Friday, November 06, 2009

Security Management Weekly - November 6, 2009

Corporate Security

  1. "The DHS Private Sector Preparedness (PS-Prep) Program and Standards" ASIS Commissioner Says DHS PS-Prep Program Promotes Voluntary Private-Sector Preparedness
  2. "Inside-Trade Probe Snares 'Octopussy'" Investigation Into Alleged Galleon Insider-Trading Ring Widens
  3. "Hub Police, Hospital Security Chiefs Meet" Hospital Security Officials in Boston Meet With City Police to Discuss Ways to Improve Security
  4. "Oxycontin Thefts Keeping Authorities Busy"
  5. "Medical Pot Creates Workplace Dilemma"
Homeland Security

  1. "Rampage Kills 12, Wounds 31" Fort Hood, Texas
  2. "Terrorism Amendment Dies in the Senate" Measure Would Have Prevented Terrorism Suspects From Being Tried in Civilian Courts
  3. "Italian Court Convicts 23 Americans of Kidnapping Muslim Cleric"
  4. "Homeland Security Backs Cell Phone Sensors to “Crowdsource” Detection of Deadly Chemicals"
  5. "Smaller-Scale Terrorism Plots Pose New and Worrisome Threats, Officials Say"
Cyber Security

  1. "Federal Data Protection Law Inches Forward"
  2. "FBI Warns of $100M Cyber-Threat to Small Business"
  3. "Animated Ink-Blot Images Keep Unwanted Bots at Bay"
  4. "Is AES Encryption Crackable?"
  5. "Pressure Grows to Name National Cybersecurity Coordinator"



The DHS Private Sector Preparedness (PS-Prep) Program and Standards
Continuity Central (11/03/09) Siegel, Marc H.

ASIS Commissioner Dr. Marc H. Siegel describes the intent of the DHS PS-Prep Program as promoting "voluntary private sector preparedness." Three standards have been identified for adoption under the PS-Prep Program, each representing a distinct approach to improving preparedness. However, ASIS supports a system in which businesses are not forced to choose among these three standards but are permitted to develop voluntary standards that work best for their organization. Siegel argues that the adoption or choice of any preparedness standard should not be about pursuing certification, but should be based on what makes the most sense in the context of an organization's business mission. In fact, Siegel maintains, third-party certification can be a barrier to small- and medium-sized businesses working to improve preparedness. To help businesses create a holistic approach to disruptive events, the ASIS Organizational Resilience (OR) Standard was developed. Now, ASIS and the British Standards Institution (BSI) have launched a joint standard development initiative. This new standard will not replace the OR Standard, as they are two different standards. Additionally, neither the OR Standard nor the new American National Business Continuity Management Standard is based on or contains content from the 2005 ASIS Business Continuity Guidelines, with the exception of several definitions.


Inside-Trade Probe Snares 'Octopussy'
Wall Street Journal (11/06/09) Guth, Robert A.; Efrati, Amir

Federal prosecutors have widened their crackdown on insider trading on Wall Street, in Silicon Valley, and other U.S. business hubs. A 24-page criminal complaint filed in New York federal court names 14 individuals who were allegedly part of an insider trading group that generated $20 million in illegal profits. According to the complaint, the group included several hedge-fund traders, two lawyers, a former junior analyst at a credit-rating firm, and a technology-company executive. Five of those charged in the complaint have already pleaded guilty and have agreed to aid prosecutors in their investigation. Some of the elements of the group's operations were straight out of a James Bond movie, including packages of money, throwaway cell phones, and a central figure identified as "Octopussy," also known as Zvi Goffer, a former trader at the Galleon Group and the Schottenfeld Group. The government alleges that Goffer and his affiliates used nonpublic information to trade stocks of a number of companies, including Avaya Inc., 3Com Corp., Alliance Data Systems Corp., and Axcan Pharma Inc.


Hub Police, Hospital Security Chiefs Meet
Boston Globe (11/06/09) Cramer, Maria

Security chiefs from Boston hospitals met with city police on Thursday to talk about ways to make their facilities safer in the wake of the stabbing of a Massachusetts General Hospital psychiatrist by her patient two weeks ago. Among the topics of discussion at the meeting was how to improve radio communications between hospital security officers and police. According to Daniel Linskey, the Boston Police Department's superintendent-in-chief, hospital security officers need to be able to radio police directly when a crime occurs instead of being forced to rely on someone to call 911. Linskey also said that the Boston Police Department wants to conduct drills at city hospitals to prepare for emergencies such as shooting rampages. Bonnie Michelman, the director of police, security, and outside services at Mass General, said she found the meeting helpful and that she hoped to continue discussing ways to improve public safety with Boston police. Meanwhile, officials at Mass General are conducting an internal review of security and are planning to hire a security specialist to analyze their current safety policies and procedures. Security at the hospital has been under scrutiny since the recent stabbing of psychiatrist Astrid Desrosiers by her patient, 37-year-old Jay Carciero. In addition, a female hospital employee was recently assaulted by a Level 3 sex offender in a hospital bathroom.


Oxycontin Thefts Keeping Authorities Busy
Chattanooga Times Free Press (TN) (11/04/09) P. AT1; Koch, Jacqueline

Several drug store chains are dealing with thefts of Oxycontin, the painkiller known as the "poor man's heroin" because it is cheaper than, and its effects are similar to, those of the street drug. Walgreens, for example, is taking steps to curb pharmacy robberies in Washington state, which records more of these crimes than any other state in the nation. According to Walgreens spokesman Robert Elfinger, the company trains its employees on how to react in certain situations and uses digital surveillance cameras to provide clearer images of pharmacy robbers. He also noted that the cameras capture a snapshot of everyone who enters the store, though these snapshots are not retrieved unless an incident occurs. Drug stores in the Chattanooga, Tenn., area, meanwhile, are also taking steps to curb the theft of Oxycontin, including immediately alerting police to thefts of the drug and sharing information. Although the theft of Oxycontin is rare in Tennessee, several incidents have occurred over the last several weeks. Police say that a Walgreens in East Ridge, Tenn., and a Rite Aid in Chattanooga were recently robbed of Oxycontin. Authorities were able to arrest those involved in the robbery of the East Ridge Walgreens, though they are still working the case of the Chattanooga Rite Aid robbery.


Medical Pot Creates Workplace Dilemma
Detroit Free Press (MI) (11/02/09) Gray, Kathleen

Employers in Michigan are finding it difficult to handle the state's medical marijuana law, which took effect in April. One area of difficulty is whether company policies on drug testing still apply now that the law has been adopted. Some workers who are among the 5,108 state residents registered as medical marijuana users say they do not feel that their employers have the right to know whether they are using the drug medicinally, so long as they get their work done and do not come to work high. Employers, however, do not believe that the issue of whether an employee is a medical marijuana user is a totally private one. Many employers are also confused by the conflicting language in the law. For instance, the law protects medical marijuana users from any disciplinary action taken by their employers because of their use of the drug. However, another section of the law says that employers are not required to allow employees to ingest marijuana in the workplace, nor are they required to accommodate employees who are working while under the influence of the drug. Kurt Sherwood, an attorney with a Detroit-based law firm that recently held a seminar on employment issues such as the use of medical marijuana by workers, advised employers to continue to enforce their regular rules, saying that failing to do so would be like "opening up a Pandora's box."




Rampage Kills 12, Wounds 31
Washington Post (11/06/09) Slevin, Peter

A 39-year-old Army psychiatrist at Fort Hood, Texas, allegedly opened fire in the base's soldier readiness facility on Nov. 5, killing 12 people and injuring 31 others in what is the largest mass shooting ever to take place on a U.S. military base. During the incident, the suspected shooter, Maj. Nidal M. Hasan, used a pair of pistols to exchange fire with a civilian policewoman. Both were hit, though both survived. It remains unclear why Hasan, who is in custody in a hospital, opened fire in the soldier readiness facility. According to Col. Terry Lee, who worked with Hasan, the Army psychiatrist who trained to treat soldiers under stress may have been upset about the continued U.S. involvement in Iraq and Afghanistan. Lee added that Hasan had grown "more agitated" and "more frustrated" because President Obama had not ordered a pullout from the two wars. It also remains unclear whether the military knew if Hasan posed a risk to his colleagues.


Terrorism Amendment Dies in the Senate
Politico (11/05/09) Gerstein, Josh

The Senate has voted against an amendment that would have prevented suspects accused of helping plan the Sept. 11 terrorist attacks from being tried in the U.S. court system. The measure, which was offered by Sen. Lindsey Graham (R-S.C.), was supported by all 40 Senate Republicans and four Democrats. If it had been passed, the measure would have prevented the Obama administration from bringing Khalid Sheikh Mohammed and others allegedly involved in the 9/11 plot before civilian courts on U.S. soil. Sen. Jim Webb (D-Va.), who supported the amendment, said that he believed a military tribunal was the only appropriate venue to try international terrorism suspects as enemy combatants because federal court procedures for turning over evidence to defense lawyers and for calling military and intelligence-agency witnesses "could lead to the exposure of classified materials."


Italian Court Convicts 23 Americans of Kidnapping Muslim Cleric
Chicago Tribune (11/05/09) De Cristofaro, Maria; Rotella, Sebastian

Italian Judge Oscar Magi on Wednesday convicted 23 Americans and two Italians for participating in a 2003 plot to kidnap militant Muslim cleric Osama Moustafa Hassan Nasr, also known as Abu Omar, in Milan and fly him to Egypt. Omar claims he was tortured and abused for months while in Egypt. Among the Americans who were convicted was Robert Seldon Lady, the former CIA chief in Milan. Lady--who, like the other Americans, was convicted in absentia--received an eight-year prison term for being one of the masterminds behind the plot to kidnap Omar and send him to Egypt. The other Americans received five-year sentences, while the Italians received three-year terms. None of the Americans who were convicted are likely to spend any time in an Italian prison unless they travel to Europe. According to Armando Spataro, the lead prosecutor in the case, the convictions send the message that illegal means such as kidnapping terrorism suspects and sending them overseas, a practice known as extraordinary rendition, cannot be used to fight terrorism. However, U.S. officials have said that American spy agencies will continue to use extraordinary renditions, though the practice will be conducted under increased oversight.


Homeland Security Backs Cell Phone Sensors to “Crowdsource” Detection of Deadly Chemicals
Xconomy (11/02/09) Bigelow, Bruce V.

The Department of Homeland Security (DHS) has announced that it spent approximately $3 million over the past year to fund three different research programs designed to develop miniaturized sensor technologies for detecting deadly chemicals. According to DHS officials, these sensor strips will be small enough to fit inside a cell phone. All three research groups have now successfully tested prototypes for the sensors. Although widespread use of these sensors is years away, once implemented the sensor could be integrated with cell phone operating systems so that an alarm is triggered on the user’s phone when volatile chemical compounds are detected. At the same time, data about the chemical would be transmitted to first responders and federal emergency operations centers. DHS says that cell phone users would be able to opt in to the sensor program, but if it achieves widespread use there could be hundreds or thousands of the sensors at a terrorist's target location at any given time.


Smaller-Scale Terrorism Plots Pose New and Worrisome Threats, Officials Say
New York Times (11/02/09) Johnston, David; Schmitt, Eric

Counterterrorism officials are becoming increasingly concerned that groups with ties to al Qaida in Pakistan could be planning smaller scale attacks on American soil. These concerns are fueled by recent cases in which suspects in the attacks are long-time residents of the United States, who traveled to tribal regions of Pakistan to receive training from al Qaida and other militant groups. As a result of this training, these suspects appear to be better prepared and more security conscious than other attackers since 2001. The model of young men who have lived for years in the United States before traveling overseas and connecting with militant Islamist groups is not confined to Pakistan. There have also been cases of suspects traveling to Somalia to receive training with members of Al Shabab, a militant Muslim group fighting the Ethiopians.




Federal Data Protection Law Inches Forward
Computerworld (11/05/09) Vijayan, Jaikumar

The U.S. Senate Judiciary Committee has approved the Personal Data Privacy and Security Act of 2009, which would establish a national standard for data protection and breach notification. If passed, the law would probably override similar data protection ordinances that 46 U.S. states have already approved. Under the proposed statute, all private and government entities managing sensitive data would be mandated to deploy specific risk evaluation and vulnerability testing measures, and implement measures for controlling access to sensitive data, spotting and logging unauthorized data accesses, and shielding in-transit and idle data. In addition, the bill would introduce a federal breach notification standard requiring companies to alert not just individuals affected by a data breach, but also credit reporting agencies and the U.S. Secret Service in certain instances. Exemptions would be provided for entities that have taken appropriate measures to insulate data, such as encryption. However, Gartner analyst John Pescatore warns that the proposed law's provisions requiring breached entities to report to the government "will create an entire new set of bureaucracy within the U.S. Secret Service and the [Federal Trade Commission]." He argues that Congress should concentrate on a national disclosure statute that cannot be preempted by states. "That would bring value to both the people whose identities are being stolen and the businesses which need to be driven harder to protect it," says Pescatore.


FBI Warns of $100M Cyber-Threat to Small Business
IDG News Service (11/03/09) McMillan, Robert

A new FBI alert has been issued that warns small businesses, municipal governments, and schools about a significant increase in automated clearinghouse (ACH) fraud, in which cybercriminals are stealing millions of dollars from organizations through an ongoing cyber attack. As part of this attack, cybercriminals send an email to a business or organization's bookkeeper or financial officer that aims to trick them into downloading keylogging software. If the business or organization uses an online banking service, the cybercriminal can use the software to steal the victim's login credentials and create ACH transfers to "money mules," or people who are tricked into transferring the money overseas where it cannot be found. As part of the scam, cybercriminals also are launching distributed denial-of-service attacks against ACH processors in order to prevent them from recalling transfers before the funds can be sent overseas. The FBI says cybercriminals have attempted to steal roughly $100 million through this scam. The bureau notes that cybercriminals are primarily attacking organizations that tend to work with smaller regional banks, which are often not capable of stopping the fraudulent ACH transfers. Compounding the problem is the fact that some banks do not have proper cybersecurity measures in place to protect against this attack, the FBI says.


Animated Ink-Blot Images Keep Unwanted Bots at Bay
New Scientist (11/03/09) Barras, Colin

Indian Institute of Technology Delhi computer scientist Niloy Mitra says that Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) security tests would be more difficult for computers to solve, and easier for humans, if they were animated. Mitra, along with Tel Aviv University's Daniel Cohen-Or and colleagues in Taiwan, has developed "emerging images," which are seemingly random assortments of blotches from which a coherent image emerges after a few seconds. To create the emerging image, the researchers developed an algorithm that identifies key features within an original image and converts those features into an array of ink blots. The algorithm then removes a number of the splats to make it harder for bots to reconstruct the original shape while leaving enough information for a human to identify the image. The number of splats and the background noise can be adjusted to make the emerging image easier or harder to spot. Tests on 310 volunteers showed that 98 percent recognized more than 80 percent of the emerging images at the easy setting. A test of three state-of-the-art software systems found that computers were able to identify whether an image contained a horse or a human only 51 percent to 60 percent of the time. When the researchers used the algorithm to convert three-dimensional animations into emerging videos, they found that all volunteers could spot the animated figure even when the emergence setting was on very hard. Mitra says adding animation makes recognition much easier for humans and much more difficult for computers.


Is AES Encryption Crackable?
TechNewsWorld (11/03/09) Germain, Jack M.

The Advanced Encryption Standard (AES) system was long believed to be invulnerable to attack, but a group of researchers recently demonstrated that there may be an inherent flaw in AES, at least theoretically. The study was conducted by the University of Luxembourg's Alex Biryukov and Dmitry Khovratovich, France's Orr Dunkelman, Hebrew University's Nathan Keller, and the Weizmann Institute's Adi Shamir. In their report, "Key Recovery Attacks of Practical Complexity on AES Variants With Up to 10 Rounds," the researchers challenged the structural integrity of the AES protocol. The researchers suggest that AES may not be invulnerable and raise the question of how far AES is from becoming insecure. "The findings discussed in [the report] are academic in nature and do not threaten the security of systems today," says AppRiver's Fred Touchette. "But because most people depend on the encryption standard to keep sensitive information secure, the findings are nonetheless significant." AirPatrol CEO Ozzie Diaz believes that wireless systems will be the most vulnerable because many investments in network media are wireless, and there is no physical barrier to entry. Diaz says that exposing the vulnerability of the AES system could lead to innovations for filling those gaps. Touchette says that AES cryptography is not broken, and notes that the latest attack techniques on AES-192 and AES-256 are impractical outside of a theoretical setting.


Pressure Grows to Name National Cybersecurity Coordinator
InformationWeek (11/02/09) Hoover, J. Nicholas

In the five months since U.S. President Obama announced that he would personally choose a national cybersecurity coordinator, some members of Congress are growing impatient. In September, the co-chairmen of the House Cybersecurity Caucus said the appointment's delay was a source of deep concern. In October, Rep. Yvette Clarke (D-N.Y.) asked members of the TechAmerica trade organization to pressure the White House to appoint the federal cybersecurity czar. More recently, Sen. Joe Lieberman (I-Conn.) said that he would introduce a bill with Sen. Susan Collins (R-Maine) that would make the coordinator a Senate-confirmed official, and noted that the position was necessary "to ensure that everyone is working off the same playbook." The lack of a White House cybersecurity coordinator means that there is no confluence for government-wide collaboration on cybersecurity, says SANS Institute research director Allan Paller. Still, he says the U.S. government has taken significant action on cybersecurity in the last few months, including the Defense Department's consolidation of cybersecurity initiatives under National Security Agency director Keith Alexander and a new cybercommand.


Abstracts Copyright © 2009 Information, Inc. Bethesda, MD
