Search This Blog

Friday, February 27, 2009

Security Management Weekly - February 27, 2009


February 27, 2009
 
 
CORPORATE SECURITY  
  1. "Now You Can Track Colleagues and Students on Your Laptop" Carnegie Mellon Researchers Looking Into Ways Tracking Services Like Google Latitude Can Be Used on Campuses
  2. "TMI Safety Questioned" Pennsylvania
  3. "SEC, FTC Investigating Heartland After Data Theft"
  4. "New Visa Cards Come With Hefty Price for Retailers" Canada
  5. "More Than Half of Booted Workers Steal Data on Way Out, Survey Finds" Ponemon Institute

HOMELAND SECURITY  
  6. "Report: More Agents Needed to Secure Mass Transit" DHS Inspector General Says 102 Additional Inspectors Not Enough to Protect Rail and Mass Transit From Terrorists
  7. "Recession, Bailout, Stimulus: US Security Threats"
  8. "Napolitano Cites Mexican Drug Cartels as Major Threat"
  9. "Crisis Sharpens Scrutiny of Security Spending"
  10. "Taliban Extend Cease Fire in Pakistani Valley"

CYBER SECURITY  
  11. "New Version of Malicious Computer Program Is Released"
  12. "The Tigger Trojan: Icky, Sticky Stuff"
  13. "Survey: Security Is CIOs' Top Challenge" Grant Thornton Also Finds IT Infrastructure and IT Management Are Major Concerns
  14. "Cybersecurity Chiefs Unveil Plan to Lock Out Intruders" A Dozen Security Experts Publish List of Steps Federal Agencies and Contractors Must Take to Protect IT Networks
  15. "Guidelines Released for Secure Use of Digital Signatures, Hashing"


"Now You Can Track Colleagues and Students on Your Laptop"
Chronicle of Higher Education (02/27/09) Vol. 55, No. 25, P. A15 ; Young, Jeffrey R.

Researchers such as Carnegie Mellon University professor Norman M. Sadeh are exploring possible campus applications of new location-tracking services, whose adoption depends on whether scholars are willing to accept a certain degree of privacy infringement. Google's recently announced Latitude service uses information from the user's cell phone or laptop Internet connection to pinpoint the user's location and lets users share it with friends. Meanwhile, Sadeh's Locaccino system has settings that let users control when they can be tracked, and gives them access to a list of every moment when another system user saw their location. For professors, the killer location-tracking application could be academic conferences, where it could enhance dialog and engagement between colleagues. Such tools also appeal to students, who like to know who is nearby and are less conservative than their professors about privacy. Parents could use the technology to determine whether their kids are showing up to class on time, assuming students permit such monitoring. Still, uptake of location-tracking services on campuses is expected to be slow because the technology's advantages are less obvious, while its disadvantages are apparent. Nevertheless, a new Educause study lists location tagging as one of the leading technology trends to watch in the next several years.

"TMI Safety Questioned"
Chambersburg Public Opinion (Pa.) (02/25/09)

Residents near the Three Mile Island nuclear plant are questioning whether it is safe and secure as federal officials decide whether to renew the plant's license. The U.S. Nuclear Regulatory Commission is gathering public comment on a draft report that is part of the relicensing process for TMI's Unit 1. The unit is the only one that has operated at TMI since Unit 2 was crippled in the 1979 meltdown. TMI owner Exelon Nuclear is seeking a 20-year extension of its license for Unit 1. A public meeting was held on Feb. 24 as part of the relicensing process. One resident urged the NRC to require more security measures to guard against a terrorist attack or an accidental plane crash from nearby Harrisburg International Airport, while Scott Portzline of the citizen watchdog group Three Mile Island Alert questioned whether the plant is safe from an earthquake or a water-borne attack via the Susquehanna River. An NRC official said the plant is solid and subject to regular security evaluations. NRC projects branch chief Ronald Bellamy said TMI's shell is not the only structure protecting the facility from aircraft; there are more physical impediments inside that would provide extra protection. Exelon spokesman Ralph DeSantis said the plant has made $17 million in security upgrades since 2001 and is in the process of spending another $5 million. The upgrades include barriers, surveillance equipment and razor-wire fencing. The plant has also roughly doubled the size of its heavily armed security force, he said. "Security experts call Three Mile Island a hardened facility," DeSantis said.

"SEC, FTC Investigating Heartland After Data Theft"
IDG News Service (02/25/09) ; McMillan, Robert

The massive data breach at Heartland Payment Systems has prompted inquiries from the U.S. Federal Trade Commission (FTC) and the Securities and Exchange Commission and an investigation by the Treasury Department's Office of the Comptroller of the Currency (OCC). Gartner analyst Avivah Litan says the OCC's interest may stem from the Heartland breach pointing to a larger problem for the banking industry. "I think that the criminal gang that targeted Heartland is targeting multiple payment processors and it's a serious threat to the integrity of the payment systems," she warns. An FTC probe into data breaches is normal, as is its assertion of authority to seek penalties or consumer reparation following such breaches. The Open Security Foundation's David Shettler says government inquiries will help Heartland's business partners and customers find answers to "a lot of unanswered questions," noting that "bankers around the country are getting frustrated because they're having to incur the costs of reissuing these cards, and they're not getting a lot of information."

"New Visa Cards Come With Hefty Price for Retailers"
Canadian Press (02/25/09)

Visa and MasterCard are rolling out new chip-and-PIN credit cards that could be expensive for small Canadian merchants, as one of the terms of acceptance is upgrading to expensive chip-reading terminals or compatible processing systems. Retailers who have not upgraded will be responsible for fraudulent transactions made through swipe technology after October 2010. "The move to chip is part of Visa's ongoing commitment to providing secure payment products and services," says Visa Canada's Mike Bradley. Bradley says the transition to chip-and-PIN systems will save merchants money in the long term, as the technology shields retailers from fraud, lowers the costs of operational paperwork, and saves time during transactions. About 225,000 retailers—over one-third of Visa's base—were accepting chip cards as of 2008, and Bradley projects that 14 million cards will be in circulation by the end of 2009.

"More Than Half of Booted Workers Steal Data on Way Out, Survey Finds"
Network World (02/23/09) ; Messmer, Ellen

Nearly 60 percent of 945 people who left their jobs in the past 12 months stole sensitive data from their former employers, reveals a new Ponemon Institute survey. The survey found that 67 percent used this data, which was typically contained in emails and hardcopy files, to get a new job. In addition to asking employees how they used the data they stole, the survey also asked them how they managed to get the information out of their company's offices. The survey found that the theft of company information was typically carried out by simply walking out with paper documents, transferring data onto a CD or portable data storage device, or by sending documents as an attachment to a personal email account. The survey also found that employees often continued to have access to company data even after they quit or were fired. Nearly a quarter of the employees surveyed said they still had access to their former employer's computer systems after they left. About half of these employees said they still had access between one day and one week after leaving their companies, while 20 percent continued to have access after more than a week.

"Report: More Agents Needed to Secure Mass Transit"
Associated Press (02/27/09) ; Sullivan, Eileen

The Homeland Security Department's inspector general will release a report on Friday that says that the Transportation Security Administration's request for an additional 102 inspectors to ensure rail and mass transit employees are doing enough to protect against terrorist attacks is insufficient to get the job done. The report also noted that the TSA has just 175 inspectors who are assigned to assess transportation security for bus and mass transit systems, compared with 1,350 safety inspectors at the Transportation Department and 1,000 inspectors at the Coast Guard. In addition, the report noted that many of these inspectors were hired without having any experience with mass transit systems and that they will soon have to take on additional responsibilities, including enforcing regulations and monitoring grants. Finally, the report faulted the TSA for having rail, transit, and highway safety inspectors report to aviation security supervisors. House Homeland Security Committee Chairman Rep. Bennie Thompson (D-Miss.) noted that the report raises serious concerns, though he added that he was confident President Obama and Homeland Security Secretary Janet Napolitano would work to ensure that the TSA has enough inspectors.

"Recession, Bailout, Stimulus: US Security Threats"
Associated Press (02/26/09) ; Apuzzo, Matt; Sullivan, Eileen

The economic turmoil that is sweeping the globe could create a number of security problems for the U.S., experts say. For instance, analysts say that terrorists or countries could take advantage of the uncertainty on Wall Street by setting up several overseas hedge funds and dumping U.S. stocks, either by short-selling a major financial index or by selling the stocks of important U.S. companies. Such an attack would begin slowly and pick up speed over several hours, and would result in panic and confusion in the market. James Rickards, a financial consultant at the McLean, Va.-based research firm Omnis Inc., noted that the U.S. is particularly vulnerable to such an attack now because the shaky banking industry is unable to jump in and prop up the markets the way it did after the September 11, 2001 attacks. Other threats could come in the form of growing extremism and anger at the U.S., which is seen as being responsible for the global economic problems, said Director of National Intelligence Dennis Blair.

"Napolitano Cites Mexican Drug Cartels as Major Threat"
Washington Post (02/26/09) P. A4 ; Hsu, Spencer S.

Homeland Security Secretary Janet Napolitano has told Congress that assisting the Mexican government in the fight against drug cartels must be a top priority for the United States. Testifying before the House Homeland Security Committee, Napolitano outlined new steps designed to prevent drug-related violence from spilling over into the U.S. She said the measures were prompted by Mexico's tough crackdown on narco-traffickers, which has generated violence "of a different degree and level than we've ever seen before. It is something that deserves our utmost attention right now." Napolitano has consulted with Attorney General Eric H. Holder Jr., national security adviser James L. Jones, and local and state law enforcement officials on ways to provide assistance to Mexican law enforcement; to stem the flow of guns, assault rifles and cash from the United States into Mexico; and to pinpoint areas in which more resources might be needed.

"Crisis Sharpens Scrutiny of Security Spending"
Reuters (02/25/09) ; Maclean, William

Security experts predict that governments around the world will start delivering more streamlined and cost-effective homeland security amid deepening economic uncertainty. Former senior U.S. Central Intelligence Agency official Henry Crumpton believes governments will continue to spend on security technology, but instead of investing millions of dollars in expensive gadgetry, they will look for more cost-efficient ways of shoring up security. "People often think there's a need for pervasive Orwellian surveillance, but in fact networks built on trust can provide the effective intelligence required," Crumpton says. While counter-terrorism will remain integral to economic confidence, security specialists are less certain of the need for the scale of spending governments have committed to over the last few years. "We must ask ourselves in all seriousness how long we can continue to drain our economies in a futile attempt to secure everyone and everything at all times," says Raphael Perl, chief of the Action Against Terrorism Unit at the Organization for Security and Cooperation in Europe.

"Taliban Extend Cease Fire in Pakistani Valley"
ABCNews.com (02/24/09) ; Graham, Stephen

Taliban militants indefinitely extended a cease-fire on Feb. 23 in a northwestern Pakistani valley, granting more time for peace talks that the U.S. worries could create an insurgent haven in the nuclear-armed country. Troops and insurgents have been observing a truce in the Swat valley since Feb. 15, when Pakistani authorities offered to introduce Islamic law in the region if militants lay down their arms. A hard-line cleric is negotiating a possible deal with the militants on behalf of the government. Pakistani officials say the offer to introduce Islamic law in Swat and surrounding areas addresses long-standing demands for speedy justice that have been exploited by the Taliban, which residents say now control much of the region. NATO and the United States have expressed concern that any peace accord could effectively cede the valley to militants who have defied a yearlong military operation, beheaded opponents and bombed girls' schools. Many analysts doubt the Taliban will accept the mild version of Islamic law on offer or that they will loosen their grip on the valley, which lies just 100 miles from the capital, Islamabad. A deal last year collapsed after several months.

"New Version of Malicious Computer Program Is Released"
New York Times (02/24/09) P. D2 ; Markoff, John

The authors of the Conficker virus, which has infected more than 12 million computers since its release last fall, have released a new version of the malware. Security researchers at SRI International, who recently identified the new version of the software, known as Conficker B++, say the latest version gives the virus new ways to communicate with the authors after it infects a computer. Security groups were recently able to discover how the virus was able to direct infected machines to new Internet addresses where they could get software instructions. However, the new version of the virus does not update computers that have already been infected, which means that it must repeat the process of spreading itself. The release of the new version of Conficker—which, like its predecessor, aims to create a botnet and download code that could be used to steal passwords and send spam to other infected machines—comes on the heels of an offer of a $250,000 reward for any information leading to the arrest of the virus' creators.

"The Tigger Trojan: Icky, Sticky Stuff"
Washington Post (02/24/09) ; Krebs, Brian

Researchers at the Sterling, Va.-based security intelligence company iDefense spotted the "Tigger.A" trojan in November 2008, but none of their 37 anti-virus solutions detected it. By December, AntiVir began detecting the trojan, but its invisibility to other virus-detection software allowed the data-stealing trojan to infect more than 250,000 machines in only a few months, according to a data log recovered from a Tigger-infected Web server. The trojan is directed mainly at customers and employees of stock-trading companies, according to iDefense's Michael Ligh. Its short list of prime targets includes E-Trade, Scottrade, TD Ameritrade, Options XPress, Vanguard, and ING ShareBuilder. The trojan is the only malware known to exploit the since-patched "privilege escalation" vulnerability in Windows, which allows an attacker to gain administrative privileges on a machine. Unlike most information-stealing trojans, Tigger removes other malicious software it finds. "The scary part is, none of us are really sure how Tigger is even being distributed," Ligh says. "I look at a lot of info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."

"Survey: Security Is CIOs' Top Challenge"
Federal Computer Week (02/24/09) ; Mosquera, Mary

Information security is the biggest priority and the greatest challenge for federal CIOs, concludes a new Grant Thornton survey. The survey also found that federal CIOs are deeply concerned about IT infrastructure and IT management. Some of the CIOs who participated in the survey said they measured their IT security progress by the number of vulnerabilities they patched, while others said they used a strategic response to enterprise security that required consolidated and standardized IT infrastructure and good IT management. Finally, the survey found that CIOs believe that efforts to correct vulnerabilities are too scattered. Grant Thornton's Paul Wohlleben says this finding underscores the need for the Obama administration to establish a broad, comprehensive government response to ensure that security monitoring and operational activities are performed effectively. A report accompanying the survey also suggested that CIOs use industry best practices—such as having strong leadership to bring about change, demanding results, and verifying results—in order to work toward achieving their goals.

"Cybersecurity Chiefs Unveil Plan to Lock Out Intruders"
Federal Times (02/23/09) Vol. 45, No. 1, P. 1 ; Carlstrom, Gregg; Eisler, Peter

More than a dozen security experts have introduced a list of 20 steps that they say federal agencies and contractors should take to protect their networks from being attacked. The group recommends that all federal agencies and contractors take basic security precautions such as setting secure configurations, controlling the use of administrative privileges by employees, and closing inactive accounts. The group notes that although these measures are basic rules for cybersecurity, the government often fails to take them, which has resulted in a more than 40 percent increase in the number of cyberattacks on government networks in the past two years. The recommendations also address some of the complaints about the government's current cybersecurity guidance. For example, the recommendations contain actions that agencies can perform immediately to boost the security on their networks, as well as approaches that will help them track compliance in the long term. That will help address the complaint that the government's current cybersecurity strategy is difficult to enforce. The recommendations have been posted on the Web site of the SANS Institute, and will remain there for the next 30 days so the public can comment on them. Additional recommendations could come in the future after federal agencies implement the current 20 guidelines and the group of experts re-evaluates security threats to federal networks.

"Guidelines Released for Secure Use of Digital Signatures, Hashing"
Government Computer News (02/23/09) ; Jackson, William

The National Institute of Standards and Technology (NIST) has updated its guidelines for the proper use of approved hash algorithms. Special Publication 800-107, titled "Recommendations for Applications Using Approved Hash Algorithms," lists steps for maintaining optimal security when using the algorithms approved in Federal Information Processing Standard 180-3. NIST also issued Special Publication 800-106, "Randomized Hashing for Digital Signatures," which explains how to protect digitally signed messages from third-party interference by randomizing the message before it is hashed. "A cryptographic hash function that is not suitable for one application might be suitable for other cryptographic applications that do not require the same security properties," NIST writes in SP 800-107. The publication explains how each approved algorithm has strengths when used for different purposes, such as collision resistance, preimage resistance, and second-preimage resistance.
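The following demonstration, added here and not taken from NIST or from the article, shows why randomizing a message before signing matters when a hash's collision resistance has weakened. It deliberately truncates SHA-256 to three bytes (an assumption made only so a collision can be found in a fraction of a second), uses an HMAC as a stand-in for a public-key signature so no key pair is needed, and mixes the signer's random value into the message with a simplified construction that is not SP 800-106's exact message-randomization algorithm. The attacker model is the textbook one: an attacker who prepares two colliding messages in advance, gets the harmless one signed, and then presents the other with the same signature.

```python
"""Randomized hashing for signatures: added demonstration, not NIST's code."""
import hashlib
import hmac
import secrets

# Bytes of SHA-256 kept. Deliberately tiny (assumption for the demo) so that a
# birthday-style collision appears after a few thousand hashes; a real
# deployment would use the full digest and this search would be infeasible.
TRUNC = 3


def weak_hash(data: bytes) -> bytes:
    """Truncated SHA-256, standing in for a hash whose collision resistance has eroded."""
    return hashlib.sha256(data).digest()[:TRUNC]


def find_collision(prefix: bytes = b"order-", limit: int = 2_000_000) -> tuple[bytes, bytes]:
    """Return two distinct messages with the same weak_hash (birthday search).

    With TRUNC=3 this needs roughly 2**12 hashes on average. The messages are
    constructed sample inputs ("order-0", "order-1", ...).
    """
    seen: dict[bytes, bytes] = {}
    for i in range(limit):
        msg = prefix + str(i).encode()
        h = weak_hash(msg)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    raise RuntimeError("no collision found within limit")


def randomized_hash(data: bytes, rv: bytes) -> bytes:
    """Mix the signer's fresh random value rv into the message before hashing.

    Simplified stand-in (assumption) for SP 800-106 message randomization; the
    point it shares with the standard is that the signer, not the message
    author, chooses rv, so a collision precomputed on the plain hash no longer
    holds for the value that is actually signed.
    """
    return weak_hash(rv + data + rv)


def sign(key: bytes, message: bytes, randomized: bool) -> dict:
    """Signer side: returns {'rv': ..., 'tag': ...}.

    HMAC over (rv || digest) stands in for the public-key signature over the
    digest (assumption, so the example runs without a key pair).
    """
    rv = secrets.token_bytes(16) if randomized else b""
    digest = randomized_hash(message, rv) if randomized else weak_hash(message)
    tag = hmac.new(key, rv + digest, hashlib.sha256).digest()
    return {"rv": rv, "tag": tag}


def verify(key: bytes, message: bytes, sig: dict) -> bool:
    """Verifier side: recompute the (randomized) digest and check the tag."""
    rv = sig["rv"]
    digest = randomized_hash(message, rv) if rv else weak_hash(message)
    expected = hmac.new(key, rv + digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig["tag"])


def substitution_succeeds(randomized: bool) -> bool:
    """Does a precomputed collision let an attacker swap messages under one signature?

    The attacker prepares colliding m1/m2, has m1 signed, then presents m2 with
    m1's signature. Returns True if m2 verifies (the swap works).
    """
    key = b"signer-demo-key"  # constructed sample key
    m1, m2 = find_collision()
    sig = sign(key, m1, randomized)
    if not verify(key, m1, sig):
        raise RuntimeError("genuine message must verify")
    return verify(key, m2, sig)


if __name__ == "__main__":
    m1, m2 = find_collision()
    print("collision on plain hash:", m1, m2, weak_hash(m1).hex())
    print("swap works without randomization:", substitution_succeeds(False))
    print("swap works with randomization:   ", substitution_succeeds(True))
```

The two `substitution_succeeds` calls are the whole lesson: with plain hashing the precomputed collision carries the signature over to the second message, while with the signer's random value mixed in the attacker would have to find a collision for an `rv` they do not know in advance. The defensive takeaway matches the NIST guidance: choose a hash whose properties fit the application, and for signatures over data supplied by untrusted parties, randomization limits the damage if collision resistance is later broken.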

Abstracts Copyright © 2009 Information, Inc. Bethesda, MD

