Thursday, December 31, 2009

Security Management Weekly - December 31, 2009

Corporate Security

  1. "Shoplifters? Studies Say Keep an Eye on Workers"
  2. "U.S. Hacker Pleads Guilty, Faces 17-25 Years"
  3. "After Hacks, Louisiana Restaurants Sue POS Companies"
  4. "Somali Pirates Seize a Tanker and a Cargo Ship"
  5. "Mathew Tully: Personal E-Mail, Texting Raise Issues in the Workplace"
Homeland Security

  1. "Obama to Receive Prelim Report on Airline Attack"
  2. "Extra Security in Times Square for New Year's Eve"
  3. "U.S.-Born Cleric Linked to Airline Bombing Plot"
  4. "U.S. Probes Link Between Bomb Plot and Guantanamo Detainees"
  5. "Obama Curbs Secrecy of Classified Documents"
Cyber Security

  1. "New Policies on the Way to Better Secure House Lawmakers' Computers"
  2. "Cellphone Encryption Code Is Divulged"
  3. "More Attacks Expected on Facebook, Twitter in 2010"
  4. "DHS, Michigan Launch Unique Cybersecurity Partnership"
  5. "State's Computer Boss Gets Cyber Security Grant"


Corporate Security

Shoplifters? Studies Say Keep an Eye on Workers
New York Times (12/30/09) Greenhouse, Steven

With gift cards growing in popularity, some retail employees are discovering ways to exploit the cards and use them for theft. At a Saks store in New York, for example, an employee rang up $130,000 in false merchandise returns and transferred the money onto a gift card. Other employees are giving worthless cards to customers who purchase gift cards and transferring the customers' money onto cards for themselves. Although some of these employees act alone, others have been paid or pressured by members of organized crime rings to hand over gift cards or to reveal when and where security guards will be patrolling. There are several reasons why gift cards are increasingly used in retail theft: the cards are almost as good as cash and much easier to conceal, they are harder to track than credit cards, and consumers do not have to show any form of identification when using them. With gift card fraud on the rise, retailers are taking a number of steps to fight back, including assigning loss-prevention specialists to monitor online auctions of gift cards, since auction sites such as eBay are popular among thieves looking to sell them. Other retailers are using technology that tells them whether a cashier is refunding an unusually large number of items. If the retailer determines that a cashier is issuing an abnormally large number of refunds, it can use surveillance video to determine whether the cashier is repeatedly giving refunds to the same group of people.
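The refund monitoring described above is a simple insider-fraud detection problem: count refunds per cashier, flag the outliers, and then check whether a flagged cashier's refunds keep going to the same customer records. The following script is an added illustration, not code from the article or from any retailer's loss-prevention system; the POS journal it analyses is constructed inline (five cashiers, one of whom, "c05", issues twelve refunds, eight of them to a single customer id), and the field names and thresholds are assumptions chosen for the example. It uses a median-based (modified z-score) outlier test rather than mean and standard deviation, because a single heavy refunder inflates the standard deviation enough to hide itself.

```python
"""Flag cashiers with anomalous refund rates and list repeat refund recipients.

Added example with constructed data; it is not the article's or any vendor's code.
"""
from collections import Counter, defaultdict, namedtuple
from statistics import median

# One journal entry per POS transaction (constructed schema, an assumption).
Txn = namedtuple("Txn", "cashier kind amount customer")


def constructed_transactions():
    """Build a constructed POS journal: five cashiers with 20 sales each,
    a few ordinary refunds, and one cashier (c05) who issues many refunds,
    most of them to the same customer record."""
    txns = []
    for c in ("c01", "c02", "c03", "c04", "c05"):
        for i in range(20):
            txns.append(Txn(c, "SALE", 40.0 + i, f"cust-{c}-{i:02d}"))
    for c, n in (("c01", 1), ("c02", 2), ("c03", 1), ("c04", 2)):
        for i in range(n):
            txns.append(Txn(c, "REFUND", 55.0, f"cust-{c}-{i:02d}"))
    txns += [Txn("c05", "REFUND", 120.0, "cust-9001") for _ in range(8)]
    txns += [Txn("c05", "REFUND", 60.0, f"cust-{i:02d}") for i in range(4)]
    return txns


def refund_stats(txns):
    """Per-cashier sale count, refund count, refunded amount and refund rate."""
    stats = defaultdict(lambda: {"sales": 0, "refunds": 0, "refund_amount": 0.0})
    for t in txns:
        s = stats[t.cashier]
        if t.kind == "SALE":
            s["sales"] += 1
        elif t.kind == "REFUND":
            s["refunds"] += 1
            s["refund_amount"] += t.amount
    for s in stats.values():
        # Refunds per sale, so a busy cashier is not penalised for volume alone.
        s["refund_rate"] = s["refunds"] / max(s["sales"], 1)
    return dict(stats)


def modified_z_scores(values):
    """Robust outlier score: 0.6745 * (x - median) / MAD.  Unlike a plain
    z-score, the median and MAD are barely moved by the outlier itself."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # every cashier behaves the same: nothing stands out
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def flag_cashiers(txns, threshold=3.5):
    """Return (cashier, refund_rate, score) for cashiers above the threshold."""
    stats = refund_stats(txns)
    cashiers = sorted(stats)
    scores = modified_z_scores([stats[c]["refund_rate"] for c in cashiers])
    return [(c, stats[c]["refund_rate"], z)
            for c, z in zip(cashiers, scores) if z > threshold]


def repeat_refund_recipients(txns, cashier, min_count=3):
    """Customer ids that received at least min_count refunds from one cashier,
    the pattern the article says retailers then confirm on surveillance video."""
    counts = Counter(t.customer for t in txns
                     if t.cashier == cashier and t.kind == "REFUND")
    return [(cust, n) for cust, n in counts.most_common() if n >= min_count]


if __name__ == "__main__":
    journal = constructed_transactions()
    for cashier, rate, score in flag_cashiers(journal):
        print(f"{cashier}: refund rate {rate:.2f}, score {score:.1f}")
        for cust, n in repeat_refund_recipients(journal, cashier):
            print(f"  {n} refunds to {cust}")
```

On the constructed journal only c05 is flagged (refund rate 0.60, score about 6.7 against a threshold of 3.5), and its eight refunds to cust-9001 are listed for follow-up. A plain mean-and-standard-deviation z-score on the same five refund rates comes out just under 2, which is why the robust score is the better choice when the population is small and one actor dominates.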


U.S. Hacker Pleads Guilty, Faces 17-25 Years
Reuters (12/30/09) Finkle, Jim

Albert Gonzalez pleaded guilty in federal court to masterminding electronic hacks at companies that involved the theft of tens of millions of payment card numbers. Among the companies Gonzalez admitted targeting were Heartland Payment Systems, 7-Eleven, and the Hannaford grocery store chain. Gonzalez's admission follows an earlier guilty plea for intrusions at retailers TJX Cos, BJ's Wholesale Club, and Barnes & Noble. Gonzalez's lawyer requested that the court exercise leniency, given that his client suffers from Internet addiction, drug abuse, and Asperger's disorder. Gonzalez faces a prison sentence of 17 to 25 years, while a fellow conspirator was sentenced to two years in jail by a federal court for developing the software used to capture payment card data, and ordered to pay nearly $172 million in restitution.


After Hacks, Louisiana Restaurants Sue POS Companies
Dark Reading (12/29/09) Wilson, Tim

A group of 17 restaurants has filed two lawsuits against the maker and the installer of a point-of-sale (POS) system that was allegedly compromised with a keylogger, an intrusion that exposed about 100,000 credit cards and cost local banks at least $1.2 million. According to the lawsuits, Radiant Systems, which makes the Aloha POS, and Computer World, which installed the system, said the system was current and compliant with the PCI Data Security Standard. However, the Aloha POS actually ran older software that contained a number of security flaws, the restaurants say. In addition, one of the lawsuits claims that Computer World installed a faulty remote access system on some of the POS systems that used the word "computer" as the password. Finally, the lawsuits allege that Computer World did not remove the customer credit card information that existed on the systems before installing them. Radiant has denied the charges against it.


Somali Pirates Seize a Tanker and a Cargo Ship
New York Times (12/29/09) McDonald, Mark

Somali pirates hijacked two ships off the coast of Somalia on Dec. 28. In the first hijacking, the St. James Park, a British-flagged chemical tanker traveling from Spain to Thailand, was attacked in the Gulf of Aden. According to the European Union Naval Force Somalia, which is monitoring the St. James Park, the vessel and its crew of 26 were being taken toward Somalia. In the second hijacking, a Greek-owned cargo ship was seized by pirates off the coast of Somalia; the European Union Naval Force provided no further details. The incidents bring the number of hijackings in the Gulf of Aden and off the coast of Somalia to 47 this year, a new record. There have also been 214 attacks on vessels in those same waters in 2009, also a new record. The record number of attacks and hijackings comes despite the extra precautions ship owners are taking to prevent piracy. Those precautions have not included armed guards aboard vessels. Noel Choong, an official with the Piracy Reporting Center of the International Maritime Bureau, said that he is not advising ship owners to place armed guards on their vessels, since pirates are not firing at crews during hijackings.


Mathew Tully: Personal E-Mail, Texting Raise Issues in the Workplace
Saratogian (NY) (12/27/09)

Until recently it was assumed that employers could view workers' e-mails, texts, and any other digital information transferred using company property. However, two recent court cases may change this assumption. In the first case, a California appeals court ruled in favor of a police officer who filed suit against his department for obtaining a printout of text messages he sent while on the job. The Supreme Court is scheduled to hear the case in the spring of 2010, and the ruling could have a significant impact on text message privacy for workers around the country. The second case, heard by the U.S. District Court for the District of Columbia, involves a Department of Justice (DOJ) employee who filed suit in an attempt to keep his e-mail communications with a private attorney confidential. The court found that the employee had a reasonable expectation of privacy in these e-mails, preventing the DOJ from interfering with his messages.


Homeland Security

Obama to Receive Prelim Report on Airline Attack
Associated Press (12/31/09)

White House homeland security and counterterrorism adviser John Brennan on Thursday will give President Obama a preliminary report on the attempted bombing of a Northwest Airlines flight from Amsterdam to Detroit on Christmas Day. The report will examine how the suspect, 23-year-old Umar Farouk Abdulmutallab of Nigeria, was able to board the plane. Abdulmutallab's name was on a list of people with suspected terrorist connections, but it was not placed on another, more restrictive list, even though his father had warned U.S. officials in Nigeria that he was becoming radicalized. Had his name been on the more restrictive list, it might have caught the attention of U.S. counterterrorism screeners. The report will also review the nation's efforts to track more than 500,000 potential terrorists, and will include recommendations for preventing incidents similar to the attempted Christmas Day bombing of Northwest Airlines Flight 253. The report could be just the first step in the Obama administration's efforts to change the nation's intelligence practices. The president has said that sharing critical information in the case of the attempted Christmas Day bombing might have prevented Abdulmutallab from ever boarding the aircraft.


Extra Security in Times Square for New Year's Eve
New York Times (12/30/09) Baker, Al

Security at New York's Times Square will be tight for the annual New Year's Eve celebration, despite the fact that officials say that there are no specific threats against the city. According to New York City Police Commissioner Raymond W. Kelly, there will be thousands of police officers in Times Square. Some of those officers will be armed with rifles and positioned on rooftops, while others will be in plainclothes looking for potential terrorists and thieves. In addition, some officers will be carrying devices that can detect radiation or the makings of a radiological bomb. Similar technology will be used on trucks, helicopters, and police boats patrolling the East and Hudson rivers. New York City's Environmental Protection Department will also be using devices to detect the presence of chemical or biological contaminants in the air. Kelly noted that none of these and other security measures that are being put in place are a response to the recent attempted bombing of a Northwest Airlines flight from Amsterdam to Detroit on Christmas Day. However, he did say that the botched terrorist plot has been factored into "counterterrorism overlay." "We assume here that New York is the No. 1 terrorist target in America," Kelly said. "We've done a lot, to my knowledge, even more than any other city in the world, to protect ourselves from a terrorist event."


U.S.-Born Cleric Linked to Airline Bombing Plot
Los Angeles Times (12/30/09) Meyer, Josh

The FBI reports that Anwar al Awlaki, a U.S.-born cleric believed to be living in Yemen, may have been involved in the recent attempted bombing of an airplane traveling from Amsterdam to Detroit. Awlaki operates a popular jihadist Web site and is also thought to have ties to the 9/11 hijackers. Intercepted communications suggest that Awlaki had contact with the suspect in the botched bombing, Umar Farouk Abdulmutallab. Previous investigations also showed that Awlaki had been in contact with Maj. Nidal Malik Hasan, the suspect in the recent attack at Fort Hood. Abdulmutallab claims to have met with Awlaki and other high-ranking al-Qaida members while in Yemen to receive terrorist training earlier this year. Evan Kohlmann, a government counterterrorism consultant, says Awlaki endorsed attacks by al-Qaida in Yemen and has played a role in negotiating alliances between al-Qaida and the Yemeni tribes that shelter the organization when the government cracks down. U.S. authorities are reportedly alarmed by Awlaki's new role within the al-Qaida affiliate because of his familiarity with the United States, its customs, and its security measures.



U.S. Probes Link Between Bomb Plot and Guantanamo Detainees
Wall Street Journal (12/30/09) P. A1; Perez, Evan; Solomon, Jay

Officials in the U.S. are investigating whether there are any connections between the failed attempt to bomb Northwest Airlines Flight 253 on Christmas Day and two former Guantanamo Bay detainees who are believed to be leaders of al-Qaida in the Arabian Peninsula. The Yemen-based group, which is thought to be led by Said Ali al-Shihri and Muhammad al-Awfi, who were released from Guantanamo in 2007, has claimed responsibility for the attempted bombing. In addition, the suspect in the botched terrorist attack, 23-year-old Umar Farouk Abdulmutallab of Nigeria, has told investigators that the bomb he used was given to him by operatives of al-Qaida in Yemen. News that two former Guantanamo detainees may have ties to the attempted bombing of an airplane has sparked renewed criticism of President Obama's efforts to close the controversial facility. However, the administration says that it still believes closing Gitmo is a good idea because it has been used by al-Qaida as "a rallying cry and recruiting tool."


Obama Curbs Secrecy of Classified Documents
New York Times (12/30/09) Savage, Charlie

President Obama has issued an executive order and a presidential memorandum directing the government to increase its efforts to declassify information whenever possible. As part of this new initiative, agencies will be required to conduct regular reviews of the kinds of information they classify and to eliminate any obsolete secrecy requirements. Additionally, the order establishes a National Declassification Center at the National Archives, designed to speed up declassification by centralizing the review of records instead of sending them back to different agencies. Mr. Obama has also set a four-year deadline for processing the 400-million-page backlog of classified records relating to military operations during World War II, the Korean War, and the Vietnam War. Finally, the presidential order eliminates a rule put in place by President Bush in 2003 that permitted the leader of the intelligence community to veto declassification decisions made by an interagency panel. Under the new rules, agencies that object to declassification will have to make a formal appeal to the president.


Cyber Security

New Policies on the Way to Better Secure House Lawmakers' Computers
FederalNewsRadio (12/30/09) Miller, Jason

The House Office of the Chief Administrative Officer recently issued six recommendations to Speaker Nancy Pelosi (D-Calif.) and Minority Leader John Boehner (R-Ohio) on strategies to improve the security of members' and their staffs' computers and wireless devices. According to Jeff Ventura, director of communications for the House Chief Administrative Officer, the recommendations focus largely on training in how to handle sensitive data. Ventura reports that in 2010 House staffers will be required "to participate in a comprehensive training program in regard to computer security." The recommendations come approximately 15 months after Chinese hackers broke into the office computers of Reps. Frank Wolf (R-Va.) and Pete Hoekstra (R-Mich.). Sen. Bill Nelson (R-Fla.) also reported being the victim of a cyber attack originating in China in 2009. The letter to Pelosi and Boehner recommends that members and staff be provided with information on privacy and security procedures; that sensitive House information remain on House hardware and be encrypted when stored on a mobile device or transmitted via the Internet; that passwords be set on all House wireless equipment, which should automatically lock when not in use; that annual cybersecurity training be required for all House employees; that all equipment of House members and staff be scanned before and after overseas travel; and that firewall protection be enhanced.


Cellphone Encryption Code Is Divulged
New York Times (12/29/09) P. B3; O'Brien, Kevin J.

German encryption expert Karsten Nohl says he has deciphered and published the secret code used to encrypt most of the world's cell phone calls, in an effort to call attention to vulnerabilities in global wireless security. The privacy of 80 percent of mobile calls worldwide is shielded by the 21-year-old global system for mobile communication (GSM) algorithm, whose security Nohl called inadequate at the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin. In August, Nohl challenged other hackers to help him crack the GSM code, and through that collaborative effort the algorithm's code book was eventually reproduced. Nohl says the code book is accessible on the Internet via services such as BitTorrent. Although the GSM Association has devised a 128-bit successor to the 64-bit algorithm originally adopted in 1988, the majority of network operators have not upgraded to the new code. At the conference, Nohl warned that the hardware and software required for digital surveillance of cell phone calls are freely available as open source, so the code is available for individuals to customize. The GSM Association deemed Nohl's decryption efforts illegal, but ABI Research executive Stan Schatt says the disclosure, while not threatening in itself, makes the case that companies and governmental organizations should take the same measures to guarantee the security of their wireless conversations as they do with antivirus software for computer files.


More Attacks Expected on Facebook, Twitter in 2010
CNet (12/29/09) Magid, Larry

Facebook, Twitter, and other popular social networking sites should anticipate more attacks from hackers in the coming year, according to a report released Dec. 29 by McAfee Labs. Users of Adobe Systems products such as Acrobat Reader and Flash are also at high risk. Though Microsoft has more than its own share of problems, McAfee predicts Google's Chrome operating system will "create another opportunity for malware writers to prey on users." The security firm also anticipates savvier and more predatory Trojans that "follow the money," in addition to a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies." In a recent interview, McAfee Labs director of security research and communications David Marcus said he expects a tidal wave of attacks against Facebook at the hands of cybercriminals. In addition to pernicious bugs like Koobface that infiltrate Facebook users' friends lists, Marcus anticipates an uptick in unauthorized Facebook applications. "A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he notes. Marcus suggests that users only download applications by clicking " 'browse more applications' in the Facebook application installer."


DHS, Michigan Launch Unique Cybersecurity Partnership
FederalNewsRadio (12/28/09) Ramienski, Dorothy

The Department of Homeland Security (DHS) recently announced that it has partnered with the state of Michigan to improve cybersecurity. The partnership will use EINSTEIN ONE technology to automate the collection and analysis of computer network security information from both federal agency and state government networks in order to track and fight potential attacks. According to Jenny Menna, director of critical infrastructure cyber-protection awareness for DHS's National Cybersecurity Division, the project will allow DHS to examine potential threats and relay that information to Michigan so that the state can resolve them. At the same time, the project will provide US-CERT with more useful data on the sources of attacks on state governments. Menna reports that the project is expected to last one year, and that DHS is also working on a variety of projects with other states. One such project is the Multi-State ISAC, which Menna calls "a central resource for state and local government that provides two-way information sharing with states at the 24/7 Cybersecurity Operations Center, which provides incident response and training and awareness [for] all 50 states and the District of Columbia."


State's Computer Boss Gets Cyber Security Grant
Fresno Bee (CA) (12/24/09) McIntosh, Andrew

California has received a $4.7 million grant from the U.S. government to improve cybersecurity. California CIO Teri Takai says $2.35 million of the grant will be used to conduct a statewide cybersecurity risk assessment. Another $1.35 million will be used for California's Secureca.gov domain name system project, which aims to upgrade the underlying technology behind the state's Web sites and communications addressing. The remaining funds will be used to help the state's Emergency Management Agency improve emergency response across California. Takai wants to develop GIS maps of critical infrastructure and other important locations such as gathering places, vulnerable populations, shelters, and command centers. Bill Maile, a spokesman for Takai's office, says the funds will be a great help in advancing California's cybersecurity program and will be used to help prevent efforts to compromise the state's IT infrastructure and to prevent hacking. The U.S. government's decision to award California the grant money comes several months after Takai's office released a report finding that hackers had perpetrated major breaches of state systems over the past year. In one such incident, hackers were able to break into restricted computer databases at the University of California, Berkeley between October 2008 and April 2009 and steal 97,000 Social Security numbers.


Abstracts Copyright © 2009 Information, Inc. Bethesda, MD

