Friday, July 30, 2010

Security Management Weekly - July 30, 2010

July 30, 2010
 
 
Corporate Security

  1. "Four Journalists Kidnapped in Mexico"
  2. "Eastern European Gangs Hit ATMs: Police" Melbourne, Australia
  3. "South Africa: Piracy on East Coast is Creeping Closer"
  4. "Two Laundry Workers Get Steamed as Gun is Pulled in Workplace Brawl" Fayetteville, Ga.
  5. "Today's Energy Theft Detection Models Help Protect Revenues While Enhancing Neighborhood Safety"
Homeland Security

  1. "Computer Evidence Ties Leaks to Soldier"
  2. "WikiLeaks Fallout: Tighter Access to US Secrets?"
  3. "Nuclear Forensics Skill is Declining in U.S., Report Says"
  4. "Judge Blocks Arizona Law"
  5. "FCC, Public Safety Groups Clash Over Broadband Plan"
Cyber Security

  1. "What Your Phone App Doesn't Say: It's Watching"
  2. "Most Breaches Caused by Crime Gangs"
  3. "So Many Bugs, So Little Time" Tools and Techniques for Discovering Security Flaws
  4. "Cyber Risks Place New Demands on Public/Private Partnership"
  5. "Cybercrime Costs a Business $3.8 Million/Year, Study Finds"

   

 
 
 

 


Four Journalists Kidnapped in Mexico
Wall Street Journal (07/29/10) De Cordoba, Jose; Casey, Nicholas

Four Mexican journalists were kidnapped by drug cartels in the northern city of Gomez Palacio on Monday. The four were taken hostage after they photographed the penitentiary where inmates were protesting the arrest of prison head Margarita Rojas, who has been charged with providing weapons to a group of prisoners and allowing them to go free so that they could attack a party in the northern city of Torreon nearly two weeks ago. Seventeen people were killed in that attack. After the journalists were captured, the two cars they had been traveling in were found burned a short distance from the prison. No remains were found. It is believed that the cartels are holding the reporters because they are angry about the journalists' coverage of the Rojas case. The incident is the latest in a series of attacks by drug cartels that aim to prevent the press in northern Mexico from covering the region's drug wars. According to George Grayson, a professor and expert on illegal drugs at the College of William & Mary, drug cartels in the region are believed to have been behind the murders of about 12 journalists.


Eastern European Gangs Hit ATMs: Police
Sydney Morning Herald (Australia) (07/29/10)

Police in Victoria, Australia, say that Eastern European gangs are responsible for millions of dollars lost to an ATM scam that has targeted 28 ATMs in the Melbourne area since March 2010. Police have so far found 10 machines that still had the skimming devices attached. The devices reportedly used a fake card entry slot and a panel above the keypad that concealed a pinhole camera to capture PINs. To prevent this kind of theft, police recommend that customers use their free hand to shield the keypad while entering their PIN, and that they use ATMs they are familiar with whenever possible so that they can recognize any small differences that could indicate a skimming device has been fitted. All customers are also asked to check their bank statements regularly for unauthorized withdrawals.


South Africa: Piracy on East Coast is Creeping Closer
allAfrica.com (07/28/10) Baumann, Julius

Africa's maritime sector is currently facing a number of critical challenges, but the increasing aggression and frequency of pirate attacks is drawing the most attention. The International Maritime Organisation (IMO) has reported 38 incidents of attempted hijacking in the month of May, mostly around Somalia. The Brenthurst Foundation, in a document titled "Maritime Development in Africa," noted that piracy is one of the greatest threats to Africa's economic development and security. Pirates near Somalia have not yet attacked a South African registered or flagged ship, but many officials are concerned that this risk will increase as piracy moves further south. To counter the threat from piracy, an overarching maritime strategy for the entire continent of Africa needs to be developed, said retired Rear-Adm. Steve Stead, an author of the foundation's report. The Brenthurst report found that the increase in pirate activity has had a number of effects on commerce in the region. For example, there has been a 12 percent to 15 percent increase in premiums for general insurance, the report found. Meanwhile, Ocean Africa Container Lines decided not to introduce a new service through the Gulf of Aden because of piracy. Despite these problems, most African navies have not taken steps to fight piracy. Instead, the North Atlantic Treaty Organization has largely taken responsibility for protecting Africa's east coast. South African Navy spokesman Capt. Jaco Theunissen says the South African government does not provide patrols or other support outside its own waters unless assistance is requested from a neighboring government, which has not yet occurred.


Two Laundry Workers Get Steamed as Gun is Pulled in Workplace Brawl
Fayette Citizen (07/27/10) Nelms, Ben

A workplace dispute over clothes at a dry cleaners in Fayetteville, Ga., has resulted in the arrest of two coworkers. The first employee, Melinda James, was charged with aggravated assault, battery, carrying a concealed weapon, obstruction, pointing a weapon at others, reckless conduct, and using fighting words. The other, Adelina Brovo-Ricardes was charged with battery, fighting in public, and using fighting words. The dispute reportedly began verbally and escalated to pushing, shoving, and slapping. At one point, James pushed Brovo-Ricardes to the floor, injuring her left shoulder. James then reportedly brought a gun from her car into the business and pointed it at Brovo-Ricardes, who ran out of the store, telling the clerk on duty that James had a gun. She also reported the incident to the police the following day. When confronted by police, James initially lied about the weapon, though it was later found, loaded, on the premises.


Today's Energy Theft Detection Models Help Protect Revenues While Enhancing Neighborhood Safety
Pipeline & Gas Journal (07/10) Vol. 237, No. 7, P. 16; Madrazo, Michael

Energy theft is on the rise due to the recession, and unauthorized use of power results in higher costs for all customers. Each year, energy used without the utility's knowledge causes billions of dollars in lost revenue, which means higher prices for customers as utilities try to recover that revenue. Local distribution companies (LDCs) have several reasons to catch gas thieves: public safety, lost revenue, the desire to lower customer billing rates, community responsibility, liability, and gas emissions standards. Utilities have traditionally relied on meter readers and service personnel for tips about gas theft, but because automatic meter reading and advanced metering infrastructure have become widespread, the meter reader is no longer on site as often. The remaining way to find thieves is to understand how each customer uses natural gas and focus on those whose usage deviates from expected consumption. Knowing the characteristics of an account makes it possible to estimate the customer's expected gas usage; that usage can then be compared to a group of similar customers with similar characteristics, and outliers can be investigated further. Two theft detection models are used: peer comparison and characteristic analysis. Both compare everything known about residential and commercial customers against similar homes and businesses in similar geographical settings and look for differences in consumption patterns that could indicate un-metered equipment on an account. More than one model should be run together so that an account's energy usage is analyzed and anomalies are flagged on the basis of different types of assessment. Detecting gas theft matters because it protects utility revenue.
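To make the two models concrete, here is an added example (not code from the article or from any utility's system) that runs a peer-comparison model and a characteristic-analysis model over a constructed set of accounts and flags only those that more than one model marks as anomalous, as the article recommends. The account attributes, consumption figures, peer-group rule, expected-usage coefficients and thresholds are all assumptions chosen for illustration; a real LDC would fit them from its own billing history.

```python
"""Peer comparison and characteristic analysis for gas-theft screening.

Added example with constructed data.  Both models look for metered use that is
far *below* what comparable accounts use, the usual signature of un-metered
load on a bypassed or tampered meter.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Account:
    account_id: str
    zone: str          # geographic setting (constructed label)
    sq_ft: int         # heated floor area
    gas_heat: bool     # gas furnace on the account
    therms: list       # metered monthly use, one value per month


# Constructed sample: A6 has a furnace and a large house but meters a fraction
# of what its peers use.  A5 has no gas heat and no peers at all.
ACCOUNTS = [
    Account("A1", "north", 1800, True, [120, 115, 98, 60, 30, 20]),
    Account("A2", "north", 1900, True, [130, 118, 101, 63, 33, 22]),
    Account("A3", "north", 1750, True, [115, 110, 95, 58, 29, 19]),
    Account("A4", "north", 2000, True, [135, 125, 105, 66, 35, 24]),
    Account("A5", "north", 900, False, [12, 11, 10, 9, 8, 8]),
    Account("A6", "north", 1950, True, [40, 38, 30, 20, 12, 9]),
]


def annual_use(acct):
    return sum(acct.therms)


def peer_key(acct):
    """Peers share a zone, heating type and a rough size band (assumed rule)."""
    return (acct.zone, acct.gas_heat, round(acct.sq_ft / 1000))


def peer_comparison(accounts):
    """Model 1: robust z-score of each account against its peer group.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one thief in the group does not hide itself by
    inflating the spread.  Returns None when there are too few peers to judge.
    """
    groups = defaultdict(list)
    for acct in accounts:
        groups[peer_key(acct)].append(acct)
    scores = {}
    for acct in accounts:
        peers = [annual_use(p) for p in groups[peer_key(acct)] if p is not acct]
        if len(peers) < 3:
            scores[acct.account_id] = None
            continue
        med = median(peers)
        mad = median(abs(p - med) for p in peers)
        if mad == 0:  # identical peers: no spread to scale by
            scores[acct.account_id] = None
            continue
        scores[acct.account_id] = (annual_use(acct) - med) / (1.4826 * mad)
    return scores


def expected_annual_use(acct):
    """Model 2 baseline: expected use from account characteristics alone.

    The coefficients are assumptions standing in for a fitted model.
    """
    if acct.gas_heat:
        return 0.22 * acct.sq_ft + 40
    return 0.06 * acct.sq_ft + 5


def characteristic_analysis(accounts):
    """Model 2: ratio of metered use to the characteristic-based expectation."""
    return {a.account_id: annual_use(a) / expected_annual_use(a) for a in accounts}


def flag_accounts(accounts, z_threshold=-3.0, ratio_threshold=0.6):
    """Run both models and return {account_id: [models that flagged it]}."""
    z_scores = peer_comparison(accounts)
    ratios = characteristic_analysis(accounts)
    flags = defaultdict(list)
    for acct in accounts:
        z = z_scores[acct.account_id]
        if z is not None and z < z_threshold:
            flags[acct.account_id].append("peer_comparison")
        if ratios[acct.account_id] < ratio_threshold:
            flags[acct.account_id].append("characteristic_analysis")
    return dict(flags)


if __name__ == "__main__":
    for account_id, models in flag_accounts(ACCOUNTS).items():
        print(account_id, "flagged by", ", ".join(models))
```

Accounts flagged by both models are the ones worth a field visit; an account flagged by only one is usually a data or modelling problem (an empty house, an unusual appliance, a wrong size on file) rather than theft, and A5 shows why a model must say "cannot judge" rather than guess when an account has no real peers.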




Computer Evidence Ties Leaks to Soldier
Wall Street Journal (07/30/10) Barnes, Julian E.; Bustillo, Miguel; Rhoads, Christopher

An unnamed U.S. defense official says that investigators have tied Pfc. Bradley Manning, who has already been charged in a separate case in which he allegedly provided secret and classified data to the whistleblower site WikiLeaks, to the recent release of thousands of secret reports from Afghanistan to the site. According to the official, a search of computers used by Manning--an intelligence analyst who was supposed to be examining data from Iraq--uncovered evidence that he used his "Top Secret/SCI" clearance to download war logs from Afghanistan. It remains unclear exactly what evidence was uncovered during the search. Investigators also found other classified documents on the computers that had not been made public, and are looking into whether civilians helped Manning give the documents to WikiLeaks. Several defense officials say that the release of the documents could have serious consequences. Defense Secretary Robert Gates, who has promised to find ways to prevent similar breaches in the future, has said that the release could hurt U.S. relations with Pakistan and put Afghans who helped the U.S. at risk. Joint Chiefs of Staff Chairman Adm. Michael Mullen said that the breach could result in the deaths of U.S. soldiers or Afghan civilians.


WikiLeaks Fallout: Tighter Access to US Secrets?
Associated Press (07/29/10) Dozier, Kimberly

The recent publication of thousands of secret documents by the Web site WikiLeaks is being blamed on the reforms of the nation's intelligence community that took place in the wake of the September 11, 2001 terrorist attacks. Among those reforms was the expansion of access to a Defense Department intranet system known as the Secret Internet Protocol Router Network, or SIPRNet. Since 2001, intelligence analysts and troops in the field have been able to use SIPRNet to access military field reports from Iraq and Afghanistan, as well as State Department and intelligence Web sites. According to one U.S. official, all of the documents that were leaked in the WikiLeaks case could have been accessed over SIPRNet. In addition to the expanded access to SIPRNet, the government has put more information on the network by adding portals that give users access to an interagency data-sharing system called Intelink. Although passwords are required to access top-secret information through these portals, they are not required to access the secret material that was made public by WikiLeaks. Experts say that those reforms, which aimed to increase the sharing of information among government agencies, contributed to the release of the documents in the WikiLeaks case because they made it too easy to lose control over secret information. In the wake of the release of the documents, experts are saying that additional security measures should be implemented to protect sensitive data, including using tools that monitor everything government employees type. However, some lawmakers are warning that there would be serious consequences if the sharing of information among intelligence analysts and agencies is limited because of the WikiLeaks case.


Nuclear Forensics Skill is Declining in U.S., Report Says
New York Times (07/29/10) Broad, William J.

A report released by the National Research Council on Thursday indicates that the nation's nuclear attribution capabilities have declined dangerously in recent years. Nuclear attribution, in which nuclear forensics experts study clues from fallout and radioactive debris to identify potential creators and users of nuclear devices, would provide essential information to the country in the event of a nuclear terrorist attack. The major goals of nuclear attribution are to identify the culprit in order to assess retaliation options and to deter terrorists by letting them know they cannot set off such a device without fear of reprisal. Researchers, led by nuclear engineer Albert Carnesale of the University of California, Los Angeles, attributed the decline in U.S. nuclear forensics capabilities to a decrease in funding since the end of the Cold War as well as a lack of coordination between responsible government agencies, a lack of skilled personnel, the use of outdated instruments, and the existence of old facilities in need of upgrading. In order to address these concerns, the report calls on the federal government to improve planning, shore up budgets, ensure clearer lines of authority, and create more realistic exercises.


Judge Blocks Arizona Law
Wall Street Journal (07/29/10) Jordan, Miriam

U.S. District Judge Susan Bolton has granted a preliminary injunction against several provisions of the controversial new Arizona immigration law that was set to take effect on July 29. Judge Bolton said that her decision was based on the fact that it is the responsibility of the federal government, not the states, to handle immigration enforcement. Arizona Gov. Jan Brewer has said that the state plans to file an expedited appeal of the decision with the Ninth Circuit Court of Appeals. In the meantime, the state will be unable to enforce provisions of the law that would require police to check the immigration status of people stopped for routine infractions like traffic violations, if they suspect they are illegal immigrants. In addition, Arizona will be unable to detain individuals until their legal status is clarified, require foreigners to carry proper immigration documentation, and ban illegal immigrants from seeking employment in Arizona. However, Judge Bolton did allow other provisions of the law to take effect including a section that makes it a state crime to harbor and transport illegal immigrants and another that prohibits disruption of traffic to pick up a day laborer. In addition to the suit by the Justice Department, six other lawsuits were filed to halt the law by civil-rights groups and a Phoenix police officer. Judge Bolton applied the ruling to all of the challenges.


FCC, Public Safety Groups Clash Over Broadband Plan
Homeland Security Today (07/10) McCarter, Mickey

The Federal Communications Commission (FCC) has announced that it hopes to auction off 10 megahertz (MHz) of broadband spectrum to generate $6-8 billion over the next 10 years to fund a public safety spectrum owned and operated by the private sector on those frequencies. The majority of the public safety community appears to favor receiving the spectrum directly and allowing first responders to decide how to use it through a public/private partnership. The plan has also gained the endorsement of several former members of the 9/11 Commission. Congress will have the final say over the details of the deal. If implemented, the plan would also grant first responders priority access to the D-Block spectrum that commercial companies could allocate to other purposes until they were required. Congress is expected to look to the Department of Homeland Security (DHS) as it will need to address the concerns of first responders. Regardless of whether the D-Block is auctioned or directly transferred to the public safety community, DHS will need to set public safety standards for use of broadband and must help define technical and legal capabilities. DHS representatives say that, before they can achieve this goal, they must have assurances from the FCC that their arrangement is technologically feasible.




What Your Phone App Doesn't Say: It's Watching
Associated Press (07/28/10) Robertson, Jordan

Lookout, a mobile phone security company, scanned nearly 300,000 free applications for Apple iPhones and devices built around Google's Android software and found that a number of them covertly take sensitive information from users' phones and transmit it to third parties without notification. That is a significant concern that has been popping up among privacy and security professionals. The data can include complete details about users' friends, their pictures, text messages, and Internet and search histories. Among these third parties are advertisers and companies that analyze user information. The data is used by companies to target advertisements and accrue more user information. The risk, however, is that the data becomes susceptible to hacking and use in identity theft if the third party does not carefully secure the data. Lookout shared its findings in late July during the Black Hat computer security conference in Las Vegas. Lookout found that nearly one in four iPhone apps and almost 50 percent of the Android apps contained software code that enabled these capabilities. "We found that not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating," says Lookout CEO John Hering.


Most Breaches Caused by Crime Gangs
BankInfoSecurity.com (07/28/10) McGlasson, Linda

Eighty-five percent of all stolen data last year was the work of organized crime, according to the annual Verizon Data Breach Investigations Report, produced in collaboration with the U.S. Secret Service. Of the 143 million records compromised in 2009, 85 percent stemmed from financial services incidents. Alongside organized crime, there was a greater incidence of breaches attributable to insiders and to social engineering. The Verizon report also notes that most of the breaches could have been avoided if security fundamentals had been implemented. Financial services accounted for a third of the cases investigated, while hospitality made up 23 percent and retail 15 percent. ID Experts CEO Rick Kam points to the growth of hybrid attacks involving collaboration between insiders and external organized cybercriminals. Kam says that criminals are employing advanced data-mining methods to build more complete identities by "stealing data from public and private data sources that contain both sensitive financial data, as well as other identifiers like health insurance numbers, diagnosis, personal information from social Web sites like Facebook."


So Many Bugs, So Little Time
Technology Review (07/27/10) Naone, Erica

A new technique known as fuzzing has changed the way software bugs are discovered. Fuzzing involves forcing a program to crash by repeatedly feeding it randomly altered inputs; an input that causes a crash could reveal an important bug. The work required to sort important crashes from unimportant ones is compounded by a newer, more intensive approach called industrial fuzzing, which produces crashes in far greater volume. COSEINC senior security researcher Ben Nagy is developing a tool that could help researchers determine exactly where a program has gone wrong after a crash occurs. Meanwhile, University of California, Berkeley researcher Dawn Song has developed BitBlaze, a platform that can follow exactly what is happening within a program, making it easier to analyze the potential security flaws found through industrial fuzzing. If industrial fuzzing works with all types of software, it could change the way companies test to make sure their code is secure, says Zynamics' Vincenzo Iozzo.
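The loop the article describes, and the triage problem it raises, fit in a few dozen lines. The following is an added example, not code from the article or from any of the researchers or tools it mentions: a mutation fuzzer driven against a constructed toy parser that carries one deliberate bounds defect. The harness buckets each crash by exception type and the line it was raised on, keeps the smallest input per bucket, and then greedily shrinks that input while the same bucket still reproduces, which is the first step a tester takes before looking at where the program went wrong. The record format, the parser, the mutation operators and the iteration count are all assumptions for illustration.

```python
"""Mutation fuzzing with crash bucketing and input minimization (added example)."""
import random
import traceback

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # boundary bytes worth trying

# Constructed format: count byte, then `count` records of (length byte, payload).
SEED = b"\x02\x03abc\x01z"


def parse_records(data: bytes) -> list:
    """Toy target.  Deliberate defect: it trusts the declared length and indexes
    the payload with it instead of checking how many bytes actually remain."""
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        length = data[pos]
        payload = data[pos + 1: pos + 1 + length]
        checksum = payload[0] ^ payload[length - 1]   # fails on short payloads
        records.append((payload, checksum))
        pos += 1 + length
    return records


def run_target(target, data):
    """Run one input; return a crash bucket (exception, function, line) or None."""
    try:
        target(data)
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.name, frame.lineno)


def mutate(rng, data: bytes) -> bytes:
    """One random mutation: bit flip, boundary byte, delete, insert or truncate."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 3:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Mutate seed inputs and collect the smallest crashing input per bucket.

    The RNG is seeded so a run is reproducible, which matters when a crash has
    to be handed to someone else for analysis.
    """
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        bucket = run_target(target, data)
        if bucket is None:
            continue
        if bucket not in crashes or len(data) < len(crashes[bucket]):
            crashes[bucket] = data
    return crashes


def minimize(target, data: bytes, bucket) -> bytes:
    """Greedy one-byte reduction: drop bytes while the same bucket reproduces."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if run_target(target, candidate) == bucket:
                data, shrunk = candidate, True
                break
    return data


if __name__ == "__main__":
    for bucket, data in fuzz(parse_records, [SEED]).items():
        print(bucket, data, "->", minimize(parse_records, data, bucket))
```

Bucketing by raise site is what keeps a run with thousands of crashing inputs reviewable: the parser above fails at a handful of distinct lines, so a 2000-iteration run collapses to a few buckets, each with a minimal reproducer that points at the exact statement that went wrong.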


Cyber Risks Place New Demands on Public/Private Partnership
Federal Computer Week (07/26/10) Corrin, Amber

Collaboration between the public and private sectors is a necessary but difficult factor for helping ensure the cyber security of U.S. infrastructure. "We need to be realistic about the fact that it's not just military networks that are at risk [of cyber attack], it's all networks," said Army Brig. Gen. John Davis, director of current operations at U.S. Cyber Command (Cybercom), at a recent cyber security symposium. "And we realize that military networks are built on the networks of industry." The symposium focused on the National Security Agency's Perfect Citizen program to monitor the networks of publicly owned utilities that function as critical infrastructure, scanning them for any indication of a potentially crippling cyber attack. Government and military officials at the event argued that to shield U.S. cyber space, they need to work out a new plan for the public/private partnership that includes exchanging information in order to learn from each other and identify best practices. "The private sector is the lowest common denominator in cyber security," said INSA President Ellen McCarthy. She noted that strong information sharing and open communication standards must be adopted to get the collaboration right, and among the responsibilities of the public/private partnership is protecting private citizens' interests. Many hope that Cybercom can facilitate a new epoch of public/private collaboration as the Defense Department expands its cyber space footprint.


Cybercrime Costs a Business $3.8 Million/Year, Study Finds
Network World (07/26/10) Messmer, Ellen

A recent study of 45 U.S. organizations found that cybercrime—including online attacks, pernicious code, and rogue insiders—costs them an average of $3.8 million a year and results in at least one successful attack a week. The "First Annual Cost of Cyber Crime Study," carried out by the Ponemon Institute and funded by ArcSight, involved seven months of research and on-site interviews with the organizations. The participating midsize and large companies—from 500 to more than 105,000 employees—represent a wide array of industries and government agencies. Researchers spoke with IT security specialists, as well as network, forensics, and management personnel, to understand the costs of addressing and mitigating cybercrime attacks. Although $3.8 million was the average annual cybercrime cost, organizations reported from a low of $1 million to a maximum of $52 million, according to the report. "The eye-popping thing we found is a lot of organizations are very disorganized in even understanding the environments they're dealing with," Ponemon says.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

