Friday, August 31, 2007

Security Management Weekly - August 31, 2007

CORPORATE SECURITY
  1. "FBI Investigates String of Store Threats": Bomb-Threat Caller Demands Money From 15 U.S. Stores During Past Week
  2. "Convenience Stores Get Tips to Boost Security"
  3. "Mexico City Police Find Bomb in Nation's Tallest Skyscraper": Ten Thousand Workers Evacuated
  4. "With Software and Soldering, AT&T's Lock on iPhone Is Undone"
  5. "Saudis Set Up Force to Guard Oil Plants"
  6. "Vindicated Olympic Park Bombing Suspect Richard Jewell Dies"

HOMELAND SECURITY
  7. "E-Mail Bomb Threats Sent to Campuses Across U.S."
  8. "Chertoff Touts Coast Guard Changes, New FEMA Warning System": Hurricane Response Is Revamped
  9. "Aggressive Bees May Track Future of Flying Robots"
  10. "After Virginia Tech": Campuses Struggling to Keep Up With Record Number of Mentally Ill Students
  11. "Preventing the Next Campus Shooting"

CYBER SECURITY
  12. "All of World's Biggest Firms Hit by Typosquatting"
  13. "Digital Detectives Discern Photoshop Fakery"
  14. "America's Hackable Backbone": IBM Researcher Hacks Into Nuclear Power Plant
  15. "A Common-Sense Approach to Computer Security"


"FBI Investigates String of Store Threats"
Seattle Post-Intelligencer (08/29/07); Tucker, Eric

The FBI says that a bomb-threat caller--believed to be one person or group--has made telephoned bomb threats against 15 stores in no fewer than 11 states during the past week, claiming that he will detonate a bomb in the store if store managers do not immediately wire money to an overseas account. During the threatening call, the caller tells store managers that he is watching the store at that moment and can see inside the store, adding that he has a gun or bomb and will kill shoppers inside the store. He typically asks the managers to send money to the overseas account via Western Union, MoneyGram International, or another wire-transfer service. During one call, the caller ordered employees and shoppers inside a Dillons grocery store in Kansas to take off their clothes upon threat of death; the employees and customers complied with his demand. In another instance, the caller demanded a store employee cut off the store manager's fingers if the manager failed to comply with the caller's demands. The targeted businesses include Wal-Mart, Safeway, US Bank, Giant Eagle, and Vons, among others. Police believe the caller is ad-libbing and bluffing during the calls, and they doubt he has the ability to see into the stores. One call has been traced to Portugal, and police said in at least one instance the caller was said to have a foreign accent.

"Convenience Stores Get Tips to Boost Security"
Houston Chronicle (08/28/07); Crowe, Robert

Houston Mayor Bill White's 38-member Task Force on Convenience Store Security is providing security tips to the 1,600 convenience stores in the city. Among other things, the task force recommends that convenience store owners implement security cameras, keep minimal amounts of cash in the register, establish relationships with local police officers, and remove clutter from store windows so that crimes in progress will be visible. These recommendations are "minimal steps, which are very inexpensive and will improve the safety by 50 percent or more," says Assistant Houston Police Chief John Trevino. The task force is led by a convenience store owner and includes city officials, police officials, and other convenience store owners among its members. The task force further recommends that Houston legislators pass laws pertaining to the type of lighting used at stores and the minimum number of security cameras that must be in place. The task force plans to assign a grade of "high crime" or "low crime" to all convenience stores in the city, and the task force is lobbying the Houston Police Department to create a convenience store unit.

"Mexico City Police Find Bomb in Nation's Tallest Skyscraper"
Bloomberg (08/30/07); Rota, Valerie; Arai, Adriana

About 10,000 workers were evacuated Thursday from Mexico City's 59-floor Torre Mayor skyscraper--the country's tallest--after authorities discovered a bomb in a stolen car parked in the building's underground parking area. Authorities claim that the bomb, consisting of a cell phone connected to three pipes, did not contain enough gunpowder to damage the building, but security experts say that the incident nonetheless underscores Mexico's vulnerability to terrorism. Torre Mayor's director of operations, Felipe Flores, explained that the building was evacuated after a threatening phone call was received, prompting the discovery of the bomb. Police say that a similar threat was received Wednesday, forcing the evacuation of the skyscraper's first 19 stories. Since November 2006, the extremist Popular Revolutionary Army group has been bombing stores and oil pipelines in Mexico. The group posted an anti-government rant on its Web site Thursday, but the message did not mention the Torre Mayor incident.

"With Software and Soldering, AT&T's Lock on iPhone Is Undone"
New York Times (08/25/07) P. B1; Stone, Brad

Several software and hardware techniques have been developed to allow iPhone users to recalibrate the device to work on any network instead of exclusively on AT&T. George Hotz, a 17-year-old from Glen Rock, N.J., spent about 500 hours unlocking two iPhones, which can now operate on any network thanks to a little soldering and some software tools. "This was about opening up the device for everyone," says Hotz. Hotz described his technique in detail on his Web site in the hopes that someone may be able to simplify the process. Meanwhile, a group called iPhoneSimFree has developed a software update that allows users to install the software and switch the phone's SIM card with one from another carrier to unlock the phone. The group says it has been working on the software since June, and plans to sell it to anyone interested in unlocking large numbers of iPhones, though a price has not been announced. Another company called Bladox, based in the Czech Republic, recently started selling a device called Turbo SIM that would allow users to attach another carrier's SIM card and insert it into the iPhone to trick the iPhone into thinking it is running on the AT&T network. Last fall, the Librarian of Congress issued an exemption to the Digital Millennium Copyright Act that allows individuals to unlock their cell phones, but the ruling does not apply to companies and individuals such as Hotz who distribute or sell unlocking tools and techniques. AT&T and Apple could sue such distributors, arguing that people sharing modifications to iPhones are interfering with the business relationship between Apple, AT&T, and their customers.

"Saudis Set Up Force to Guard Oil Plants"
Financial Times (08/26/07); England, Andrew

Faced with ongoing potential threats to its oil facilities from both Al Qaeda and Iran, the Saudi Arabian government has decided to boost the kingdom's oil-facility security personnel from the current 5,000 to about 35,000 within the next two to three years. U.S. defense company Lockheed Martin, in association with the Sandia National Laboratories' Defense Systems and Assessments Unit, is training the current group of Saudi security personnel in several areas, including the use of laser security, satellite imaging, surveillance technology, emergency management, and countermeasures. State oil company Aramco employs the 5,000 Saudi security personnel, who are stationed on-site at the oil facilities. The new security personnel will be subject to background checks.

"Vindicated Olympic Park Bombing Suspect Richard Jewell Dies"
CNN.com (08/29/07)

Private security guard Richard Jewell, the hero of the 1996 Olympics who saved people's lives by evacuating Centennial Olympic Park in Atlanta just before a package bomb exploded, has died of natural causes. Jewell had diabetes and his kidneys were said to be in failure. After the Olympics bombing, the media initially hailed Jewell as a hero for spotting a suspicious package that turned out to be a package bomb. Jewell began herding people away from the package before it exploded, killing one person and wounding upward of 100 others. The media's coverage of Jewell took a turn for the worse after the FBI began investigating him as a potential suspect in the bombing. The FBI eventually cleared Jewell of all suspicion, and in 2005 serial bomber Eric Robert Rudolph pleaded guilty to the Centennial Olympic Park bombing. Jewell later sued the FBI and a number of media outlets, including CNN and NBC, which agreed to settle his lawsuit.

"E-Mail Bomb Threats Sent to Campuses Across U.S."
Ithaca Journal (NY) (08/31/07); Sanders, Topher

The FBI is helping local law enforcement agencies across the country investigate a series of bomb threats that have been emailed to at least 15 colleges and universities, prompting evacuations at all of those schools. The Department of Homeland Security also is monitoring the threats, but department spokeswoman Veronica Valdez claims that the threats are not credible. "At this time, there is no credible information to suggest that there is an imminent attack on the homeland," Valdez says. The FBI says it is taking the threats seriously, noting that the threats are all similar in nature.

"Chertoff Touts Coast Guard Changes, New FEMA Warning System"
Houston Chronicle (08/28/07); Nelson, Melissa

Homeland Security Secretary Michael Chertoff marked the two-year anniversary of the Hurricane Katrina disaster by praising the efforts of first responders and the Coast Guard, and he also used the occasion to tout a new text-message-based public warning system from the Federal Emergency Management Agency (FEMA). The FEMA warning system, dubbed Public Alert and Warning System (IPAWS), launched this hurricane season in the states of Louisiana, Mississippi, and Alabama. Citizens must sign up to participate with the system, which sends email alerts and text messages to their cell phones. Chertoff noted that the Coast Guard has been realigned since Katrina, with various operations groups deployed across the country and ready to respond in areas as varied as port security, hazardous materials, and law enforcement. This realignment model also will be used by other agencies within the DHS, including the TSA, Chertoff said. "We've already begun the process of cross-training and coordinating with TSA and Customs and Border Protection so we can create teams across these components as a single DHS-managed and -led force that can respond to any threat, whether it be natural or manmade threat," said Chertoff.

"Aggressive Bees May Track Future of Flying Robots"
UQ News Online (08/23/07)

The Queensland government has given professor Mandyam Srinivasan $2.5 million to develop improved robot technology based on the behavior of bees. "Professor Srinivasan's unique marriage of biology and engineering will help to put Queensland on the map at a time where enhanced surveillance and security are key priorities for governments and leaders around the world," says Queensland Premier Peter Beattie. Srinivasan has studied bees for more than two decades, with previous funding coming from NASA and the U.S. Air Force. His research specializes in the emotion of bees, especially aggression, which changes the insects from docile creatures into "little fighter aircraft." Srinivasan also has studied the "visuomotor" system that allows bees to accurately track moving objects. Srinivasan believes that this research could be used in creating better unmanned aerial vehicles for purposes ranging from weather monitoring to reconnaissance and surveillance missions. The research also could be applied to autonomous spacecraft, which would be able to explore Mars more efficiently than the current robots that require remote control from Earth.

"After Virginia Tech"
Newsweek (08/20/07) P. 70; McGinn, Daniel; Raymond, Joan; Henig, Samantha

The number of mentally disturbed students on college and university campuses is at an all-time high, and schools are finding that, despite their best efforts, they are having difficulty meeting the needs of all of these students. The University of Virginia and many other schools provide about eight or nine therapy sessions per individual student before referring the student to private counseling, although most schools avoid handling the most serious cases, choosing instead to refer those cases immediately to private counseling. Many students with mental health issues do not bother to check themselves in for counseling, making it imperative for colleges to come up with systems to identify such students before they can cause harm to themselves or others. To that end, the most crucial step schools can take is improving inter-departmental communications about troubled students. MIT, which was plagued by a rash of suicides during the last decade, decided in 2002 to enhance its efforts at identifying students who need help. Thus, MIT's mental-health center made a number of changes, including focusing most of its efforts on providing therapy to students instead of faculty; increasing the number of staff; making more walk-in hours available; and stressing to students that it is normal to seek counseling. MIT's health center also takes a proactive approach by sending health educators to dorms, where they talk about issues like time management, sleep, and eating disorders. Former MIT student Alison Malmon has formed Active Minds, a mental-health help-group with 1,000 members and chapters on 69 campuses.

"Preventing the Next Campus Shooting"
Security Management (08/07) Vol. 51, No. 8, P. 54; Harwood, Matt

The April 16 Virginia Tech massacre prompted college and university campuses across the nation to examine their security and preparedness procedures, especially in the area of emergency communications. Universities are advised to create a system that identifies troubled or potentially violent students before they act upon their impulses. Although there are no national standards to serve as a roadmap for creating such a system, both the Federal Bureau of Investigation and U.S. Secret Service offer methods and guidelines for assessing behavioral threats. Universities must navigate the various privacy laws that can hinder information sharing efforts regarding troubled students or their removal from campus. The 1999 Columbine High School massacre dramatically changed the way authorities respond to active school shootings, forcing officers to switch from a patient approach of surrounding the school and negotiating with the gunman to a proactive approach predicated on entering the building quickly and eliminating the shooter or shooters. The switch in tactics was necessary because gunmen, like those who carried out the Columbine and Virginia Tech killings, have the same mindset as suicide bombers, meaning time is of the essence. The response to a school shooting should begin well before an event occurs by coordinating roles and relationships among all parties and agencies expected to take part in the response. Security experts highly recommend colleges and universities participate with the U.S. government's National Incident Management System and comply with its Incident Command System.

"All of World's Biggest Firms Hit by Typosquatting"
Out-Law.com (08/29/07)

Typosquatting--the practice of registering domain names for profit that are very similar to domains used by famous brands--has affected all of the Fortune Global 500 biggest companies and the FTSE 100 biggest companies, according to research from OUT-LAW. Typosquatters typically register a domain name and use the domain to create an ad-filled Web site, thereby making money. One example of a typosquatting domain would be microsift.com. Typosquatters are using "very deliberate and carefully calculated" approaches, says Pinsent Masons intellectual property expert John MacKenzie, who advises lawyers to defend against typosquatters by thinking like they do and adopting technology "to automate their processes" and go after typosquatters' pocketbooks. Christopher Bolinger, a corporate counsel for Pfizer, estimates that domain name abuse causes millions, if not billions, of dollars in damages to brands. Pinsent Masons trademark specialist Lee Curtis explains what constitutes a reasonable case of typosquatting trademark infringement: "If you had a typosquatter operating a Web site via a domain name that was one or two letters different to the trademark owner's site and was obtaining advertising revenue that way on the back of that domain, then you could argue that they were using the brand in the course of trade."
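The one- or two-letter lookalikes Lee Curtis describes can be screened for mechanically. The following Python is an added example, not code from OUT-LAW, Pinsent Masons or the article: it computes an edit distance (optimal string alignment, where an adjacent transposition such as "micorsoft" counts as one edit) between a brand's domain label and each domain in an observed list, and separately enumerates the single-typo variants of a label so a brand owner can build a watchlist. The brand name, the function names and the list of observed domains are constructed for illustration, not real registrations.

```python
"""Flag domains that are one or two edits away from a brand's domain name,
the kind of lookalike the abstract describes (microsift.com).
Added example; not code from OUT-LAW, Pinsent Masons or the article."""

import string


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def split_domain(domain: str):
    """Return (second-level label, suffix) for simple two-part names such as
    brand.com. Multi-level public suffixes are out of scope for this example."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def typo_variants(label: str) -> set:
    """Enumerate single-edit variants of a label: omissions, doubled
    characters, letter substitutions and adjacent transpositions.
    Useful for building a monitoring watchlist for a brand name."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + label[i] + label[i:])           # doubled char
        for c in string.ascii_lowercase:                         # substitution
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
        if i < len(label) - 1:                                   # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return variants


def flag_lookalikes(brand_domain: str, observed, max_distance: int = 2):
    """Return (domain, distance) pairs for observed domains whose label is
    within max_distance edits of the brand's label. The brand's own exact
    domain is skipped. Sorted by distance, then name."""
    brand_label, brand_suffix = split_domain(brand_domain)
    hits = []
    for dom in observed:
        label, suffix = split_domain(dom)
        if label == brand_label and suffix == brand_suffix:
            continue
        dist = damerau_levenshtein(brand_label, label)
        if dist <= max_distance:
            hits.append((dom, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: a brand domain and domains from a hypothetical
# zone-file or WHOIS sweep. None of these are registrations named by the article.
OBSERVED = [
    "microsoft.com", "microsift.com", "micorsoft.com", "microsofft.com",
    "mircosoft.com", "macrosoft.com", "example.com", "microsoft-support.com",
]

if __name__ == "__main__":
    for dom, dist in flag_lookalikes("microsoft.com", OBSERVED):
        print(f"{dom}: distance {dist}")
```

The distance check screens arbitrary lists of newly registered names; the variant generator is the complementary approach, producing the finite set of one-typo names a brand owner might register defensively or watch for. Names with an appended word (microsoft-support.com above) are not caught by either, since they are many edits away; those need a substring or keyword check.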

"Digital Detectives Discern Photoshop Fakery"
Christian Science Monitor (08/29/07) P. 13; Gaylord, Chris

Image-manipulation software has become increasingly easy to use and exponentially more difficult to detect, but Hany Farid, a computer science professor at Dartmouth and head of the college's Image Science Group, has developed computer algorithms that can test photos to see if they are fakes by finding the tiny hidden flaws. "There's no way to push a button and tell if it's real, but there are tests we can run that allow us to be pretty sure if it's a fake," Farid says. Some of the techniques teach a computer to identify subtle imperfections that untrained humans have difficulty spotting, such as inconsistencies in the physics and geometry of the image. For example, the vanishing points may not match, or the shadows cast from two or more objects may contradict each other. While some of the tests seem simple, others are quite complicated. One of the tests checks the reflection of light in people's eyes to triangulate the location of the flash camera that took the picture. If the analysis shows that the camera was in multiple places, the photo is a fake. While a significant amount of image manipulation is done by tabloid media, fake photos are problematic for the legal system, and this is where Farid's software will be put to good use. Farid has already testified in more than two dozen court cases as to whether photographs were altered. He says that so far most accusations of fraud turn out to be unfounded.

"America's Hackable Backbone"
Forbes (08/22/07); Greenberg, Andy

By hacking into a nuclear power station, IBM researcher Scott Lunsford demonstrated to the plant's initially skeptical owners exactly how vulnerable their supervisory control and data acquisition (SCADA) software was to attack. SCADA systems are employed nationwide to manage infrastructure such as natural gas and oil pipelines, water filtration, and trains. Moreover, these systems are increasingly connected to the Internet, exposing a large swath of national infrastructure to any hacker with a laptop. TippingPoint security researcher Ganesh Devarajan has notified SCADA software manufacturers about the weaknesses he has found, adding that though the bugs are simple, they are perilous. One such vulnerability enables hackers to insert their own commands, and with them false data, into the system. Still, the overwhelming complexity of critical infrastructure systems may be preventing criminals from controlling SCADA systems. However, over the past two years, threats have come in from hackers demanding ransom and claiming to have broken into SCADA systems, says Alan Paller of the SANS Institute. The dearth of security features in SCADA systems can be attributed to their age, as most were created before infrastructure systems were linked to the Internet. In addition, many SCADA software developers fail to provide security patches, or make such patches hard to install. Jim Christy of the Department of Defense believes SCADA systems need government regulation so that security is raised to at least a minimum standard.

"A Common-Sense Approach to Computer Security"
Baseline (08/07) No. 75, P. 39; McCormick, John

William Boni's pragmatic approach to security at Motorola stems from his desire to balance protecting data with granting Motorola's engineers the freedom they need to be productive and innovative. Boni notes that many in the industry have not yet acknowledged the increasing sophistication of hackers, as modern hackers are more likely to be criminals than the hooligans and hobbyists of the 1990s. Boni's team is therefore focused on countering both existing risks and emerging threats. Boni has also chosen to concentrate on data that requires rigorous management as well as compliance with regulations and policies. User and staff training is also a large part of Boni's plan. To that end, Boni cut the 300-plus-page security guidance manual given to staff members down to a more manageable 20 or so pages. By narrowing security's focus and simplifying the message, Boni has eliminated security measures that had previously been impeding non-critical systems' operations. At the same time, Boni is working to ensure that critical data has the appropriate controls surrounding it, and to ensure that metrics and mechanisms are being developed to keep the variants within acceptable limits.

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD



3 comments:

1. Anonymous, 10:19 PM

    Not sure where to post this but I wanted to ask if anyone has heard of National Clicks?

    Can someone help me find it?

    Overheard some co-workers talking about it all week but didn't have time to ask so I thought I would post it here to see if someone could help me out.

    Seems to be getting a lot of buzz right now.

    Thanks

2. Anonymous, 10:53 PM

    My developer is trying to persuade me to move to .net from PHP. I have always disliked the idea because of the expenses.
    But he's trying nonetheless. I've been using WordPress on a number of websites for
    about a year and am anxious about switching to another platform.
    I have heard very good things about blogengine.net. Is there a way I can import all my WordPress posts into it?

    Any help would be greatly appreciated!


    Also visit my site ::
    sportsbet ()

3. Anonymous, 1:14 PM

    My spouse and I absolutely love your blog
    and find the majority of your posts to be what precisely I'm
    looking for. Can you offer guest writers to write content for you personally?
    I wouldn't mind publishing a post or elaborating on a few of the subjects you write with regards to here. Again, awesome web log!

    Here is my web site - raspberry ketones
