Friday, June 22, 2007

Security Management Weekly - June 22, 2007

header

  Learn more! ->   sm professional  

June 22, 2007
 
 
CORPORATE SECURITY  
  1. " Harry Potter Plot Hacked, Posted Online" Hacker Claims to Have Digital Copy of Valuable Book One Month Before Release
  2. " Retail Theft Causes Price Increase" Shrinkage Costs Retailers Record $41.6 Billion in 2006
  3. " Security Expert Will Review Ohio Data Theft" Stolen Backup Storage Device Contains Data on at Least 84,000
  4. " Va. Tech Shooter Seen as 'Collector of Injustice'" Federal Investigators Explain Seung Hui Cho's Criminal Behavioral Profile
  5. " A Little Privacy, Please" Carnegie Mellon University Lab Creates Privacy-Protecting Technology
  6. " Brewing Up a Safe Oktoberfest" Securing Germany's Oktoberfest Festival
  7. " Building Ethics From the Ground Up" Pretexting Scandal Prompts Hewlett Packard to Conduct Ethics Review

HOMELAND SECURITY  
  8. " Qaeda Grads on U.S. Bomb Mission: Report" ABC News Says Suicide Bombers Sent to U.S., Europe
  9. " New U.S. Passport Rules Postponed for at Least Six Months"
  10. " Lynx Will Spend Homeland Security Grant" Fla. Bus Agency to Provide Anti-Terror Training to 1,000 Employees
  11. " Earthquake Preparedness Drill Starts Today" Participants Include Several States and Federal Agencies
  12. " Homeland Security Grant to Buy High-Tech Radar on Lake"
  13. " When Tornadoes Strike, Preparedness Pays Off"

CYBER SECURITY  
  14. " Watching Virus Behavior Could Keep PCs Healthy" University of Michigan Anti-Virus System Obtains Virus "Fingerprints"
  15. " Key Master" How to Prevent Hackers From Acquiring Encryption Keys


   









 

"Harry Potter Plot Hacked, Posted Online"
Australian Broadcasting Corp. News (06/21/07)

The publishers of the immensely popular Harry Potter series of books have gone to great lengths to ensure that the plot details of the final book in the series remain a secret until it is released on July 21, but a computer hacker claims to have obtained a digital copy of the book and posted the plot on the Internet. The hacker, known as "Gabriel," claims to have obtained a digital copy of "Harry Potter and the Deathly Hallows" by hacking into a computer at Bloomsbury Publishing. Gabriel indicates in an Internet posting that the plot and secret ending of the series have been posted to the InSecure.org Web site. Bloomsbury declined to comment, but members of the book industry and computer security industry cautioned that the alleged plot details posted by Gabriel could be inaccurate or a hoax.
(go to web site)

"Retail Theft Causes Price Increase"
WWAY NewsChannel 3 (06/21/07)

A recent survey of 139 U.S. retailers concludes that retail theft and fraud resulted in $41.6 billion in losses to U.S. retailers during 2006. The amount, a record, is 11 percent higher than 2005's totals. Retailers say they will be forced to pass on the losses to consumers. The survey concludes that store employees are doing most of the stealing, accounting for about $20 billion of the $41.6 billion in losses. Shoplifters accounted for $13 billion of losses, with administrative errors and vendor fraud accounting for the remainder of the losses. Thieves favor smaller products on shore shelves, including cards, groceries, and specialized accessories, according to the study, which also identifies organized crime rings as a major problem. Members of these rings shoplift in bulk and then resell the stolen products for profit, usually over the Internet.
(go to web site)

"Security Expert Will Review Ohio Data Theft"
USA Today (06/18/07) ; Reed, Matt

Ohio Gov. Ted Strickland has announced that the state has hired computer security expert Matthew Curtin to conduct an analysis of data contained on a backup storage device that was stolen from a 22-year-old intern's car. Strickland said the stolen device contains personal data on 84,000 welfare recipients and about 1,200 records containing data about vendors. Previous reports suggested that the device also contains the personal data of about 193,000 other people, including 64,000 state employees, 54,000 pharmacy benefits enrollees, and 75,000 dependents. The incident has prompted Strickland to issue an executive order that specifies how state data must be handled. Curtin, who founded Interhack, will attempt to determine how much data the device contained.
(go to web site)

"Va. Tech Shooter Seen as 'Collector of Injustice'"
Washington Post (06/19/07) P. A1 ; Horwitz, Sari

Federal investigators have released details of Operation Prevail, the ongoing two-month-old investigation into Virginia Tech shooter Seung Hui Cho's life and mental state. The evidence collected so far suggests that Cho fits a criminal behavioral profile known as the "Collector of Injustice." Those who fit this profile believe that "the world is out to get them," and they believe that any injustices or misfortunes that befall them are caused by others. Eventually, the list of perceived slights compiled by the Collector of Injustice becomes so lengthy that the Collector will turn to violence to get even and avenge the perceived wrongs. Cho's writings suggest that he felt disrespected and humiliated by society, which treated him like a "filthy street dog" and an "ugly, little, retarded, low-life kid." In his writings, Cho warns of the impending carnage, advising his enemies to "kill yourselves or?the little kid will come with hundreds of rounds of ammunition on his back to shoot you down." Investigators also note that Cho sprinkled his words with religious imagery; considered himself a martyr; and apparently used the alter ego "Ishmael Ax" because he identified with the biblical figure Ishmael, an outcast who disdained society. In one passage, Cho writes, "I say we take up the cross, Children of Ishmael, take up our guns and knives...and spare no lives."
(go to web site)

"A Little Privacy, Please"
Scientific American (07/07) ; Walter, Chip

Director of Carnegie Mellon University's Laboratory for International Data Privacy Latanya Sweeney is dedicated to upholding people's privacy in an increasingly security-conscious world through the development of software. Her lab has devised "anonymizing" programs that can replace a person's face in a surveillance camera image with a new, impossible-to-identify facial image crafted from other faces in a database. Another brainchild of Sweeney's is the Identity Angel program, which combs the Internet and compiles thousands of identities by connecting names in one database with addresses, ages, and Social Security numbers distributed throughout others--enough information to commit identity theft--so that vulnerable people can be alerted to the problem and take corrective action before they can be exploited by malevolent parties. As a fellow of MIT's National Library of Medicine, Sweeney wrote the Scrub System program to improve the protection of several Boston hospitals' medical records; the program mined patient records, treatment notes, and letters between physicians to extract and delete a greater range of personal patient identifiers than standard search-and-replace software could. According to Sweeney, the ultimate solution is the upfront incorporation of privacy protection into the design and usability of new technologies by engineers and computer scientists. "Society can [then] decide how to turn those controls on and off," she reasons.
(go to web site)

"Brewing Up a Safe Oktoberfest"
Security Management (05/07) Vol. 51, No. 5, P. 72 ; Elliott, Robert

Germany's raucous Oktoberfest, the largest party in the world, poses numerous challenges from a security practitioner's perspective. One of the biggest problems is theft, as the large crowds--there were 6 million attendees at the 2006 Oktoberfest--prove too tempting a target for professional criminals, including pickpockets from Eastern Europe. Other problems include violence, attacks on police, and terrorism. To secure the sprawling event, German authorities have established the Oktoberfest Police Department, which consists of some 400 officers, along with bomb experts, interpreters, and officers who are experienced in handling youths. Vendors and merchants who work under the festival's massive beer tents traditionally hire about 1,000 private security guards. The police who patrol the event are chosen for their diplomacy and communications skills because they must be able to handle the stress of dealing with the wild atmosphere, including people who are inebriated. The security presence also includes a police station house and 360-degree dome surveillance cameras that have been strategically deployed in the fairgrounds.
(go to web site)

"Building Ethics From the Ground Up"
Ethisphere (06/01/07) P. 48 ; Hoak, John

Hewlett Packard, a company best-known for its technological achievements, also was applauded for its success in environmental stewardship, employee development, philanthropy, and ethical conduct. However, the pretexting scandal, stemming from a risk management investigation into where leaks of confidential corporate information came from, rocked the firm and called into question the firm's ethical foundation. Since the scandal broke headlines, the firm engaged in an review of its ethical practices, policies, and procedures and revamped its vulnerabilities. As a result of former U.S. Attorney's Office head of the criminal division Bart Schwartz's investigations, the firm appointed a new independent director to review ethical and legal compliance throughout internal and external investigative processes. HP has also developed a new senior executive post to ensure the entire company is in compliance with the firm's Standards of Business Conduct, ethical principles, and legal obligations; this position reports to the board, the independent director in charge of ethics on the board, and the chief executive. A compliance council, led by HP's privacy officer, is in place to support and review the efforts of the independent board members and the ethics officers. The firm is actively engaged in educating its vendors, suppliers, and workers in terms of business conduct expected of them and the ethical principles they are expected to follow in their dealings with HP and other firms. HP expects to face further ethical challenges in the future, notes HP Chief Compliance and Ethics Officer and Vice President Jon Hoak, but the firm is committed to ensuring those risks are minimized; Hoak says one of the keys in fighting ethical lapses is vigilance.
(go to web site)

"Qaeda Grads on U.S. Bomb Mission: Report"
New York Post (06/19/07) ; Soltis, Andy

The Taliban and Al Qaeda have trained some 300 suicide bombers in Afghanistan who are being sent to the United States, Canada, United Kingdom, and Germany to carry out attacks, according to an ABC News report that aired Monday night. The report said that groups of the bombers have already been sent to the United States and Europe, having departed from their Afghan camp 10 days ago. Some of the bombers are just 12 years old. The Taliban invited a Pakistani journalist to attend the camp, and on June 9, the journalist took pictures of Taliban commander Mansoor Dadullah praising the graduates of the terrorist camp. "These Americans, Canadians, British, and Germans come here to Afghanistan from faraway places," Dadullah says on tape. "Why shouldn't we go after them?" American officials claim that the tape is nothing more than propaganda, but former White House counter-terrorism expert Richard Clarke said the threat should not be dismissed.
(go to web site)

"New U.S. Passport Rules Postponed for at Least Six Months"
Washington Post (06/21/07) P. A11 ; Hsu, Spencer S.

Homeland Security Secretary Michael Chertoff announced on June 20 that the Jan. 1, 2008, start date for new passport rules for U.S. travelers returning from Canada, Mexico, and the Caribbean will be pushed back until at least the summer of 2008. The new rules, which will require Americans to display a passport when crossing U.S. borders, had come under fire from lawmakers, travelers, and the travel industry due to economic concerns and a mounting backlog of passport requests at the State Department. While Chertoff promised that "we're not going to drop the ax on Jan. 1, 2008," he did stress that the new rules are key to U.S. antiterrorism efforts and need to be implemented. Although Chertoff agreed to postpone the new rules, he also made changes to the current set of rules, which allow Americans to simply make a verbal declaration when returning from Canada, Mexico, and the Caribbean. The changes, which will go into effect Jan. 31, 2008, will require Americans to show an ID card and birth certificate.
(go to web site)

"Lynx Will Spend Homeland Security Grant"
Orlando Sentinel (FL) (06/20/07) ; Hamburg, Jay

Central Florida's Lynx bus agency is using a $908,000 Department of Homeland Security grant to provide anti-terrorism and emergency-response training to its 1,000 employees. The effort will allow Lynx to coordinate with police and fire departments and serve as their eyes and ears, says Lynx spokeswoman Linda Watson. The training will cover a variety of potential areas, including spotting suspicious behavior and packages, self-defense, remaining calm under duress, and establishing closer ties with law enforcement and emergency medical personnel. The security training for Lynx employees is necessary because buses and trains have proven to be favorite terrorist targets in other countries, Watson says. Transportation Security Administration spokesman Lee Kair explains that the training for Lynx employees will be similar to the terrorism-awareness training that truckers and airport employees have received. The sheriff of Orange County says that he may even bring in Israeli transit-security experts to help with the Lynx training. By using the homeland security grant to pay for the employee training, Lynx will be able to spend its own money on other projects, including the deployment of tracking devices on Lynx buses.
(go to web site)

"Earthquake Preparedness Drill Starts Today"
St. Louis Post-Dispatch (06/19/07) ; Taylor, Betsy

Missouri, Tennessee, Arkansas, and several other states are taking part in a three-day earthquake-preparedness drill this week. The drill, which has been planned for the past two years, centers on a mock magnitude 7.7 earthquake that occurs along the New Madrid fault, which runs from Arkansas to Illinois. The drill will feature the participation of 80 Missouri cities and counties, the U.S. Coast Guard, Environmental Protection Agency (EPA), and Missouri State Emergency Management Agency, among others. Response, both short-term and long-term, will be a key focus of the drill. For example, cities and counties in Missouri will examine how they would provide services to earthquake victims, how they would reopen schools and banks, and how they would work with insurance companies. The EPA will examine how to respond to toxic spills. The drill will feature field exercises and tabletop exercises that include the deaths of leaders, destroyed bridges, and communication outages.
(go to web site)

"Homeland Security Grant to Buy High-Tech Radar on Lake"
Pittsburgh Post-Gazette (06/17/07)

The Erie-Western Pennsylvania Port Authority will use a $242,000 homeland security grant to install a radar-based surveillance system that will allow law enforcement authorities to monitor naval traffic on Lake Erie. A secure Internet connection will allow local, state, and federal agencies to access the radar system, which can be used for detecting boats that are behaving suspiciously or speeding. The system, which has a range of four miles from land, will also prove useful during search and rescue missions and in reconstructing boating accidents. Joseph Weindorf, the Erie County (Pa.) public safety director, says the system will address law enforcement's ability to scrutinize what takes place on the water, currently a major weakness. Similar systems have been installed in the San Francisco, Chesapeake, and Delaware bays.
(go to web site)

"When Tornadoes Strike, Preparedness Pays Off"
Cleveland Plain Dealer (OH) (06/21/07) ; Hebert, Melissa

Statistics show that tornadoes kill 70 people, wound 1,500 others, and cause billions of dollars of damage each year. June and July are the prime months for tornadoes in the Great Lakes region. Several local and national agencies provide advice on preparing for tornadoes. This advice includes buying a weather radio, creating a preparedness plan for sheltering during storms, creating a safety kit in the storm-shelter space, choosing a person to serve as main point of contact, and making plans for pets. The shelter should be underground or in an interior space, and it should be located away from windows or large objects that could potentially fall. Tenants of high-rise buildings should seek shelter in an interior hallway with no windows. The safety kit should include a battery-operated radio, extra batteries, and a map of the county in case an evacuation occurs. Diseased or dead tree limbs should be trimmed to prevent them from becoming missiles during a tornado.
(go to web site)

"Watching Virus Behavior Could Keep PCs Healthy"
New Scientist (06/15/07) ; Simonite, Tom

A prototype anti-virus system developed at the University of Michigan uses the "fingerprint" of virus activity to more effectively identify viruses. The system obtains such fingerprints by intentionally infecting a quarantined computer with viruses. Conventional anti-virus software monitors systems for suspicious activity and then tries to determine the source by checking for virus signatures, which makes it difficult to spot new pieces of malware and track different variations. The University of Michigan team studied the files and processes malware created and modified on an infected computer, and developed software that uses the information gathered to identify malware. The prototype is capable of defining clusters of malware that operate in similar ways, and can create a kind of family tree that illustrates how superficially different programs have similar methods of operation. In tests on the same software, the prototype was able to identify at least 10 percent more of the sample than five leading anti-virus programs. The prototype also always correctly connected different pieces of malware that operate similarly, while the best anti-virus program was only able to identify 68 percent of such links.
(go to web site)

"Key Master"
Information Security (06/07) Vol. 10, No. 6, P. 50 ; Cole, Eric

When implementing an encryption solution, it is essential to ensure that the encryption keys are properly controlled so that an attacker cannot acquire them, writes Lockheed Martin Senior Fellow Eric Cole, who is also a SANS Institute instructor and course developer. Cole says there are a number of things companies can do to ensure that their encryption keys are properly controlled. For example, keys should be generated in a secure manner so that the administrator generating them does not actually have access to them. In addition, third-party software should be used to give the key to the user in a secure manner. When keys are no longer needed, they should be retired in a way that ensures that no one can use them again. After key management issues are dealt with, companies must then focus on deploying their encryption infrastructure. When doing this, companies should stress to their employees that they will be liable in the event keys are not properly protected and someone gains access to the encrypted information. Companies should also state all encryption key exposure points as policy, such as the required level of complexity of pass phrases.
(go to web site)

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment