Deadline Nears for Ontario's Workplace Violence Law - Occupational Health & Safety (04/15/10)
A number of safety organizations in Ontario, including the Industrial Accident Prevention Association and the Canadian Centre for Occupational Health and Safety, are offering courses and other resources to help employers in the province comply with a workplace violence prevention law known as Bill 168. Under the law, companies in Ontario that have more than five employees must perform a workplace violence risk assessment to determine the types of hazards that could be caused by the nature of the workplace, the type of work, or the work conditions. After performing this risk assessment, employers will be required to create an anti-violence program. Such programs will be required to include violence and harassment policies, procedures for employee reporting and incident investigations, and policies for dealing with incidents, complaints, and violent threats. The deadline for compliance with Bill 168 is June 15.
Game Consoles at Work Threaten Corporate Security - Infosecurity (USA) (04/14/10)
Although 44 percent of senior IT decision-makers in the public and private sectors say that their organizations have an Internet-connected game console, nearly 40 percent are unaware of the threats associated with using such gaming systems, a recent survey by Sunbelt Software has found. Among the threats that come from using online gaming systems such as Xbox Live and PlayStation, Sunbelt said, were data leaks and in-game behavior that could damage a company's brand. Despite these threats, 80 percent of the 200 IT decision-makers who took part in the survey said that they had no records of who uses game consoles in the workplace, which makes it virtually impossible to determine who is responsible for data leaks and damaging behavior, Sunbelt found. Another threat that comes from using online gaming consoles in the workplace is distributed denial of service attacks that could result in the exposure of the IP addresses of corporate networks. Phishing attacks are also possible when using online gaming systems, because such systems include fully functional Web browsers, said Sunbelt researcher Chris Boyd. He added that organizations can protect themselves from these threats by using gaming consoles for offline play only.
Security Costs Rise for Amazon CEO - Wall Street Journal (04/14/10), Morrison, Scott
The security costs for Amazon.com CEO Jeff Bezos increased by approximately $500,000 in 2009, according to a Securities and Exchange Commission filing by the company. Amazon reports that it spent a total of $1.7 million on security for Bezos, in addition to spending on security for business facilities and for business travel. That figure is up from the $1.2 million the company spent in 2008. These security costs are some of the highest for any U.S.-based CEO. Amazon has declined to comment on why it believed additional security for Bezos was necessary.
Red Cross Workers Kidnapped in Congo - New York Times (04/13/10), Cowell, Alan
Eight Red Cross workers have been kidnapped in a violence-prone region of Congo, the Geneva-based organization said in a statement on Tuesday. According to the Red Cross, the workers--seven of whom were Congolese and one of whom was Swiss--were kidnapped April 9 by members of an armed group called Mai Mai Yakutumba after they completed an assessment of the needs of displaced people in the South Kivu region, an area that has been the scene of fighting that has forced thousands of civilians to leave their homes. The Red Cross has said that it has been in contact with the abducted workers and their families, though it did not say whether it has been in communication with the kidnappers. Franz Rauchenstein, the head of the Red Cross delegation in Congo, called for the workers to be released as soon as possible.
Legal Firm to Stop Issuing Net Piracy Letters - Network World (04/13/10), Skinner, Carrie-ann
The British law firm Tilly, Bailey & Irvine Solicitors (TBI) has announced that it will no longer send letters to Web users accused of illegally sharing games, music, or movie files because the documents have created "adverse publicity." The letters instruct the users to pay a fine and sign a legal agreement not to engage in illegal file-sharing in the future. The letters also include the exact date and time the alleged offense occurred. Such details were obtained after copyright holders identified the IP addresses used in illegal file-sharing and asked a court to order Internet service providers to provide them with user details for those addresses. The Solicitors Regulation Authority (SRA) in the U.K. is currently investigating TBI as well as two other firms following complaints regarding the letters. The SRA has already concluded that letters sent by the law firm Davenport and Lyons on behalf of copyright holders were "bullying" or considered "excessive" and has referred the matter to the Solicitors Disciplinary Tribunal.
Pentagon to Boost Ties to Fight Terrorism - San Antonio Express-News (TX) (04/16/10), Martin, Gary
The Pentagon announced Thursday that it was making several changes to prevent incidents similar to the shooting at Fort Hood, Texas, last year, which resulted in the deaths of 13 people. For instance, the Department of Defense said it would work more closely with law enforcement agencies to address terrorist threats. The move was prompted by an independent review of the Fort Hood shooting, which concluded that there was a lack of communication between the military and U.S. security agencies in the months leading up to the attack. In addition to vowing to work more closely with law enforcement agencies, the Pentagon also said that it would adopt a standard policy on personal gun ownership at military bases. Meanwhile, Sen. Joseph Lieberman (I-Conn.) has threatened to issue subpoenas to FBI agents and Defense Department officials who were aware of shooting suspect Maj. Nidal Malik Hasan's contact with a radical Yemeni cleric before the attack took place. Lieberman said the subpoenas are necessary because the Obama administration has refused to provide documents and witnesses to assist in the Homeland Security Committee's investigation of the shooting.
Investigators Blame Bad Security for Bhutto Death - Wall Street Journal (04/16/10), Lauria, Joe
A three-member U.N. Commission has released a report detailing its findings from its investigation into the December 2007 assassination of former Pakistani Prime Minister Benazir Bhutto. The report concluded that Bhutto's assassination, which was committed by a 15-year-old suicide bomber who detonated his explosives near her vehicle during her visit to Rawalpindi, could have been prevented if the Pakistani government, the government of Punjab province, and the Rawalpindi District police had used adequate security measures to protect her. The report noted that local police failed to develop an emergency plan in case Bhutto was attacked, and failed to escort her vehicle or exercise crowd control. The authors of the report added that although the Pakistani government was aware of the threats against Bhutto, it opted to simply pass those threats on to her rather than take proactive steps to neutralize them. In addition, the report found that Pakistani authorities took deliberate steps to botch the investigation into Bhutto's assassination. For instance, the report noted that there was credible evidence that Pakistani intelligence agencies ordered the Rawalpindi police chief to use a fire hose on the crime scene in an effort to destroy evidence. The report did not say who it believed was responsible for Bhutto's assassination, though it did say that the killers likely came from four groups: al-Qaida, the Taliban, local jihadi groups, and elements of the "Pakistani Establishment," which is made up of military, intelligence, and government officials, as well as businessmen.
Leaders Pledge to Secure Nuclear Fuel - Wall Street Journal (04/14/10), Weisman, Jonathan
The nuclear security summit that was held in Washington, D.C., ended on Tuesday with world leaders pledging to take steps to protect hundreds of thousands of tons of weapons-grade nuclear fuel by 2014. In addition, world leaders who attended the summit agreed to hold another meeting in South Korea in 2014 to measure progress toward achieving that goal. However, world leaders at the summit did not agree to any legally binding measures that would help secure certain amounts of nuclear material or would result in a move toward using low-enriched nuclear fuel. Nevertheless, some countries did announce that they were taking steps to improve nuclear security. Russia, for example, announced that it will soon close a nuclear reactor that has been producing weapons-grade plutonium since the 1950s. In addition, both the U.S. and Russia said they would abide by a 2000 agreement under which they each would destroy at least 34 metric tons of weapons-grade plutonium. In closing out the summit, President Obama praised the steps that were taken, saying that they would help make the U.S. and the world safer. But some critics say that the summit did not go far enough, because attendees did not take up the issue of an international treaty banning the production of new highly enriched uranium and plutonium. Other critics say that the summit did not convince Russia and China to agree to U.N. sanctions to get Iran to abandon its nuclear program.
Kirkpatrick Impressed by SBInet Demonstration - HSToday (04/15/10), McCarter, Mickey
Rep. Ann Kirkpatrick (D-Ariz.) recently voiced her support for the ongoing development of the Department of Homeland Security's (DHS) Secure Border Initiative (SBInet) after a visit to the command center for the pilot project in Arizona. While Kirkpatrick also supports the current freeze on the project, she said that DHS must find a way to expand SBInet beyond the 23 miles where it currently operates. However, she also stressed that such an expansion must be undertaken in a cost-effective manner. In addition to the potential expansion of the SBInet, Kirkpatrick argues that the U.S. Border Patrol needs more resources in order to prevent escalating violence by Mexico's drug cartels from spilling over into the United States. Although Kirkpatrick said she agrees with Arizona Sen. John McCain (R-Ariz.) that deploying National Guard troops to the border is a viable short-term solution, she noted that Border Patrol agents will eventually need to be able to keep the area secure on their own.
Radical Yemeni Cleric the New Bin Laden? - Washington Times (04/13/10), Murdock, Heather
Some terrorism specialists say that Yemeni-American cleric Anwar al-Awlaki could be more influential than Osama bin Laden, particularly among young potential radicals in the U.S. Already, intelligence officials believe that al-Awlaki has inspired, and possibly helped plan, several recent terrorist attacks, including the shootings at Fort Hood, the failed airline bombing on Christmas Day, and even Sept. 11. For this reason, the cleric, who is believed to be hiding in Yemen, has allegedly been placed on the list of suspects that U.S. military, intelligence, and law enforcement officials are permitted to capture or kill. The Yemeni government, however, now says that al-Awlaki is not considered a terrorist and will not be targeted by Yemeni security. Al-Awlaki is a member of the Awlak tribe's most powerful family, and Yemeni tribal leaders have said they will protect him from harm. His father, Nasir al-Awlaki, claims that he has no direct contact with his son, but has urged both the U.S. government and Anwar to take a step back and practice some restraint. He calls the terrorism accusations against his son "lies" and asked the U.S. to postpone the hit on Anwar for three months in return for his agreement to stop publishing anti-American rhetoric. He has given no indication whether or not his son agreed to such a deal. While the younger al-Awlaki publicly encourages jihad, he does not admit to being associated with al-Qaida. He had previously condemned both the attempted Christmas Day bombing and the Sept. 11 attacks because they targeted civilians, but now appears to have reversed that position, praising Umar Farouk Abdulmutallab in a recent blog post. Despite his international Internet notoriety, locals in Yemen do not appear to see al-Awlaki as a figure of consequence, except as a member of a powerful family. His sermons are in English, which most Yemenis do not speak, and are directed at young Westerners. As Yemeni journalist Mohammed al-Sayari confirms, "He is not famous there. He has no influence in Yemen."
A Big Feat for a Pint-Size Computer Hacker - Washington Post (04/15/10) P. B6, Jackman, Tom
Police in Fairfax County, Va., say a nine-year-old boy recently hacked into the county public school district's Blackboard Learning System. The breach was reported in late March, when it was discovered that someone had broken into teachers' and staff members' accounts on the Blackboard system (which allows teachers and administrators to post assignments, hold discussions, and track grades), changed their passwords, changed or deleted course content, and changed course enrollment. In addition, the school district discovered that all of the changes had been made from the same IP address. Police then obtained a court order requiring a local Internet service provider to identify the computer that had been used to make the changes. That eventually led them to the Fairfax County boy, whose account on the Blackboard system had been given administrator privileges, thereby allowing him to access most or all of the accounts on the system. Authorities declined to press charges against the child after determining that he had no criminal intent when he broke into the teacher and staff accounts.
Spam Volumes Still Growing, Says Google - IDG News Service (04/15/10), Sayer, Peter
Despite the efforts of security researchers to drastically reduce spam volumes, spam continues to rebound. The volume of unsolicited email between January and March was approximately 6 percent higher than it was one year earlier, according to Postini, Google's email filtering division. Security researchers have had a few triumphs against spammers in the past 12 months, first against those hosting the spammers' control systems, and later against the control systems themselves, but they will have to come up with a new strategy if they want to win the war, Google said in a post on its Enterprise blog. Today, spammers typically hire third parties to send their messages, usually a botnet administrator who controls a network of malware-infected PCs. Dozens of botnets of various sizes exist, each usually looking to a different command-and-control server for its directions. Although Google stopped short of suggesting where security researchers ought to focus their strikes next, others have named a target. Trend Micro CTO Dave Rand says ISPs should target the PCs that make up the botnets by blocking the TCP/IP ports through which they send mail and notifying the owners that their machines need a thorough cleaning.
Nasty Java Bug Could Lead to Attack - IDG News Service (04/12/10), McMillan, Robert
Google researcher Tavis Ormandy has released details about a Java virtual machine bug that could be used to launch unauthorized programs on a computer. The attack could give attackers a way to run Java programs on a victim's machine without the victim's knowledge. This is possible because Java permits developers to tell the Java virtual machine (JVM) to download alternate Java libraries. By creating a malicious library and then directing the JVM to install it, an attacker could run his malicious program. FireEye chief security architect Marc Maiffret says the bug is especially nasty because it stems from a Java design flaw rather than a programming error. Nevertheless, Verizon Business security analyst Russ Cooper says most attackers are likely to stick to known attack vectors such as Adobe Reader or the browser.
Agencies Struggle With Securing Computers, GAO Reports - Federal Computer Week (04/12/10), Weigelt, Matthew
The U.S. Government Accountability Office (GAO) has released two reports that found that federal agencies have largely not complied with the Trusted Internet Connection (TIC) and Federal Desktop Core Configuration (FDCC) cybersecurity initiatives. According to GAO, none of the 24 federal agencies that are subject to FDCC had changed the configuration settings on their computers to comply with the initiative as of last September. However, GAO did find that some agencies were in compliance with agency-defined subsets of the FDCC's settings. Meanwhile, none of the 23 agencies that are required to comply with TIC had complied with all of the initiative's requirements as of September 2009. But GAO did find that 16 federal agencies had been able to reduce the number of their external connections to roughly 1,753, which is 225 more than they had planned. In its report, GAO acknowledges that it will be difficult for federal agencies to fully comply with TIC and FDCC, though it notes that doing so is necessary to protect systems and data from frequent security breaches.
Guidelines Take Stab at Guarding Personal Information - Government Computer News (04/12/10), Jackson, William
The U.S. National Institute of Standards and Technology (NIST) has released a document that outlines a risk-based approach federal agencies can take to protect personally identifiable information (PII), meaning data that can be used to distinguish or trace someone's identity. According to the document, this risk-based approach to data security includes six steps, the first of which is identifying all the PII that the agency holds. In addition, NIST notes that an agency should retain data only if it is necessary for its mission, and should dispose of the data in accordance with relevant laws once it is no longer needed. Federal agencies also should categorize PII based on the possible damage that could be inflicted on the individual it belongs to, or on the agency, if it is lost. Agencies should then implement security measures that are appropriate for each category of PII. Finally, federal agencies should develop a plan for responding to data breaches involving PII and encourage privacy officers, CIOs, information security officers, and legal counsel to work together to deal with PII issues.