"Officials: Maternity Ward Security Scare Caused by System Glitch" The Daily Journal (NJ) (05/22/09) ; Smith, Joseph P. There was a security scare at Elmer Hospital in Elmer, N.J., on Monday when the security system recorded a deactivated badge being swiped at a secured door to the hospital's maternity ward. A subsequent investigation into the incident has found that the security scare may have been caused by a glitch in an authorized employee identification badge. According to Sgt. Steve Felice of the Elmer Police Department, a review of security recordings showed that only authorized personnel entered and left the maternity ward at the time of the incident. Felice also noted that the former employee whose badge was believed to have been used was somewhere else when the security scare occurred. In addition, several nurses in the maternity ward said they did not see any unauthorized people at the time of the incident. According to Paul Simon of South Jersey Health Care, the company that operates the hospital, all ID badges are recovered from employees when they leave their jobs. The badges are then deactivated, shredded, and thrown away, Simon said. (go to web site) "Global Firms Activate Anti-virus Plans for H1N1, Study Finds" National Underwriter (Property & Casualty - Risk & Benefits Management Edition) (05/19/09) ; McDonald, Caroline A survey released by The Conference Board on May 19 shows how global companies are responding to the swine flu outbreak. According to the survey, which was taken during the week of May 4, 55 percent of executives at global firms have plans in place to manage pandemic risk and have activated those plans in the wake of the swine flu outbreak. In addition, the survey found that 94.2 percent of global companies are communicating with their employees about the impact of the swine flu virus on health and work performance on a regular basis. Nearly all of the companies surveyed, 87 percent, said they were using tools such as Web sites and blogs to communicate with workers about the swine flu outbreak. Other steps being taken to deal with the swine flu outbreak include encouraging employees to stay home if they do not feel well, supplying antibacterial cleanser in public areas or washrooms, and restricting business travel. (go to web site) "Hotel Crime Rises in Recession, but Hotels Say They're Still Safe" USA Today (05/18/09) ; Stoller, Gary Hotel security observers say that with the country in a major recession, there's a greater likelihood of criminal activity occurring on hotel property. "We're absolutely seeing an increase in crime at hotels," says Philip Farina, CEO of Enterprising Securities, a San Antonio company that designs security programs for hotels. At the same time, some hotels are forced by tight budgets to reduce security staff. "The current (economic) downturn is associated with significant cuts in security," says Dave Wiggins, a member and former president of the California Tourism Safety & Security Association. At the same time, he says, hotel employees are working fewer hours and making less money, which "may be pushing some otherwise honest people toward dishonest behaviors." Hotel industry officials dispute the notion that hotels are any less safe now, noting that security was beefed up following the Sept. 11 terrorist attacks. Joe McInerney, president of the American Hotel and Lodging Association, says there is no evidence crime is on the rise. Police don't keep statistics on hotel crime, but hotel security experts such as Farina estimate that at least one crime may occur daily in a big-city hotel. A 2009 study that examined crimes reported by 64 Miami Beach hotels to the Miami Beach Police Department in 2002 and 2003 shows that theft is the chief problem. Nearly half the crimes against guests found in the study, conducted by criminology professors at Ball State University and a hospitality professor at Florida International University, were thefts, and 38 percent occurred in the hotel rooms. Car break-ins in hotel lots represented 13 percent of the crimes, and more crimes occurred in the afternoon than any other time during a day. Many hotels have security staff that periodically patrol hallways on guest-room floors, and many limit access to some floors with rooms for high-paying and frequent guests. At most hotels, however, non-guests have easy access to guest-room floors. (go to web site) "Heartland Data Breach: MasterCard Introduces 'Tamper-Resistant' Chip" BankInfoSecurity.com (05/18/09) ; McGlasson, Linda MasterCard has announced that it will use countermeasures in its smart credit cards to insulate them against differential power analysis (DPA) attacks through a partnership with Cryptography Research (CRI). DPA is a method in which hackers attempt to infer cryptographic keys by analyzing measurements of a chip's electrical power consumption. "On the technology side, DPA countermeasures are continually present on the payment device chip hardware," says CRI's Kit Rodgers. "They are always 'on' when the chip is in use. DPA countermeasures are hardware and software design techniques whose primary goal is to make it difficult for attackers to use DPA to analyze/break a chip." MasterCard says that starting now it will mandate that sellers of smart cards and other cryptographic products that use DPA countermeasures must be licensed from CRI in order to be used on MasterCard's payment networks. MasterCard's Erica Harvill says that some of its vendors already are using licensed products with the CRI countermeasures and that the rest of the sellers will switch to the CRI solution in time. "The new requirements and rigorous testing provide enhanced assurances to our smart cards and devices," says MasterCard's Christian Delporte. (go to web site) "To Catch a Thief" Risk Management (05/09) P. 40 ; Bellinger, G. Michael When dealing with a potential embezzlement case, it is not always wise for companies to immediately call the police and fire the employee who is believed to have participated in the theft, since doing so can often result in internal scrutiny and negative publicity, which in turn can hurt employee morale and the company's reputation. Instead of immediately calling law enforcement and firing the employee suspected of the embezzlement, companies that believe that one or more of their employees may have stolen money from them should immediately launch an investigation into the suspected theft. The investigation should be conducted by outside counsel rather than the company's general counsel or others. During the investigation process, outside counsel should interview the suspect and try to get them to admit to the theft--something that can be easily done when proper, legal interrogation methods are used. After investigators obtain an admission of guilt from the suspect, they should then try to determine how much money was stolen, how much remains of what was embezzled, and the total value of the assets the employee owns free and clear. Work should then begin on restoring what the company lost. This can involve negotiating with the employee for the return of the stolen assets, as well as negotiations with the suspect's family members, who may be willing to help make the company whole again. These family members may be willing to help if the company promises not to go public with the theft. Companies may still need to notify police about the theft, particularly in the event their investigation does not result in the closure of the case. Notifying law enforcement is necessary if companies want to make a claim with their insurance company. (go to web site) "Terror Plot Suspects Have Lengthy Criminal Records" Associated Press (05/22/09) ; Hill, Michael; Fitzgerald, Jim More information about the four men accused of plotting to bomb a synagogue in the Bronx and shoot down military planes in upstate New York came to light after they appeared in a courthouse in White Plains, N.Y., on Thursday. One of the men, James Cromitie, was angry about the U.S. war in Afghanistan, where his parents lived before he was born. According to the criminal complaint, Cromitie told an FBI informant that he met at a mosque that he was interested in jihad and in "doing something to America," namely destroying a synagogue and shooting Jews as they walked down the street. Cromitie also told the informant that he wanted to join the Pakistani terrorist group Jaish-e-Mohammed. One of the other suspects, Onta Williams, converted to Islam while in prison and wanted revenge against the U.S. for killing Muslims. The two other men, David Williams--who is not related to Onta Williams--and Laguerre Payen--have criminal records that include assault and drug offenses. All four men face life in prison if they are convicted for their involvement in the terrorist plot. (go to web site) "In Dueling Speeches, a National Security Debate" Washington Post (05/22/09) ; Wilson, Scott; Fletcher, Michael A. President Obama and former Vice President Dick Cheney offered divergent assessments of the nation's post- 9/11 security record and the use of controversial interrogation tactics on terrorists in separate speeches on Thursday. The addresses were notable because they marked the first time the leaders of a current administration and the preceding administration crossed paths so soon after the end of a presidential term and in such a public fashion. At stake is the court of public opinion on the direction of the national security policy for the war on terror. In his speech at the National Archives, President Obama argued that the most constructive way to fight terrorists is an even-handed application of the rule of law and respect of civil liberties, saying that during the Bush administration, "too often we set those principles aside as luxuries we could no longer afford." In contrast, Cheney defended the Bush administration's rationale for launching military offensives in Afghanistan and Iraq, its adoption of detention policies and use of controversial interrogation tactics against enemy combatants. In remarks at the American Enterprise Institute, Cheney said "the great dividing line in our current debate over national security" is whether that "comprehensive strategy has worked and therefore needs to be continued as vigilantly as ever." (go to web site) "Study Detects Flu Immunity in Older People" Washington Post (05/22/09) ; Brown, David Scientists at the Centers for Disease Control and Prevention have found that a large number of Americans over the age of 60 may have some immunity to the swine flu virus. According to a study by the scientists, which was published Thursday in the CDC's Morbidity and Mortality Weekly Report, 33 percent of the blood samples from people over the age of 60 that were examined had antibodies against the swine flu virus. By comparison, the blood samples from children between the ages of six months and 9 years had virtually no antibodies against the swine flu, while 6 percent of people ages 18 to 40 had the antibodies in their blood. Nine percent of the blood samples from people aged 18 to 64 had the antibodies. Blood samples taken after people in the two oldest age groups received seasonal flu vaccines contained more swine flu antibodies. After receiving the seasonal flu vaccine, 43 percent of those over 60 had swine flu antibodies in their blood, while 25 percent of those between 18 and 64 had the antibodies. The findings suggest that older people may have been exposed to a virus similar to the swine flu virus that is now circulating around the world, and that seasonal flu shuts may boost their bodies' immune response to the virus. Further research will need to be done to better define who has partial immunity to the swine flu virus. If older people are found to have partial immunity against the swine flu virus, they will likely be given only one dose of a swine flu vaccine instead of two like everyone else. (go to web site) "WHO Hesitates to Declare Pandemic" Agence France Presse (05/21/09) Although there have been 10,000 cases of swine flu and 80 deaths from the disease since the outbreak began last month, the World Health Organization is hesitant to declare a pandemic. According to Antoine Flahaut, an epidemiologist and head of the School of Public Health, the WHO could declare a pandemic because the technical elements for such a declaration are in place. A declaration of a swine flu pandemic would indicate that there is sustained community transmission of the disease in a region outside of the Americas--something that is already occurring. In Japan, 281 swine flu cases have been reported. However, the recommendations that come with a declaration of a pandemic, including air travel restrictions and advice to wear surgical masks, are not necessary at this stage because the virus has so far been mild, Flahaut said. Experts say that the swine flu is no worse than the seasonal flu for now. In addition, experts point out that those who have died from the swine flu often had other health problems--a pattern that is also seen in outbreaks of the seasonal flu. (go to web site) "Obama Seeks Reforms to Military Commission System" Wall Street Journal (05/18/09) ; Bravin, Jess President Barack Obama will keep the military tribunal system for trying some terrorism suspects held at the U.S. prison camp in Guantanamo Bay, Cuba, with expanded legal protections for defendants. The new rule likely means that evidence obtained through waterboarding or other harsh methods won't be admissible. "These reforms will begin to restore the commissions as a legitimate forum for prosecution, while bringing them in line with the rule of law," according to the president, who says the administration will work with Congress on additional changes to deal with alleged terrorism suspects. The other changes limit the government's leeway in using hearsay evidence, shifting the burden away from defendants to disprove the reliability of such evidence. The government is also granting detainees more autonomy to choose their lawyers and to refuse to testify, while giving military commission judges greater control over their own courts. The Defense Department has reportedly selected John Murphy, a naval reservist who has been working on commissions cases and helped prosecute Salim Hamdan, Osama bin Laden's former driver, as the new chief prosecutor to oversee the commission trials when they resume. Justice Department prosecutors are examining which detainees to try by commission, prosecute in civilian court, or transfer to other countries. Officials have said that in at least 50 cases, the prisoners are viewed as too dangerous to set free but the government lacks sufficient evidence to prosecute. (go to web site) "Microsoft IIS Hole Fells University Server" The Register (UK) (05/20/09) ; Goodin, Dan Hackers took advantage of a conspicuous hole in Microsoft's Internet Information Services (IIS) Webserver, say system administrators at Muncie, Indiana's Ball State University, who discovered a breach of the servers incorporating the program on May 18. As of early May 20, the students' iWeb accounts were still frozen and university officials said it may be as late as May 22 before service is restored. Hours after the breach was announced, Microsoft publicly refuted the claim that the attack took advantage of vulnerabilities in its IIS server. "Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time," said a company statement about the IIS security hole mentioned in Security Advisory 971492. On May 18 Microsoft confirmed the presence of an "elevation of privilege vulnerability" in IIS versions 5 and 6, but denied knowledge of any in-the-wild exploits despite a recent warning about the vulnerability by the U.S. Computer Emergency Response Team. (go to web site) "Facing Criticism, Adobe Rethinks PDF Security" Computerworld (05/20/09) ; Keizer, Gregg Adobe has announced that it is planning to take a number of steps to improve the security of its Adobe Reader and Acrobat PDF viewing software. For instance, Adobe will begin applying its Secure Product Lifecycle methodology--which involves a number of steps programmers take to reduce the chances that their software will include bugs--to older, at-risk sections of Reader and Acrobat. Although the move is not a full-blown code review, it does mean that Adobe will look for possible vulnerabilities and perform threat-modeling and static-code analysis on select areas of the two applications. In addition, Adobe will more quickly release patches for Reader and Acrobat and will communicate with its users on a more frequent basis. Adobe's patches will be released on a quarterly basis on the second Tuesday of the month. Adobe says it expects to begin using the quarterly schedule for the release of the patches sometime this summer. The security improvements are part of an attempt by Adobe to respond to criticism that it took too long to patch a critical vulnerability in Reader and Acrobat that had already been exploited back in February. But some critics say that it remains to be seen whether the changes will improve security in Reader and Acrobat. NCircle Network Security's Andrew Storms says the new security strategy will be successful if there are fewer bugs and fewer zero-day vulnerabilities in Adobe's software in about six months. (go to web site) "Momentum Growing to Strengthen Information Security Requirements" NextGov.com (05/19/09) ; Aitoro, Jill R. Speaking before the House Government Management, Organization, and Procurement Subcommittee on May 19, several officials from the White House and a number of different federal agencies told lawmakers that the Obama administration is planning to develop new performance metrics that will continually identify cybersecurity risks. Among the officials who testified at the hearing was Vivek Kundra, the federal chief information officer at the Office of Management and Budget (OMB). According to Kundra, such metrics are necessary because the Federal Information Security Management Act (FISMA) does not protect the federal government's systems from cyberattacks. He noted that while the current reporting metrics might have made sense when FISMA was enacted in 2002, they no longer make sense because they are trailing indicators, not leading indicators. Kundra called for the development of metrics that can give officials a glimpse into agencies' security postures and possible vulnerabilities on an ongoing basis. OMB has already partnered with the federal Chief Information Officers Council and agencies' chief information security officers and inspector generals, as well as the National Institutes of Standards and Technology, to develop metrics that are capable of predicting cybersecurity weak spots and reflecting their information security status. Another official who testified at the hearing was acting Transportation Department CIO Jacquelyn Patillo, who called on the private sector to lend a hand in efforts to improve information security requirements or develop new ones. She also urged information security requirements to be linked with capital planning at agencies to ensure that sufficient funding is in place for security putting practices. (go to web site) "Chink in Encryption Armor Discovered" ZDNet UK (05/19/09) ; Espiner, Tom Researchers from the Information Security Group (ISG) at Royal Holloway, University of London have discovered an underlying flaw in the OpenSSH encryption protocol. The flaw, which is present in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext. An attack has a one-in-262,144 chance of success. ISG lead professor Kenny Paterson says the flaw is more threatening than previous vulnerabilities in OpenSSH. "This is a design flaw in OpenSSH," Paterson says. "The other vulnerabilities have been more about coding errors." He says a man-in-the-middle attacker could sit on a network and catch blocks of encrypted text as they are sent from client to server. By re-transmitting the blocks to the server, the attack can determine the first four bytes of corresponding plaintext by counting how many bytes the attacker sends until the server generates an error message and breaks the connection, and then work backwards to deduce the OpenSSH encryption field before encryption. The attack uses flaws in the Request for Comments Internet standards that define SSH. The vulnerability was first made public in November 2008 by the UK Centre for Protection of National Infrastructure (CPNI), though the full details of the flaw were not released at that time. The CPNI advisory says the OpenSSH flaw can be mitigated by IT professionals using AES in counter mode to encrypt, instead of cipher-block chaining mode. Paterson says his team has worked with OpenSSH developers to mitigate the flaw, and OpenSSH version 5.2 features countermeasures. (go to web site) "Are Your 'Secret Questions' Too Easily Answered?" Technology Review (05/18/09) ; Lemos, Robert The "secret questions" that protect online accounts and passwords may be far less secure than commonly believed, largely because their answers are often far too simple, researchers say. Carnegie Mellon University and Microsoft researchers will present research at the IEEE Symposium on Security and Privacy, which highlights the vulnerabilities of the secret question systems used to secure the password-reset functions to numerous Web sites. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions, and even people not trusted by the participant had a 17 percent chance of guessing the correct answer. "Secret questions alone are not as secure as we would like our backup authentication to be," says Microsoft researcher Stuart Schechter. "Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords." The least-secure questions are simple ones that can be guessed with no existing knowledge of the subject. Schechter says backup-authentication schemes should be reliable and allow only legitimate users to regain access to their accounts. They also should be secure, preventing unauthorized users from gaining access. The study found that secret questions fail on both accounts. "We would eventually like to see these questions go away," Schechter says. "Unfortunately, since we didn't find many questions that were conclusively good, it's hard to recommend simply changing questions." (go to web site) Abstracts Copyright © 2009 Information, Inc. Bethesda, MD |
No comments:
Post a Comment