
Friday, September 30, 2005

Security Management Weekly - September 30, 2005

CORPORATE SECURITY
  1. "Local Retailers Get Tips for Stopping Thieves" Lessons Learned From Retail Theft Ring in Virginia
  2. "China a 'Central' Spying Threat" China Is Spying on U.S. Businesses, Intelligence Official Says
  3. "New Trackers Help Truckers Foil Hijackings" High-Tech Tracking Devices Combat Cargo Theft
  4. "Real Estate Firms Need Solid Disaster Recovery Plan"
  5. "Sarbox: Year 2" Complying With Sarbanes-Oxley Act in Year 2 of Its Enforcement Will Not Get Any Easier
  6. "How Not to Look Like a Phish" Steps Companies Can Take to Avert 'Phishing' Scams

HOMELAND SECURITY
  7. "Houston Has 'Better Plan' Than Most Cities" U.S. Cities' Ability to Evacuate Comes Under Scrutiny After Recent Hurricanes
  8. "U.S. Sends Dogs Into Subways, But New York Declines Offer" DHS to Provide Bomb-Sniffing Dogs for Transit Systems in 10 Cities
  9. "Registered Traveler Test Is Ending Inconclusively" TSA's Test of Airport Security Program Will End This Week
  10. "Woman Suicide Bomber Marks Possible New Insurgent Tactic in Iraq"
  11. "Talking in the Dark" Wi-Fi Mesh Offers a Self-Correcting Communication System Capable of Surviving Hurricanes and Other Disasters
  12. "Advancing Airport Security" The Trend in Airport Security Technology Moves Toward Integrated Systems

CYBER SECURITY
  13. "Brazilians Blazing Trails With Internet Technology" Some of the World's Most Sophisticated Hackers Live in Brazil
  14. "Lawmaker Doesn't Rule Out Cybersecurity Regulation" Government and Private Sector Not Giving Cybersecurity Enough Attention, Congressman Says
  15. "Bring on the Security Gateway" Some of the Most Severe Threats Emerge From Within a Firewall

"Local Retailers Get Tips for Stopping Thieves"
Hampton Roads News (09/28/05) ; Shapiro, Carolyn

Earlier this year, authorities in Hampton Roads, Va., broke up a retail theft ring that stole an estimated $1 million in merchandise. The ring was composed of local, independent truck drivers who worked under contract for a Virginia transport company. The truck drivers diverted merchandise that was bound for stores like Wal-Mart and Kmart and sold it themselves, with some of the merchandise sold on eBay. The stolen goods included men's suits, tools, chain saws, and pool supplies. Sgt. Bruce Razey of the Virginia Beach Police Department said that the retailers that lost merchandise to the trucker ring could have reduced their losses with stronger oversight of their employees. For example, the retail stores' receiver employees, who received deliveries of merchandise from the truckers, were lulled into a false sense of security by the friendly nature of the drivers. The drivers became friendly with the receivers and earned their trust so that in many instances the receivers simply signed off on the truck deliveries without bothering to check that all the merchandise had arrived. Many of the retailers were completely unaware that their merchandise was being stolen until they were approached by law enforcement.

"China a 'Central' Spying Threat"
Washington Times (09/29/05) ; Gertz, Bill

China is engaging in a broad espionage effort to procure U.S. technology, and this threat includes the targeting of private businesses, businessmen, and scientists, according to Michelle Van Cleave, one of the top U.S. counterintelligence officials. The spying poses the most severe threat to sensitive national security technology secrets, but private-sector spies are also a problem. The Chinese spies use a number of simple methods to acquire information, including by sending spies to visit U.S. businesses, private defense contractors, and national laboratories. The methods also include telephone solicitations, in-person requests, email, and facsimile. The Chinese agents are "adept at exploiting front companies" and are "very aggressive" in business and at eliciting information, Van Cleave said. Chinese students, scientists, and other specialists in the United States are also providing the Chinese government with information.

"New Trackers Help Truckers Foil Hijackings"
Wall Street Journal (09/29/05) P. B1 ; DeWeese, Chelsea

Shippers and trucking companies are combating a steep rise in cargo theft by planting high-tech tracking devices inside crates and vehicles. This new breed of tracking devices allows companies and law enforcement agents to remotely monitor the whereabouts of valuable cargo while the cargo is being transported on trucks and even after it is unloaded. Cargo theft is often an inside job, and opportunistic insiders can easily thwart the more traditional satellite-based tracking systems that have been used to track trucks. The retail industry loses up to $15 billion per year due to the theft of semitrailer trucks and their cargo in the United States, and hundreds of semitrailers are stolen each day. Rep. Cliff Stearns (R-Fla.) says that officials are concerned that the profits from some cargo thefts are being used to finance Middle East terrorist groups. Stearns introduced a bill that would strengthen the penalties for cargo theft and create a law enforcement reporting system for cargo theft incidents. In February of this year, FBI agents used tracking devices to break up an inside-job retail theft ring that targeted the route between Memphis and Chicago. During that bust, FBI agents viewing computer monitors were able to track the progress of a semitrailer carrying DVDs, and as the truck stopped to allow the thieves to unload cargo, plainclothes officers moved in to arrest the culprits, including the truck driver, a warehouse employee, and two deputy jailers from a local police department.

"Real Estate Firms Need Solid Disaster Recovery Plan"
Banker & Tradesman (09/19/05) ; Ferrara, Matthew

Hurricane Katrina taught many businesses that disaster recovery plans for their operations and their technology are necessary to survive when catastrophes strike. The three main areas to incorporate into these plans are communications, data, and hardware and whether these elements can be protected or replaced quickly. Hardware is easy to replace during a small scale disaster; but larger disasters, like hurricanes, can wipe out local supplies of computers, laptops, digital cameras, and other equipment--which is why realty agents and others should have old or relatively new equipment on hand. Moreover, backup generators are helpful to provide power to systems when power is out for a long period of time, and are better than battery backups that only last a few hours. Data restoration is easier if backup copies of data are made on a regular basis and kept offsite, and offices need to place certain people in charge of backing up the data and they should be trained as to when and how it should be done properly. Finally, communications should be operational at all times in one form or another in order to keep workers abreast of what is going on with the firm and what they should be doing. Communications strategies should take into account that operations may be interrupted and for a significant period of time, so workers should be trained on how to contact one another and their clients. Staff can use email, phones, cell phones, text messaging, and other forms of communication to check with clients and supervisors as well as maintaining the flow of data from offsite locations.

"Sarbox: Year 2"
CFO-IT (09/05) Vol. 21, No. 13, P. 17 ; Violino, Bob

While many companies are relieved that the initial rush to comply with the 2002 Sarbanes-Oxley Act is over, continuing the compliance process in the second year of the act's enforcement will take just as much effort, perhaps even more. However, implementing a number of programs to assure the most efficient compliance effort may cut down on the stress associated with Sarbanes-Oxley. First, a formal group tasked with overseeing compliance should be created; this group should include high-ranking members of the organization in finance, accounting, technology, and business operations, and should be able to act quickly in order to maximize efficiency. The group should evaluate the controls the company established during the first-year rush to compliance; while many may be effective, some may have been put in place simply to comply with the act and may not be strictly necessary. Implementing automation of many compliance tasks should also be a goal in the second year; now that the company knows what needs to be done, it can design more efficient processes for doing it. The makeup of the compliance chain of command may also need to be re-evaluated; both the finance and information-technology departments have a huge stake in compliance issues, so their roles should be balanced according to the company's needs. The role of IT in particular may have to be expanded, going beyond the traditional areas under its control and focusing instead on broader issues of strategy.

"How Not to Look Like a Phish"
Security Products (08/05) Vol. 9, No. 8, P. 30 ; Maier, Fran

Companies should use industry best practices for email communications to protect themselves and their customers from the online identity theft technique known as "phishing." Many phishing scams involve the use of emails that mimic official email communications from some of the most trusted brands known, including financial institutions, online retailers, and Internet service providers. These fraudulent emails ask customers to share some of their most sensitive personal data, which often leads to identity theft, financial loss, and credit card fraud for the consumer. Businesses also face indirect losses from these scams because when a company's official email communications are mimicked the results can include customer dissatisfaction, loss of brand equity, and wasted resources. Businesses can take several steps to protect their brands from being hijacked during phishing scams, and these steps include communicating with customers and employees about the dangers of phishing and communicating across all divisions and units of the business. Companies should evaluate the technologies they are using and implement new technologies where needed, and they should also either conduct an email best practice review themselves or register with an accreditation program that will support and verify their email practices. When communicating with customers by email, companies should never use "click here" hyperlinks or request personal data from customers via email hyperlinks, and they should also refrain from using instant messages and pop-up windows for data collection. When communicating with customers, companies should always personalize their emails, proofread and spell-check communications, use clear and consistent branding, and use simple and clean URLs and links.

"Houston Has 'Better Plan' Than Most Cities"
Houston Chronicle (09/27/05) ; Hedges, Michael

Houston's ability to evacuate its residents as Hurricane Rita approached was severely tested, but the city is better prepared to respond to disasters than most big cities in the United States, according to experts. New York University's Paul Light, an emergency response expert, says that Houston's evacuation plan worked as well as could be expected under the circumstances, though improvements can be made. Many other cities just improvise their responses to disasters, says homeland security expert James Carafano. Light explains that Chicago lacks a real response plan, Los Angeles is still attempting to figure out how to evacuate its residents, evacuating New York would be hampered by the city's many "choke points," and evacuating Washington, D.C., "would be a mess." Officials on Monday said that the Homeland Security Department and Federal Emergency Management Agency will examine the emergency plans for hurricanes Rita and Katrina and learn from those experiences. President Bush is calling for a "robust discussion" about whether the Department of Defense should be placed in charge of responding to natural disasters. Carafano, for one, supports the idea of making the Defense Department the lead responder to disasters. "It would be counterproductive and ruinously expensive for other federal agencies, local governments, or the private sector to maintain the excess capacity and resources needed for immediate catastrophic response," he says.

"U.S. Sends Dogs Into Subways, But New York Declines Offer"
New York Times (09/29/05) P. A30 ; Chan, Sewell; Wald, Matthew L.

The transit agencies in 10 U.S. cities, including Los Angeles, Chicago, San Francisco, Philadelphia, and Washington, D.C., will receive three bomb-sniffing dogs apiece under a $2.7 million Department of Homeland Security (DHS) program. Each city's transit agency must apply for the program, and the program's other terms specify that each agency allocate three police officers to attend a 10-week training course to become a canine handler. Agencies that participate in the program will receive funding from the DHS to cover the costs of the dogs and the training, including $120,000 per year to pay for veterinary care, police vehicles, and food and uniforms. New York's Metropolitan Transportation Authority has chosen not to apply for the program due to the program's stipulation that, during crisis situations, each city make the dogs available for the needs of the federal government. A spokesman for New York's authority explained that the agency already has 25 bomb-sniffing dogs and plans to double that number in 2007. The DHS program also stipulates that the canine units spend a minimum of 80 percent of their patrolling time in city transit systems. A DHS spokesman explained that local authorities would almost always have control of the canines, which would only be reassigned during a national emergency.

"Registered Traveler Test Is Ending Inconclusively"
Washington Post (09/27/05) P. A15 ; Goo, Sara Kehaulani

The Transportation Security Administration (TSA) will end its Registered Traveler airport security program this week and will refrain from expanding the program as it is currently construed, according to government and industry sources. The test program, introduced last summer, is operating at half a dozen U.S. airports. The program works by allowing airport travelers to go to the front of security lines if they register in the program, provide personal data, and allow their irises and index fingers to be scanned. "We are concluding the pilot program and we are going to review the results to determine how Registered Traveler would fit as a link in the security chain," says TSA spokeswoman Yolanda Clark. Several companies have contracts to operate the program, but those contracts will be allowed to expire this week, Clark said. A limiting factor to the program's effectiveness is that it is only useful to users at the airport where they registered, industry officials said, adding that the registration must work at all participating airports if the program is to be expanded.

"Woman Suicide Bomber Marks Possible New Insurgent Tactic in Iraq"
Associated Press (09/28/05) ; Keath, Lee

A female suicide bomber killed six people and wounded 35 others in Tal Afar, Iraq, on Wednesday, by bypassing security checkpoints where women are not searched due to Islamic cultural sensitivities about close contact between men and women. Once in the city, the woman, who had explosives strapped to her body, disguised herself in traditional male attire and joined a group of men applying for jobs, where she blew herself up. U.S. and Iraqi officials are concerned that insurgents could begin deploying more female suicide bombers, which would present security challenges because there are not nearly enough female security officers to conduct searches of women passing through security checkpoints. Iraqi officials said that new techniques will be needed to combat female bombers, and they announced that from now on, women and children will be searched at Tal Afar checkpoints.

"Talking in the Dark"
New York Times Magazine (09/18/05) P. 24 ; Thompson, Clive

The recent experience of Hurricane Katrina was an excruciating lesson in the utter dependence we have on our communications systems: The panic and chaos that followed the storm were exacerbated by the failure of our communications networks, as the only devices that still worked for the week after Katrina hit were satellite phones and two-way radios. Wi-Fi mesh offers a self-correcting communication system capable of surviving a disaster of Katrina's magnitude. Conventional phone systems are centrally operated, meaning that the disruption of a small cache of switches affects service for a large portion of users; also, they are frequently overwhelmed in times of disaster, as they are only designed to allow 10 percent of customers to talk at once. Wi-Fi mesh systems are inexpensive and decentralized, and can easily support a phone system impervious to disaster. Meshed Wi-Fi can be thought of as a widescale bucket brigade, as each node transmits data to the next, located only a few hundred feet away; Wi-Fi also supports VoIP, and enables widespread connectivity to the Internet if just one user is logged on. Mesh networks are ideal for disaster situations, as the removal of a given node does nothing to disrupt a widely implemented Wi-Fi network. They are also remarkably efficient and inexpensive, as each node only consumes about 10 watts, and carries an implementation cost of around $350, a figure that increases to $650 with the addition of an emergency battery. Though Wi-Fi nodes do require a clear line of sight to communicate with each other, their marginal cost makes their widespread implementation in densely clustered urban areas eminently viable.

"Advancing Airport Security"
Security Products (09/05) Vol. 9, No. 9, P. 52 ; McChesney, Brooks

Technology is one of the key underpinnings of airport security, and the trend in this area has moved toward integrated systems that provide situational awareness in real time, as opposed to passive restraints and independent sensors and alarms. The methods that airport surveillance and response systems use to manage data are becoming more like those used by corporate enterprise-level information technology systems. "Network-based security systems, video management software, intelligent video surveillance software, emerging access control technologies, and biometric indices-based security technologies are among the technologies that will strengthen airport security in the future," predicts Frost & Sullivan research analyst Soumilya Banerjee. Numerous agencies and teams are involved in airport security, and coordinating this effort can be problematic. Automated security workflow technology, which enforces and supports airport security disaster plans, can resolve this problem by identifying threats, notifying the correct type of responders, providing updates on changing needs as an incident unfolds, and providing detailed situation analysis after the event. For example, if the workflow technology identifies a threat along the airport perimeter, it might respond by sending a text message to police officers to use their handhelds to view specific security camera footage. Meanwhile, the workflow technology might contact airport personnel and order them to implement crowd control processes and contact medical responders to guide them to the incident location. In the future, airport security technology will likely take the form of an integrated national security system that quickly determines whether suspicious activity at one airport is an isolated incident or part of a greater threat facing multiple airports.

"Brazilians Blazing Trails With Internet Technology"
Knight-Ridder Wire Services (09/26/05) ; Chang, Jack

Despite crippling levels of poverty and violence, Brazil is home to some of the world's most innovative technology, and plays host to some of the most sophisticated hackers. Brazil often finds itself the locus of international debates over intellectual property rights and private media controls, and though it does not have in place the infrastructure that other developing nations do, Brazil has made significant advances in open access technology that place it at the forefront of the Third World. Brazil received a major economic boost when Google acquired the native firm Akwan Information Technologies and established an office in São Paulo. There is still a wide gulf between rich and poor in Brazil, and while its 22 million-plus residents with Internet access rank it in the top 10 worldwide, that number still only represents 12 percent of the population. Piracy is also a major issue, as roughly 60 percent of the software and 70 percent of the hardware in use in Brazil infringes on copyright laws; Brazil is also a notorious haven for cyber criminals, as it is estimated that approximately 80 percent of the world's hackers are based in Brazil. The country's emerging IT industry has reached the $10 billion mark in annual sales. The spirit of unfettered access has led to the widespread implementation of the Linux platform in government and private industry, along with a host of other open-source applications. Throughout Brazil, open access movements are seeking to provide free Internet capability to computer users, and its vibrant open-source community draws on innovation from all over the country to maintain Web sites, provide tech support, and develop new technologies.

"Lawmaker Doesn't Rule Out Cybersecurity Regulation"
IDG News Service (09/27/05) ; Gross, Grant

The U.S. government and the private sector have not given cybersecurity adequate emphasis, said Rep. Dan Lungren (R-Calif.), speaking at a Sept. 26 cybersecurity policy forum hosted by Nortel Networks. Although his preference is for companies to voluntarily patch vulnerabilities, Lungren, chairman of the House Economic Security, Infrastructure Protection, and Cybersecurity Subcommittee, did not dismiss the possibility of the government imposing cybersecurity regulations, which he fears would "stifle the kind of innovation that's available to the private sector to come up with their own fixes." Lungren also said the government must gain a better comprehension of cybersecurity risk, especially as it pertains to Internet-powered supervisory control and data acquisition (SCADA) systems responsible for much of the country's critical infrastructure. He urged the government to make a stronger effort to anticipate cyberattacks, particularly those that threaten to cause the worst damage, and channel its resources into preventing such incidents. Nortel CEO Bill Owens noted at the same forum that the likelihood of cyberattacks will rise as increasing numbers of devices transmit information via Internet Protocol. Acting director of the Homeland Security Department's National Cybersecurity Division Andy Purdy claimed his agency is attempting to raise the profile of the cybersecurity issue, citing the creation of a new assistant secretary for cybersecurity as a step in the right direction. But he agreed with Lungren that private companies bear a significant measure of responsibility in the assurance of Internet safety.

"Bring on the Security Gateway"
Communications News (09/05) Vol. 42, No. 9, P. 20 ; Hardof, Tamir

Although antivirus software and firewalls are still integral components of any network security system, they fail to adequately guard against today's cyber threats. In today's network environment, some of the most severe threats emerge from within a firewall. Any laptop that is connected to a network remotely offers access to a host of threats the firewall will never have a chance to protect against. Most organizations have workers who connect to their networks in cafes or airports, or employ the services of contractors and temporary workers who might also connect remotely. Intrusion-detection systems (IDSes) scan a network for traffic and notify administrators about activity based on signatures, but are incapable of actually responding to a threat. Intrusion-prevention systems (IPSes) improve on IDSes by offering a far more responsive attack protection. IPSes still occasionally produce false positives, and they still depend on signatures. Freestanding IPSes also frequently overlook the activity within a network. Comprehensive security must be intricately layered, integrating both internal and perimeter security tools and working in tandem to provide central management, logging, reporting, and event correlation. Internal security gateways monitor all traffic within a network, and provide several sophisticated methods of response to suspect activity. They also offer updated signatures, advisories, and thorough descriptions of potential threats. Zone segmentation also helps by providing varying levels of security based on the needs of a particular area. Quarantining helps to keep attacks localized. Forensic methods are needed to observe the logging and reporting of gateway devices. Quality reporting tools help funnel relevant information to administrators more quickly, such as automated aggregation and correlation devices.

Abstracts Copyright © 2005 Information, Inc. Bethesda, MD

