
Friday, August 05, 2005

Security Management Weekly - August 5, 2005

A weekly security news briefing from ASIS International


August 5, 2005
 
 
CORPORATE SECURITY  
  1. "The Sniffer vs. the Cybercrooks" -- Many Companies Using Security Analysts to Conduct Penetration Testing
  2. "Terrorism Not On Most Companies' Radar" -- Most Employers Fail to Train All of Their Support Staff in Crisis Management, Survey Says
  3. "Blowing the Whistle Can Lead to Harsh Aftermath, Despite Law" -- Whistleblower Protections of Sarbanes-Oxley Act Are Limited
  4. "How Best to Respond to Subpoenas for E-mail"
  5. "The State of Surveillance" -- Future Surveillance Technologies Could Deter Terrorism
  6. "Asking the Hard Questions" -- Effective Interviewing and Interrogation Tactics for Security Professionals
  7. "Preparing Fire Wardens" -- How to Train Volunteer Employee Fire Wardens
  8. "Winning the Gadget Wars" -- Chief Security Officers Address Seemingly Benign Technologies That Can Compromise Data Security

HOMELAND SECURITY
  9. "U.K. Institutes New Deportation Measures" -- New Measures Give U.K. Power to Deport Foreigners Who Incite Hatred or Belong to Extremist Groups
  10. "New York Police Sued Over Subway Searches" -- Also, Proposed New York Legislation Would Give Police Authority to Single Out Suspects Based on Ethnicity/Country of Origin
  11. "Private Security Guards' Training Boosted in Anti-Terror Effort" -- California Mandates That Licensed Security Guards Receive Terrorism Training
  12. "Police Chiefs Group Bolsters Policy on Suicide Bombers" -- International Association of Chiefs of Police Recommends Shooting Suicide Bombers in Head
  13. "Securing the Hospital Food Chain"

CYBER SECURITY
  14. "DNS Servers--an Internet Achilles Heel" -- Researcher Provides Details of DNS Server Vulnerabilities
  15. "Hackers Again Hit CU" -- Hackers Access Personal Data of 36,000 People at University of Colorado at Boulder


"The Sniffer vs. the Cybercrooks"
New York Times (07/31/05) P. 3-1; Rivlin, Gary

As the motivation for hackers shifts from the pursuit of bragging rights to high-stakes economic plundering, many corporations are enlisting the services of "sniffers," security analysts who look at a system through the eyes of a hacker and exploit its vulnerabilities in the name of improving its security. A recent survey found that over 87 percent of the companies polled conduct penetration tests, up from 82 percent a year ago, and companies in North America spent more than $2 billion on security consulting last year, up 14 percent from 2003, says Gartner analyst Kelly Kavanagh. Sniffers such as independent consultant Mark Seiden often resort to unorthodox techniques to expose a system's vulnerabilities. While he is a former programmer with considerable technical expertise, Seiden may be best known for his innovative methods for gaining access to companies' most sensitive information, such as using disguises to infiltrate restricted places. Once inside, Seiden is an expert at figuring out where a data center is housed, and by blending in, picking locks, and shimmying through air ducts to drop through a ceiling into an otherwise secure room, he has exposed weaknesses in many high-profile companies. The most porous security is most likely to be found in a physical building, where file cabinets with cheap locks and unsecured backup tapes offer a wealth of sensitive information to someone such as Seiden. Though his creativity and uncanny ability to think like a cyber-criminal have kept him in high demand, he acknowledges that "you can't prevent a determined adversary who has unlimited resources from breaching security." But as Gartner analyst Richard Mogull points out, even though 100 percent security will forever be an illusion, sniffers such as Seiden can help companies protect against the vast majority of would-be hackers who "have only rudimentary skills."

"Terrorism Not On Most Companies' Radar"
Fairfield County Business Journal (CT) (08/01/05); Scott, Andrew

The likelihood of terrorism-induced emergencies has jumped to the top of many firms' priority lists, prompting them to create emergency response plans. ExxonMobil Chemical Co. recently revised its original emergency plan to address a terrorist event. Workers understand their roles in the execution of the plan and know where the emergency equipment, such as flashlights and walkie-talkies, and contact lists are located. Other companies have set up alternative locations for their operations and disaster recovery plans to ensure that the business continues to run in the event of a catastrophe. However, a 2004 survey conducted by the American Management Association revealed that most employers fail to train all of their support staff in crisis management, and 90 percent of respondents said that those who do receive training are exposed to the material only once per year. The Occupational Safety and Health Administration (OSHA) requires businesses to map out escape routes, establish procedures for locating employees after a disaster, and establish procedures to ensure that all workers know their roles and responsibilities in an evacuation. Some experts suggest equipping workers with communications devices to ensure that check-ins are possible and maintaining a list of up-to-date phone numbers for each worker.

"Blowing the Whistle Can Lead to Harsh Aftermath, Despite Law"
USA Today (08/01/05); O'Donnell, Jayne

The whistleblower protections of the Sarbanes-Oxley Act can only go so far to protect workers interested in promoting transparency, integrity, and honesty at their employers' facilities, and many companies do not enjoy being forced to rehire company workers who have blown the whistle. Out of the hundreds of workers using the act and hoping that its protections would help them retain their positions with their employers, only two plaintiffs have kept or been returned to their posts under the law. Meanwhile, the Department of Labor is the agency responsible for determining whether these workers lost their jobs in violation of the law and whether their former employer should be forced to rehire them, but it is incapable of determining if wrongdoing actually occurred. While the government seeks to balance the needs of the worker with the desires of the employers, many whistleblowers note that the experience is not worth repeating, given their job loss and experiences with the administrative court process, and in most cases employers seek to have rehire orders dismissed.

"How Best to Respond to Subpoenas for E-mail"
National Law Journal (07/25/05) Vol. 27, No. 45, P. S5; Sanchez, Anthony

E-mail is becoming an important part of e-discovery in legal and regulatory actions. In fact, 21 percent of companies have been ordered by courts to produce employee e-mail, according to the ePolicy Institute. Companies that have not prepared themselves to produce e-mail in court are often faced with an expensive, time-consuming process, particularly if the subpoena requests e-mails in which certain words or phrases were used, where certain people were copied, within a certain set of dates, or a combination of all of these criteria. E-mail archiving is an effective way to prepare for the possibility of a subpoena. An archiving system can be set up to index e-mails by date, type of document, and sender, or a combination of all three, so that a given e-mail can be found quickly and easily. Companies should also rethink destroying old e-mails, since this archiving technology makes it easy to look through non-relevant e-mails in order to find the relevant ones. Finally, companies should work to make sure that their employees realize that e-mail could be a legal record of their conversations, and train them to use it in a way that will not come back to haunt them or the company in the event of a subpoena.

"The State of Surveillance"
BusinessWeek (08/08/05) No. 3946, P. 52; Yang, Catherine; Capell, Kerry; Port, Otis

Future surveillance technologies may be more effective terrorism deterrents, and the public's apparent acceptance of the increased privacy infringement they entail is encouraging research in this area. Scientists at the University at Buffalo and elsewhere are investigating systems that could turn one's breath, saliva, or body odor into a biometric ID; however, biometrics' tendency to generate false positives is a problem, while the increased use of biometrics for identity authentication, building access, and so on raises the risk of theft or forgery. Biometrics-based surveillance technologies being funded by the U.S. government include camera-based software that can identify people from a distance according to their strides, and systems for tracking known criminals by comparing their irises to prints in a database. Faster and cheaper data processing and storage systems carry with them the likelihood of serious privacy infringement, by establishing an infrastructure for stitching together a detailed picture of a person's daily activities from the various pieces of data he discloses throughout the day. Furthermore, the government is focusing on the use of software to mine multiple databases in order to extract relationships between people to aid in criminal investigations, which could also be applied to eavesdropping. The most highly prized concept is a universal sensor capable of identifying any known pathogen or toxin, which would be distributed in networks. Among the most uncomfortable aspects of high-tech surveillance is the fact that citizens will be at the mercy of the government and corporations, which will reserve the most advanced surveillance technologies for themselves. In addition, widespread consumer use could lead to abuses, such as the victimization of individuals with unpopular views.

"Asking the Hard Questions"
Security Management (07/05) Vol. 49, No. 5, P. 85; McDonough, Edward

With good planning and effective interviewing and interrogation tactics, security professionals can get useful information out of witnesses and suspects when investigating a case. The process begins with planning and strategy, including what approach to use; knowing and studying the facts of the case; timing the interviews as soon as possible after an event occurs; the type of setting; and what information is hoped to be gained. The setting of the interview should be a private place, and if an interview is being conducted, the setting should be friendly and comfortable, whereas interrogations should be held in uncomfortable and unsupportive settings. Protecting a suspect's legal rights should always be a foremost consideration, and having a third-party observer on hand is a good idea. One of the two most commonly accepted interviewing and interrogation techniques is Kinesics, which identifies and interprets a range of commonly seen verbal and nonverbal behaviors that are associated with indications of guilt or innocence. The other technique, the Reid Technique, starts with a non-accusatory interview but eventually evolves into an interrogation composed of nine parts. The first part begins with the interrogator directly and confidently expressing that the suspect is guilty, followed by theme development; handling denials; overcoming objections; getting and keeping the suspect's attention; handling a suspect's passivity; posing alternative questions; detailing events; and obtaining a written statement of guilt.

"Preparing Fire Wardens"
Security Management (07/05) Vol. 49, No. 5, P. 100; Hewitt, John

The recruitment and training of volunteer fire wardens in the workplace is a crucial part of creating corporate fire-safety plans. Most employees who volunteer to become a fire warden do not have special emergency skills; thus, they must be trained well to ensure that corporate evacuation plans are carried out as they are intended during an emergency. Having one warden per 50 employees is a good ratio, and two deputy wardens per floor should be chosen and trained just to ensure that there is redundancy during an emergency. Retaining volunteer wardens can be difficult; thus, companies may want to consider offering them a small financial bonus or other incentive. Fire wardens have many responsibilities during an emergency, including overseeing the evacuation of employees and searching floors for remaining employees, including temporary employees and vendors who may not be aware of the company's evacuation policy. Security directors should not hesitate to allow all employees to attend the fire warden training sessions. Once fire wardens have been trained, they should share information about the evacuation plans with their fellow employees. Fire wardens should wear a brightly colored vest, hat, or armband so that employees know how to find them during a drill or real event, and wardens should react immediately to any alarms.

"Winning the Gadget Wars"
CSO Online (08/05); Duffy, Daintry

Some chief security officers are struggling to develop rules that will prevent seemingly benign technologies like camera phones and Web-based services from compromising their company's data security. The challenge for many CSOs is the need to balance the legitimate use of these technologies with the potential for misuse. In order to safeguard First Data's sensitive information, its chief information security officer Phil Mellinger has an employee who examines mobile devices and other technologies that employees want to bring into work, and who must give written consent before a device is allowed to be brought in. First Data also has systems in place that deal with the use of peer-to-peer and Web-based services like GoToMyPC. That program allows users to access their office computer from any other computer with an Internet connection, which concerns many CSOs because they have no control over the computer that the employee is using to access the company's network. First Data uses a proxy server from Blue Coat Systems that limits these kinds of external connections while allowing employees to have access to the information they need. Mellinger says that companies that face these kinds of threats shouldn't go overboard with the security measures they take. "There's a line of sensibility here. The object is to stay ahead of the people who aren't doing anything [malicious], who just have no security awareness at all. As long as I can stay ahead of that crowd, I'm in good shape," he said.

"U.K. Institutes New Deportation Measures"
Washington Post (08/05/05); Johnson, Ed

U.K. Prime Minister Tony Blair announced Friday strict new measures that would allow the government to deport foreigners in the country who belong to extremist groups or who preach violence and hatred. "They come here and they play by our rules and our way of life," Blair said. "If they don't, they are going to have to go." The British government will work with the Muslim community to shut down mosques that are used as forums where extremism is encouraged. In addition, the government will create a list of foreign Islamic clerics who will not be allowed to enter the United Kingdom. The British government will also create a list of bookshops, Web sites, and centers that encourage violence and hatred, and U.K. citizens involved with these organizations could be strictly penalized, and foreign nationals could be deported. In order to conform to European laws on human rights, the British government is negotiating with foreign countries to ensure that any foreigners expelled from Britain under the new measures would be treated humanely once they arrive back in their native country.

"New York Police Sued Over Subway Searches"
Washington Post (08/05/05) P. A3; Garcia, Michelle

The New York Police Department's random search of subway riders' bags faces a legal challenge from the New York Civil Liberties Union, which has filed a lawsuit on behalf of five subway riders to end the searches. Police officials say that the random searches are carried out on about one out of every five to 10 people, depending on the number of travelers. Gail Donoghue, special counsel in the New York City legal department, said that the NYCLU's suit is shortsighted. Meanwhile, New York state Assemblyman Dov Hikind (D) has announced that within two months' time he will introduce a bill that would give police officers the authority to focus their anti-terrorism efforts based on people's national origin and ethnicity. "Police officers need to keep specific attention to young people--Middle Eastern, South Asian--based on a profile that is so obvious," said Hikind.

"Private Security Guards' Training Boosted in Anti-Terror Effort"
SF Gate (08/02/05); Thompson, Don

California has mandated that licensed security guards in the state receive four hours of counterterrorism training to help the state protect its infrastructure from terrorist attacks. The private sector controls upward of 80 percent of the state's vital structures, including buildings and power plants. California has 200,000 licensed security guards and 200,000 unlicensed guards. The licensed guards are mostly employed by contract security firms, while the unlicensed guards are employed by businesses to protect a business facility. The Department of Consumer Affairs, which licenses guards, helped create the training curriculum as part of the 40 hours that licensed guards receive. The anti-terrorism training includes such topics as weapons of mass destruction, responding to terrorist attacks, and potential weapons used by terrorists. Materials used during the training include a DVD, book, and CD. The result of the training effort will be a ten-fold increase in "the number of eyes and ears out there," says the chief deputy director of the state's Office of Homeland Security.

"Police Chiefs Group Bolsters Policy on Suicide Bombers"
Washington Post (08/04/05) P. A2; Horwitz, Sari

Police officers who are confronting a suicide bomber and need to use lethal force should shoot the bomber in the head, according to recommendations in a new training guide from the International Association of Chiefs of Police. The recommendations, which were published July 8, a day after the first London bombing, apply to some 20,000 U.S. law enforcement members. By aiming for a bomber's head, the hope is that a bomber can be killed instantly before he can set off explosives that may be strapped to his body. The guide states that a typical behavioral profile for suicide bombers includes "multiple anomalies," such as carrying a backpack, duffle bag, or briefcase while wearing a heavy coat or jacket in warm weather. The backpack or other item being carried might have visible wires or protrusions, and the individual might have stains on their hands or chemical burns on their clothing. The typical suicide bomber might pace back and forth while mumbling prayers, and he may avoid eye contact, appear nervous, or sweat profusely. The threat posed by a suicide bomber does not have to be imminent before the officer shoots to kill, nor does the officer need to wait for the bomber to make the first move before shooting--instead the officer only needs a "reasonable basis" to act, according to the recommendations. Israel and the United Kingdom have national shoot-to-kill policies to deal with suicide bombers, but the United States allows each of its 18,000 law enforcement agencies to set their own policies.

"Securing the Hospital Food Chain"
Modern Healthcare (07/18/05) Vol. 35, No. 29, P. 44; Taylor, Mark

Protecting the security of the food supply at U.S. hospitals is an important issue, one that was underscored by a series of suspicious incidents earlier this year in which people posing as inspectors attempted to enter a handful of hospitals. Traditionally, hospitals have focused their food security efforts on protecting food supplies from accidental contamination, but since the Sept. 11 terrorist attacks, hospitals have also had to think about protecting their facilities from terrorists. Security experts explain that if terrorists can neutralize hospitals during a terrorist attack, they can in effect multiply the effect of their attacks because doctors will be unable to assist those who need help. Chicago's Rush University Medical Center, which has 679 beds and prepares 2.1 million meals per year at its city campus, uses several security procedures to make sure that its food supply is safe. The hospital conducts thorough pre-employment background checks, including checks of citizenship, criminal history, and drug testing. The hospital's food retail area, which includes self-service counters and salad bars, is considered the most vulnerable area, so the hospital keeps close tabs on this area to ensure that there is no tampering. The hospital also visits its vendors without prior warning so that it can get a true feel for their preparations, and it makes sure that its own campus and dock are secured and that only authorized personnel are allowed to enter. The vendors must provide a guarantee to the hospital that their products are safe upon delivery, and the hospital inspects vendors' security procedures, including the routes their trucks use and the timing of their deliveries.

"DNS Servers--an Internet Achilles Heel"
CNet (08/03/05); Evers, Joris

At last week's Black Hat conference in Las Vegas, security researcher Dan Kaminsky presented the results of his survey, which found susceptibility to DNS cache poisoning in almost 10 percent of the 2.5 million Domain Name System machines he scanned. The incentive to attack a DNS server is largely financial, according to the SANS Internet Storm Center, as hackers are frequently paid on the basis of how much malicious software they install on people's PCs; they can also gain access to sensitive information such as Social Security and credit card numbers. DNS cache poisoning attacks, sometimes known as pharming, substitute the address of a malicious site for that of a legitimate, popular site, redirecting users to bogus pages that might install malicious software or prompt users for sensitive personal information. Since each DNS server can support thousands of users, the number of vulnerable servers Kaminsky found could expose millions of Internet users to phishing attacks, identity theft, or other threats. Kaminsky said the vulnerable servers he found run the Berkeley Internet Name Domain (BIND) software and need an upgrade to a configuration that does not employ forwarders for DNS requests. BIND 4 and BIND 8 in forwarder configurations are porous, and running them is the equivalent of "Internet malpractice" on the part of service providers, said Nominum Chairman Paul Mockapetris. Kaminsky appealed to the managers of DNS servers to upgrade and audit their systems, as a scan similar to the one he conducted could easily be performed by a hacker trolling for vulnerable servers.
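The cache-poisoning mechanism described above, as an added illustration that is not code from the article, from Kaminsky's survey or from BIND: a simplified resolver cache that caches any reply it hears, beside one that only accepts replies matching an outstanding query's transaction ID and question name and keeps only records inside the zone it asked about. Transaction-ID matching and that in-bailiwick filtering are standard resolver defences assumed here, not details the article gives; every name, address and ID below is constructed sample data.

```python
"""Simplified model of DNS cache poisoning and the resolver-side checks
that stop it. Added illustration, not the article's, Kaminsky's or BIND's
code; all names, addresses and transaction IDs are constructed."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Reply:
    """One DNS reply as the cache sees it (constructed, simplified)."""
    txid: int       # 16-bit transaction identifier echoed from the query
    qname: str      # question name the reply claims to answer
    answers: tuple  # ((name, ip), ...) records carried in the reply
    zone: str       # zone the server we queried is responsible for


class VulnerableCache:
    """Resolver cache that trusts any reply it hears: the poisoning failure mode."""

    def __init__(self):
        self.records = {}  # name -> ip, what clients will be told
        self.pending = {}  # qname -> txid of the outstanding query

    def ask(self, qname):
        """Send a query (modelled) and remember its random transaction ID."""
        txid = secrets.randbelow(1 << 16)
        self.pending[qname] = txid
        return txid

    def receive(self, reply):
        # No check that a query is outstanding, that the txid matches, or that
        # the records belong to the zone that was asked about.
        self.records.update(reply.answers)
        self.pending.pop(reply.qname, None)
        return True


class HardenedCache(VulnerableCache):
    """Same cache, but a reply must match an outstanding query and only
    records inside the queried zone (in-bailiwick) are kept."""

    def receive(self, reply):
        if self.pending.get(reply.qname) != reply.txid:
            return False  # unsolicited reply or guessed txid: discard it
        for name, ip in reply.answers:
            if name == reply.zone or name.endswith("." + reply.zone):
                self.records[name] = ip  # in-bailiwick record: cache it
            # anything else is dropped, so a reply for example.com cannot
            # plant an address for a name in another zone
        del self.pending[reply.qname]
        return True


def run_poisoning_attempts(cache):
    """Feed a resolver one tampered and one forged reply; return its cache."""
    txid = cache.ask("www.example.com")
    # Reply with the right txid that also smuggles a record for another zone.
    tampered = Reply(txid=txid, qname="www.example.com",
                     answers=(("www.example.com", "192.0.2.10"),
                              ("login.bank.example.net", "203.0.113.9")),
                     zone="example.com")
    cache.receive(tampered)
    # Unsolicited reply whose sender had to guess the txid (constructed wrong).
    forged = Reply(txid=(txid + 1) & 0xFFFF, qname="www.example.com",
                   answers=(("www.example.com", "203.0.113.9"),),
                   zone="example.com")
    cache.receive(forged)
    return dict(cache.records)


if __name__ == "__main__":
    print("vulnerable:", run_poisoning_attempts(VulnerableCache()))
    print("hardened:  ", run_poisoning_attempts(HardenedCache()))
```

The vulnerable cache ends up serving the planted address for both names, while the hardened cache keeps only the genuine www.example.com record.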

"Hackers Again Hit CU"
Denver Post (08/02/05); Cardona, Felisa; Ortiz, Christopher

Social Security numbers, names, and photographs of 29,000 current and former students at the University of Colorado at Boulder, as well as of up to 7,000 staff members, were exposed when hackers gained access to information on the CU-Boulder Buff OneCard identification card. The card is used by students as an ID and to gain access to campus buildings. The university had been a victim of hacking two previous times since July 21. Because of those earlier attacks, security personnel quickly detected the unauthorized access and took action to prevent data theft. The three incidents are under investigation and have not yet been linked. The university is already taking security steps, such as eliminating Social Security numbers as identification and establishing a hotline where individuals can inquire about the security breaches. In addition to identity theft, hackers often penetrate systems to send spam e-mail without being spotted or to share pirated software or movies through the computer network. Recent hacker breaches at Boston University, Georgia Tech, and other U.S. institutions prompted CU to phase out Social Security numbers as student IDs in favor of unique student numbers that cannot be employed to acquire or extend credit.

Abstracts Copyright © 2005 Information, Inc. Bethesda, MD
