Friday, October 30, 2009

Security Management Weekly - October 30, 2009

October 30, 2009
 
 
Corporate Security

  1. "Guard Hailed As a Hero" Security Guard at Boston Hospital Credited With Saving Life of Doctor Stabbed by Patient
  2. "Settlement Reached in Case of Muslim Clerics and Flight 300"
  3. "Ex-AMD CEO Ruiz Said to Be Tied to Galleon Insider-Trading Case"
  4. "Building Security: 7 Basic Blunders" Security Managers Typically Make Seven Mistakes That Impair Physical Security of Their Buildings
  5. "Employee Surveillance Protocol" Designing Policies and Providing Employee Training on Surveillance Practices Can Help Companies Earn Workers' Trust

Homeland Security

  1. "Michigan to Close Prison Considered for Guantanamo Detainees"
  2. "FBI Defends Decision To Shoot Mosque Leader" Detroit
  3. "Obama Endorses Military Commissions for Guantanamo Detainees"
  4. "Two Charged in Plot on Danish Paper" Chicago
  5. "FBI Lagging on Translation Efforts: Report" Justice Department Inspector General Finds FBI Having Difficulties in Keeping Up With Terrorism Cases

Cyber Security

  1. "Cyber Attack Puts Ethics Documents in Hands of Reporter"
  2. "Federal, Industry Reps Call for National Standards to Report Data Breaches"
  3. "Passwords 101: How to Protect Your Company's Data"
  4. "Firefox Hit by Multiple Drive-by Download Flaws"
  5. "States Mismanage Student Information, Study Concludes" Fordham University Center on Law and Information Policy Also Finds States Collect More Student Data Than They Need

Guard Hailed As a Hero
Boston Globe (10/29/09) Ebbert, Stephanie; Schworm, Peter

Security guard Paul Langone has thus far been cleared of any wrongdoing after he shot and killed a patient who was stabbing a psychiatrist at the Massachusetts General Hospital clinic. Thus far the official investigation of the incident indicates that Langone entered a clinic room after hearing screams. At that point he found therapist Astrid Desrosiers being stabbed by a patient. Langone ordered the patient to drop his weapon, but was ignored, and Langone was forced to open fire. Thanks to Langone's actions, which are being described as heroic by investigators, Desrosiers is reportedly now on her way to recovery. Although Langone has been asked by authorities not to speak to the press at this stage in the investigation, his father described him as a well-trained special officer, a designation given to security guards who work at private companies but who are licensed by Boston police. Langone did not work at the clinic, and his father did not say why he was there. However, the clinic is housed in a building with a number of other hospital, dental, and medical research offices.


Settlement Reached in Case of Muslim Clerics and Flight 300
Wall Street Journal Law Blog (10/28/09)

A lawsuit filed by six Muslim clerics against U.S. Airways, the Metropolitan Airports Commission, which runs the Minneapolis-St. Paul International Airport, and several other individuals has been settled. The lawsuit was filed after an incident on a U.S. Airways plane in 2006, in which a passenger told a flight attendant that the six clerics were praying loudly and cursing U.S. policies in Iraq before they boarded the aircraft. The men then asked for seat belt extenders, which could be used as weapons. After consulting with the FBI, the pilot and airport police removed the men from the flight. After undergoing questioning by airport police, the men were determined to not be a threat and were allowed to take a different flight home. The clerics subsequently sued on the grounds that their Fourth Amendment rights, which offer protections from unlawful search and seizure, had been violated. Minnesota federal Judge Ann Montgomery granted a summary judgment for U.S. Airways in July, though she left in place causes of action against several other defendants. In her ruling, Judge Montgomery wrote that law enforcement officers have the "responsibility to operate within the bounds of the Constitution," and cannot use the threat of a September 11-style attack to go beyond those bounds. She added that "no reasonable officer could have believed that they could arrest Plaintiffs without probable cause" and that the plaintiff's rights that were violated were "clearly established." Despite the ruling and the settlement, Minneapolis-St. Paul International Airport says it has no plans to change its policies.


Ex-AMD CEO Ruiz Said to Be Tied to Galleon Insider-Trading Case
Bloomberg (10/28/09) King, Ian

A person familiar with the investigation into an alleged insider-trading ring tied to Galleon co-founder Raj Rajaratnam has said that former Advanced Micro Devices (AMD) Chief Executive Hector Ruiz is involved in the case. According to the individual, Ruiz is the unnamed "AMD executive" who prosecutors say told Danielle Chiesi, a former consultant at New Castle Funds who is a defendant in the insider trading case, about the timing of the spin-off of his company's manufacturing operations into a joint venture with the government of Abu Dhabi. In transcripts of recorded conversations between Ruiz and Chiesi, who has been arrested on charges of using material nonpublic information to trade stocks, the former AMD CEO told Chiesi that the agreement to spin off AMD's manufacturing arm as part of an $8.4 billion investment from Abu Dhabi's government would come before AMD announced earnings on October 16, 2008. Chiesi then allegedly directed New Castle Funds, a former Bear Stearns hedge fund, to purchase shares of AMD before the spin-off announcement was made. On the day the agreement was announced, Oct. 7, AMD's shares rose 8.5 percent. However, New Castle Funds did not profit from the timing of the announcement because last year's financial crisis helped drag AMD's stock price back down. Despite being named in the complaint against Chiesi, Ruiz has not been charged with any wrongdoing. Chiesi, for her part, has said that she will plead not guilty to the charges against her.


Building Security: 7 Basic Blunders
CSO Online (10/01/09) Vol. 8, No. 8, P. 22; Goodchild, Joan

There are seven mistakes security managers commonly make that compromise the physical security of their buildings. First is assembling a guard services contract without inside knowledge of how the company is managed. Second is prioritizing appearance and aesthetics over effectiveness. Tim Giles, a security consultant and former head of IBM's security operations in the U.S. and Canada, says technologies such as hidden cameras and ground-level lighting are often pretty to look at, but do little for perimeter security. A third misstep is failing to secure all of a building's entrances. "Every door is another opportunity to get in," Giles reminds. Fourth is allowing upper-level managers and executives to be lax on the rules, such as checking that other employees are wearing ID badges. Fifth is neglecting to properly learn new security technologies. "Companies will have a contractor come in and install the cameras, and then there is no follow up to learn how to really use it," Giles says. A sixth error is failing to lock and secure critical rooms within a building. Overdoing security is the seventh frequent misstep committed by security managers. "I'm opposed to going into a facility and having them do as much security as they can do," he said. "If you overdo it to where it doesn't make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business."


Employee Surveillance Protocol
Provider (10/09) Vol. 35, No. 10, P. 71; Alaniz, Richard D.

Organizations that do not pay attention to what goes on in the workforce could be vulnerable to the misuse of resources by employees. According to the American Management Association and The ePolicy Institute's "2007 Electronic Monitoring & Surveillance Survey," two-thirds of all respondents monitor Internet activity, and almost as many (65 percent) use filtering software to block pornographic and social networking sites. Close to 45 percent monitor workers' email, while four in 10 employers hire individuals to manually read it. Litigation and exposure risks are pushing more employers to keep an eye on workers. Aside from mitigating legal and security risks, the implementation of tracking devices in vehicles and mobile devices results in tangible savings for employers. The issue of GPS and other kinds of monitoring is still new in many jurisdictions, though a number of federal courts have ruled that employer surveillance of unionized workers is a relevant bargaining chip. By creating reasonable and legal policies and training workers on them, employers can earn worker trust while experiencing the savings and increased efficiency spurred by monitoring systems.




Michigan to Close Prison Considered for Guantanamo Detainees
Wall Street Journal (10/30/09) P. A10; Kellogg, Alex P.

The Standish maximum security prison in Standish, Mich., one of the facilities that is being considered as a possible place to detain terrorism suspects from Guantanamo Bay, is set to close on Saturday. However, several local and county officials are still pushing for the Guantanamo detainees to be sent to the facility. A decision about where to send the detainees is not expected to be made for several more weeks, an official with the Obama administration said in an e-mail on Thursday. Although some local and county officials are in favor of moving Guantanamo detainees to Standish, others are more skeptical. Among them is Michigan Gov. Jennifer Granholm (D), who has said that the Obama administration needs to assure her that moving the suspects to Standish would not pose a risk to the state. Rep. Peter Hoekstra (R-Mich.), meanwhile, continues to oppose the idea of bringing Guantanamo detainees to the state. Hoekstra, who is a candidate in next year's Michigan gubernatorial election, says bringing the detainees to Standish will make the state a target for terrorists.


FBI Defends Decision To Shoot Mosque Leader
Detroit Free Press (MI) (10/30/09) Schmitt, Ben; Erb, Robin; Battaglia, Tammy Stables; et al.

Seven suspects appeared in U.S. District Court in Detroit for detention hearings on Oct. 29. They face charges related to a criminal conspiracy that reportedly involves both firearms and stolen goods offenses; but, they were not charged with any form of terrorism. Despite not being part of a jihadist organization, prosecutors cautioned that there could still be retaliation for the FBI's killing of the group's leader, Laqman Ameen Abdullah. The FBI has defended its decision to fire on Abdullah, who was imam of the Masjid Al-Haqq mosque in Detroit. According to officials, Abdullah was armed and fired first during a raid of a warehouse in Dearborn, Illinois. In addition to those arrested, between two and three members of the group are still at large. No agents were injured in the raid, but one of the FBI service dogs was killed in the gun fire.


Obama Endorses Military Commissions for Guantanamo Detainees
Christian Science Monitor (10/28/09) Richey, Warren

President Obama on Wednesday signed the Military Commissions Act of 2009, a piece of legislation that retains the military tribunal system of trying terrorist suspects, albeit with some changes. Under the legislation, the basic structure of the existing military commissions will remain the same, though terrorist suspects are given rights that they did not have under the Bush administration's version of the system. For example, statements obtained through torture or through cruel, inhuman, or degrading treatment are deemed inadmissible evidence under the new law. However, the legislation does allow the secretary of defense to adopt policies that allow coerced statements and hearsay evidence to be admitted in military commission trials. In addition, the legislation signed by President Obama gives terrorist suspects the right to attend their entire trial, so long as they are not being disruptive, and to examine all the evidence against them. The law specifically says that defendants are allowed to examine any exculpatory evidence or any evidence that may call into question the credibility of a government witness. The law also calls on Pentagon officials to take steps to ensure that terrorist suspects receive good legal assistance. Supporters of the law say it balances the needs for fairness and due process with the need for flexibility when prosecuting terrorist suspects. Critics, however, say that it establishes a system that does not provide terrorist suspects with the rights they are entitled to under the U.S. Constitution and the Geneva Conventions.


Two Charged in Plot on Danish Paper
Wall Street Journal (10/28/09) Perez, Evan

U.S. prosecutors have arrested David Coleman Headley, a U.S. citizen, and Tahawwur Hussain Rana, a Pakistani native with Canadian citizenship, for conspiring with a Pakistani militant to attack the Danish newspaper that printed cartoons of the Prophet Muhammad in 2005. According to officials, the plot involved an attack on the Copenhagen offices of the Jyllands-Posten newspaper and the killing of an editor and a cartoonist. Both men are charged with providing material support to terrorism and face up to 15 years in prison if convicted. Headley is also charged with conspiracy to murder and maim in a foreign country. Criminal complaints against Headley say that he traveled to Copenhagen under the guise of a businessman looking to advertise in the newspaper. While there, he reportedly took video footage of the Jyllands-Posten offices and other locations. He also reportedly traveled to Pakistan to communicate with associates of Ilyas Kashmiri, the militant who organized the plot.


FBI Lagging on Translation Efforts: Report
Reuters (10/26/09) Pelofsky, Jeremy

A report issued by Justice Department Inspector General Glenn Fine on Monday found that the FBI is having difficulty keeping up with its growing workload of terrorism cases because of the problems it is having in hiring and retaining linguists. According to the report, the FBI lost 3 percent of the 1,338 linguists it had at its peak in March 2005. Meanwhile, the length of time it takes to hire a contract linguist at the FBI has grown from an average of 16 months to an average of 19 months, the report found. In addition, the report noted that the FBI did not meet its goals in hiring linguists for 12 languages last year. The report did not identify the languages for which the FBI was unable to meet its hiring goals, since that information is classified. The report also noted that the problems in recruiting and retaining linguists have made it difficult for the FBI to review foreign language electronic files, wiretaps, and other surveillance collected in terrorism and criminal cases. Between FY-2006 and FY-2008, 31 percent of the roughly 46 million electronic files the FBI collected in those cases were not examined, the report said. Between FY-2003 and FY-2008, roughly 25 percent of the 4.8 million hours of audio surveillance that had been collected was not reviewed. Some of the audio surveillance and electronic files that were not reviewed were found to be part of the top tier of counterterrorism and counterintelligence cases in FY-2008. The FBI has disputed some of the findings in the report, saying that some of the material consisted of duplicates and that it would be wasteful to translate and review all of its electronic files.




Cyber Attack Puts Ethics Documents in Hands of Reporter
The Hill (10/29/09) Crabtree, Susan

Rep. Zoe Lofgren (D-Calif.), the chairwoman of the House ethics committee, and Rep. Jo Bonner (R-Ala.), the committee's ranking member, have revealed that a cyber attack allowed a reporter from the Washington Post to obtain one of the panel's confidential documents. According to Lofgren and Bonner, the stolen document was likely the House ethics committee's weekly report, which lists all the calls the panel has received from member offices during a particular week. Bonner said the attack on the committee's computer systems was an isolated, one-time incident. Both he and Lofgren said that the computer system is secure despite the recent attack.


Federal, Industry Reps Call for National Standards to Report Data Breaches
NextGov.com (10/28/09) Aitoro, Jill R.

Security professionals at a panel discussion on Oct. 28 urged the U.S. Department of Homeland Security to create a national standard to encourage companies and individuals to disclose data breaches to federal authorities so that they can assess the intensity of cyberattacks and investigate cybercrime. "Creating a national standard with international coordination is key [to] holding companies accountable for protecting data," said Symantec CIO David Thompson. He said a national breach notification system is essential, since companies and individuals are the chief targets for cybercriminals driven to steal bank credentials and credit card information. Thompson and the FBI's Jeffrey Troy said a national breach notification standard would outline a more accurate overview for security vendors and federal agents monitoring the kinds of threats that wrongdoers are perpetrating. Troy also said such a standard would aid in cybercrime investigations, but the reports would not be used to probe individual companies. "We don't want companies just protecting themselves, [because] whatever malware [they] get infected with are going to be used against the company next door and the company across the world," Troy said. "Our strategy requires the largest amount of information on attacks."


Passwords 101: How to Protect Your Company's Data
Wall Street Journal (10/28/09) Richmond, Riva

Strong password protection is essential to ensure the security of company data. Small companies often do not employ the same level of protection as large companies, making them even more vulnerable to a breach. Experts say that small companies should take the time to teach employees better password strategies. Workers should choose passwords that are difficult to guess, with at least seven characters, including numbers, capital letters, and symbols. They should also have different passwords for different company and Web applications, and should change these passwords at least every 90 days. These passwords should not be written down or recorded in any way, and should not be shared with anyone. System administrators should also be sure that they can control which employees have access to data, and that they cut off access for former employees. There are a number of technologies that can help companies achieve these objectives, but the first step any company needs to take is to look at its own specific security needs. As Todd Chambers, an executive at access-management company Courion Corp., says, "There is a risk-management process that every business should go through." Such an assessment should take into account the sensitivity of the data the company stores and how much damage would be done to the company and its customers if that data were breached. If the company does not store sensitive data, employing the services of competent IT personnel may be sufficient to protect information. However, companies that do have sensitive data should consider hiring security experts to set up and maintain an adequate cybersecurity system.
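The advice above amounts to a checklist an administrator can audit against: composition rules for each password, rotation at least every 90 days, no reuse of one password across applications, and no lingering access for former employees. The following Python example, added here and not part of the article or of any product it mentions, encodes exactly those rules as checks over a small credential inventory. The record format, the `fingerprint` field (a keyed digest computed at enrollment so reuse can be detected without storing the password itself), the function names, and the sample data are all constructed for this example.

```python
"""Audit checks modelled on the 2009 "Passwords 101" advice (constructed example)."""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 7          # article: at least seven characters
MAX_AGE_DAYS = 90       # article: change passwords at least every 90 days
SYMBOLS = set(string.punctuation)


def password_rule_failures(password: str) -> list[str]:
    """Return the composition rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    if not any(c.isupper() for c in password):
        failures.append("no_uppercase")
    if not any(c in SYMBOLS for c in password):
        failures.append("no_symbol")
    return failures


@dataclass
class Credential:
    """One inventory entry (constructed). No plaintext password is kept: `fingerprint`
    is assumed to be a keyed digest computed at enrollment, used only to spot reuse."""
    user: str
    application: str
    fingerprint: str
    last_changed: date


def audit_credentials(records: list[Credential], active_users: set[str],
                      today: date) -> list[tuple[str, str, str]]:
    """Flag stale passwords, reuse across applications, and access held by departed staff.

    Returns (user, application(s), issue) tuples in the order they are found.
    """
    findings: list[tuple[str, str, str]] = []
    by_user: dict[str, dict[str, list[str]]] = {}
    for r in records:
        # Article: administrators must cut off access for former employees.
        if r.user not in active_users:
            findings.append((r.user, r.application, "former_employee_still_has_access"))
        # Article: rotate at least every 90 days.
        age = (today - r.last_changed).days
        if age > MAX_AGE_DAYS:
            findings.append((r.user, r.application, f"stale_{age}_days"))
        # Group by fingerprint so reuse of one password across apps shows up.
        by_user.setdefault(r.user, {}).setdefault(r.fingerprint, []).append(r.application)
    for user, fingerprints in by_user.items():
        for apps in fingerprints.values():
            if len(apps) > 1:
                findings.append((user, ",".join(sorted(apps)), "reused_across_applications"))
    return findings


def sample_audit() -> list[tuple[str, str, str]]:
    """Run the audit over a constructed inventory as of the newsletter date."""
    today = date(2009, 10, 30)
    records = [
        Credential("alice", "crm", "fp-a1", date(2009, 9, 1)),       # 59 days old, fine
        Credential("alice", "webmail", "fp-a1", date(2009, 6, 15)),  # same password, 137 days old
        Credential("bob", "crm", "fp-b7", date(2009, 10, 1)),        # 29 days old, fine
        Credential("carol", "vpn", "fp-c3", date(2009, 10, 20)),     # carol has left the company
    ]
    return audit_credentials(records, active_users={"alice", "bob"}, today=today)


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_rule_failures(candidate) or "ok")
    for finding in sample_audit():
        print(finding)
```

The composition check runs at password-change time; the inventory audit is the kind of scheduled job an administrator runs against the access-management system the article refers to, with the departed-staff list coming from HR rather than from the system being audited.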


Firefox Hit by Multiple Drive-by Download Flaws
ZDNet (10/28/09) Naraine, Ryan

At least 11 critical vulnerabilities have been discovered in Mozilla's Firefox Web browser. These vulnerabilities expose users to a variety of drive-by download attacks, which require no user interaction beyond visiting a page. For example, one vulnerability allows the memory of the victim's machine to be corrupted, which in turn can allow a hacker to run arbitrary code. In addition, a heap-based buffer overflow in Mozilla's string-to-floating-point conversion routines can be triggered by malicious JavaScript that passes a very long string to be converted to a floating point number. This could result in the improper allocation of memory and execution from an arbitrary memory location, which could in turn allow hackers to run arbitrary code on the victim's machine. Another vulnerability exists in an XPCOM utility that unwraps doubly-wrapped objects before returning them to chrome callers. This vulnerability could result in chrome-privileged code calling methods on an object that was created or modified by Web content, which in turn could allow an attacker to execute malicious JavaScript code with chrome privileges. Mozilla says it is patching these vulnerabilities; the fixes are already included in Firefox version 3.5.4.


States Mismanage Student Information, Study Concludes
Washington Post (10/28/09) P. A6; Anderson, Nick

A new study from the Fordham University Center on Law and Information Policy has found that U.S. states collect more information about students than they need. According to the study, at least 16 states use or allow the use of Social Security numbers to identify students. In addition, at least 23 states note the reason why students withdraw from school in their files, such as mental health issues or other types of illnesses. States began collecting this information in the 1990s as part of the standards-and-testing movement, and data collection is continuing to grow with the encouragement of the Obama administration. Federal officials are hoping to link the information to test scores in order to evaluate instruction, and to eventually track students from pre-kindergarten through college in order to raise college completion rates. However, some are concerned that the sensitive information that states are including in students' files could be vulnerable to theft by hackers when students leave school. States say they are taking steps to protect the information they collect. Nearly all the states are building or planning to build virtual education data warehouses that include strong privacy protections. In addition, states such as Virginia have implemented policies and programs to prevent the unauthorized access of the data they collect, says Charles Pyle with the Virginia Department of Education.


Abstracts Copyright © 2009 Information, Inc. Bethesda, MD

1 comment:

Anonymous said...

Can anyone recommend a well-priced Managed Service tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central software monitoring? What is your best take on cost vs performance among those three? I need some good advice, please... Thanks in advance!