  • 27Jan

    Cameras May Open Up the Board Room to Hackers

    New York Times (01/23/12) Perlroth, Nicole

    Advanced digital videoconferencing equipment has vastly improved meeting
    opportunities for coworkers and clients across the globe, but the new systems
    can also be hacked to spy on those meetings, potentially jeopardizing
    confidential client data or corporate secrets. In a recent demonstration, HD
    Moore, a chief security officer at Boston-based IT security company Rapid7,
    showed that he could remotely manipulate videoconferencing equipment to hear or
    see anything in a board room. “These are literally some of the world’s most
    important boardrooms — this is where their most critical meetings take place —
    and there could be silent attendees in all of them,” warned Mike Tuchen, chief
    executive of Rapid7. According to Tuchen, these vulnerabilities are caused by
    IT administrators setting up videoconferencing links outside of company
    firewalls and configuring them in ways that create easy targets for hackers. No
    company has yet announced that it has been compromised through
    videoconferencing, but it is also entirely possible that companies have been
    victimized and may not be aware of it. Some new systems are outfitted with a feature
    that does not require users to accept every person that dials into their
    conference. These features can help a meeting run more smoothly, but could also
    make uninvited guests much harder to detect. Moore recently wrote a computer
    program that would allow him to detect any videoconferencing links located
    outside company firewalls and configured to automatically answer calls.
    In less than two hours, he scanned about 3 percent of the Internet, discovering
    5,000 open conference links at law firms, pharmaceutical companies, oil
    refineries, universities and medical centers. In order to prevent hackers from
    being able to do the same, Rapid7 recommends companies set up a
    “gatekeeper” that securely connects calls from outside the company
    firewall.

  • 20Jan

    InformationWeek (01/10/12) Montalbano, Elizabeth

    In an attempt to gain insight into how to best protect the U.S. electricity
    grid, the Department of Energy and the Department of Defense have joined forces
    to create a cybersecurity model that can be tested and applied across the
    utility industry. The Electric Sector Cybersecurity Risk Management Maturity
    Model pilot project seeks to work with experts in the public and private sector
    to use current cybersecurity strategies to create a “maturity model”
    that can identify how secure the electric grid is from cyber threats. Once
    complete, the model will be tested with participating utilities to see how
    effective it is. Taking the lead on the project, the DOE will hold workshops
    with the private sector over the next few months to develop the model. Once the
    model is finished, it will be tested by more than a dozen electric utilities
    and grid operators. A risk-management model will then be released to the
    industry over the summer.

  • 20Jan

    Associated Press (01/09/12)

    A Florida woman has filed a lawsuit against Starwood Hotels & Resorts
    Worldwide in Manhattan federal court, saying that the hotel chain’s lax
    security resulted in her being sexually assaulted. The assault took place at
    the Hotel Kamp in Helsinki, Finland, early in the morning of January 15, 2011.
    The victim, 31-year-old Alison Fournier, awoke and found a man entering her
    room. He then began to grope her while she was in bed. Afraid that she was
    going to be raped, Fournier put on a bathrobe and fled. Fournier alleges that
    the man, who was drunk at the time, was able to get into her room because he
    told the hotel’s staff that he was her husband. However, Fournier said that
    staff at the Hotel Kamp did not check the man’s identification. An attorney for
    Fournier also noted that she was traveling alone and no one else was registered
    to her hotel room. The lawsuit is seeking an unspecified amount of compensatory
    and punitive damages. Starwood Hotels has said that it is investigating the
    incident. The man who assaulted Fournier has not been criminally prosecuted.

  • 13Jan

    Grocer Confirms POS Skimming Attack

    BankInfoSecurity.com (01/04/12) Kitten, Tracy

    The California-based Save Mart grocery chain has verified that a recent data
    breach was perpetrated by hackers who used skimming devices to steal debit and
    credit card account data from self-service checkout terminals at 24 San
    Francisco-area Save Mart and Lucky Supermarkets. An ongoing probe that Save
    Mart conducted in collaboration with the Secret Service traced the compromised
    card data to use at a single checkout lane at each of the affected outlets, but the
    company has inspected or replaced all of its 2,557 point-of-sale card readers
    as a precautionary measure. The Save Mart breach was detected in the course of
    a routine maintenance check, and Aite Group’s Julie McNelley reports that both
    this breach and a similar incident uncovered at Michaels crafts stores
    emphasize the need for physical inspection of card readers and payments
    devices. “It really takes the combined efforts of FIs [financial
    institutions], merchants, and consumers to proactively detect and mitigate the
    impact of these attacks,” McNelley says. “Many FIs have sophisticated
    analytics deployed to look for these types of breaches, but it takes a number
    of losses that are detected by consumers in order to have enough of a pattern
    to identify a common point of compromise.”
