Business, Communication Skills
CSO Online (08/19/15) Korolov, Maria

The growing importance of information security for corporate boards has prompted more CISOs to come forward and brief boards on cyber issues, which increases their need to improve communication skills and their understanding of business needs. A June study by Fidelis Security and the Ponemon Institute found that 26 percent of board members admit to "minimal or no knowledge" about cybersecurity, and only 33 percent claim to be "knowledgeable" or "very knowledgeable." Also, very few IT security professionals consider their companies' cybersecurity governance practices as very effective. Boards do not want the technical details of new security technologies, but want to hear risk metrics and peer benchmarking. CISOs should not focus on vulnerabilities or the cybersecurity tools used, but focus on easy-to-understand metrics that show the company's effectiveness at managing security. "My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept," said Paul Calatayud, CISO at Surescripts. He also said he does not recommend new security projects to the board based on improving security, but on increasing business value.

Web Link | Return to Headlines

IRS Says Cyberattacks More Extensive Than Previously Reported
Wall Street Journal (08/18/15) McKinnon, John D.; Saunders, Laura

On Monday the Internal Revenue Service announced that a breach of taxpayer data it announced in May likely affected more than twice as many households as previously stated. The agency said in May that identity thieves had used stolen social security numbers and other data to gain access to the prior-year tax return information of about 225,000 U.S. households. On Monday, the IRS said that the hackers had previously gained access to 330,000 more accounts and attempted to break into another 280,000. The initial investigation covered the period between February and May, while this latest investigation looked at data as far back as November 2014. The breaches affected an online application called "Get Transcript," which was introduced last year and allows taxpayers to obtain their prior-year tax information. Only a few thousand of the affected accounts have been subject to attempted refund fraud, with IRS officials saying that the majority were likely being targeted for fraud in the 2016 tax season. To access the data, the attackers had to make use of stolen information including social security numbers street addresses, date of birth, and filing status, data that the attackers had likely aggregated from various sources.

Web Link | Return to Headlines

Businesses See Sharp Rise in Targeted Attacks
eWeek (08/17/15) Eddy, Nathan

Sixty-four percent of organizations believe themselves to be potential targets for nation-state cyberattacks, according to a Tripwire survey of 215 attendees at the Black Hat USA 2015 security conference.  Eighty-six percent of the respondents also said they have seen an increase in targeted attacks directed at their networks over the past year. Nevertheless, 47 percent noted a rise in confidence in their companies' ability to detect and respond to cyberattacks, even with the spike in such threats.  Tripwire's Tim Erlin says "it's surprising that 48 percent of respondents said they are able to track all the threats targeting their networks," particularly since "organizations continue to experience an increase in the rate of targeted attacks, [and] still feel like they're unable to accurately detect and prevent them."  Erlin recommends small businesses ensure they have basic foundational controls before worrying about the latest 'sophisticated' attack, as "simply keeping systems on current software, effectively patching vulnerabilities, and ensuring critical systems are running hardened configurations can significantly increase the cost to the attacker."

Web Link | Return to Headlines

Federal Worker's Personal Devices Pose Security Risk
USA Today (08/20/15) Kelly, Erin

Although a majority of federal workers are aware of the risks, many use their personal devices for work, according to a Lookout survey. The survey polled 1,000 workers from 20 civilian, intelligence, and military agencies and found that of the 60 percent who were aware of the risks of using personal devices for work, 85 percent said they do it anyway. About 40 percent of the employees that work at agencies that prohibit the use of personal devices for work said the rules have little or no impact on their behavior. Almost half of the employees said they were not allowed to store work-related files or data on their personal devices, but 30 percent admitted to doing it anyway. Almost a quarter of the respondents said they install apps from sources other than the official Apple and Google app stores on their devices. Additionally, 7 percent said they had jailbroken or rooted their personal devices, which can make the devices more vulnerable to attack. Former National Security Council official Roger Cressey says agencies should adopt software solutions that allow employees to use their personal devices for work and should pair them with employee education, training, and device monitoring to ensure the security of those devices.

Web Link | Return to Headlines

Companies Hope Cybersecurity Experts in the Boardroom Can Counter Hacks
Los Angeles Times (08/17/15) Dave, Paresh

Several major companies have in recent years begun to recognize the need for more cybersecurity expertise a the board level. A National Association of Corporate Directors report from this year found that only 11 percent of public company boards reported a high level understanding of cybersecurity. A New York Stock Exchange and Veracode review found that two-thirds of board members think companies are ill-prepared for cyberattacks, even though a PricewaterhouseCoopers study found that 30 percent of boards do not even talk about cybersecurity. But some companies are waking up to the threat as losses to cybercrime continue to climb every year. AIG, Blackberry, CMS Energy, General Motors, and Wells Fargo have all added board members with computer-security knowledge in recent months. One company that has taken the need for cybersecurity expertise at the board level to heart is Parsons Corp., a construction and engineering company that works on several critical infrastructure and military projects. Parson's CEO Charles Harrington realized the importance of cybersecurity several years ago and has taken steps to "bake" it into Parsons' business. He bought two cyber security companies and two years ago brought retired Air Force Major Gen. Suzanne Vautrinot onto the company's board. Vautrinot had a hand in building the Defense Department's U.S. Cyber Command and led the Air Force's IT and online battle group.

Web Link | Return to Headlines

China Blast Chemicals' Health Risks Can Linger
Wall Street Journal (08/20/15) Naik, Gautam

Among the 40 different chemicals stored at the Tianjin blast site, there were 700 tons of highly toxic substances, according to China's official Xinhua News Agency. Several factors could affect the potential health threat from the fallout, such as the mix of chemicals involved in the explosion, wind direction and strength, and the amount of rainfall. Winds could disperse some of the toxins, spreading their effects over a wider area, but a lack of wind would cause them to hover in one location for a longer time. Sodium cyanide was the main toxic chemical stored at the warehouse involved in the explosion, and poses the biggest risk to residents if it is inhaled. It is unknown how much sodium cyanide was dispersed in the explosion, or how it was stored beforehand. The warehouse also stored 1,300 tons of oxide compounds, including potassium nitrate and ammonium nitrate. Potassium nitrate could get into the groundwater and contaminate drinking supplies.

Web Link | Return to Headlines

Obama Administration Warns Beijing About Covert Agents Operating in U.S.
New York Times (08/17/15) P. A1 Mazzetti, Mark; Levin, Dan

The Obama administration has called for Beijing to cease a campaign that involves Chinese agents secretly working in the United States to pressure prominent expatriates to return to China immediately. U.S. officials say that Chinese law-enforcement agents are working covertly as part of Operation Fox Hunt, a global campaign by Beijing to hunt down and repatriate Chinese fugitives. U.S. officials say that the Chinese agents are undercover operatives with the Ministry of Public Security. Since 2014, the ministry reports, more than 930 suspects have been repatriated, including 70 who returned this year voluntarily. U.S. officials say there is solid evidence that the Chinese agents use various strong-arm tactics to get fugitives to return, including threats against family members still in China. It is unclear whether the FBI or the Department of Homeland Security has advocated to have the agents expelled from the United States, but the State Department's warning to the Chinese government may be an initial step in the process. While China says it follows local laws overseas, two Chinese police officers in December were caught operating in Australia without the permission of local authorities.

Web Link | Return to Headlines

Bangkok Bomb Attack at Popular Shrine Kills at Least 20
New York Times (08/18/15) Fuller, Thomas

At least 20 people were killed and 123 reported wounded when a bomb exploded Monday inside a Hindu shrine in Bangkok, Thailand that is popular among tourists. The bomb exploded just before 7:00 p.m. local time and police say that the shrine was very crowded at the time. Police spokesman Lt. Gen. Prawut Thavornsiri says that the bomb was placed under a bench near the outer edge of the shrine. Despite the large number of casualties, the explosion caused relatively little damage to the Erawan Shrine, which is popular among Asian tourists and locals who come to pray for good fortune. This is the fourth bombing in Thailand since the military seized power in a coup last May. Previous targets have included a shopping mall and a courts building, but Monday's bombing was by far the most powerful and lethal. No group has claimed responsibility for the bombing, but Prayuth Chan-ocha, head of the country's military government, has said that authorities are seeking an individual seen on closed-circuit TV. The U.S. Embassy in Bangkok has advised American citizens to avoid the area of the bombing.

Web Link | Return to Headlines

Police Snap Up Cheap Cellphone Trackers
Wall Street Journal (08/19/15) Valentino-Devries, Jennifer

Local law-enforcement agencies are starting to buy cheap cellphone-tracking devices that in many cases they do not need a court order to use. Going by trade names like "Jugular" and "Wolfhound," the devices are attractive to local law enforcement for a number of reasons. They are small and quite cheap compared to other cellphone-locating devices, handheld and costing only a few thousand dollars apiece, where other devices commonly known as "stingrays" can cost as much as $100,000 and are often mounted on vehicles. The smaller devices work passively, looking for the signals sent by a cellphone when it contacts or is contacted by a cellphone tower. Stingrays, by contrast, work by masquerading as cellphone towers and tricking cellphones into communicating with them. This had made the use of stingrays controversial and while the law is catching up to their use, the same is not true of the smaller devices, the use of which is not governed by any laws in many jurisdictions. This means some police forces may be able to use the devices to locate cellphones with total impunity, which civil libertarians argue could lead to violations of the 4th Amendment.

Web Link | Return to Headlines

Probe of Clinton's Server Could Find More Than Just Emails
New York Times (08/18/15)

FBI investigators have obtained Hillary Rodham Clinton's homebrew email server, but the files they examine on her machine could reveal more than the emails themselves. Clinton used the private server to send, receive, and store emails during her four years as secretary of state. It is under FBI custody due to concerns that classified information had crossed the system. While Clinton has said that she did not send or receive emails marked classified at the time, her emails show that some messages were censored by the State Department for national security reasons before they were publicly released. Many physical details of the server remain unknown, and other data could reveal the security of Clinton's system, whether someone tried to break in, and who else had accounts on her server. It is unclear whether Clinton's drive was thoroughly erased before the device was turned over to the FBI, and if so, it is uncertain whether the FBI could recover the data.

Web Link | Return to Headlines

SEC Moves Toward Penalties for Companies with Lax Cybersecurity
Politico Pro (08/18/15) Temple-West, Patrick

Securities and Exchange Commission (SEC) Chair Mary Jo White is broadening her aggressive enforcement regime into the world of corporate cybersecurity. The SEC is investigating companies for fraud when they don't tell shareholders enough about hackings and is also getting closer to filing sanctions against companies for deficient “internal controls” to prevent hacking in the first place, according to insiders. The sources said the SEC's enforcement division has issued subpoenas and made informal inquiries to companies, including large retailers. Of the cases that the agency has decided to pursue, some are getting close to formal action.

Web Link | Return to Headlines

Internet of Things, You Have Even Worse Security Problems
ZDNet (08/21/15) Stilgherrian

Dick Bussiere, principle architect for Asia Pacific at Tenable Network Secuirtywas unsurprised recently when he found a Windows 2000 Server controlling the network of a power station. He expects such scenarios to increase as the age of the Internet of Things takes hold, with critical or vulnerable systems built on old or vulnerable hardware simply for convenience's sake. "Over the long term, [IoT devices] are not going to be properly maintained at all, and likewise, they're probably not going to be tested appropriately from a security perspective," said Brussiere. "People are going to use whatever copy of Linux they can get, whatever [software] stacks they have, whatever the cheapest possible thing they can get their hands on, to keep the cost down" Brussiere expects that this will be the case not just with smaller, cheaper IoT devices, but also with big-ticket items like cars. He notes that car manufacturers largely lack the experience and knowledge to carry out in-depth security testing on electronic devices. This is why Brussiere advocates for the creation of a standards organization that would help establish best practices for securing and testing the security of IoT devices. He envisions an organization similar to the Wi-Fi Alliance and its Wi-Fi certified label.

Web Link | Return to Headlines

VW Has Spent Two Years Trying to Hide a Big Security Flaw
Bloomberg (08/14/15) Solon, Olivia

Volkswagen has spent two years trying to suppress in the courts expert research that reveals that thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking. "Keyless" car theft, where hackers use vulnerabilities in electronic locks and immobilizers to steal vehicles, now accounts for 42 percent of stolen vehicles in London, with BMWs and Range Rovers particularly at risk according to police. Researchers discovered a similar vulnerability, which affects the Radio-Frequency Identification transponder chip used in immobilizers, with keyless vehicles in 2012, but carmakers sued the researchers to prevent the publication of the findings. However, the paper is being presented this week, after lengthy court negotiations, at the USENIX security conference in Washington, D.C., and will detail how the cryptography and authentication protocol used in the Megamos Crypto transponder has weaknesses that allow malicious hackers to more easily steal vehicles such as Volkswagen-owned Audi, Porsche, Lamborghini, Fiat, Honda, and Volvo, among others. Tim Watson, director of cyber security at the University of Warwick explained that the "serious flaw" is "not very easy to quickly correct," and that "it isn't a theoretical weakness, it's an actual one and it doesn't cost theoretical dollars, to fix, it costs actual dollars." RFID chips in the keys and transponders inside the cars must be replaced in order to fix the problem, resulting in significant costs.

Web Link | Return to Headlines

China Arrests 15,000 for Internet-Related Crimes
CSO Online (08/19/15) Kan, Michael

China's Ministry of Public Security has revealed that its efforts to clean up the Internet have resulted in 15,000 arrests related to cybercrimes. In an online post broadcast on Aug. 18, the ministry said that it had been cracking down on illegal Internet activities and plans to increase enforcement even more. So far, the ministry has investigated 7,400 Internet crimes that include activities such as hacking attacks, cyber fraud, and the promotion of gambling. China has also been deleting what it finds to be offensive or harmful on the Web, including content with gun-related violence, pornography, and gambling, resulting in investigations of 66,000 websites and Internet posts. The country is well-known for its online censorship, and has made regulation of Internet content, especially on social media platforms, a top priority.

Web Link | Return to Headlines

Hackers Dump Data Online From Cheating Website Ashley Madison: Reports
New York Times (08/18/15)

Hackers have unleashed the online personal details of more than 1 million users of the infidelity website AshleyMadison.com, tech websites reported Tuesday. Hackers had already threatened to release details on as many as 37 million of the site's customers, and more recently claimed to publish a cache of email addresses and credit-card data stolen in July. Avid Life Media, which owns the sites Ashley Madison and Established Men, said that it was aware of the claim, but did not verify the authenticity of the data. The hackers used the “dark web,” which can only be accessed through a specialized browser. Within hours, thousands of email addresses from North America and Europe emerged on other sites as people decrypted the database. The hackers, who go by the name The Impact Team, leaked portions of the compromised data in July and threatened to publish customers' names, nude photos, and sexual fantasies unless Ashley Madison and Established Men were taken down. The FBI, the Royal Canadian Mounted Police, and local police are all investigating the data theft.

Web Link | Return to Headlines

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

Show more