
Friday, December 04, 2009

Security Management Weekly - December 4, 2009


December 4, 2009
 
 
Corporate Security

  1. "Spanish Anti-Piracy Measure Under Fire"
  2. "Copper Wire Thefts at East County Utility" Manatee County, Fla.
  3. "Czech: Iraq Planned Attack on Radio Free Europe"
  4. "Restaurants Sue Vendor for Unsecured Card Processor"
  5. "A Realistic Approach to Compliance Ensures More for Your Security Spend"
Homeland Security

  1. "'Poor Judgment' Blamed in State Dinner Lapse"
  2. "Lieberman 'Restless' While Awaiting Report About Fort Hood Massacre Suspect Hasan"
  3. "Homeland Security Chief Warns of Threat from al-Qaeda Sympathizers in U.S."
  4. "Manhunt Ends With Cops Slayings' Suspect's Death"
  5. "Russia Train Bombing: A Return of Terrorism?"
Cyber Security

  1. "5 Key Cybersecurity Areas for DHS to Tackle"
  2. "Feds Tighten Up Cybersecurity Hiring Policies"
  3. "Internet Explorer Users Face New Zero-Day Threat"
  4. "Survey Shows Cyberattacks Are Getting More Disruptive"
  5. "Securing the Information Highway"


Spanish Anti-Piracy Measure Under Fire
New York Times (12/04/09) Pfanner, Eric

The Spanish government has proposed new rules that aim to reduce the digital piracy of copyrighted material such as music and movies. Under the proposed regulation, a government-sponsored commission would be created to investigate and shut down Web sites that are believed to be used as a pipeline for pirated material. But the proposal has been criticized by copyright holders in Spain who said that going after Web sites is not an effective way of dealing with digital piracy. They are calling on Spain to adopt a law similar to one in France that forbids those who have illegally downloaded copyrighted material from using the Internet. The measures have also been criticized by representatives of Web-based businesses and others who said in an online manifesto that "the Internet should be free and not have any interference from groups that seek to perpetuate obsolete business models and stop the free flow of human knowledge."


Copper Wire Thefts at East County Utility
Bradenton Herald (FL) (12/01/09) Nudi, Carl Mario

Peace River Electric Cooperative officials have reported that three more incidents of copper wire theft have occurred. Approximately 28,000 feet to 32,000 feet of wire was taken from poles, but the thieves only took neutral wire, so service was not affected. The value of the stolen wire was at least $8,000. “For a few dollars of copper they’re putting their life in danger,” said Nell Withers McCauley, Peace River Electric spokeswoman. “People don’t really know how dangerous it is.” Police officials say that copper thefts have increased recently. The thefts were broader a few years ago, when copper plumbing and electrical wiring was stolen because of high prices, but these thefts seem to be targeting only utility companies. Copper wiring was stolen from the utility in November, and someone even cut the wiring from 22 light poles that are owned by Peace River Electric. The thieves have not been caught yet because the isolated areas where the incidents are occurring make it hard to find them.


Czech: Iraq Planned Attack on Radio Free Europe
Associated Press (11/30/09) Janicek, Karel

The Czech counterintelligence service, the Czech Security Information Service, said Monday that Saddam Hussein had planned to attack Radio Free Europe/Radio Liberty in Prague earlier in the decade. According to the service, the plan--which was aimed at stopping RFE/RL broadcasts into Iraq--involved Iraqi spies using a diplomatic vehicle to smuggle an RPG-7 anti-tank missile, six machine guns, and other weapons into Prague for the attack. In addition, the plan--which was uncovered in 2000, though it remains unclear when the attack was supposed to occur--called for the spies to pose as diplomats and to fire the RPG-7 missile at the radio station from the window of a nearby apartment building. However, the spies were expelled from the Czech Republic shortly after the plot was uncovered. The weapons that were to have been used in the attack were handed over to Czech authorities by officials at the Iraqi Embassy in Prague in April 2003.


Restaurants Sue Vendor for Unsecured Card Processor
Wired News (11/30/09) Zetter, Kim

Seven restaurants in Louisiana and Mississippi have filed a class-action lawsuit against Radiant Systems, the maker of a point-of-sale (POS) system that they say was not compliant with the PCI Data Security Standard (DSS). According to the plaintiffs, Radiant's Aloha POS system violated the PCI DSS because it stored all of the data embedded in the magnetic stripes of credit and debit cards after transactions had been completed. Also named in the lawsuit is retailer Computer World, which sold and maintained the Aloha POS system. The plaintiffs note that Computer World made them vulnerable to security breaches because it failed to secure a remote-access program that it installed on the Aloha POS system to allow its technicians to correct technical problems from off-site. The plaintiffs say that this allowed a hacker to access the POS system from at least 19 businesses, install malware on those systems, steal credit card data as cards were swiped, and send that data to a Romanian email address. The lawsuit seeks to recover millions of dollars in damages the plaintiffs say they incurred as the result of the breach, including fines for not being PCI compliant, the cost of forensic audits to determine the source of the breach, chargebacks to cover fraudulent charges made by criminals on customer accounts, and reimbursements to card providers who had to issue new cards to affected customers. Radiant says the allegations are without merit.
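The PCI DSS violation alleged above is the retention of full magnetic-stripe (track) data after authorization. A defender auditing a POS host wants a quick way to find such data in logs, databases or temp files. The scanner below is an added example written for this summary and is not code from Radiant, Computer World or the plaintiffs; the track 1 and track 2 layouts it matches are the standard ISO 7813 formats, and the log lines and card numbers are constructed test values (4111111111111111 is a well-known test PAN, not a real account). Findings report only a masked PAN, since writing the full PAN to a report would itself create new stored cardholder data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# ISO 7813 track layouts:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    track: str
    masked_pan: str
    service_code: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid track 1 / track 2 record found in the input."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):
                    continue    # not a plausible card number, skip the false positive
                findings.append(Finding(line_no, track, mask_pan(pan), m.group("svc")))
    return findings


# Constructed sample POS log: line 2 retains a full swipe (both tracks), line 3 holds a
# track-2-looking string whose PAN fails Luhn, lines 1 and 4 are clean.
SAMPLE_LOG = [
    "2009-11-30 14:02:11 POS01 auth ok amount=42.17 ref=00012345",
    "2009-11-30 14:02:11 POS01 rawswipe=%B4111111111111111^DOE/JOHN^2512101123456789?"
    ";4111111111111111=25121011234567890?",
    "2009-11-30 14:03:05 POS01 rawswipe=;4111111111111112=2512101?",
    "2009-11-30 14:04:00 POS01 auth ok amount=9.99 ref=00012346",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.track} data retained, PAN {f.masked_pan}, "
              f"service code {f.service_code}")
```

Run against a real POS host's log directory the same function would be fed `open(path, errors="replace")`; the regexes are deliberately strict about the sentinels (`%B`, `^`, `;`, `=`, `?`) so that a stray 16-digit order number does not produce noise, and the Luhn filter removes most of what remains.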


A Realistic Approach to Compliance Ensures More for Your Security Spend
Security Director's Report (11/09) Vol. 2009, No. 11

Because employee negligence is the cause of so many corporate security breaches, nearly all security researchers are in accord in urging companies to take more time to train workers. Companies are beginning to internalize the message. The 2008 numbers on corporate spending for employee data security awareness training indicate that it accounted for a larger percentage of the IT budget. As observance of security policy is often not compulsory, it is helpful to weigh a management strategy promoted by experts at University College London and Hewlett-Packard Labs. They suggest dividing organizational security goals into a "compliance budget" to get a better view of how individuals approach the costs and benefits of following organizational security measures. For instance, if a security policy requires the encryption of data stored on USB devices, an employee will usually examine the policy's pros and cons using the following approach: individual cost of compliance -- time spent copying data due to encryption or decryption; individual benefit of compliance -- no threat of sanctions for failing to follow policy; cost of compliance to organization -- more time spent transferring data cuts into productivity; and the benefit of compliance to the organization -- no danger of a costly and humiliating data leak as the result of a lost drive. By getting a better hold on their workers' present "compliance budget," security executives can use it as a model for budgeting money and spending on areas most likely to impact employees' weighing of costs and benefits.




'Poor Judgment' Blamed in State Dinner Lapse
Los Angeles Times (12/04/09) Hennessey, Kathleen

Secret Service director Mark Sullivan has testified before the House Homeland Security Committee that the decision to admit an uninvited Virginia couple to the recent state dinner was due to a lapse in judgment on the part of individual agents and not part of a larger problem with White House security. Sullivan assured the committee that security procedures used at the event were the same as state dinners during other administrations, with agents instructed to notify a supervisor and the White House social office if someone attempted to enter the dinner without an invitation, which reportedly did not happen. For this reason, three uniformed agents have been placed on paid administrative leave during the investigation. Unlike some events and other state dinners, however, White House staffers were not posted at checkpoints with Secret Service agents. Since the event, the White House has said that it will post staff at each gate as a matter of policy. In his testimony, Sullivan also defended the Secret Service against assertions that the event may not have been adequately staffed due to a reported rise of threats against President Obama. Sullivan maintains that the number of threats against Mr. Obama is comparable to the two previous administrations and the president has said that he is "100 percent" confident in his protection.


Lieberman 'Restless' While Awaiting Report About Fort Hood Massacre Suspect Hasan
Dallas Morning News (TX) (12/04/09) Michaels, Dave

Sen. Joe Lieberman (I-Conn.), the chairman of the Senate Homeland Security Committee, expressed frustration on Thursday with the investigation into the Nov. 5 shooting at Fort Hood, Texas. Lieberman, whose committee has launched a probe into the shooting, said that his investigators have not been able to interview members of an FBI-led terrorism task force who knew about the contact suspected shooter Maj. Nidal Malik Hasan had with Anwar al-Awlaki, a radical Islamic cleric in Yemen who ran a Web site that called on Muslims to practice jihad and kill soldiers. In addition, some of the documents the Senate Homeland Security Committee has requested have not been produced, Lieberman said. As a result, Lieberman said he is "restless" about the investigation, though he added that he understands that federal agencies may not have turned over the information they had about Hasan because "they have a lot they are doing."


Homeland Security Chief Warns of Threat from al-Qaeda Sympathizers in U.S.
Washington Post (12/03/09) Hsu, Spencer S.

During a speech to the American Israel Friendship League in New York on Wednesday, Homeland Security Secretary Janet Napolitano said that al-Qaida followers are in the U.S. and would like to attack targets here and in other countries around the world. Napolitano backed up her assertion by citing the case of Najibullah Zazi, the Denver man who was arrested in September for allegedly testing homemade bombs similar to the ones used in the 2004 Madrid train bombing. Zazi also allegedly trained with al-Qaida in Pakistan. Napolitano noted that the arrests of terrorist suspects such as Zazi disprove the notion that U.S. anti-terrorism efforts overseas will eliminate the threat of terrorism here at home. "The fact is that home-based terrorism is here," Napolitano said. "And like violent extremism abroad, it is now part of the threat picture that we must confront."


Manhunt Ends With Cops Slayings' Suspect's Death
Associated Press (12/02/09) Johnson, Gene

A Seattle police officer Tuesday morning shot and killed Maurice Clemmons, the man who eluded law enforcement for two days after shooting and killing four police officers in a coffee shop in the Tacoma, Wash., suburb of Parkland. According to Assistant Seattle Police Chief Jim Pugel, Clemmons was killed after Officer Benjamin Kelly pulled over to check out a stolen car with its hood up and engine running. As Kelly was sitting in his patrol car filling out paperwork, he sensed someone coming up from behind him. Kelly stepped out of the car and immediately recognized Clemmons, who then made a move for the gun he had taken from one of the police officers killed in Sunday's shooting. After Clemmons refused orders to freeze and put up his hands, Kelly opened fire, hitting Clemmons at least twice. Meanwhile, the investigation into the Nov. 29 ambush at the Parkland coffee shop is continuing. However, it remains unclear what Clemmons' motive was for shooting the police officers. Investigators did find that Clemmons told several people the night before the shooting that he was going to kill police officers and that they should watch the news, though they dismissed what Clemmons said, saying it was "crazy-talk."


Russia Train Bombing: A Return of Terrorism?
Christian Science Monitor (11/28/09) Weir, Fred

The recent explosion on a Russian intercity train that killed at least 26 people and injured more than 100 has once again raised fears of terrorism for many Russians. Official reports indicate that the explosion on the train was caused by a device planted by unidentified terrorists. Terrorism was once a constant concern for Russians. A decade ago, civil unrest in the southern republic of Chechnya set off a series of unexplained bombings in Moscow and two other Russian cities that killed almost 300 people. During the years that followed, terrorists also killed hundreds in attacks on a Moscow theatre, a rock concert, a school in Beslan, and two airliners. The more recent train bombing was caused by a homemade explosive device planted on the heavily traveled railroad tracks between St. Petersburg and Moscow. The explosives, which reportedly included the equivalent of seven kilograms of TNT, threw three train cars off the tracks. Although most of Russia had remained free of terrorism for the past five years until this bombing, security experts have warned that it was only a matter of time before extremist insurgents in the northern Caucasus region returned to attacking civilians in major Russian cities. Despite these suspicions, no specific group has claimed responsibility for the bombing, and experts warn that the list of suspects is not restricted to extremists in the Caucasus.




5 Key Cybersecurity Areas for DHS to Tackle
GovInfoSecurity.com (12/03/09) Chabrow, Eric

Cathleen Berrick, the managing director for homeland security and justice at the Government Accountability Office, provided a written statement at the recent Senate Commerce, Science, and Transportation Committee hearing on post-9/11 transportation challenges that outlined five key cybersecurity challenges DHS should address. Berrick said DHS needs to bolster cyber analysis and warning capabilities, complete actions identified during cyber exercises, improve the cybersecurity of infrastructure control systems, strengthen DHS' ability to help recover from Internet disruptions, and address cybercrime. She said DHS has made progress in strengthening cybersecurity, but further action is warranted. "DHS has since developed and implemented certain capabilities to satisfy aspects of its responsibilities, but it has not fully implemented GAO's recommendations and, thus, more action is needed to address the risk to critical cybersecurity infrastructure," Berrick said.


Feds Tighten Up Cybersecurity Hiring Policies
Information Security (12/02/09)

The U.S. Office of Personnel Management has been working with the National Security Council Interagency Policy Committee (IPC) to tighten hiring policies for federal cybersecurity professionals. As part of that effort, OPM will launch cybersecurity competency models for cybersecurity employees. The plan calls for IT security professionals to be divided into three categories: the IT infrastructure, operations, maintenance, and information assurance category; the domestic law enforcement and counterintelligence category; and the specialized cybersecurity operations category. In addition, federal agencies will have until mid-January to send OPM documents such as position descriptions, vacancy announcements, crediting plans, training plans, performance management plans, or competency models of cybersecurity work. After submitting these documents, federal agencies will then be asked to provide subject matter experts to help assess policy requirements. OPM Director John Berry says the program will "identify the critical elements of success for the covered workforce, ensuring classification, selection, development, and performance management programs are based on a valid framework."


Internet Explorer Users Face New Zero-Day Threat
Government Computer News (12/01/09) Leffall, Jabulani

Microsoft is investigating a zero-day security vulnerability that was recently discovered in several versions of its Internet Explorer Web browser. The flaw—which affects Internet Explorer 6 Service Pack 1 on Windows 2000 SP4, and Internet Explorer 6 and 7 on Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008—could allow an attacker to access and delete a cascading style sheet (CSS) object. That in turn could make it possible for an attacker to run malicious code on a victim's machine, Microsoft said, though the attacker would first need to get the user to visit a malicious Web page. In a security advisory released in late November, Microsoft said that there were a number of steps users could take to protect themselves from such attacks, including changing the security zone settings in Internet Explorer to high. Microsoft also urged users to configure active scripting settings and turn on data execution prevention in Internet Explorer. It remains unclear when or how Microsoft will distribute a patch for the vulnerability. The company could opt to release a patch as part of its monthly patch release or as part of an out-of-band fix.


Survey Shows Cyberattacks Are Getting More Disruptive
NextGov.com (12/01/09) Aitoro, Jill R.

Cyberattacks powerful enough to break through computer networks and interrupt online business services are increasing precipitously, according to a recent Computer Security Institute survey of public and private sector IT professionals. Infections from software built to break into or damage a computer system were "easily the most prevalent" type of cyberattack this year, the survey found. Nearly two-thirds of the 443 respondents said they had experienced malware attacks in 2009, compared to 50 percent the previous year. Frequently these attacks were implemented in multiple stages, in which the malware downloaded different tools to exacerbate the severity of the contamination once inside the network. Eight percent of survey participants were employed by the federal government. Reports of malware infection are likely to continue increasing as hackers "spend more energy customizing malware to make it more effective in targeted attacks," the survey's report said. Twenty-five percent of survey respondents said targeted attacks were involved in at least some of their security incidents, and 4 percent said they had witnessed 10 or more such intrusions.


Securing the Information Highway
Foreign Affairs (12/09) Vol. 88, No. 6, P. 2; Clark, Wesley K.; Levin, Peter L.

The computer networks, software, and hardware of the United States are under constant threat of attack, and Washington must take quick and decisive action to protect these vital assets, write former NATO Supreme Commander Wesley K. Clark and Peter L. Levin, CTO to the Senior Adviser to the Secretary at the U.S. Department of Veterans Affairs. The authors draw parallels between cyberthreats and biological diseases, and note that "bodily immune systems work best when they are autonomous, adaptable, distributed, and diversified; so, too, with electronic security." They write that "as with their biological analogues, healthy electronic systems will focus protection at the gateways to the outside world (such as a computer's ports), rapidly implement sequential reactions to invading agents, learn from new assaults, remember previous victories, and perhaps even learn to tolerate and coexist with foreign intruders." Clark and Levin say the existence of a vulnerability will inevitably be discovered by a cybercriminal, and professional saboteurs will likely be unable to resist the lure of embedding intentional security holes. Clark and Levin write that the complete eradication of all threats to electronic security is both technically infeasible and unaffordable. "The best the United States can achieve is sensible risk management," they argue. "Washington must develop an integrated strategy that addresses everything from the sprawling communications network to the individual chips inside computers." Diversification of the U.S. digital infrastructure is a starting point, while securing the hardware supply chain is an additional step. The adaptability of hardware means that the current configuration and deployment of computer networks will not have to undergo a fundamental shift.


Abstracts Copyright © 2009 Information, Inc. Bethesda, MD

