Wednesday, November 21, 2007

Security Management Weekly - November 21, 2007

CORPORATE SECURITY
  1. "Student Group Wants More Guns on Campus" - Rights and Safety Debated
  2. "Security Guards Turn Hijackers" - Attempted Heist in Papua New Guinea
  3. "Security Guard Union Blasts JetBlue" - Service Employees International Union Local 32BJ
  4. "Many Retailers Open to Wireless Attacks" - Greater Threat Than Physical Theft

HOMELAND SECURITY
  5. "Homeland Security Adviser Resigns" - Frances Fragos Townsend Leaves Post
  6. "U.S. Expands Security Rule for Canadians Entering Country on Visas" - Fingers Will Be Scanned
  7. "Radiation Detectors for Border Are Delayed Again" - Devices Not Yet Effective
  8. "Video Raises Fears of Al Qaeda Expansion to Maldives"
  9. "Bangladesh Cyclone Death Toll at 2,400" - Tropical Cyclone Sidr
  10. "Homeland Security Officials Say Government Unprepared for Dirty Bomb"
  11. "Bill Takes Aim at Gaps in Airport Security" - Transportation Security Administration to Perform Background Checks

CYBER SECURITY
  12. "McAfee Sees Cybercriminals Targeting Web 2.0, Windows Vista, and Online Games"
  13. "No More Lost Laptop Drama" - New, Proven Encryption Technology
  14. "Security Firms Pursue PCI-DSS Sales Opportunities" - Payment Card Industry Data Security Standard

"Student Group Wants More Guns on Campus"
Associated Press (11/21/07) ; Roberts, Michelle

Students for Concealed Carry on Campus, a nationwide organization of over 8,000 college students, is calling for state legislators and university officials to allow students and faculty to carry concealed weapons on campus. Currently, 48 states allow residents to register for the right to carry a concealed weapon. However, only Utah expressly permits students to bring weapons to school. Concealed Carry on Campus gained many supporters after 32 people were killed by a gunman at Virginia Tech. Supporters argue that some of the deaths could have been prevented if students or faculty were allowed to carry weapons. The student group utilized the Web site Facebook.com to grow rapidly since April, organizing its first nationwide protest in October. The organization's position has been criticized by a number of law enforcement and government officials, who say that campus safety problems would worsen if guns were allowed. "I'm a strong supporter of the Second Amendment, but our society has changed, and there are some environments where common sense tells us that it's just not a good idea to have guns available," said W. Gerald Massengill, former head of the Virginia state police.

"Security Guards Turn Hijackers"
United Press International (11/20/07)

Two armed security guards hijacked a chartered aircraft Monday, temporarily escaping with almost $2 million. The airplane was en route to a bank in Papua New Guinea's Western Province when the security guards used their guns to force the pilots to land at Port Moresby's Jackson Airport. The pilots managed to send out a distress signal, but by the time police arrived at the landing strip, the hijackers were gone. However, police later caught up with the two guards, who had met up with three accomplices. One of the robbers was killed in a shootout and two others were captured as the police recovered the stolen cash. The search for the remaining two robbers is ongoing.

"Security Guard Union Blasts JetBlue"
Crain's New York Business (11/16/07) ; Michaud, Anne

A new set of television advertisements criticizes JetBlue Airways for its treatment of security guards at JFK International Airport. The ads, paid for by the Service Employees International Union Local 32BJ, claim that JetBlue has a contract with Summit Security to pay 80 security guards as little as $20,000 a year. The advertisements also mention JetBlue's cancellation of hundreds of flights in February 2007, which left passengers trapped on grounded airplanes for several hours, and the poor quality of food served by the airline. A JetBlue spokesman declined to comment on the commercials, but did state that the guards employed through Summit Security are used for traffic control, not baggage or aircraft security. Service Employees International Union Local 32BJ, which represents over 50,000 building services employees in New York, is striving to organize the Summit employees.

"Many Retailers Open to Wireless Attacks"
Dark Reading (11/15/07) ; Wilson, Tim

Data breaches constitute a far greater security threat to retailers than physical theft, says Amit Sinha of wireless security vendor AirDefense, whose new report estimates that 50 percent of wireless networks at major mall outlets are easily hackable, as determined via penetration testing. Weaknesses cited in the report range from completely open, unsecured networks, to deployment of the proven-vulnerable Wired Equivalent Privacy (WEP) security technology, to wireless devices still configured with easily discovered out-of-the-box default passwords, to LAN configurations that use the store's name as the Service Set Identifier (SSID). Loosely secured store networks allow attackers to exploit the local network and bar code readers to steal credit card and transaction data from in-store customers, while the linkage of many local store wireless LANs with corporate networks or partners' systems can also serve as an intrusion point. The initial exposure of systems and data at TJX was traced to this second form of attack, according to court records. "What this says to me is that despite all the discussion of [Payment Card Industry Data Security Standard] and huge breaches such as TJX, many retailers still don't see the threat," notes Sinha. "There's still a lot of education that needs to be done." Sinha recommends that retailers refocus their security efforts to concentrate more on data theft than physical theft.
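The four weaknesses the AirDefense report lists (open networks, WEP, default credentials, store name as SSID) are the kind of thing a retailer can catch with a routine inventory audit. The following is an added example, not code from the article or from AirDefense; the access-point records, the default-credential list and the severity labels are constructed for illustration.

```python
"""Audit a retail wireless access-point inventory for the weaknesses named in
the AirDefense report. The inventory records and the DEFAULT_CREDENTIALS set
are constructed samples, not a real vendor database."""
from dataclasses import dataclass

# Constructed placeholder list of vendor default admin logins.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


@dataclass
class AccessPoint:
    store: str              # store or brand name, e.g. "Acme Outlet"
    ssid: str
    encryption: str         # "open", "WEP", "WPA" or "WPA2"
    admin_user: str
    admin_password: str
    bridged_to_corp: bool   # store LAN is linked to corporate or partner systems


def audit_ap(ap):
    """Return a list of (severity, finding) tuples for one access point."""
    findings = []
    enc = ap.encryption.upper()
    if enc == "OPEN":
        findings.append(("critical", "no encryption; in-store traffic is readable by anyone in range"))
    elif enc == "WEP":
        findings.append(("critical", "WEP in use; keys are recoverable, treat the network as open"))
    elif enc == "WPA":
        findings.append(("medium", "WPA in use; migrate to WPA2"))
    if (ap.admin_user, ap.admin_password) in DEFAULT_CREDENTIALS:
        findings.append(("high", "admin interface still uses vendor default credentials"))
    # An SSID carrying the store name tells a passer-by exactly whose network it is.
    store_token = ap.store.lower().split()[0]
    if store_token in ap.ssid.lower():
        findings.append(("low", "SSID discloses store identity"))
    # A weak AP bridged to corporate systems is the TJX-style entry point; escalate.
    if ap.bridged_to_corp and findings:
        findings.append(("critical", "weak AP is bridged to corporate/partner network"))
    return findings


def audit_inventory(aps):
    """Return {ssid: findings} for every AP that has at least one finding."""
    report = {}
    for ap in aps:
        findings = audit_ap(ap)
        if findings:
            report[ap.ssid] = findings
    return report


# Constructed sample inventory for a single store.
SAMPLE_INVENTORY = [
    AccessPoint("Acme Outlet", "ACME-STORE-12", "WEP", "admin", "admin", True),
    AccessPoint("Acme Outlet", "AO-Guest", "open", "admin", "Str0ng!pass", False),
    AccessPoint("Acme Outlet", "xk3-pos", "WPA2", "netops", "Str0ng!pass", True),
]

if __name__ == "__main__":
    for ssid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, text in findings:
            print(f"{ssid}: [{severity}] {text}")
```

Feeding the function real inventory data (from a wireless controller export, for instance) is left to the reader; the escalation rule is what turns a per-AP misconfiguration into the corporate-network exposure the article describes.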

"Homeland Security Adviser Resigns"
New York Times (11/19/07) ; Knowlton, Brian

The White House Monday announced the resignation of Frances Fragos Townsend, President Bush's adviser on terrorism and homeland security. Townsend had served in the position since 2004, advising the president and working with the FBI, CIA and Pentagon to fix internal agency weaknesses exposed by the Sept. 11 attacks. Townsend, who earlier in her career prosecuted the mafia in Manhattan, was nicknamed "The Hurricane" for her aggressive style. Earlier this year, Townsend admitted that the U.S. was making little progress in the fight against al-Qaeda in Pakistan, an issue that has gained more exposure after General Pervez Musharraf declared emergency rule in the country earlier this month. Despite the trouble in Pakistan, Townsend's tenure was successful in preventing any major terror attacks. "We are safer today because of her leadership," said President Bush in a statement released Monday. Townsend is the latest top White House official to resign this year, following Karl Rove and press secretary Tony Snow. Townsend will step down from the position in January 2008; President Bush hopes to name a replacement prior to Townsend's departure.

"U.S. Expands Security Rule for Canadians Entering Country on Visas"
Canadian Press (11/20/07)

Canadians entering the United States on visas later this month will be required to have all 10 of their fingers scanned at selected airports under an expanded US-VISIT program. The mandate will cover some 10,000 people, both Canadians who need a visa to work in the United States and those betrothed to U.S. citizens. Beginning in late November, all affected individuals flying into Dulles International as well as airports in Boston, Chicago, Detroit, Atlanta, Houston, Miami, New York, Orlando, and San Francisco will be required to submit to the scanning. By the end of next year, the new rule will go into effect at all 311 air, land, and sea ports of entry in the United States. Eventually, other Canadians, such as students and nurses, may be brought under the program.

"Radiation Detectors for Border Are Delayed Again"
Washington Post (11/20/07) P. A1 ; O'Harrow, Robert Jr.

The purchase of new radiation-detection machines by the Department of Homeland Security has been put on hold because the devices do not yet perform adequately. In July 2006, Homeland Security Secretary Michael Chertoff announced plans to buy up to 1,400 of the new scanners at a cost of $1.2 billion, in an effort to improve screening at the nation's borders. However, field testing has revealed problems with the machines, several of which did not function without the assistance of the vendor. The announcement comes as federal officials are investigating whether someone at the Domestic Nuclear Detection Office (DNDO) told analysts to erase some data from the machines' test results. Although a Homeland Security spokesman said that an internal review showed no indication of inappropriate behavior, the director of the DNDO sent a letter to Congress on Nov. 16 alerting them that someone may have directed personnel to delete test results. Last year, the Government Accountability Office discovered that Homeland Security officials allowed the vendors to calibrate their machines prior to tests earlier this year, which exaggerated the performance of the machines. More than 55 of the machines have already been purchased at a cost of $377,000 each.

"Video Raises Fears of Al Qaeda Expansion to Maldives"
Reuters (11/19/07) ; Makan, Ajay

Investigators believe a propaganda video filmed inside the radical Dhar-al-Khuir mosque in the Maldives suggests al-Qaeda terrorists may be developing a cell within the island country. The video was uploaded onto a Web site linked to al-Qaeda, and is likely intended to draw funds and recruits to the country, according to counter-terrorism expert Nick Grace of threatwatch.org. The two-minute trailer depicts images of masked men praying, with the tagline "Your brothers in the Maldives are calling you." The video was filmed hours before an Oct. 6 raid by police, who were investigating a Sept. 29 bomb attack in Male, the capital, which left 12 foreign visitors wounded. The blast was the first Islamist militant attack to be recorded in the Maldives. According to security expert B. Raman, "The reported expansion of al Qaeda's arc of jihadi operations to the Maldives should be of concern to the international maritime community."

"Bangladesh Cyclone Death Toll at 2,400"
Associated Press (11/19/07) ; Ahmed, Parveen

Relief agencies in Bangladesh report that the death toll from Tropical Cyclone Sidr has reached over 2,400 so far, with potentially up to 10,000 casualties once rescuers reach the outlying delta islands, according to the Bangladesh Red Crescent Society. Over 1.5 million residents fled after a preliminary warning was issued, but those who stayed endured 150-mph winds, which flattened tens of thousands of homes and destroyed thousands of acres of crops in the southwestern region of the country. So far Bangladesh has pledged $5.2 million to help rebuild homes, and the United Nations, Britain, and the United States pledged $7 million, $5 million, and $2.1 million, respectively, in relief, while other international organizations like Italy's World Food program are bringing in food for survivors.

"Homeland Security Officials Say Government Unprepared for Dirty Bomb"
Government Executive (11/16/07) ; Povich, Elaine S.

A recent address to the Senate Homeland Security and Governmental Affairs Government Management Subcommittee revealed that the United States does not have sufficient radiological testing capabilities in the event of a dirty bomb. In testimony before the congressional group on Nov. 15, Thomas Dunne, associate administrator of homeland security for the Environmental Protection Agency, said the lack of capacity "will result in a lack of timely, reliable and interpretable data and will delay national and local response and consequence management activities." Decontamination drugs and storage facilities for radioactive soil are also unavailable, and Dunne suggested that such technologies and facilities would not be built without federal funds, since they would be used only in the event of a terrorist attack.

"Bill Takes Aim at Gaps in Airport Security"
Chicago Tribune (11/14/07) ; Hilkevitch, Jon

A new proposal by U.S. Rep. Mark Kirk (R-Ill.) would prohibit non-citizens of the United States from holding airport jobs that entail direct access to planes and the underlying baggage areas. In light of a recent major security breach at Chicago's O'Hare International Airport, where a group of employees and many illegal residents were arrested for gaining fraudulent access to sensitive areas of the airport, including aircraft, Kirk proposed legislation that would place responsibility for airport employee background checks in the hands of the Transportation Security Administration. The federal government would also perform resident status checks for all workers with access to the airfield, aircraft, and baggage-handling zones. Questions remain, however, about the ability of TSA agents to provide tighter security than current personnel, given the recent problems of failed bomb checks and high absenteeism among TSA staff at O'Hare.

"McAfee Sees Cybercriminals Targeting Web 2.0, Windows Vista, and Online Games"
InformationWeek (11/15/07) ; Claburn, Thomas

Shady adware companies have been driven out of the industry or into legitimacy by the FTC, but sophisticated cybercriminals remain undaunted, according to Dave Marcus and Craig Schmugar of McAfee. Indeed, adware has been trending downward since early 2007, and is expected to continue doing so, Schmugar says. In contrast, malware authors are increasingly targeting Web 2.0 sites, which are now successful enough and large enough to draw attacks. In 2008, Windows Vista and online gaming are other areas that can expect to face a growing number of cyberattacks, say the researchers. Vista will be increasingly attractive to criminals as businesses and consumers adopt the software, and online gaming is not only a lucrative target, but also less risky to steal from than a bank, explains Schmugar. The researchers predict the Storm botnet will continue to thrive, thanks to its ability to evolve and its clever coding methods. Low-profile targets such as regional banks can expect more phishing attacks as well. In addition, the researchers foresee parasitic crimeware growing by 20 percent; unfortunately, most new anti-virus programs are not proficient at handling such crimeware. Finally, McAfee anticipates VoIP attacks to surge by 50 percent, and predicts that hackers will focus on virtualization software, as security experts are now employing virtualization for protection.

"No More Lost Laptop Drama"
CIO (11/01/07) Vol. 21, No. 3, P. 25 ; Gruman, Galen

Today's CIOs can employ encryption to safeguard mobile devices, thanks to new, sophisticated tools. Cryptography Research's Paul Kocher says that although encryption technology is proven and mature, management techniques still vary from enterprise to enterprise and vendor to vendor. For that reason, CIOs should concentrate on crucial management strategies, such as what should be encrypted, how to recover lost passwords, and how to provide passwords to software that operates unattended. Christy Quinlan, CIO of California's Department of Health Care Services, using systems and infrastructure already in place, directed her staff to encrypt all data on the field force's 2,000 laptops. Some CIOs are opting to use whole-disk encryption, which protects all applications on a laptop as well as all files. Fortunately, whole-disk encryption does not hinder performance on newer laptops. Many enterprise-class encryption tools also include management tools that set and reset passwords and update encryption policies. Though most tools do not integrate with client management systems, experts say it is worth it to simply add one more console. Most importantly, CIOs must ensure that implementing encryption does not give users more passwords to remember, as many users will leave themselves a written reminder, thereby invalidating the protection. Handheld devices are another risk, as they are easy to lose and often contain key data. Unfortunately, encryption software for handhelds is not as advanced as it needs to be, according to Kocher. As a result, IT should outfit the devices with password access. Encrypting data has several costs, including up-front expenses such as installation, and an increased burden on the help desk staff. However, CIOs can control costs with savvy strategies, such as encrypting laptops for employees in high-risk departments such as HR and encrypting other workers' laptops when they are broken or replaced.

"Security Firms Pursue PCI-DSS Sales Opportunities"
Computerworld Canada (10/31/07) ; Ruffolo, Rafael

True merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS) involves a lot more than simply following the guidelines, according to security vendors. "Taking PCI forward, compliance with the requirements doesn't guarantee that you're going to be secure, it just sets the minimal standard that will indicate that you're doing something to protect data," says Finjan CTO Yuval Ben-Itzhak. "But, these minimal requirements are very far from where the threats are today and that's why additional layers of security are required to protect, going above and beyond the standard to match the threats that we see today in the Internet." Visa USA recently reported that two-thirds of the biggest merchants and nearly 50 percent of medium-sized retailers are now PCI compliant, but these percentages are well under PCI DSS targets; with new security threats breaking on almost a daily basis, many security vendors are concentrating more on credit card safeguards. Earlier in October, Visa USA levied close to $900,000 in fines on Fifth Third Bank for the massive cardholder data breach its client, TJX, suffered. Symantec's PCI compliance management service focuses on boosting awareness among merchants and service providers of the need to continuously comply with PCI standards. "If you look at PCI, it's not a one-time event, but rather a combination of embedding really good security practices, deploying a certain set of technologies and then demonstrating evidence of that security," says Symantec's Joe Lindstrom.

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD

