Security Management Weekly - July 8, 2005

A weekly security news briefing from ASIS International   Learn more! ->     July 8, 2005     CORPORATE SECURITY     1. " Bill Rewards Building Owners With Tax Breaks for Guards" New York Legislature Passes Bill Allowing Tax Breaks for Building Owners Who Raise Wages for Unionized Security Guards   2. " Judge Attacks Sarbanes-Oxley Legislation"   3. " House Commerce Circulates Draft Bill to Require Information Security Programs" Bill Would Affect Organizations That Store Personal Data   4. " Dos and Don'ts for Digital Evidence" Companies That Mishandle Digital Evidence Will Pay the Price   5. " Identity Theft Suits Gain Popularity With Plaintiffs" Businesses Urged to Review Security to Avoid Suits HOMELAND SECURITY   sponsored by     6. " Subway and Bus Blasts in London Kill at Least 37" Additional Details About London Attacks   7. " U.S. Increases Threat Level for Mass Transit" Terrorism Threat Level at Orange During Short-Term   8. " Chemical Plants Threaten Population Centers, Report Says"   9. " Military Expands Homeland Efforts" Pentagon Plan for Homeland Security   10. " At D.C.'s Party, Spectacle and Security" Evacuation Routes Tested   11. " Study: Suicide Bombers Can Get by Detectors"   12. " U.S. Raises Estimate for Terror Attacks" Nearly 3,200 Attacks Worldwide in 2004   13. " A Dash of Danger" New York-Area Hazmat Unit Could Serve as Template for Others CYBER SECURITY     14. " Firewalls a Distraction Says Security Researcher" Focus Should Be on Inside Threats   15. " Group: Secure Bluetooth With Long PINs" Bluetooth Special Interest Group Urges Bluetooth Users to Set PINs       "Bill Rewards Building Owners With Tax Breaks for Guards" New York Sun (07/05/05) P. 2 ; McGuire, Brian New York Gov. George Pataki is expected to take action in the near future on legislation that passed both houses of the Legislature in the last hours of the session, allowing tax breaks for building owners in New York City who raise wages for unionized security guards they employ. Critics of the bill referred to it as a direct political barter that places security regulations, and the tax code, at the beck and call of political backing from union members; while advocates claimed the bill will eventually result in better wages for all guards. Pataki has to sign the bill within 10 days of it arriving on his desk, which is likely to occur in days. Under the legislation, owners of commercial and residential buildings in the city would get a $3,000 credit for each unionized worker who finishes 40 hours of training in a new "terrorism awareness" program overseen by the state. The guards would get as well incremental wage hikes over three years. (go to web site) "Judge Attacks Sarbanes-Oxley Legislation" Financial Times (07/05/05) ; Tucker, Sundeep; Parker, Andrew Delaware Court of Chancery Vice Chancellor Judge Leo Strine recently stated that the Sarbanes-Oxley Act impinges on the rights of states to regulate corporations. Strine, considered an influential judge in the legal system, noted that the intentions of the act were genuine, but that some provisions are "dubious." Companies have consistently complained that the act is too burdensome and costly to comply with and many critics applauded Strine's comments. However, investors noted that Strine's comments fail to take into account how the act has improved the ability of investors to hold companies and their managers accountable for actions that reduce shareholder value and company performance. "House Commerce Circulates Draft Bill to Require Information Security Programs" BNA Daily Report for Executives (07/05/05) P. A-11 ; Alexis, Alexei House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection chairman Cliff Stearns (R-Fla.) will introduce legislation that will require organizations storing private and sensitive information about individuals, like Social Security or credit card numbers, to develop "policies and procedures to prevent unauthorized acquisition of such information and to notify individuals of any such unauthorized acquisition." The bill mandates that an officer within each organization be assigned the task of securing the data and that a security policy and statement be established in regards to the collection, use, sale, and dissemination of personal information. If a security breach occurs, the organization would be required to notify all impacted individuals in the United States. The Federal Trade Commission (FTC) will be tasked with defining what a security breach is and would be given enforcement powers. Data brokers, several of which have recently been hit by major data security breaches, will be required to submit security polices to the FTC annually. They will also have to give individuals the chance to review personal data and place a "conspicuous" notice on their Web site notifying individuals how to access this data. (go to web site) "Dos and Don'ts for Digital Evidence" Security Management (06/05) Vol. 49, No. 5, P. 55 ; Lang, Dave There are protocols governing how digital evidence should be handled, but many corporate executives remain ignorant of these rules. For example, the president of one top telecommunications provider inadvertently committed two felonies by taking a corporate laptop along with him on a cross-state vacation. In this case, the president had been alerted by the IT director that a laptop used by a former employee contained child pornography. The president was in a rush and did not have time to immediately alert law enforcement, so he put the laptop in his briefcase so that he could examine it while on his trip; child pornography, however, is contraband, and by transporting the laptop across state lines the executive had committed at least two felonies. Incidents such as this one can be avoided if security professionals launch an education campaign at their organization. An education campaign should consider who is in charge of investigations involving corporate information systems, when to get law enforcement involved, how to proceed with the investigation, and how to handle and preserve evidence. Companies that lack a dedicated digital forensics department should hire a qualified outside consultant who has certifications in digital forensics and investigations. Consideration should be given to the consultant's courtroom experience and presentation ability, and the consultant should be able to pass muster as an expert witness instead of a fact witness. Companies should have clear policies regarding searches and seizures and the chain-of-custody regarding evidence. (go to web site) "Identity Theft Suits Gain Popularity With Plaintiffs" Corporate Legal Times (07/05) Vol. 15, No. 164, P. 32 ; Banks, Jarrett As identity theft becomes increasingly common, with losses related to the practice totaling over $222 billion in 2003, businesses need to take additional steps to protect themselves from lawsuits filed by customers whose personal information has been made available to identity thieves. High-profile cases such as the theft of consumer data from ChoicePoint and LexisNexis are resulting in suits that may require the companies to pay millions of dollars in damages. In order to avoid similar results, businesses should have an outside review of their securities systems conducted in order to determine if there are any major loopholes that would allow thieves to gain access to consumer data, and educate employees on how to avoid being tricked into divulging such data to unauthorized parties. In the event that a security breach does occur, businesses should have a plan for minimizing losses and compensating customers who may have been affected. Paying for credit reports and other services to help victims regain their identities may be necessary; although such services can become expensive, the reputation damage caused by a high-profile lawsuit may be much more costly in the long run. (go to web site) "Subway and Bus Blasts in London Kill at Least 37" New York Times (07/08/05) P. A1 ; Cowell, Alan Thursday's terrorist attacks in London consisted of three subterranean bombing attacks on separate subway trains and one above-ground bombing of a double-decker bus, and the number of casualties has now reached at least 37 dead and 700 injured. Many of the wounded have been badly burned or lost limbs. The first bombing occurred at 8:51 a.m., killing seven people aboard a subway train that had ventured 100 yards into the Liverpool Street station tunnel. The second bomb went off at 8:56 a.m., killing 21 people at the King's Cross subway station, and the third attack occurred at 9:17 a.m., killing seven people on a train arriving at the Edgware Road station. At 9:47 a.m., the final attack blew off the roof of a double-decker bus, killing two people in a powerful explosion that sent debris flying into the air. Officials have not yet been able to verify the authenticity of a claim of responsibility from a group calling itself the Secret Organization of Al Qaeda in Europe. The security of mass transit systems has been increased throughout Europe and the United States, and officials in Germany and Italy indicated that their countries could also be targeted by terrorists due to their military ties to the United States. Witnesses to the subway attacks described scenes of black smoke and dust swirling through the subway tunnels after the attacks: A witness said that after one blast, all the lights went out and the train came to an immediate halt, and another witness said that a blast caused the side of a subway car to be "blown outward." (go to web site) "U.S. Increases Threat Level for Mass Transit" Washington Post (07/08/05) P. A18 ; Goo, Sara Kehaulani; Eggen, Dan The U.S. terrorism threat level has been raised to Orange for mass transit systems, a level that indicates a high risk, though Homeland Security Secretary Michael Chertoff is assuring Americans that officials do not have any "specific, credible evidence of an attack that's imminent in the United States." Chertoff says that the threat level will be raised for the "short-term" and that the decision was made due to the possibility of a copycat attack in the United States. The bolstered security at U.S. transit systems will include additional video surveillance, a greater police presence, bomb-sniffing dogs, additional barriers, increased inspections of trash cans and other areas where bombs could potentially be hidden, and--in some areas--inspections of passengers and their bags. Former Homeland Security inspector general Clark Kent Ervin warned that it is probably only a matter of time before a similar attack is launched against the U.S. mass transit system, partly because such an attack is easy to carry out. Security experts echoed his assessment. Statistics from the Rand Corp. show that there were 181 terrorist attacks on transit systems across the globe from 1998 to 2003, with these attacks killing 431 people and wounding several thousand others. In New York City, agency officials are monitoring the air and water for indications of biological or chemical weapons, and in Chicago officials are carefully monitoring the city's bank of 2,000 surveillance cameras. (go to web site) "Chemical Plants Threaten Population Centers, Report Says" Philadelphia Inquirer (07/06/05) ; Jordan, Lara Jakes A new report from the Congressional Research Service provides a state-by-state analysis of the number of potentially lethal chemical plants that exist in close proximity to communities of at least 1 million people. The plants listed in the report--up to 111 in all--are located in 23 states, and are deemed potential terrorist targets. The plants listed by the report contain deadly chemicals or chemical explosives that could cause widespread death. The report shows that Texas has up to 29 such plants, more than twice the number of any other state. New Jersey has seven, and Delaware and Pennsylvania each have two. The report, slated for release July 6, was conducted at the behest of Rep. Edward Markey (D-Mass.) to provide a "full picture" of the potential terrorist threat against U.S. chemical facilities. A report released five years ago determined that there were 123 such chemical plants in the country, but that number has been reduced at least in part because companies have moved some plants out of high-population areas or are using less toxic chemicals. (go to web site) "Military Expands Homeland Efforts" Washington Post (07/06/05) P. A1 ; Graham, Bradley The Pentagon has completed a plan that outlines a comprehensive approach to defending the United States against terrorist attacks. The plan is outlined in a 40-page document, "Strategy for Homeland Defense and Civil Support," that was approved June 24. The plan calls for an "active, layered" approach to homeland security, one that envisions the possibility of multiple, simultaneous attacks for which U.S. forces must be prepared. The plan notes that the National Guard could play a role in securing the homeland after an attack and that the president has the authority to introduce military forces on the ground to intercept and defeat any threat. The Pentagon document urges greater cooperation between military intelligence analysts and civilian law enforcement and it also recognizes that civilian agencies will continue to be mostly responsible for homeland security. "The role of the military within domestic American society, both by law and by history, has been carefully constrained, and there is nothing in our strategy that would move away from that historic principle," said Paul McHale, assistant secretary for homeland defense at the Pentagon. (go to web site) "At D.C.'s Party, Spectacle and Security" Washington Post (07/05/05) P. A1 ; Morello, Carol At the end of the city's annual July 4th celebration, Washington D.C. officials set "Operation Fast Forward" into motion, a test of evacuation routes to be used in the event of a terrorist attack, at 9:50 p.m., just 15 minutes after the fireworks ended. Over the next 45 minutes, officers directed motorists to four evacuation routes, known as E-routes, where green lights were lengthened from 70 seconds to three minutes, followed by one minute of red. Although the timed lighting appeared to work as planned, at least one area initially experienced slow going. A snag at 12th Street and Constitution Avenue NW resulted from traffic barriers placed by U.S. Park Police to allow pedestrians to leave safely. The barriers created gridlock until they were cleared at 10:10 p.m., with the exercise half over. Police officers with yellow vests and bullhorns ordered pedestrians to use the sidewalks and crosswalks. By 10:30 p.m., traffic was moving smoothly. When the drill ended at 10:35 p.m., lights on a map at the city's command center in the Reeves Municipal Center gradually winked from blue to green. "I think it went well," said Michelle Pourciau, deputy director of the D.C. Department of Transportation. "Every quarter except Constitution worked just as we expected it to. As soon as it was opened up, traffic was cleared out." In an evaluation of the drill that will take days or weeks, the department will examine why there were delays in opening up Constitution Avenue, she said. After the traffic jams in the District on Sept. 11, 2001, officials expressed concern that the region's transportation web could not handle a citywide evacuation of panicked residents. (go to web site) "Study: Suicide Bombers Can Get by Detectors" USA Today (07/04/05) A new study funded by the Defense Advanced Research Projects Agency has concluded that the widespread deployment of sensors that detect suicide bombers would save only a few lives at most. The report, published in this week's issue of Proceedings of the National Academy of Sciences, also finds that the types of detectors available at present are not reliable enough and are too costly to be deployed on a widespread scale. "Pedestrian suicide bombings might be better prevented by investing in intelligence leading to actions that prevent terrorists from prosecuting such attacks," said researchers Edward Kaplan and Moshe Kress. If existing technology was more reliable and less expensive, it could be used to protect known targets like airports, sporting events, and government buildings, but would be of little use to random targets like restaurants and businesses, the report said. The report was based on an examination of pedestrian suicide bombings in urban locations. A dense array of devices capable of detecting bombs are needed in order to discover a suicide bomber, the researchers concluded. (go to web site) "U.S. Raises Estimate for Terror Attacks" CNN (07/05/05) ; Ensor, David There were 3,192 terrorist attacks in 2004, with 28,433 people killed, wounded, or kidnapped, according to an estimate from the U.S. National Counterterrorism Center (NCTC). The numbers represent a revision, as the U.S. government had stated in April that only 651 "significant" attacks occurred during 2004, killing 1,907 people. Unlike the figures released in April, the NCTC's numbers include attacks that were of a domestic nature. The April numbers had left out several notable incidents, including the February 2004 bombing of a Philippine superferry and the August 2004 suicide attacks that destroyed two Russian airliners. The NCTC's outgoing acting director, John Brennan, says that the center is taking direct control of the process of providing "a new statistical baseline on worldwide terrorism." Terrorism as defined by the NCTC involves the use of violence against noncombatants or civilians to make a political point. Thus, the NCTC says that attacks against U.S. soldiers in Iraq do not count as terrorism, but attacks like the 2000 bombing of the USS Cole in which military personnel are attacked in a "non-combat setting" will be included in the statistics. (go to web site) "A Dash of Danger" Security Management (06/05) Vol. 49, No. 5, P. 129 ; Roberts, Marta The North Shore-Long Island Jewish Health System, consisting of 15 hospitals, boasts the largest hospital-based ambulance service in the New York area and one of the largest in the United States. The Center for Medical Services (CEMS), as the ambulance service is officially known, consists of 350 emergency response personnel, 45 hazmat technicians, and more than 40 response units. Other urban areas in the United States would be wise to examine the operational model of the CEMS hazmat unit when preparing for chemical and biological threats. The unit not only has the necessary equipment--hazmat vehicles, portable hazmat equipment, identification and decontamination products--to respond to threats, it also has the appropriate operational infrastructure, including a communication network, operations center, and an aggressive in-house training program for personnel. Members of the hazmat team undergo 16 hours of intensive training to identify and respond to hazardous substances and decontaminate victims. Some members of the hazmat team are selected to receive 40 hours of additional training at the Alabama-based Center for Domestic Preparedness, which is funded by the U.S. Homeland Security Department and available free of charge to state and local first responders. The free-standing CEMS operations center features instruments and monitors that provide data about police and fire reports, local weather and traffic, and local and national news, so that technicians are better prepared to respond to potential problems. The hazmat team uses a portable device capable of identifying more than 6,000 chemicals, and the team has access to a company with a library of more than 30,000 substances. (go to web site) "Firewalls a Distraction Says Security Researcher" Computerworld Australia (07/07/05) ; Gedda, Rodney San Diego Supercomputing Center (SDSC) computer security researcher Abe Singer laments that companies are often spending 90 percent of their security efforts on firewalls. Therefore, most companies are focusing their security efforts on preventing outsider attacks when threats from insiders are just as important. Singer actually points to insider attacks when the attacker knows what to look for as even more dangerous than external attacks. Singer, speaking at an Australian Unix and open systems users group seminar on security, recommends taking a full audit of all business processes, eliminating unnecessary services, and implementing a well-rounded security policy. Singer says SDSC does not use a firewall and yet it has not had a root-level intrusion to its systems in four years. Singer says, "You really need to think through your processes [and] relying on a firewall means you're probably doing security wrong. Surveys have shown that 60 percent of security breaches are internal, but 70 percent of people are worried about hackers on the outside." (go to web site) "Group: Secure Bluetooth With Long PINs" ZDNet UK (06/27/05) ; Judge, Peter Attackers are forcing the repairing of Bluetooth devices in order to hear the process and crack the code by simply sending a lost key message that looks as if it came from the device itself, according to a report entitled "Cracking the Bluetooth PIN" that was presented by two researchers from Tel Aviv University at a recent Mobisys conference. Therefore, the Bluetooth Special Interest Group (SIG) is urging Bluetooth users to set eight-digit, alphanumeric PINs and avoid repairing in public places where attackers could potentially listen to the process. The SIG believes an eight-digit, alphanumeric PIN number would take about 100 years for a computer to crack, but a four-digit PIN would take merely a tenth of a second. The SIG also says most attackers cannot yet afford the expensive and complex equipment required for attacks. Therefore, SIG says, "It is highly unlikely that a normal user would even encounter such an attack." (go to web site) Abstracts Copyright © 2005 Information, Inc. Bethesda, MD   ASIS also offers a daily and a non-sponsored, special-content Professional Edition of Security Newsbriefs. Please click to see a sample or to contact us for more information. Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online