Friday, June 24, 2005

Security Management Weekly - June 24, 2005

A weekly security news briefing from ASIS International

CORPORATE SECURITY
  1. "ChoicePoint Curtails Business, Changes Methods to Protect Data"
  2. "Music Piracy Widespread Globally, Group Says" International Federation of Phonographic Industries Says One in Three Music Recordings Pirated
  3. "Animal Rights Extremism a Priority for FBI" Combating Violence Against Drug Companies
  4. "Bill Requiring Cameras at Shopping Malls Pulled" Maryland County Will Reintroduce Security Legislation This Fall
  5. "Lying on Job Application Nets 40 Arrests" Security Guard Legislation in New Jersey Goes Into Effect in September
  6. "40 Million Cards Hit by Data Theft" Credit Card Data Stolen From Arizona Company
  7. "When It's Time for Anger Management"

HOMELAND SECURITY
  8. "Blueprint to Terror-Proof Nation's Skyscrapers" The National Institute of Standards and Technology Completes World Trade Center Study
  9. "3-Year Federal Study of 9/11 Urges Rules for Safer Towers"
  10. "Are These Towers Safe?" Terrorists Could Trigger Meltdown at Nuclear Plants, Expert Says
  11. "Illegal Immigrants Accessed Nuclear Weapons Facility"

CYBER SECURITY
  12. "An Army of Soulless 1's and 0's" Hackers Seizing Control of Computers
  13. "Best Practices for Implementing Data Security"
  14. "Black Market in Stolen Credit Card Data Thrives on Internet"
  15. "'Blue Hat' Summit Meant to Reveal Ways of the Other Side" Microsoft Invites Hackers to Expose System Flaws


"ChoicePoint Curtails Business, Changes Methods to Protect Data"
Wall Street Journal (06/24/05) P. A10

ChoicePoint Inc. is sharply curtailing one line of business and making significant changes in the way it shares much of its electronic data, in an effort to avoid incidents like the data breach disclosed earlier this year in which criminals obtained personal information on about 145,000 people. The Alpharetta, Ga., data concern will electronically mask sensitive information such as Social Security numbers in its reports, such as background checks provided to companies on new employees. ChoicePoint is also taking steps to severely reduce its business in providing data to private investigators, collection agencies and some small financial concerns.

"Music Piracy Widespread Globally, Group Says"
Hartford Courant (CT) (06/24/05) ; Woolls, Daniel

According to the International Federation of Phonographic Industries, one in three music recordings sold worldwide is pirated, and fake recordings outsell legal ones in 31 countries. The group noted that Latin America, India, the Middle East, and Eastern Europe have the busiest bootleg markets in the world, but some governments are beginning to crack down on the trend. Pirated recordings raked in $4.6 billion in sales in 2004, and Internet piracy appears most prevalent in Asia. The countries listed as priorities in the fight against piracy include Spain, Brazil, China, India, Indonesia, Mexico, Pakistan, Paraguay, Russia, and Ukraine.

"Animal Rights Extremism a Priority for FBI"
Seattle Times (06/21/05) ; Elias, Paul

The top domestic terrorism issue at the FBI is violence against drug companies committed by environmental and animal rights extremists, according to FBI counterterrorism deputy assistant director John Lewis, who recently spoke at the annual meeting of the Biotechnology Industry Organization. Currently, the agency is investigating about 150 cases linked to militant environmental and animal rights activists with many involving arson, bombings, and other violence against medical research establishments. The attacks are decreasing employee morale and reducing drug company profits, so companies, such as Chiron, are fighting back against the activists in court. Chiron corporate communications director John Gallagher laments that attacks cost the company $2.5 million, so that is money not spent on drug development and other medical research.

"Bill Requiring Cameras at Shopping Malls Pulled"
Baltimore Sun (06/21/05) ; McGowan, Phillip

A bill that would require some malls in Anne Arundel County, Md., to install outdoor security cameras was pulled from the table and will be revised before being re-introduced by this fall. The bill introduced before the County Council mandated that shopping malls with 15 stores or more install outdoor security cameras, but local businesses had lobbied for changes to the bill so that it would not unfairly burden smaller retailers. The sponsor of the bill, council member C. Edward Middlebrooks (R-Severn), said that before he revises the measure he intends to meet with officials in Baltimore County, Md., where a similar bill was passed in March. The Baltimore County law provides financial assistance to some businesses so that they can install security cameras, but Middlebrooks' bill did not offer such help. Several members of the Anne Arundel County Council said they favor the idea of requiring outdoor security cameras at some shopping centers, but they have concerns about whether police could be given easy access to the tapes and about the quality of the cameras. Some members of the council have suggested that camera requirements should be tied to the size of a mall's parking lot or the number of parking spaces.

"Lying on Job Application Nets 40 Arrests"
Newhouse News Service (06/20/05) ; Hayslett, Chandra M.

When New Jersey's Security Guard Act of 2005 goes into effect in September, certain ex-convicts who are working as security guards in the state will be arrested on a disorderly persons charge. Previously, these ex-convicts merely would have been fired if their criminal backgrounds had been discovered. The act has two aims: to deter ex-convicts from applying for jobs as security guards, and to jolt the private sector into taking appropriate actions to determine if their security guards have been screened properly, says New Jersey Attorney General Peter Harvey. Applicants for security guard positions are required to sign a notarized affidavit that they have clean criminal backgrounds. To call attention to the act, state authorities launched "Operation Sentry," arresting 40 ex-convicts between May 23 and June 9 for allegedly lying about their criminal backgrounds when applying for jobs as security guards. The 40 men and women who were arrested had convictions that included selling drugs, theft, fraud, and manslaughter, and police charged most of them with falsifying public records, which falls under a disorderly persons offense. The act also calls for security guards to receive training and certification, including training on homeland security, ethics, law statutes, and first aid. A database of security guards who have been certified will be created, and security companies and private detective agencies who employ security guards will have Internet access to the database.

"40 Million Cards Hit by Data Theft"
San Francisco Chronicle (06/18/05) P. A1 ; Kirby, Carrie

Holders of more than 40 million credit cards are vulnerable to financial fraud because their credit card information was stolen from an Arizona company that processes transactions for Visa, MasterCard, American Express and Discover, it was disclosed Friday. A computer hacker infiltrated the network of CardSystems Solutions Inc. in Tucson, apparently in late 2004, according to MasterCard. The credit card firm said it has given its member banks lists of card numbers involved in the theft so they can protect their customers. But experts say credit card users should be protected by their customer policies and don't need to take action unless they notice fraud on their accounts or receive a warning that they were part of the breach. The theft is by far the biggest in a recent stream of security breaches and mishaps that have raised questions about whether the financial and personal data of cardholders and bank account holders is safe with the corporations and government entities that store it in databases. Visa USA, based in San Francisco, said Friday that roughly 22 million Visa accounts had been compromised. Card companies stressed that federal law and the firms' policies dictated that cardholders were not liable for losses stemming from unauthorized transactions. CardSystems Solutions is one of several hundred transaction processors that route card information from merchants to banks.

"When It's Time for Anger Management"
HR Magazine (06/05) Vol. 50, No. 6, P. 131 ; Andrews, Linda Wasmer

Anger management training can be an effective method of allowing employees to learn appropriate ways of dealing with emotions at work. Many employees can benefit from such training; while issues of workplace violence have dominated the public discussion of employee anger management, most workers who exhibit signs of anger are unlikely to become violent. Anger issues can, however, make employees less productive and more prone to absenteeism; if this becomes the case, referral to an anger management program may be helpful. Both group and individual counseling are generally available; while individual counseling is often more expensive, the customized training can be more effective over the long term. Since anger is not considered to be a mental disorder such as anxiety or depression, health plans rarely cover the costs for such programs; employers generally must foot the bill themselves. However, such treatment's effectiveness in reducing absenteeism and improving morale generally offsets the cost.

"Blueprint to Terror-Proof Nation's Skyscrapers"
Christian Science Monitor (06/24/05) ; Marks, Alexandra; Scherer, Ron

The National Institute of Standards and Technology (NIST) has completed its three-year study of the World Trade Center collapse and developed a set of recommendations to improve the evacuation of skyscrapers, strengthen structural stability, and reduce vulnerability to fire. Stairwells would be widened, allowing occupants to evacuate while firefighters enter the building; elevator shafts would be "hardened," with one set aside for use by emergency responders. There are 30 recommendations in the report overall, and they are likely to raise the ire of state construction and building code authorities. Engineers working on the NIST study noted that their main concern was increasing safety, which included reducing the sway of tall buildings in strong winds and earthquakes, improving fireproofing, and providing better systems to track emergency personnel. Additionally, the report would require fire doors to divide up skyscrapers to limit the air feeding a fire. Experts note that many of the recommendations can be applied to existing structures, not only those currently being developed, but some critics are worried about the cost of the safety measures and how it will affect the overall construction industry.

"3-Year Federal Study of 9/11 Urges Rules for Safer Towers"
New York Times (06/22/05) P. A1 ; Dwyer, Jim; Lipton, Eric

On Thursday, a federal panel is expected to make a public announcement recommending profound changes in the way American skyscrapers are planned, constructed, and operated so that the structures can be made safer in the event of a terrorist attack, accident, or natural disaster. The recommendations from the National Institute of Standards and Technology are based upon a three-year, comprehensive study of the collapse of the World Trade Center. The proposed changes, which are not binding, are likely to increase development costs of regular buildings by 2 percent to 5 percent, structural engineers say. The proposed changes take into account the possibility that tall buildings will be subjected to earthquakes, fires, sudden hurricanes, and power outages, said engineer S. Shyam Sunder, the leader of the study. Cities and states could choose to adopt the proposed changes, but there has been fierce resistance to change from many parties, including some building industry professionals and top engineers. The proposed changes include a major change in the way tall buildings are evacuated so that everyone in the building has a means of exiting the building during an emergency. In addition, the recommendations include enhancements for stairways and elevators, and improvements in the way fireproofing for steel is conducted.

"Are These Towers Safe?"
Time (06/20/05) P. 34 ; Thompson, Mark; Crumley, Bruce

Terrorists could trigger a meltdown at a nuclear power plant by damaging some of the plant's control mechanisms and gaining access to pumps and important valves, according to nuclear engineer David Lochbaum. Lochbaum warns that once triggered, a nuclear meltdown would release radiation within 20 minutes. Security measures at U.S. nuclear power plants focus on preventing attackers from gaining access to the plants' controls, but offer no protective measures once intruders are inside the control room. Some experts in the security field warn that the size of the security forces used by power plant operators is insufficient to thwart an attack similar in planning and scale to the Sept. 11 attack. The United States has invested only $1 billion to improve security at nuclear power plants since 9/11, compared with the $20 billion spent on upgrading aviation security. In addition, the NRC has not established security measures at nuclear power plants against air attacks. The commission believes that the concrete-and-steel structure enclosing nuclear power plants can protect against air attacks, but some experts believe some plants are vulnerable. Another security concern is the 80-guard security force employed by most nuclear power plants. DOE and Pentagon officials believe the size and weaponry of these security forces are inadequate to defeat a terrorist attack similar to the one on 9/11.

"Illegal Immigrants Accessed Nuclear Weapons Facility"
CNN (06/20/05) ; McManus, Michael

A new report from the Department of Energy's inspector general finds that 16 illegal immigrants using fake documentation were able to access the Y-12 National Security Complex nuclear weapons facility outside Knoxville, Tenn., last year. The illegal immigrants, working on a construction project, accessed the nuclear weapons facility on multiple occasions, representing "a potentially serious access control and security problem," the report said. In addition, the workers were able to enter a construction trailer on the site where sensitive documents labeled "official use only" were found to be lying about unprotected. The workers used fake green cards to get security badges that allowed them to access the Y-12 facility. It does not appear that the workers compromised those documents or any other classified or sensitive information, the report said.

"An Army of Soulless 1's and 0's"
New York Times (06/24/05) P. C1 ; Labaton, Stephen

By luring Internet users with an enticing offer just one click away, hackers are seizing control of thousands of computers that they can then deploy to attack other Web sites or crack security codes. These computers, known as zombies, are compromised when their user takes the bait and clicks on the offer, which immediately downloads software onto the computer, enabling it to be controlled remotely, frequently without the user's knowledge. By marshaling thousands of computers to request a given Web site's page simultaneously, known as a denial-of-service attack, hackers can effectively shut down a site. Al Jazeera, Microsoft, and the White House have all had their sites come under this sort of attack. The number of zombie computers is growing: CipherTrust reports that in May, 172,000 new zombies were identified each day, compared with 157,000 the previous month, with hackers preying especially on Chinese computers that lack software protection against zombie infections. High-speed connections have enabled hackers to target individuals within households, who are typically the most vulnerable. Due to their high bandwidth, computers on college campuses are also popular targets. One case currently being prosecuted in New Jersey involves an online merchant hiring a hacker to create zombie networks to attack the sites of two competitors, so that anyone attempting to view those sites would be met with an error message. Cautious clicking and comprehensive antispam and antivirus software are the best ways for users to protect themselves, but individual users, who often "don't have the knowledge to protect themselves," said CipherTrust's Dmitri Alperovitch, "pose a threat to all the rest of us."

"Best Practices for Implementing Data Security"
SC Magazine (06/05) ; Crawford, Steve

Rather than focusing on perimeter security using firewalls, intrusion prevention, spam filtering, and antivirus products, enterprise security is increasingly focused on content management as more enterprises find themselves sharing data among internal and external sources. Enterprises should consider security that provides the same comfort as in-person interactions. Usernames and passwords often authenticate users, but enterprises need to develop password policies that ensure a proper level of complexity to prevent successful password cracking. Public key cryptography allows for even more secure online authentication, because the sender holds a private key and the receiver holds the corresponding public key, so the receiver can verify that data came from the sender. However, due to its complexity, early adopters are not happy with the technology. In general, most forms of online authentication, including digital certificates, have problems, so using them in combination will ensure a proper level of security. Companies need to remember that security rests on technology, policies, and end users, with all three required for proper security to be established.

"Black Market in Stolen Credit Card Data Thrives on Internet"
New York Times (06/21/05) P. A1 ; Zeller Jr., Tom

Internet security is not foolproof, as evidenced by the recent security breach at CardSystems Solutions, which exposed over 40 million credit card accounts to possible theft. However, law enforcement officials note that consumers not only have to worry about individual hackers, but also about buyers of stolen credit card and account data on the Web. Many account numbers are purchased online at sites including the International Association for the Advancement of Criminal Activity. Many of these sites are run from the former Soviet Union and operate much like eBay, with traders ranked according to the accuracy of the data they provide buyers. In other cases, sites provide services to change billing addresses or locate safe drop-off locations. Those who purchase the stolen credit card information use the accounts to buy goods online and have them delivered to safe locations so the items can be fenced later, in public or on the black market. Message boards and banner ads are also being used by this black market to advertise the sale of stolen credit card and account information, and federal investigators are finding that data aggregators are most vulnerable to theft, especially when thieves can access their systems by simply posing as legitimate clients.

"'Blue Hat' Summit Meant to Reveal Ways of the Other Side"
CNet (06/15/05) ; Fried, Ina

Security, which claims over a third of Microsoft's research budget, was the focus of the March "Blue Hat" meeting, where prominent hackers were invited to Microsoft's corporate headquarters to expose weaknesses in the company's systems. The unusual and unpublicized meeting, named after the "Black Hat" security conferences, highlights the importance Microsoft has placed on improving security while giving outside security researchers a rare view of the inner workings of Microsoft. Security researcher Dan Kaminsky says, "I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us." The outsiders exposed Microsoft's security vulnerabilities with hacking demonstrations before audiences drawn from a broad swath of Microsoft, from senior executives down to mid-level programmers. In an atmosphere teetering between mutual respect and hostility, the hackers, mostly professionals in fields such as security research, demonstrated products such as Metasploit, a tool that, in addition to measuring a system's security, can also devise ways to attack other systems. Aside from a few bruised egos, Microsoft's participants agreed that the meeting was a good reality check, and that it was just the first step in what they hope will be an ongoing dialogue with the hacking community. Microsoft program manager for wireless Noel Anderson says, "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys. They were just as much geeks as we were."

Abstracts Copyright © 2005 Information, Inc. Bethesda, MD
