Marijuana Legalization Measure Loses in California
Associated Press (11/03/10)
California voters on Tuesday rejected Proposition 19, the ballot measure that would have legalized the recreational use of marijuana in the state. Proposition 19 had been opposed by some in California's business community, who feared that it would allow employees to come to work under the influence of marijuana. Despite the failure of Proposition 19, supporters of the ballot measure vowed to try again to legalize the recreational use of marijuana in 2012. The issue of marijuana use was on the ballot in other states as well, including South Dakota, where voters rejected a measure that would have legalized the medicinal use of the drug. In addition, voters in Oregon voted no on a measure that would have expanded the state's medical marijuana program to create a network of dispensaries where patients could have purchased the drug.

EMV, Top 5 Tech Advances in Payments
BankInfoSecurity.com (11/02/10) Kitten, Tracy
The U.S. Federal Reserve Bank of Atlanta's Richard Oliver says a transition to EMV chip and PIN payment is the only sensible move for U.S. payment advancement, because universal cross-border payments are going to become impossible to facilitate if the United States continues to stick with the old magnetic stripe payment card standard. Oliver says the time for an EMV switchover is right because the rest of the world is making commitments to eliminating the mag-stripe standard. "Sooner or later, the inconveniences of this and the problems with this, with respect to consumers and their utilization of cards and businesses and their utilization of cards, across the globe are going to be a defining factor, and it's going to cause action to be crystallized," he predicts.
Adding weight to Oliver's argument for a move to chip and PIN is the shrinkage of fraud in countries that have adopted the system, which is likely to drive fraudsters to countries where the system is not in use, such as the United States. He says it would likely cost $8 billion to $13 billion to build out the chip and PIN infrastructure across the United States.

Crafting Crisis Communications
Security Management (10/01/10) Vol. 54, No. 10, P. 170 Brundage, Richard
The manner in which a company handles the media during a crisis can affect its image, public perception, and ultimately its success or failure. Organizations should focus on presenting themselves in the best light during an emergency by making crisis communication part of their corporate culture, training staff to interact with the media, and remembering to address the human element. Companies should have a crisis communication plan that reflects how they will respond, and implementation starts with a crisis management audit that includes consulting with key employees about the potential crises that could occur. Companies should brief all employees to ensure uniformity of response and help prevent them from saying things that would make the organization appear disorganized or even dishonest. Managers should be trained on what to say and how to say it to the media, and must be able to anticipate questions. The more control managers feel they are exerting in an interview, the more trustworthy and likeable they will appear to viewers. Businesses tend to react with their heads and not their hearts for fear of being sued, but expressing concern or sorrow about a catastrophic event does not mean they are accepting fault. A compassionate delivery will help managers hit the right note.

Five Cheap Tools to Manage Investigations
CSO Online (10/01/10) Vol. 9, No. 8, P. 28 Gregg, Brandon
Here are five tools to help make the investigation documentation process less of a hassle.
First, having a case plan to show the client and the management team helps outline the analysis, streamline tasks ahead of time, and keep investigators on track despite interruptions. Open Workbench (www.openworkbench.org) is a free, open-source platform that allows a user to set up a basic template for an investigative case plan. Second, keep written notes handy and organized with digital devices that convert written notes into images and text files, such as Solidtek's DigiMemo pens and pads and Dane-Elec's zPEN Wireless USB Pen. Third, to help deflect any questions of investigative integrity and to keep the case organized, consider a free software platform called CaseNotes. This tool from QCC Information Security includes a user-friendly, notepad-like format that can work with a digital pen and Open Workbench to keep track of completed tasks, interviews conducted, and evidence amassed in the course of the investigation. Fourth, maintain physical evidence using an affordable Dymo label printer like the LabelWriter 450. Dymo's software is straightforward and allows for the creation of easy-to-read labels with confidentiality reminders, current dates, and ID numbers. And fifth, consider using the Analysis of Competing Hypotheses (ACH) methodology developed by Richard Heuer Jr. in his book "Psychology of Intelligence Analysis." With a free membership at beta.competinghypotheses.com, an investigative team can take data, rumors, and other pieces of evidence and compile them into a system that filters out biases like social influence and personal processing shortcuts to prove or disprove theories.

Are Your Guards Secure in Complying With OSHA?
Industrial Safety & Hygiene News (ISHN) (10/10) Vol. 44, No. 10, P. 106 Howes, Charles P.
The detective, guard, and armored car services industry was cited more than 450 times for OSHA violations between June 2004 and June 2009. OSHA fines average $2,300 per citation, so these fines total more than $1 million in lost profits.
Security companies need to adhere to the same regulations as any other business subject to OSHA regulations. More than 100 OSHA standards make employee training mandatory, but few security companies offer such safety training as required by OSHA. For example, if a security officer is expected to put out small fires, OSHA expects him or her to be trained yearly in the use of fire extinguishers. OSHA Publication 2254 discusses several subject areas in which an employee should be trained, training methods, record keeping, and guidelines. It is important that security managers read this publication and see which sections may be applicable to their organization. The OSH Act of 1970 mandates that all employers have a general duty to provide staff with a workplace free from recognized hazards that are likely to cause death or serious physical harm. Employers can also be cited for violating the General Duty Clause if there is a recognized hazard of workplace violence in their establishments and they do nothing to prevent or curb it.

Flight School Students Arrested
Boston Globe (11/05/10) Sacchetti, Maria
The recent arrests of 34 alleged illegal immigrants with connections to a Massachusetts flight school could expose problems in the Transportation Security Administration's efforts to ensure that only legal aliens are allowed to take flying lessons in the U.S. The alleged illegal immigrants, all of whom are Brazilian nationals, were learning to fly small single-engine planes at TJ Aviation Flight Academy in Stow, Mass., when they were arrested between July and October. Under a mandate that was adopted in the wake of the September 11, 2001 terrorist attacks, foreigners who want to take flight lessons in the U.S. must register online with the Transportation Security Administration and provide the agency with information that is used to determine whether they are on terrorism watch lists or have criminal histories or immigration violations.
Prospective foreign students are also fingerprinted and are required to show their passports and visas to their flight instructor. It remains unclear how the individuals in the Stow case received pilot's licenses, and officials have not revealed how many were given permission to fly and how many eventually obtained a pilot's license. However, the TSA has said that it conducts background checks on all foreign flight students and checks pilot's licenses against terrorism watch lists. No connection to terrorism has been found in the Stow case. In addition, the owner of the flight school, who was among the 34 arrested for immigration violations, has said that the foreign students received approval from the TSA before they took classes and that he did not know that they were in the country illegally.

Skipping the Line at Customs
Wall Street Journal (11/04/10) McCartney, Scott
U.S. Customs and Border Protection has implemented a trusted traveler program that allows American citizens and permanent U.S. residents to clear customs more quickly and easily. In order to sign up for the program, known as Global Entry, travelers are required to provide a variety of personal information on the program's Web site, including information about any criminal history and their travel history for the past five years. Customs agents then perform a background check on the traveler to uncover any criminal history and to determine whether or not the individual's name is on any terrorism watch lists. After travelers receive preliminary approval to participate in Global Entry, they are required to submit to an interview in which a customs officer verifies their identity and takes their fingerprints. Travelers are also asked where they travel and why they travel. Fingerprints are then run against Homeland Security and FBI databases, and re-run against government databases every day if the person is approved for Global Entry, in order to check for any possible warning signs.
Once they are accepted into the program, travelers simply scan their passports and fingerprints at a kiosk and answer several questions that are similar to those on the customs forms that flight attendants hand out on international flights. This allows travelers to clear customs in about 40 seconds. However, some travelers who use Global Entry are randomly selected for examination. The program is currently in use at 20 major international airports, and is used by nearly 85,000 travelers.

Philippines Remains Safe
Manila Bulletin (11/04/10) Kabiling, Genalyn D.
The government of the Philippines has attempted to assure travelers that the country is still a safe place to visit after the U.S., the U.K., Australia, Canada, and New Zealand issued travel advisories warning that attacks may occur in Manila or other places frequented by foreigners. The travel advisories, which appear to be re-issued versions of previous warnings, were part of a larger set of warnings about global travel put out in recent weeks. Although the Philippines' government does not believe there is a threat specific to the country, officials said security forces have raised their alert level to protect people from potential attacks. Bureau of Customs agents have also been placed on full alert to watch for any suspicious activity or shipments in the country's ports or other major entry points. Additionally, the Philippine Coast Guard has stepped up seaborne patrol operations around vital installations, and Philippine Airlines has said that it is on heightened alert status in order to ensure passenger safety.

Bomb Makers Plotted Blasts Over U.S.
Wall Street Journal (11/03/10) Entous, Adam; Perez, Evan; Coker, Margaret
Investigators looking into the recent attempt to send explosives to the U.S. on board cargo flights believe they have determined the intent of those behind the plot.
According to investigators, there are several signs that indicate that the bombers intended for the explosives to detonate while the cargo planes were in mid-air, before they landed at their destinations. For example, the cell phones that the terrorists used as detonators had been altered to maximize their battery life. Authorities say that the changes, which included removing the screen face from the cell phones, could have allowed the devices' batteries to last three to four days. In addition, officials say that the fact that the packages that contained the explosives had outdated addresses of synagogues in Chicago was another indication that the terrorists behind the plot wanted to detonate their explosives while the cargo planes were in mid-air. However, authorities do not believe that the terrorists would have had full control over where the devices would have detonated. It remains unclear whether the devices would have worked as designed.

Earlier Flight Studied as Possible Test Run
Wall Street Journal (11/02/10) Entous, Adam; Coker, Margaret; Al-Masmari, Hakim
Officials say that an incident in September may have been a dry run for al-Qaida in the Arabian Peninsula's (AQAP) recent attempt to send bombs to the U.S. in cargo planes and passenger jets. During the September incident, U.S. authorities stopped and searched packages in transit after learning that they may have been connected to AQAP, the group that is believed to be behind last week's bombing attempt. The packages, which were being shipped from Yemen to Chicago, contained papers, books, and other harmless items, but no explosives. However, the fact that the packages were stopped and searched shows the extent to which U.S. intelligence officials were concerned that AQAP could try to hide bombs in cargo packages. A U.S. official noted that the September incident was factored into the government's response to the recent bombing attempt.
Meanwhile, countries around the world are beefing up security in the wake of the discovery of bombs in several packages last Friday. Germany, for example, has banned all passenger and cargo flights from Yemen, while the U.K. has banned unaccompanied airfreight from Yemen and Somalia. British Home Secretary Theresa May said that freight from Somalia was being banned because of concerns about airport security in Mogadishu as well as the possible ties between al-Qaida in Yemen and Somali terrorist groups.

PayPal Fixes Security Glitch
Wall Street Journal (11/04/10) Ante, Spencer E.
PayPal has repaired a security flaw in its iPhone application that could have enabled a hacker to capture users' passwords, because the app failed to verify the digital certificate for PayPal's Web site when communicating over the Internet. Without that verification, a hacker could electronically come between a user and PayPal, masquerade as the PayPal Web site, and intercept usernames and passwords. The hacker would have to be in the same physical location as the user or have obtained access to the same Wi-Fi network. The flaw only affects app users connecting over unsecured Wi-Fi networks; users of PayPal's Android app and the PayPal.com site are unaffected. PayPal says the iPhone app has been downloaded more than 4 million times since its release in April, and in October the company said it anticipates more than $700 million in mobile payments to go through its system by year's end. PayPal confirmed the glitch on Nov. 2 and sent a new version of the app to Apple's App Store that users will have to download, says PayPal's Amanda Pires.

Hackers Exploit Unpatched IE Bug With Drive-By Attacks
Computerworld (11/03/10) Keizer, Gregg
Microsoft has cautioned that attackers are exploiting a critical vulnerability in all current versions of the Internet Explorer (IE) Web browser. The only unaffected version is IE9, which is still being tested.
Microsoft and others verified that attacks are being carried out in the wild, primarily affecting IE6, the nine-year-old browser that Microsoft has been attempting to squelch for more than a year. "So far, the attacks we have seen only target Internet Explorer 6 and would not have been successful against Internet Explorer 8," say Microsoft engineers Andrew Roths, Jonathan Ness, and Chengyun Chu, who are members of Microsoft's Security Response Center team. Microsoft has played down the risk, saying it has observed only "extremely limited" attacks so far. The exploit relies on a heap spray, the engineers say. Hackers can overtake Windows PCs by directing users to a pernicious site, making the attack a traditional "drive-by" strike that can instantly commandeer control of a machine with an older version of IE. Although the vulnerability is present in the newer IE8, that version is not susceptible to the current round of attacks because it turns on data execution prevention (DEP) by default. Microsoft has not said when it would patch the bug, and is advising users to shield themselves by upgrading to IE9's beta or deploying one of several workarounds, which include turning on DEP in IE7, applying a custom cascading style sheet for formatting documents loaded in IE, and installing and configuring the free Enhanced Mitigation Experience Toolkit utility.

Study: 359 Android Code Flaws Pose Security Risks
CNet (11/02/10) Shankland, Stephen
Coverity has uncovered 359 programming flaws in a scan of the Android source code. There are 88 high-risk flaws and 271 medium-risk flaws in the source code behind the Android kernel used in HTC's Incredible phone. Android carries the Linux kernel, but the Android-specific parts have a higher percentage of defects than mainstream Linux, Coverity says. However, the defect rate is still lower than the industry average of one flaw per 1,000 lines of code.
Android's kernel was significantly below that average, at 0.47 defects per 1,000 lines, according to Coverity. However, the Android-specific code contains more vulnerabilities. "We found that the Android-specific files had a higher defect density (0.78 defects/kloc) than any other component in the system," Coverity reports. Furthermore, the Android-specific files contained more high-risk flaws than any other component. Coverity also points to the fragmentation of accountability for Android software integrity, given the many contributors to the software.

Virginia Tech Computer Scientist, Student Design Award-Winning Software to Combat Hacking
Virginia Tech News (11/01/10) Nystrom, Lynn
Virginia Tech professor Daphne Yao and former student Deian Stefan have developed Telling Human and Bot Apart (TUBA), a remote biometrics system based on keystroke dynamics data. The TUBA authentication framework can identify when a computer program designed by a hacker is producing keystroke sequences in order to fool users. "Our work shows that keystroke dynamics is robust against the synthetic forgery attacks studied, where the attacker draws statistical samples from a pool of available keystroke datasets other than the target," Yao says. TUBA can be used as a tool to identify anomalous activities on a personal computer, including activities that can be due to malicious software, according to the researchers. "Keystroke dynamics is an inexpensive biometric mechanism that has been proven accurate in distinguishing individuals," Yao says.

The 2010 Tech Terror Watch List
DigitalCommunities.com (10/30/10) Schrier, Bill
There are a number of security threats that CIOs need to protect their organizations from, writes Seattle CIO Bill Schrier. Among them is malware such as Trojan viruses and keystroke loggers.
Cybercriminals recently infected government and school Web sites with these malicious applications in order to steal passwords from financial employees at the targeted government agencies and schools. Meanwhile, nation-states are increasingly using computer viruses and malware to attack one another. Another threat comes from smartphone apps, Schrier writes. BlackBerry or Android apps are particularly risky because they are not reviewed and tested before they are made available to users, which means that these apps could be written by criminals, hackers, or cyberterrorists. Finally, the use of personal tablet computers and smartphones in the workplace represents a security risk because users are sometimes hesitant to allow IT to install security software on their devices, such as applications that allow data to be deleted in the event the device is lost or stolen.

Abstracts Copyright © 2010 Information, Inc. Bethesda, MD
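The PayPal iPhone flaw in the abstracts above comes down to a client that skipped certificate verification. As an added example (not PayPal's code, and in Python rather than the app's own language), here is the weak client setting beside the correct one, together with the host-name check a client must make against the certificate it receives; the sample certificates are constructed dicts in the shape that Python's getpeercert() returns, not real certificates.

```python
"""Added example (not PayPal's code): why skipping certificate verification
lets someone on the same Wi-Fi impersonate the server, and what a correct
client check looks like. Sample certificates below are constructed.
"""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The mistake described in the abstract: any certificate is accepted,
    so a host on the same network can pose as the real site."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def secure_context() -> ssl.SSLContext:
    """Default client context: chain validated against the system trust
    store and the leaf certificate must match the requested host name."""
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if both chain and host-name checks are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: case-insensitive, one '*' allowed only as the
    whole left-most label ('*.paypal.com' matches 'www.paypal.com' but not
    'paypal.com' or 'a.b.paypal.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """What a client must do after the handshake: confirm the certificate was
    issued for the host it meant to reach, using the DNS entries of
    subjectAltName (the legacy commonName fallback is deliberately not used)."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_label_matches(name, host) for name in dns_names)


# Constructed sample certificates (shape of getpeercert(), not real certs).
GOOD_CERT = {"subject": ((("commonName", "www.paypal.com"),),),
             "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com"))}
WRONG_HOST_CERT = {"subject": ((("commonName", "other.example"),),),
                   "subjectAltName": (("DNS", "other.example"),)}

if __name__ == "__main__":
    print("insecure ctx verifies peer:", context_verifies_peer(insecure_context()))
    print("secure ctx verifies peer:", context_verifies_peer(secure_context()))
    print("good cert for www.paypal.com:", cert_matches_host(GOOD_CERT, "www.paypal.com"))
    print("wrong-host cert accepted:", cert_matches_host(WRONG_HOST_CERT, "www.paypal.com"))
```

The context audit is the check to run over any client code that builds its own SSLContext; a context that fails it is the iPhone app's bug reproduced.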
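The TUBA abstract above says keystroke timing can separate a person typing from a program emitting keystrokes. As an added illustration of that idea, and not TUBA's own algorithm, the block below builds a per-user profile of inter-key timings and scores a new sequence against it; the keystroke timestamps, the two signals used (distance from the profile mean and lack of natural jitter) and the thresholds are all my constructed assumptions.

```python
"""Added example, not the TUBA system: a minimal keystroke-dynamics check.
A per-user profile of inter-key timings is built from constructed human
samples; a candidate sequence is scored by how far its timings fall from
that profile. Scripted input with machine-regular timing scores as anomalous.
"""
from statistics import mean, pstdev


def flight_times(timestamps_ms):
    """Gaps between consecutive key-down events, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def build_profile(samples):
    """Profile = mean and spread of the user's flight times plus the typical
    within-sequence jitter (a person is never perfectly regular)."""
    gaps = [g for s in samples for g in flight_times(s)]
    jitter = mean(pstdev(flight_times(s)) for s in samples)
    return {"mean": mean(gaps), "sd": pstdev(gaps), "jitter": jitter}


def anomaly_score(profile, timestamps_ms):
    """Two signals (assumed here, not TUBA's): average distance of the gaps
    from the profile mean in standard deviations, and how much less jittery
    the sequence is than the user's norm (1.0 = perfectly regular)."""
    gaps = flight_times(timestamps_ms)
    z = mean(abs(g - profile["mean"]) / profile["sd"] for g in gaps)
    regularity = 1.0 - pstdev(gaps) / profile["jitter"]
    return {"z": round(z, 2), "regularity": round(regularity, 2)}


def looks_synthetic(profile, timestamps_ms, z_max=2.5, reg_max=0.8):
    """Flag input that is far from the user's cadence or unnaturally even.
    Thresholds are illustrative assumptions, not tuned values."""
    s = anomaly_score(profile, timestamps_ms)
    return s["z"] > z_max or s["regularity"] > reg_max


# Constructed key-down timestamps (ms) for one user typing three short
# strings: uneven gaps of roughly 125-235 ms between keys.
HUMAN_SAMPLES = [
    [0, 140, 310, 455, 690, 820, 1005],
    [0, 190, 330, 560, 700, 910, 1040],
    [0, 125, 345, 480, 640, 850, 990],
]
PROFILE = build_profile(HUMAN_SAMPLES)
# Constructed scripted input: a program emitting keys at a fixed 150 ms cadence.
SCRIPTED = [0, 150, 300, 450, 600, 750, 900]
# Constructed fresh sample from the same user.
HUMAN_NEW = [0, 165, 320, 500, 655, 880, 1020]

if __name__ == "__main__":
    print("scripted:", anomaly_score(PROFILE, SCRIPTED), looks_synthetic(PROFILE, SCRIPTED))
    print("human:   ", anomaly_score(PROFILE, HUMAN_NEW), looks_synthetic(PROFILE, HUMAN_NEW))
```

A real deployment would also use key hold times and per-digraph statistics and would train on far more than three samples; the point shown is only that a fixed cadence stands out against a human profile.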