
Friday, April 30, 2010

Security Management Weekly - April 30, 2010

Corporate Security

  1. "Man Says He Sold Prototype iPhone, Will Cooperate With Police"
  2. "Costs of Data Breaches Much Higher in U.S. Than in Other Countries, Study Says" Ponemon Institute
  3. "As Patrols Increase, Somali Pirates Widen Their Reach"
  4. "U.S. Seizes Big Batches of Fake Goods"
  5. "Understanding the Relative Cost of Crime to Business"
Homeland Security

  1. "China Reports Another School Attack"
  2. "E.U. Will Let Air Travelers Carry Liquids in 3 Years"
  3. "Administration Continues to Defy Senate Subpoena for Fort Hood Documents"
  4. "Terror Threat Shadows Johannesburg Games"
  5. "Police Let Terrorist Slip Through"
Cyber Security

  1. "Encryption High-Priority for Massachusetts"
  2. "Federal Agencies Wrestle With Cybersecurity's Harsh Realities"
  3. "Microsoft's Security Report Finds Enterprises Vulnerable to Worms"
  4. "Spammers Pay Others to Answer Security Tests"
  5. "The Top Threats to Government Systems, and Where They're Coming From"

Corporate Security

Man Says He Sold Prototype iPhone, Will Cooperate With Police
San Jose Mercury News (04/30/10) Carey, Pete

The man who found a prototype iPhone in a Redwood City, Calif., bar issued a statement through his lawyer on Thursday saying that he will cooperate with the investigation into the matter. According to the statement, the man, 21-year-old Brian Hogan of Redwood City, was at the bar when another customer handed him the phone, which that customer said he had found on a nearby barstool. Hogan asked other customers at the bar whether the phone--a camouflaged prototype of the next version of the iPhone--belonged to them. After failing to find the owner, Hogan left the bar with the phone, which had been left behind by an Apple engineer who had been out celebrating with friends. Hogan later sold the phone to the tech Web site Gizmodo for $5,000 cash so they could "review the phone." A short time later, Gizmodo editor Jason Chen posted an entry on his blog about the phone and its new features. The phone was eventually returned to Apple after a lawyer for the company sent a written request for the device to Gizmodo.


Costs of Data Breaches Much Higher in U.S. Than in Other Countries, Study Says
Dark Reading (04/28/10) Wilson, Tim

Data breaches in the United States could cost companies twice as much as they cost companies in countries with less stringent disclosure and notification laws, according to a Ponemon Institute study. "The overarching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," says Ponemon chairman Larry Ponemon. The study examined breach costs in the United States, the United Kingdom, Germany, France, and Australia. In the U.S., the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were passed in July 2009, costs were the second highest at 25 percent above the worldwide average. Australia, France, and the U.K., where data breach notification laws have yet to be introduced, all had costs below the world average. The study's report says that a major reason for the high cost "is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers' records might be affected." The notification requirements could be forcing some companies to disclose too much information too soon, Ponemon says.


As Patrols Increase, Somali Pirates Widen Their Reach
Time (04/27/10) Tharoor, Ishaan

Although the international naval force in the Gulf of Aden and the waters off the coast of Somalia has succeeded in reducing the number of pirate attacks in the region between the first quarter of 2009 and the first quarter of 2010, Somali pirates have yet to be completely defeated. Instead, they are simply moving farther out into the Indian Ocean to avoid the international naval coalition that is trying to protect ships moving through the Gulf of Aden. The recent hijacking of three Thai fishing trawlers, for example, took place 1,200 miles from the Somali coast, farther out than any previous attack launched by Somali pirates. According to Roger Middleton, an expert on the Horn of Africa at the London-based think tank Chatham House, such attacks are likely to become more common as Somali pirates scatter farther from the Somali coast to avoid being caught by the international naval force in the region. He added that the naval force off the Horn of Africa would have to grow from the current 35 to 40 warships to between 700 and 800 ships in order to eradicate the threat from pirates in the region--a mobilization that would be virtually impossible, given the limited capabilities of most countries' navies. Meanwhile, ship owners are being urged to take steps to protect their vessels and crew members from the threat of piracy, including creating safe rooms in which crew members can hide in the event of a pirate attack. Others say that ship owners may want to consider arming their crew members or hiring private security guards. But experts say that having armed crew members or security guards on board ships could provoke a violent response from pirates, who have generally been non-violent up to this point.


U.S. Seizes Big Batches of Fake Goods
Wall Street Journal (04/26/10) Johnson, Keith

More than $240 million in counterfeit goods were seized in two separate operations earlier this month, U.S. officials say. Roughly $40 million worth of items--including counterfeit Rolex watches, Coach handbags, and Nike shoes--were seized by the federal, state, and local law enforcement officials who make up the National Intellectual Property Rights Coordination Center as part of a 30-city sweep called "Spring Cleaning." The remaining $200 million worth of items were confiscated in the Port of Baltimore after being shipped to the U.S. from Asia. According to John Morton, the assistant secretary for U.S. Immigration and Customs Enforcement, the goods seized in the operations appear to be linked to organized crime. Terrorist organizations such as Hezbollah have also been known to deal in counterfeit goods in order to raise money, the FBI says. As a result, the U.S. government plans to continue fighting the sale of counterfeit goods. The U.S. General Services Administration, for example, will target fraudulent goods that make their way into the federal civilian supply chain, while federal, state, and local officials will work together to establish 20 "IP theft enforcement teams" to stop the sale of fake products to consumers nationwide.


Understanding the Relative Cost of Crime to Business
Security Director's Report (04/10) Vol. 2010, No. 4

To stop senior managers from unnecessarily absorbing the losses from crime -- and to encourage them to see a lack of security spending as penny wise and pound foolish -- security executives must be able to communicate the costs of crime. A security leader who wants to be a truly trusted advisor should also understand how significant crime-related losses are compared to other business costs. The average vandalism incident sets a small business back $3,370, according to the U.S. Small Business Administration. "Put another way," says Dr. Martin Bressler, a Houston Baptist University professor and author of a new study on business crimes, "a small business with revenues of $500,000 per year and a net margin of 5 percent would lose approximately 13.5 percent of [its] annual net profit." The lesson for small businesses is that while vandalism is not frequently seen as critical compared to other business costs, it sometimes makes the difference between profit and loss.


Homeland Security

China Reports Another School Attack
Associated Press (04/30/10)

Five kindergarten students in Weifang, China, were injured Friday when an assailant attacked them with a hammer. The incident began when the assailant, a local farmer named Wang Yonglai, broke down the gate of the school with a motorcycle. Wang then struck a teacher who tried to block him and attacked the children with his hammer. He then grabbed two of the children, doused himself with gasoline, and lit himself on fire. Teachers at the school were able to pull the children away, though Wang burned to death. None of the children suffered any serious injuries. The attack at the school was the third in as many days in China. On Thursday, a 47-year-old man named Xu Yuyuan made his way into a kindergarten in Taixing with an eight-inch knife. Nearly 30 students were wounded in that attack. Another knife attack took place in a primary school in Leizhou the day before. One teacher and 15 students were injured in that incident, none of them seriously. The attacks have taken place despite increased security measures at Chinese schools. Under those security measures, which were adopted in 2006, schools are required to register or inspect visitors and prevent unauthorized individuals from entering.


E.U. Will Let Air Travelers Carry Liquids in 3 Years
New York Times (04/29/10) Clark, Nicola

The European Union announced Thursday that it is planning to make a number of changes to its airport security measures, including ending the four-year-old ban on liquids in airline passengers' hand luggage. Under the plan to end the ban, which was put in place in 2006 after British authorities discovered a plot to bomb airplanes with liquid explosives, liquids purchased at duty-free shops outside the E.U. or onboard non-E.U. airlines would be allowed in hand luggage beginning in 2011. The E.U. currently allows passengers to carry such liquids in hand luggage if they are purchased at airports in the U.S., Canada, Croatia, and Singapore. However, passengers would be required to seal the liquids in tamper-proof bags and put them through screening before boarding their flight. The ban on other liquids would be lifted by 2013. In addition, the new guidelines call for European airports to install new technology at security checkpoints that would be capable of detecting liquid explosives. Other countries, including the U.S., are also moving towards ending the ban on liquids in airline passengers' hand luggage. As part of that effort, the U.S. Transportation Security Administration has entered into talks with software companies about upgrading airport security screening equipment so that it can detect liquid explosives.


Administration Continues to Defy Senate Subpoena for Fort Hood Documents
Washington Post (04/28/10) P. A06; Whitlock, Craig

The departments of Defense and Justice said on April 27 that they will provide some of the information the U.S. Senate Committee on Homeland Security and Governmental Affairs requested about the Fort Hood shooting and suspected gunman Maj. Nidal Malik Hasan. For example, the Department of Defense said it would provide the panel with access to Hasan's personnel file and portions of an Army report that examined why Hasan's superiors did not act on warnings that the Army psychiatrist was becoming a radical Muslim. However, neither the Pentagon nor the Department of Justice will comply with a subpoena for witness statements and other documents related to the investigation of the Fort Hood shooting, saying that doing so could hurt their chances of prosecuting Hasan. The decision not to comply with the subpoena was criticized by Leslie Phillips, a spokeswoman for the Homeland Security and Governmental Affairs Committee, who said that it hurt Congress's ability to conduct independent oversight of the executive branch.


Terror Threat Shadows Johannesburg Games
Jerusalem Post (04/27/10) Slier, Lionel

Security for the soccer World Cup, which is scheduled to begin in Johannesburg, South Africa, on June 11, is expected to be extremely tight to prevent terrorists from capitalizing on the publicity of such a high-profile international target. Anneli Botha, a senior researcher in terrorism at the Institute of Security Studies in Pretoria, says that despite the precautions being taken to protect athletes and fans, terrorist activity cannot be ruled out. In addition to local Islamic militants, Botha says that right-wing Afrikaans extremists could pose a possible threat. South Africa also has a history of providing a haven to international terrorists. For example, Khalfan Khamis Muhammad was arrested in Cape Town in 2004 for his involvement in the U.S. Embassy bombing in Dar es Salaam. The country's borders remain porous and corruption is common. It is estimated that more than 6,000 South African passports have been purchased illegally from officials and used to gain entry into the United Kingdom. These incidents raise serious concerns about international terrorist threats to the games, but officials say they have taken every precaution in order to ensure that the threat remains as low as possible.


Police Let Terrorist Slip Through
Wall Street Journal (04/26/10) Gardiner, Sean

Public revelations that the Port Authority of New York and New Jersey failed to find explosives hidden inside Najibullah Zazi's car last September are worsening tensions between the agency and the New York Police Department. According to the NYPD, the Port Authority's inability to find the explosives during a search of Zazi's car and its subsequent decision to allow him to enter the city despite warnings from the FBI was a potentially catastrophic mistake. However, officials with the Port Authority and the FBI--who told the Port Authority to search Zazi's car as he prepared to cross the George Washington Bridge and enter the city--said that searching the terrorist suspect's vehicle may not have been the best thing to do. Since the Port Authority did not have a warrant, any evidence that would have been uncovered in a search would have been inadmissible in court, a Port Authority officer said. In addition, a thorough search of Zazi's car without a warrant would have made him suspicious. Zazi subsequently disposed of the explosives because he believed that he was under surveillance. He flew back home to Colorado and was arrested shortly thereafter. Zazi has pleaded guilty in the case and will be sentenced on June 25.


Cyber Security

Encryption High-Priority for Massachusetts
Network World (04/28/10) Messmer, Ellen

Massachusetts state government departments are deploying encryption technologies as part of an effort to comply with a new data-privacy law and an executive order issued by Gov. Deval Patrick that requires sensitive data to be encrypted. For example, the Executive Office of Housing and Economic Development is installing encryption hardware that connects to the department's Ethernet and edge switches and encrypts all data, not just sensitive information, that travels between roughly 70 locations on the network. The data is automatically decrypted once it reaches its destination subnet. Dana Racine, the department's director of infrastructure, says the process of installing the hardware has not been too difficult so far, since it has been similar to implementing a firewall rule set, but it is expensive. Racine says the department decided to encrypt all data instead of trying to determine which specific data might fall under the state's guidelines.


Federal Agencies Wrestle With Cybersecurity's Harsh Realities
Dark Reading (04/28/10) Wilson, Tim

Attendees at the April 28 FedScoop Cybersecurity Leadership Summit, which included IT executives of federal agencies, federal business unit executives, and major IT security vendors, agreed that cybersecurity strategies should not focus entirely on creating impenetrable perimeters around sensitive data. Instead, participants in a cybersecurity panel said that agencies must take a more practical, risk-based approach, which includes developing ways to detect attacks and recover from them. The risk-based approach also focuses on identifying the most sensitive information and the information most likely to be targeted in a cyberattack. As National Institute of Standards and Technology (NIST) computer scientist Ron Ross points out, "We've developed a structure for enterprise-wide risk management. How do you monitor risk over time? How much risk can you tolerate? Once you've answered these questions, then you can set up your missions and business procedures." Another important aspect of cybersecurity is attack attribution. While it may be difficult to determine exactly where an attack came from, agencies should make decisions much the way a court would, using standards like "a preponderance of evidence" or "beyond reasonable doubt," panelists said.


Microsoft's Security Report Finds Enterprises Vulnerable to Worms
eWeek (04/26/10) Kolakowski, Nicholas

Volume 8 of Microsoft's Security Intelligence Report compiled information gathered from roughly 500 million computers globally to develop a picture of the worldwide IT security situation for the last six months of 2009. Although some of the findings came as no surprise—more service packs on more recent operating systems resulted in fewer weaknesses—there were conspicuous differences between the vulnerability profiles of business and consumer IT. Meanwhile, total vulnerability disclosure figures in software continued to drop. Older operating systems were hit hardest by the attacks, Microsoft says, with Windows XP reporting higher overall infection rates than either Windows 7 or Windows Vista. As an overarching trend, succeeding service packs for operating systems mitigated the rates of infection. According to the report, "Microsoft security products cleaned rogue security software-related malware on 7.8 million computers in [the second half of] 2009, up from 5.3 million computers in [the first half of 2009]—an increase of 46.5 percent."


Spammers Pay Others to Answer Security Tests
New York Times (04/25/10) Bajaj, Vikas

Spammers are paying people in countries such as India, Bangladesh, and China to pass Web security tests known as CAPTCHAs, which ask Web users to type in a string of semi-distorted characters to prove they are humans and not spam-generating robots, according to Carnegie Mellon University professor Luis von Ahn. He says thousands of people in developing countries, primarily in Asia, are solving these puzzles for pay. The completed CAPTCHAs help spammers open new online accounts from which to send junk email. However, Internet company executives say the threat of spammers paying people to decode CAPTCHAs is not a major concern. They note that Web sites use several tools to verify accounts and maintain security. Some sites may send confirmation codes as text messages, which then must be entered into a separate verification page before new email accounts are activated. "Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve CAPTCHAs proves that the tool is working," says Google's Macduff Hughes.


The Top Threats to Government Systems, and Where They're Coming From
Federal Computer Week (04/23/10) Jackson, William

Fourteen percent of cyberattacks against U.S. government agencies last year originated in China, according to Symantec's Government Internet Security Threat Report. The report says that last year's global government threat landscape was dominated by Internet-based attacks and targeted, persistent threats designed to secretly steal valuable data. The report also says that 46 percent of the top 10 cyberattacks last year were Web server attacks. Meanwhile, advanced persistent threats—in which cybercriminals subtly look for data such as software source code and steal it over a long period of time—became increasingly common last year, Symantec found. These attacks are effective because they use social engineering techniques to deliver malicious code to the victim, which means that government agencies cannot rely on traditional network and perimeter defenses to defend against this threat. Symantec also found that more and more malware is circulating on the Internet. However, the company noted that government agencies cannot simply rely on signatures to protect themselves from malware, since malicious code can be quickly altered in order to avoid detection.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

