Friday, November 30, 2007

Security Management Weekly - November 30, 2007

header

  Learn more! ->   sm professional  

November 30, 2007
 
 
CORPORATE SECURITY  
  1. " Intelligence Bill May Hinge on Immunity for Telecoms" Opposed by the American Civil Liberties Union
  2. " Two U-Va. Students Charged in Kidnapping" Victim Found in Tysons Corner, Virginia
  3. " Too Many Workers Fail to Grasp the Value of Data, Risks of Loss" Coding System Could Help
  4. " Total Recall: A Flawed System of Trade" China as Scapegoat

HOMELAND SECURITY  
  5. " Bin Laden Urges Europeans to Quit Afghanistan: Tape" New Video on Al-Jazeera
  6. " Group Was a Terrorist Cell Seeking 'Unholy Alliance' With Al-Qaida" Plotters in Chicago
  7. " Saudi Terror Plot Foiled; Officials Say Target Was Oil Industry" 208 Suspects Arrested
  8. " 1,500 Qaeda Members Freed After Counseling" Released From Saudi Arabia
  9. " Feds Work on Detecting Bombs in USA" New Technology in Development
  10. " Suicide Bomber Suspect in Bus Blast" Six Dead in Southeastern Russia
  11. " Israel Launches Anti-hijack Pilot ID System" Security Code System Called Foolproof

CYBER SECURITY  
  12. " Hacker Threat to U.S. Rising" U.S. Military Responds
  13. " Hackers Will Feed on Vista in 2008, Says McAfee" Hacker Interest Predicted to Rise
  14. " Ping: Bob Maley" Pennsylvania's Chief Information Security Officer
  15. " Handheld Hazards" PDAs Vulnerable to Security Breaches


   





 

"Intelligence Bill May Hinge on Immunity for Telecoms"
USA Today (11/28/07) ; Willing, Richard

The U.S. Senate will hold hearings on an intelligence bill when it returns on Dec. 3, which the American Civil Liberties Union (ACLU) claims will prevent Americans from uncovering the specifics of warrantless surveillance programs run by the federal government since the 2001 terrorist attacks. The bill also provides immunity to telecommunications firms from litigation. Former U.S. Justice Department attorney Michael Sussman said the bill is carefully written not to expose any unconfirmed domestic caller surveillance programs, but offers up immunity to those firms cooperating with alleged surveillance programs should they exist. The Bush Administration did admit that national security agencies have conducted warrantless eavesdropping on U.S. callers in the past, but only regarding those callers with connections to foreign terrorists. Bush Administration officials and the Director of National Intelligence, Mike McConnell, claim retroactive immunity is necessary to ensure telecommunications firms continue cooperating with the government and do not face bankruptcy because of their cooperation. The U.S. Senate remains divided on the issue of immunity, but the U.S. House version of the legislation only includes future immunity for telecommunication firms.
(go to web site)

"Two U-Va. Students Charged in Kidnapping"
Washington Post (11/27/07) ; Jackman, Tom

Two University of Virginia students were recently arrested and charged with abduction with intent to extort money. Investigators say the two students, both Chinese nationals living in Charlottesville, picked up the victim on Nov. 20 near Tysons Corner in the Washington, D.C.-metro area and held him at a motel until investigators tracked the kidnappers in the early hours of Nov. 22. Guanyu Lu and Baichuan Shu left several threatening messages for the victim's host family in McLean and demanded a $500,000 ransom. Fairfax County police and the Federal Bureau of Investigation found the kidnappers and the kidnapped victim in the motel room after tracking calls made on the victim's phone, and investigators believe the victim, who was a "known associate" of his kidnappers, may have been deliberately targeted by Lu and Shu.
(go to web site)

"Too Many Workers Fail to Grasp the Value of Data, Risks of Loss"
Wall Street Journal (11/27/07) P. B3 ; Worthen, Ben

According to Symantec Corp., the data lost on two computer disks in Britain by government workers is worth approximately $2.5 billion if each record garners $100 on the black market. Experts agree that workers too often view the loss of computer disks and USB memory keys as easy to replace devices that cost $20 or less to replace, but security experts say the confidential data on them is worth much more. Ponemon Institute Chairman Larry Ponemon says, "There's a real disconnect between the perceived value and the real value of information. The rank-and-file employee still doesn't seem to get it." He suggests that companies and governments develop a color-coded system that alerts workers as to what information is the most precious and what data needs little security. Red tags could signify data that is highly sensitive, while green tags signify the information can be passed along without security protocols in place.
(go to web site)

"Total Recall: A Flawed System of Trade"
Far Eastern Economic Review (11/01/07) Vol. 170, No. 9, P. 46 ; Finstad, Ryan

China has become the scapegoat for the increase in product recalls in the United States, but the system of contract manufacturing is essentially flawed. U.S. companies have turned to Chinese manufacturers in an effort to produce goods more cheaply, but as the Chinese economy matures and living standards improve, factories have tried to respond to rising production costs and intense price pressures by cutting corners, and quality has suffered. Manufacturers can no longer expect to attract workers at government-mandated minimum salary levels, and they have to contend with U.S. companies that ferociously compete and negotiate for the lowest prices, which ultimately ripples throughout the supply chain. The first step in preventing quality problems is to understand that Chinese manufacturers face a low penalty for failing a quality inspection compared to U.S. companies, which have well-developed brand names and can be held liable in court. The incentive structure must be overhauled to get at the root of the problem, and an increase in penalties for failing a quality inspection would be another way for the U.S. government to create additional pressure. Companies should have documented policies in place. Moreover, a written vendor manual that is specific about approved ingredients, banned substances, and testing methods is the key to quality inspection.
(go to web site)

"Bin Laden Urges Europeans to Quit Afghanistan: Tape"
Agence France Presse (11/29/07)

Al-Qaeda leader Osama bin Laden urges European leaders to pull their troops out of Afghanistan in a new tape that aired on Al-Jazeera on Nov. 29, 2007. In his broadcast, bin Laden accuses the chief executives of Great Britain, Italy, Spain, and France of being "under the shadow of the White House." He goes on to denounce U.S.-led forces for unnecessarily killing innocent women and children in Afghanistan in retaliation for the Sept. 11 attacks. "I affirm that the Afghans - government and people - had no knowledge whatsoever of these events and America knows that," he states. U.S. military and security experts assure that bin Laden's recent message is a worn strategy, and that Europe is committed to peace in Kabul.
(go to web site)

"Group Was a Terrorist Cell Seeking 'Unholy Alliance' With Al-Qaida"
Associated Press (11/30/07) ; Anderson, Curt

The Federal Bureau of Investigation foiled a plot by a group of Chicago residents to partner with al-Qaida and carry out terrorist bombings on the city's Sears Tower and several FBI offices. The seven men, known as the "Liberty City Seven," and their ringleader Narseal Batiste belong to the Moorish Science Temple, an inter-religious sect that does not respect the authority of the U.S. government. Two FBI informants infiltrated the group in 2005 and 2006, claiming direct ties to al-Qaida, and made the damning audio and video recordings used against the defendants in court. In multiple broadcasts, the would-be terrorists pledge allegiance to al-Qaida and discuss a "full ground war" and potential terrorism scenarios. The defendants claim the whole plot was a scam to extort money from one of the members, and they could each receive up to 70 years in prison if their defense does not hold up in court.
(go to web site)

"Saudi Terror Plot Foiled; Officials Say Target Was Oil Industry"
Reuters (11/29/07)

Saudi Arabia announced Nov. 29 that it had arrested 208 suspected terrorists in six cells and thwarted several planned attacks, the kingdom's largest such sweep to date. The Interior Ministry said the capture of eight suspects linked to Al Qaeda "preempted an imminent attack on an oil installation" in the east, which is home to most Saudi petroleum reserves. A statement carried by the Saudi Press Agency said the eight were led by a non-Saudi man, who was among those held. Eighteen other suspects led by a foreign missile expert were arrested for "planning to smuggle eight missiles into the kingdom," the statement said. With the oil market trading high on political risk, the timing of the announcement was particularly sensitive. Experts said it was the most serious report of terrorist activity since 2003, when al-Qaeda sympathizers sought to topple the royal family.
(go to web site)

"1,500 Qaeda Members Freed After Counseling"
New York Sun (11/27/07) ; Lake, Eli

While government leaders met in Annapolis in late November to discuss a peaceful resolution to the Israeli-Palestinian Arab conflict, the Interior Ministry of Saudi Arabia released from prison 1,500 Al Qaeda members who claimed to be reformed of their desire to rid the Arabian Peninsula of infidels. Muhammad al-Nujaimi, a member of the committee to reform Saudi jihadists, says over 3,200 of the detained al-Qaeda members - many of whom have been in prison since 2003 - have received counseling. However, this statistic reveals a less than 50 percent success rate, and the kingdom's mosques and Ministry of Culture continue to export a brand of Islamic ideology that permits violence in some instances. U.S. intelligence analysts fear there is insufficient evidence to prove the released captives will not continue practicing violence outside of Saudi Arabia.
(go to web site)

"Feds Work on Detecting Bombs in USA"
USA Today (11/27/07) P. A3 ; Hall, Mimi

The Department of Homeland Security is working to develop new technology that could detect improvised explosive devices (IEDs), which experts believe are a growing threat against urban areas. Homeland Security's Science and Technology division is working on a camera system that could identify a person in possession of a bomb by analyzing the way the person moves. Another system would make use of sensors that could identify chemicals used to make bombs. Officials are also developing advanced computer programs that could analyze communication and bank information to identify possible terrorist behavior. Experts believe that terrorists will eventually attempt to use IEDs in the same manner as they have been used in Iraq, where they have killed 1,600 soldiers since 2003. "Iraq has been an invaluable battle lab for the terrorists," said security experts Randall Larsen. "We should expect to see these extraordinarily lethal devices in future attacks -- not necessarily against tradition targets, such as subways, trains and buses, but against hardened targets such as VIP limousines." Congress is considering a bill that would allot $60 million to Homeland Security's Office of Bombing Prevention for the development and sharing of anti-IED technology. In addition to bomb detection, that division is advising companies that sell chemicals that could be used in bombs to train employees in "bomb making awareness" in an effort to prevent terrorists from acquiring an IED.
(go to web site)

"Suicide Bomber Suspect in Bus Blast"
Moscow Times (11/26/07) ; Abdullaev, Nabi

Investigators in southeastern Russia believe a suicide bomber may have been responsible for the Nov. 22 blast that left six dead and 10 hospitalized. A bomb packed with 300 grams of TNT and ball bearings exploded inside a bus as it approached a checkpoint between North Ossetia and Kabardino-Balkaria, authorities say. Included in the casualties were a woman, a nine-year-old girl, and a border agent. Since the bomb exploded in the less-crowded rear section of the bus and was detonated before the bus reached the checkpoint, investigators believe it is possible a suicide bomber was not involved and that the bomb was detonated from a different location. Separatist groups in the North Caucasus have been fingered for possible involvement, but no party has yet taken responsibility for the attack, the third of its kind in Russia in recent months.
(go to web site)

"Israel Launches Anti-hijack Pilot ID System"
Washington Post (11/21/07) ; Williams, Dan

Israeli officials plan to implement the Security Code System, a new anti-hijack identification system that will launch in 2008. Israel will run a trial next month for the system, which officials say is foolproof. The system requires pilots to punch in an authentication code on a keypad in order to gain entry to Israeli airspace. A plane that fails the test will be denied entry and fighter planes will be deployed in case the aircraft needs to be shot down. "You can't bluff this system," said Transportation Ministry Security Chief Dani Shenar. "It provides a higher level of confidence that the aircraft is being controlled by the right people, which is a huge asset in terms of avoiding unnecessary security alerts." However, some experts say that the system is not foolproof because it is based on the thought that hijackers will either kill the pilots and take control of the plane, or force pilots to issue the correct response. Although research shows that pilots would relay a distress signal if the plane was taken over, experts say that this thought process ignores the possibility that pilots could be unwilling to risk their lives, or could be in cahoots with the hijackers. There is also the possibility that terrorists could wait until after entering Israeli airspace to attempt their takeover.
(go to web site)

"Hacker Threat to U.S. Rising"
Sacramento Bee (CA) (11/26/07) ; Montgomery, Dave

In response to the hundreds of assaults against government computer systems' firewalls on a daily basis, the U.S. military is weaving computer technology into its standard warfare arsenal. Computer-security operations are underway in all branches of the military, and the Air Force is establishing a full-blown cybercommand. The military's blueprint is the "2006 National Military Strategy for Cyberspace Operations," which includes offensive and defensive strategies. The document is classified, but could include offensive techniques such as immobilizing an enemy's command-and-control networks. The U.S. military and the U.S. government rely on computers to a great extent, which makes both agencies susceptible to everything from network-crippling viruses to illegal intrusions that aim to steal sensitive data. In the 2007 fiscal year, the Department of Homeland Security recorded 37,000 reports of attempted breaches on private and federal systems. Moreover, computer control systems that direct public infrastructure elements confront "increasing risks," according to the Government Accountability Office. Thanks to its advanced firewalls and multilayered systems, the United States has prevented attacks that could cause extensive disruption to federal and private institutions. However, many countries have advanced computer operations, and foreign hackers affiliated with hostile governments are often believed to be behind attacks on U.S. systems, according to experts.
(go to web site)

"Hackers Will Feed on Vista in 2008, Says McAfee"
Computerworld (11/26/07) ; Keizer, Gregg

Analysts at McAfee's Avert Labs predict that over 40 vulnerabilities in Windows Vista will be reported in 2008. McAfee's Craig Schmugar asserts that Vista, in its first year, has escaped the notice of hackers, who are motivated by money. However, in 2008 Vista will reach the 10 percent market-share milestone that is likely to put the system on criminals' radar and trigger hackers' endeavors to seek out vulnerabilities in the system. In response to Microsoft's claim that Vista is more secure than Windows XP, Schmugar acknowledges that the malware statistics are likely correct, but adds that Vista's superior performance stems not only from its security competency, but also from the fact that it has largely been ignored by attackers to date. In its first nine months, 19 Vista vulnerabilities were reported, according to the National Vulnerability Database. Windows XP experienced a similar amount of vulnerabilities over a similar interval, but XP's rate of reported vulnerabilities increased more than twofold over the next year. Avert Labs produced its prediction for Vista's 2008 vulnerabilities by using the same doubling-plus formula.
(go to web site)

"Ping: Bob Maley"
Information Security (11/07) Vol. 10, No. 10, P. 64 ; Fisher, Dennis

Bob Maley faced a number of challenges when he became Pennsylvania's first chief information security officer in 2005. Upon accepting the job Maley was charged with putting together a comprehensive security strategy and architecture for 80,000 users on a limited budget. At the time, every one of Pennsylvania's 47 agencies took a different view of security. The agencies handled content filtering on their own and there was no assurance that it was being done--something that was a problem for a network that sees 1 billion events a month, Maley said. In addition, server builds were different from agency to agency and there was no common desktop image. To address these issues Maley and his team put in network intrusion prevention, an identity and access management program, and a security assessment framework. Maley also worked to educate users about security. He started a security awareness month in October as well as an online enterprise-wide security awareness program that all commonwealth employees are required to participate in.
(go to web site)

"Handheld Hazards"
Law Technology News (11/07) Vol. 14, No. 11, P. 28 ; Hansen, Adam

There are several security threats PDA devices pose that organizations should understand. PDA's increased storage capacity and portability heightens the risk of a security breach. Higher storage capacity means PDAs can accept larger files, and the larger the application, the greater the chance a breach may occur. PDAs also interface easily with other mobile devices and networks, are bi-directional, and are often unsecured. Organizations can protect themselves by doing a needs assessment, conduct an internal survey of PDA users and study their expectations of mobile devices. Next, craft protocols for the selection of devices, use policies, and maintain and replace older equipment. Afterwards, use risk-management evaluation to assess potential hazards of device and then relay those concerns to vendors. Lastly, find a person or department with influence to market the PDA protocols to other parts of the firm.
(go to web site)

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment