Friday, February 20, 2009

Security Management Weekly - February 20, 2009

header

  Learn more! ->   sm professional  

February 20, 2009
 
 
CORPORATE SECURITY  
  1. " Court Allows Oklahoma Workers to Have Guns in Vehicles" Denver
  2. " Telstra Executive Sparks Microsoft Security Scare" Barcelona
  3. " Hackers Steal Thousands of Wyndham Credit Card Numbers"
  4. " CVS to Pay $2.25 Million in Privacy Case"
  5. " Nigeria's Kidnap Capital Forces Shell, Chevron to Cut Output" Port Harcourt, Nigeria

HOMELAND SECURITY  
  6. " U.S. Delays Pak Payment for Fighting Taliban"
  7. " Report Opposes Spinning Off FEMA"
  8. " Obama's War on Terror May Resemble Bush's in Some Areas"
  9. " Re-evaluation of National Security Ordered" Homeland Security Secretary Napolitano Orders Review of National Emergency Preparedness Exercise
  10. " 'Virtual Fence' Gets a Boost"

CYBER SECURITY  
  11. " For a Poisoned Internet, No Quick Fix" DNS Servers Will Not be Completely Safe Until DNSsec is More Widely Implemented, Researcher Dan Kaminsky Says
  12. " Cloud Security Fears Are Overblown, Some Say"
  13. " Stealthier Mac Attacks" Security Expert Demonstrates How to Attack Mac OS X Without Leaving Evidence
  14. " Raids on Federal Computer Data Soar" Number of Attacks on Government Computers Rose 40% Last Year, According to US-CERT
  15. " A New Internet?" Some Engineers and Security Experts Say Internet May Have to be Rebuilt to Address Security Issues


   






 

"Court Allows Oklahoma Workers to Have Guns in Vehicles"
NewsOK (02/19/09) ; Boczkiewicz, Robert E.

The 10th U.S. Circuit Court of Appeals in Denver has unanimously voted to overturn a lower court ruling that prevented Oklahoma from implementing a law that allows employees to keep guns in locked vehicles while at work. In its ruling, the U.S. Circuit Court of Appeals said that the lower court's conclusion that the Oklahoma law is pre-empted by the federal Occupational Safety and Health Act was wrong. The three-judge panel said it disagreed because the Occupational Safety and Health Administration does not have a standard that bans firearms from the workplace, despite the fact that it is aware of the controversy surrounding the issue. The appellate judges also noted that the lower court ruling interfered with Oklahoma's police powers and essentially created a safety standard--something federal courts cannot do. The ruling disappointed the companies who challenged the law, including ConocoPhillips. The company and others involved in the lawsuit have not said whether they plan to appeal.
(go to web site)

"Telstra Executive Sparks Microsoft Security Scare"
Sydney Morning Herald (Australia) (02/19/09) ; Moses, Asher

A mobile phone equipped with a secret version of Microsoft's soon-to-be-released Windows Mobile 6.5 operating system has reportedly been stolen from an unnamed Telstra executive during the Mobile World Congress in Barcelona. The theft of the phone, which was being tested by the executive before its release at the end of this year, could have serious security implications for Microsoft because the features and the early bugs of the Windows Mobile operating system could be leaked. The leakage of that information could hurt the launch of the new operating system, which Microsoft is hoping will help it compete with Apple's iPhone and Google's Android operating system. However, a spokesman for Microsoft said that the company does not feel that the loss of the phone will affect it in any way.
(go to web site)

"Hackers Steal Thousands of Wyndham Credit Card Numbers"
IDG News Service (02/18/09) ; McMillan, Robert

Wyndham Hotels and Resorts has disclosed a computer breach in July 2008 that allowed hackers to steal tens of thousands of customers' credit card numbers. Wyndham says the hackers were able to steal card verification value (CVV) code from cards' magnetic stripes, which Gartner Research analyst Avivah Litan says is vital if thieves want to produce counterfeit cards. "You can sell that information for much more on the black market," Litan says. CVV codes also were stolen in the breaches at TJX and Heartland Payment Systems. Banks are held responsible for charges made by fraudsters using bogus cards that use the CVV code, while merchants must bear the charges when the fraudsters only have the card numbers and expiration dates. Wyndham estimates that the breach affected 41 hotels and resorts before the company's information security team detected it in the middle of September.
(go to web site)

"CVS to Pay $2.25 Million in Privacy Case"
Wall Street Journal (02/18/09) ; Pereira, Joseph

CVS Caremark has reached a $2.25 million settlement with the Department of Health and Human Services (HHS) over claims that the pharmacy chain violated the privacy rights of its customers by improperly disposing customer medical records and other confidential information. The settlement, which HHS says represents the largest payout to date for a data-privacy case, effectively closes the government's probe into the trash disposal practices at many of CVS' retail stores. HHS and the Federal Trade Commission launched their investigation after a local television report aired in Indianapolis. Robinsue Frohboese, acting director of the HHS office for civil rights, says the investigation exposed "systemic problems in CVS's trash-disposal procedures throughout the country."
(go to web site)

"Nigeria's Kidnap Capital Forces Shell, Chevron to Cut Output"
Bloomberg (02/17/09) ; Mbachu, Dulue

The security situation in Port Harcourt, a hub of Nigeria's oil industry, is continuing to deteriorate amid attacks from groups that say they want more of the wealth from the production of petroleum to go to the nation's poor. According to job-placement firms, Port Harcourt is tied with Baghdad as the world's most dangerous cities for foreign workers. Since 2006, more than 300 oil industry employees have been kidnapped in the area, according to a Web site run by expatriates. The Web site noted that 12 of those kidnapped workers were killed. In 2007 alone, 167 abductions were reported in the Niger River Delta, said Arild Nodland, the managing director of the consulting firm Bergen Risk Solutions. Although kidnappings dropped in 2008, thanks in part to the relocation of expatriate workers, attacks on the oil industry rose 31 percent to 92. Oil companies in the region have responded by taking a number of steps to boost security, including stationing guards with automatic weapons outside their offices and keeping expatriate workers in guarded compounds. The Nigerian government is also considering taking steps to appease the groups perpetrating the violence, including doubling to 25 percent the revenue from oil and other forms of energy that goes to states in the Niger River Delta region.
(go to web site)

"U.S. Delays Pak Payment for Fighting Taliban"
RTTNews (02/20/09)

Pakistan has not received a payment from the U.S. for its military efforts against the Taliban and al-Qaida since May 2008, according to Shaukat Tarin, financial adviser to Prime Minister Yousuf Raza Gilani. Pakistan is scheduled to receive $1.35 billion from the U.S., but months of negotiations in Washington delayed the reimbursement, Tarin said. The U.S. government has approved a payment of nearly $1 billion, and discussion for the remainder continues. Tarin noted that Islamabad is expected to pay out about $8 billion for its military efforts against Islamic extremists during the ongoing fiscal year, which ends June 30. He added that Pakistan's "dried up" investments and trade have made it difficult to cover these expenses. Pakistan relies completely on aid from the U.S. and other Western countries in order to stave off an economic collapse. Since 2003, the U.S. has provided Pakistan with roughly $10 billion in aid for its military and social development programs.
(go to web site)

"Report Opposes Spinning Off FEMA"
Washington Times (02/19/09) ; Hudson, Audrey

A new report by Homeland Security Inspector General Richard Skinner strongly opposes the Obama administration's plan to strip regulatory oversight of the Federal Emergency Management Agency (FEMA) from the Department of Homeland Security (DHS). Titled "FEMA: In or Out?", Skinner urges the new administration not to succumb to congressional pressure and act rashly with regard to FEMA. "Maintaining the status quo in the first year avoids unnecessary instability and confusion at a time of elevated risk," Skinner wrote. "Removing FEMA from DHS at this point would cause considerable upheaval, to both FEMA and the department." He also warned that spinning off FEMA would force the department to use resources traditionally reserved for natural disasters, and a key component in another terrorist strike. "While FEMA has not again faced a catastrophe on the scale of Hurricane Katrina, it has generally been perceived as performing relatively well in responding to disasters in the past few years," Skinner said. Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman concurs, saying "moving it out now would weaken FEMA, since the agency would no longer have the same ready access to the resources and expertise of the rest of DHS, and it would be more difficult to coordinate in a disaster." A spokesperson for Homeland Security Secretary Janet Napolitano says the new DHS chief will consider the recommendation.
(go to web site)

"Obama's War on Terror May Resemble Bush's in Some Areas"
New York Times (02/18/09) ; Savage, Charlie

Some of the Obama administration's policies on fighting terrorism bear a close resemblance to those of the Bush administration. One Obama appointee testified during their confirmation hearing that they would continue the CIA's program of transferring prisoners to other countries without due process, and would support detaining terrorism suspects without trials indefinitely. Attorneys for the Justice Department also recently supported arguments made by the Bush legal team that lawsuits brought by former CIA detainees should not be allowed to proceed out of deference to "states secret" doctrine. The continuation of Bush-era policies has not gone unnoticed by supporters of the prior administration or civil liberties groups, which had hoped for comprehensive change.
(go to web site)

"Re-evaluation of National Security Ordered"
New York Times (02/17/09) ; Schmitt, Eric

The head of the Homeland Security Department has ordered a review of the national emergency preparedness exercise. Janet Napolitano wants the program reexamined amid concerns that it is too cost-prohibitive for states to conduct, takes too much time to plan, and is "too removed from a real-world scenario." These and other concerns about the national preparedness to a terrorist threat and the efficacy of Bush administration national security policies were raised by Napolitano at her Senate confirmation hearing. “If we’re going to be doing these kinds of things, and they are valuable, the underlying philosophy is a good one, but they need to be in my view streamlined,” Ms. Napolitano told the Senate Committee on Homeland Security and Governmental Affairs in January. Many states have already implemented Napolitano's recommendations to drill exercises planned for this summer. Changes include conducting national exercises each year instead of every two years, improving federal coordination with state and local partners in planning disaster drills set for this summer, and giving feedback to participants within 90 days of the mock drills.
(go to web site)

"'Virtual Fence' Gets a Boost"
Wall Street Journal (02/17/09) ; Simpson, Cam

Federal officials have given Boeing the green light to resume work on the $8 billion "virtual fence" along the U.S.-Mexico border. The project was put on hold last year due to a number of problems with the technology that was to be used to secure the border. For instance, some of the radars that were being used were tripped by rainfall, while other components--such as cameras, sensors, and mobile communications--were unable to connect with one another. Many of those problems have since been resolved, though the software used to run the "virtual fence" is still prone to crashing after running for long periods of time. However, this issue is also expected to be resolved in the near future, said Mark Borkowski, the executive director of the Department of Homeland Security's Secure Border Initiative program. If the problems are resolved soon, border patrol agents could begin running the system and getting feeds on a regular basis by the end of this summer. However, Borkowski noted that the project still faces another, more serious challenge: lowering public expectations that the technology will be able to solve the country's illegal-immigration and border security problems.
(go to web site)

"For a Poisoned Internet, No Quick Fix"
Forbes (02/19/09) ; Greenberg, Andy

A large number of Domain Name System (DNS) servers have still not been patched to prevent hackers from exploiting the vulnerability security researcher Dan Kaminsky found last summer. According to an analysis of roughly 200,000 DNS servers by researchers at the Georgia Institute of Technology, between one-fifth and one-third of those servers have not been patched for the vulnerability, which can be used by hackers to launch DNS cache poisoning attacks. In those attacks, users looking for legitimate Web sites are redirected to fraudulent sites without their knowledge. The analysis also found that roughly 2 percent of those servers had been attacked by cybercriminals trying to take advantage of the vulnerability. In the wake of the release of the analysis, Kaminsky is urging IT administrators to patch their DNS servers to correct the flaw. However, he notes that the Internet will not be completely safe from DNS cache poisoning until DNSsec is more widely used. That technology authenticates the destination to which Internet traffic is being sent instead of simply redirecting it. The researchers, led by Georgia Tech professor David Dagon, presented their findings at the recent Black Hat security conference. Dagon says every server must be patched to stop the attacks. "In most cases when a fix goes out, 90 percent of the Internet is patched within a year. So we're still ahead of schedule," he says. "But given the size of the risk here, the rate of patching is still discouraging."
(go to web site)

"Cloud Security Fears Are Overblown, Some Say"
IDG News Service (02/19/09) ; Niccolai, James

Speakers at IDC's recent Cloud Computing Forum said that some IT professionals are overly concerned about security in cloud computing environments. Security is the leading concern related to cloud deployments, according to IDC's research, but speakers at the conference said that security expectations should be realistic. For example, Schumacher Group CIO Doug Menefee noted that when his company proposed moving most of its applications to hosted, cloud-based services, his IT department presented him with a list of 100 security requirements that were more stringent than the security measures used to protect the company's own data center. Menefee said that large cloud providers can secure his company's data better than its IT staff of three. "I think a lot of security objections to the cloud are emotional in nature, it's reflexive," said Accenture's Joseph Tobolski. "Some people create a list of requirements for security in the cloud that they don't even have for their own data center."
(go to web site)

"Stealthier Mac Attacks"
Technology Review (02/18/09) ; Naone, Erica

A security expert at the recent Black Hat DC computer security conference demonstrated a technique for attacking the Mac operating system OS X without leaving any evidence. Similar attacks have plagued Windows and Linux machines for years, but creating such an attack on a Mac required a greater level of sophistication. Vincenzo Iozzo, a student at Italy's Politecnico di Milano, says the technique allows an attack to compromise the machine without leaving an imprint on the permanent memory, meaning evidence of the attack will vanish as soon as the machine is turned off. This technique could be used in combination with another software flaw to replace a legitimate version of a Web browser with a malicious one that records the user's keystrokes and sends them to the attacker. Iozzo says the attack can only be detected using software that looks for intrusions on a network. Predicting where to inject code is difficult due to a security feature in OS X that stores the variables needed to keep the attack untraceable in random locations within the memory. However, Iozzo discovered how to anticipate where the variables would be stored. Independent security researcher Dino Dai Zovi says there are few Mac attacks that are sophisticated enough to need this kind of stealth, but warns the technique could be used to bypass advanced antivirus software in the future.
(go to web site)

"Raids on Federal Computer Data Soar"
USA Today (02/17/09) P. 1A ; Eisler, Peter

The U.S. Computer Emergency Readiness Team (US-CERT) reports that the number of incidents of unauthorized access to government computers and installations of malicious programs rose from a combined 3,928 in 2007 to 5,488 last year, a 40 percent increase. Mischel Kwon, the head of US-CERT at the Department of Homeland Security, says some of the increase could simply reflect better reporting. Nevertheless, government officials say they are concerned about the security of federal networks. National Intelligence director Dennis Blair recently told Congress that government networks are being attacked by foreign countries such as China and Russia in order to obtain intelligence. Blair also said that federal IT networks are being targeted by criminal groups and individuals trying to disrupt the nation's infrastructure, such as its power and communication systems. Federal IT security officials also are concerned about phishing attacks, in which cybercriminals try to trick their victims into revealing sensitive information by sending them official-looking emails, and Web redirects, in which victims are unknowingly redirected to Web sites containing malicious software. These concerns are prompting the federal government to take a number of steps to improve cybersecurity. For instance, President Obama has named Melissa Hathaway to conduct a 60-day review of federal cybersecurity programs. That review is expected to result in more cybersecurity initiatives being implemented.
(go to web site)

"A New Internet?"
New York Times (02/15/09) P. WK1 ; Markoff, John

There is a growing belief among engineers and security experts that the only way to fix Internet security is to recreate the Internet from scratch. What a new Internet might look like is being discussed, but one possible solution would create a "gated community" in which users would relinquish their anonymity and certain freedoms in return for safety, which is already the case for many corporate and government Internet users. As more secure networks are created, the current Internet will continue to become an increasingly dangerous area that legitimate users will want to avoid. "Unless we're willing to rethink today's Internet," says Nick McKeown, a Stanford University engineer working on building a new Internet, "we're just waiting for a series of public catastrophes." Last year, a malicious software program believed to have been released by a criminal organization in Eastern Europe infected more than 12 million computers after bypassing the world's best cyberdefenses. Internet security continues to deteriorate globally and even the most heavily protected military networks have proved vulnerable. "In many respects, we are probably worse off than we were 20 years ago, because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure," says Purdue University professor Eugene Spafford, the executive director of Purdue's Center for Education and Research in Information Assurance and Security. The Stanford Clean Slate project is developing a system that will allow a more advanced network to be established underneath the current Internet. The new network will be running on eight campus networks around the United States by the end of the summer.
(go to web site)

Abstracts Copyright © 2009 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment