Friday, January 22, 2010

Security Management Weekly - January 22, 2010

header

  Learn more! ->   sm professional  

January 22, 2010
 
 
Corporate Security

Sponsored By:
  1. "Hillary Clinton Calls on China to Probe Google Attack"
  2. "22 Indicted in FBI Sting on Paying Foreign Bribes"
  3. "Many Cloud Computing Offerings Not PCI DSS Compliant"
  4. "Online Consumers Seek Out Stronger Security"
  5. "Women in the Security Sector"
Homeland Security

  1. "Al Qaeda's Deep Tribal Ties Make Yemen a Terror Hub"
  2. "American Ex-Convicts Suspected of Link to Yemen Militants"
  3. "FBI Broke Law in Phone Searches: Report"
  4. "Lapses Hurt Intelligence Effort After Failed Jet Attack"
  5. "Potential Defects in Cockpit-Door Locks Worry Officials"
Cyber Security

  1. "DIY Cybercrime Kits Power Growth in Phishing Attacks"
  2. "Companies Fight Endless War Against Computer Attacks"
  3. "Every IT User Is at Risk From Cyberattacks"
  4. "Google Attack Puts Spotlight on China's 'Red' Hackers"
  5. "Google Attack Used Internet Explorer Flaw"

   

 
 
 

 


Hillary Clinton Calls on China to Probe Google Attack
BBC News (01/21/10)

The United States is calling on China to investigate the recent cyber attacks on Google. In a speech at the Newseum journalism museum in Washington, D.C., U.S. Secretary of State Hillary Clinton said that companies such as Google should refuse to support "politically motivated censorship," noting that China along with Tunisia and Uzbekistan had increased censorship. "We look to Chinese authorities to conduct a thorough investigation of the cyber intrusions," she said. "We also look for that investigation and its results to be transparent." Separately, Clinton called for tough action against people and states that carried out cyber attacks. "Countries or individuals that engage in cyber attacks should face consequences and international condemnation," she said. "In an interconnected world, an attack on one nation's networks can be an attack on all."


22 Indicted in FBI Sting on Paying Foreign Bribes
Associated Press -- Business News (01/20/10) Yost, Pete

Twenty-two executives and employees of suppliers to military and law enforcement agencies were arrested on the eve of the 2010 Shooting, Hunting, & Outdoor Trade Show in Las Vegas. The arrests come after a 2 1/2-year undercover sting operation aimed at uncovering bribes made to foreign officials. According to the Justice Department, this is "the largest single investigation and prosecution of individuals in the history of the 1977 Foreign Corrupt Practices Act (FCPA)" It is also the first time large-scale undercover tactics have been used to enforce the FCPA. Those being charged represent eight states and companies in the United Kingdom, Israel, and Peru. None of the 21 people arrested in Las Vegas entered pleas, and U.S. Magistrate Judge Peggy Leen ordered most of them to surrender their passports and appear in federal court in Washington on Feb. 3. It is alleged that the defendants, who were trying to win a multimillion dollar deal to outfit a presidential guard, agreed to pay a 20 percent commission to a sales agent they believed to be representing the defense minister of an African country. The sales agent was an undercover FBI agent, and at least one other FBI agent was acting undercover as a procurement officer for the African nation. The 22 individuals face allegations of conspiracy and violations of the FCPA, which carry a maximum five-year prison sentence; as well as conspiracy to engage in money laundering, which carries a maximum sentence of 20 years.


Many Cloud Computing Offerings Not PCI DSS Compliant
Pivotal Payments (01/19/10) Trigliari, Joseph

Many cloud computing solutions used by businesses that have merchant accounts do not support compliance with the PCI Data Security Standard (DSS), according to former Siebel Systems chief information security officer David Mortman. Among the cloud computing services that do not support compliance with PCI DSS is Amazon Web Services, Mortman says. He notes that this solution is not suitable for PCI DSS-related data because it does not provide the requisite encryption offerings. However, there are some cloud computing services that are PCI DSS compliant, and businesses with merchant accounts should use these if they want to adopt a cloud computing solution, Mortman says. Similar concerns are being expressed about virtualization offerings. However, businesses can address the PCI compliance issues associated with virtualization offerings by separating virtual machines that process cardholder data from ones that do not onto two different virtual networks.


Online Consumers Seek Out Stronger Security
Computer Weekly (01/20/10) Ashford, Warwick

Most users of online services want stronger forms of encryption, according to a worldwide RSA survey of online consumers. In the past, service providers were often hesitant to implement higher levels of authentication because they were afraid of scaring off users, but 90 percent of those who took part in RSA's survey said they would use stronger forms of authentication if they were available. Among those who use online banking services, 80 percent say they want stronger forms of authentication. Users of government Web sites, health care services, and social networking sites also called for better security measures. Given this strong desire for better forms of authentication, security is now seen as a proven competitive advantage for service providers such as financial institutions, says RSA's Mark Crichton.


Women in the Security Sector
Security Management (01/01/10) Lanfranchi, Mimi

The modern security professional is part of a multicultural work force and represents a variety of ethnic, racial, religious, and gender backgrounds. However, some people still believe that the average security employee is a male with a military or law enforcement background, and while many security are professionals, more and more women are entering the field. Security is one of the fastest-growing professions in the world. Women can provide a unique variety of skills and services to the ever-changing security field. "There are many more women in the security sector today, than when I entered the sector over 20 years ago," says Bonnie Michelman, Director of Police, Security, and Outside Services for Massachusetts General Hospital. "When you demonstrate your credibility in your profession, whether you are male or female, young or old, minority or majority, people respond favorably." Women interested in entering the security field should join their local chapter of ASIS International, which is dedicated to increasing the effectiveness and productivity of security professionals nationwide, according to Eleonora Tumbiolo, District Manager for AlliedBarton Security Services. "Join a committee of your local chapter and be an active member who networks with others. Take the Certified Protection Professional (CPP) exam from ASIS which allows you to become Board Certified in Security Management. This is similar to a CPA for accountants." Tumbiolo also suggests refining communication skills. "While women tend to be good communicators, it helps to become comfortable in public speaking which enhances your communication skills with employees, clients and upper management," says Tumbiolo. ASIS International offers a formal women's mentoring program, and is currently accepting applications for mentors and mentees.




Al Qaeda's Deep Tribal Ties Make Yemen a Terror Hub
Wall Street Journal (01/22/10) Levinson, Charles

Al Qaeda has put down deep roots in Yemen after nearly a decade of rebuilding its terror network in that country. The effort has complicated U.S.-backed efforts to battle the group. Yemen's Al Qaeda in the Arabian Peninsula is a largely homegrown movement, with carefully cultivated ties to the local population, setting it apart from other affiliates of al Qaeda, and possibly making it more difficult to eliminate. In Iraq and Saudi Arabia, al Qaeda's footprint weakened significantly as local support for the group turned sharply against it. To avoid a similar fate in Yemen, the group has worked hard to gain favor with local tribes. "They've worked hard to put deep, and what they hope are lasting, roots that will make it very difficult for them to be rooted out of Yemen," says Gregory Johnsen, a Yemen expert at Princeton University. "They've done a good job of looking at the mistakes that other versions of al Qaeda have made elsewhere." Yemen has emerged as one of the biggest and most dangerous hubs for al Qaeda operations. U.S. officials have tied al Qaeda militants based here to two attacks against U.S. targets, including the attempted Christmas Day airline bombing allegedly by Nigerian Umar Farouk Abdulmutallab. The push into Yemen, say U.S. officials, shows the group's increased ability to wage jihad against the U.S. and its allies, a main al Qaeda goal. Gen. Yahya Saleh, nephew of Yemen's president and the head of one of the country's counterterrorism forces, acknowledges the alliances some tribes have with al Qaeda. Still, he says, "the tribes in Yemen are practical. They know there will be a heavy price to pay for harboring al Qaeda, and more and more, [the tribes] will not be willing to pay that price." A power struggle between the government and the patchwork of tribes across Yemen is also hurting counterterrorism efforts. Recently, allegedly heavy-handed tactics by security forces targeting alleged al Qaeda cells have helped push some tribal sheiks into alliances with al Qaeda.


American Ex-Convicts Suspected of Link to Yemen Militants
Los Angeles Times (01/20/10) Miller, Greg

The Senate Foreign Relations Committee has released a report that found that as many as 36 Americans who became Muslims while in U.S. prisons traveled to Yemen over the past year, possibly to be trained by al-Qaida. According to the report, which was released ahead of a Wednesday hearing on the growing threat from al-Qaida in Yemen, the former convicts traveled to the impoverished Arabian peninsula nation under the pretense of studying Arabic. After they arrived, the ex-convicts disappeared and are believed to have traveled to al-Qaida training camps in ungoverned sections of Yemen, the report said. The report also noted that the trips by the ex-convicts to Yemen are just one piece of evidence that al-Qaida is increasingly trying to recruit American residents and citizens in Yemen, Somalia, and the U.S. In addition, the report said that al-Qaida in the Arabian Peninsula--the group that is believed to be responsible for the failed attempt to bomb Northwest Airlines Flight 253 late last month--has become a dangerous new threat to the U.S. after being on the verge of collapse a couple of years ago. U.S. counterterrorism officials say that they are concerned about the report's findings, since they seem to show that al-Qaida has broadened its recruitment efforts in Yemen to attract "nontraditional followers" who can carry out more ambitious terrorist plots. Some are also concerned that those who traveled to Yemen to receive terrorist training may more easily enter the U.S. than foreigners.


FBI Broke Law in Phone Searches: Report
Reuters (01/19/10) Zakaria, Tabassum

The Washington Post has found that the FBI collected over 2,000 records on U.S. phone calls between 2002 and 2006 by citing terrorism emergencies that did not exist or by convincing phone companies to provide them. In addition, the Washington Post found that counterterrorism officials did not follow procedures that are intended to protect civil liberties, and that officials with the FBI issued approvals to justify collecting the phone records. However, these practices, which ended in 2006, never involved FBI officials obtaining the content of phone conversations, said FBI spokesman Michael Kortan. He also noted that FBI employees never used informal methods to obtain phone records except when there was a "legitimate investigative interest." Meanwhile, FBI general counsel Valerie Caproni said that the bureau's practices technically violated the Electronic Communications Privacy Act, and that it should have stopped the requests for the phone records from being made. Steps have been taken to ensure that requests are not made in similar ways in the future, Kortan said.


Lapses Hurt Intelligence Effort After Failed Jet Attack
Los Angeles Times (01/21/10) Miller, Greg

In an appearance before the Senate Homeland Security Committee on Jan. 20, Intelligence Director Dennis C. Blair testified that authorities may have been too quick to read Northwest Airlines bombing suspect Umar Farouk Abdulmutallab his Miranda rights and allow him to have access to an attorney. In addition, Blair said that a newly-created team of interrogators should have been called in to interrogate Abdulmutallab, who is accused of trying to blow up Northwest Airlines Flight 253 on Christmas Day by attempting to detonate explosives he had sewn into his underwear. Blair noted that this interrogation team--which is made up of experts from the FBI, CIA, and other agencies--was specifically created to question terrorism suspects. But the team was not called in to question Abdulmutallab in part because those who established the unit failed to envision scenarios in which interrogators were used to question someone who was captured in the U.S., Blair said. Some lawmakers at the hearing said that the failure to bring in the team of interrogators may have cost the U.S. a chance to glean valuable intelligence from Abdulmutallab, who may have had significant information about al-Qaida in the Arabian Peninsula, the group that has claimed responsibility for the failed Christmas attack. After Wednesday's hearing, Blair issued a statement saying that his testimony had been misconstrued and that the FBI had gathered important intelligence from its questioning of Abdulmutallab. However, Blair and several other counterterrorism officials testified that they were not consulted on the decisions to Mirandize Abdulmutallab or provide him with access to an attorney.


Potential Defects in Cockpit-Door Locks Worry Officials
Wall Street Journal (01/21/10) Pasztor, Andy

Aviation regulators from around the world are pushing airlines to complete repairs on the secure cockpit doors on at least 1,600 airplanes, including rough 800 Boeing 747 jumbo jets and hundreds of commonly used Airbus models, including the Airbus A320. Regulators, including the Federal Aviation Administration and its European counterpart, the European Aviation Safety Agency, say the doors--which are designed to keep unauthorized individuals from gaining entry to flight decks--have electrical controls or bolts that can jam or fail to operate properly. Officials are concerned that the defects in the doors could pose a security risk. In addition, the problems with the doors could create safety issues if they prevent the doors from being opened in the event of a rapid decompression in the cockpit. The repairs on the doors are expected to last until the spring. Problems with the doors have been reported on a regular basis over the last several years. Airline pilots have filed a number of reports detailing a variety of different issues with the doors, including defects in the doors' electrical systems that could cause them to jam in the open position or smolder after being locked. Some defects could also allow the doors to be opened by nearby radio transmissions.




DIY Cybercrime Kits Power Growth in Phishing Attacks
USA Today (01/18/10) P. 3B; Acohido, Byron

Security researchers say that cybercriminals are increasingly using inexpensive do-it-yourself (DIY) kits to launch phishing campaigns. DIY kits contain everything a cybercriminal needs to launch phishing attacks, including fake emails that are designed to look like legitimate messages from well-known companies. The messages typically ask the recipient to click on a link, which will infect their PC with a banking Trojan that steals the log in information for their financial accounts. Some messages also turn the victim's machine into a bot that can be used to send out additional phishing emails. In addition to fake messages, some DIY kits contain tools that cybercriminals can use to bypass antivirus software. The increased availability of these kits has been blamed for the 77 percent increase in unique banking Trojans intercepted by PandaLabs in 2009, as well as the 10-fold increase in phishing emails blocked by App River last October. App River researcher Fred Touchette says the problems caused by DIY kits are not likely to go away anytime soon, given the fact that the kits make it too easy to get malware into circulation.


Companies Fight Endless War Against Computer Attacks
New York Times (01/17/10) Lohr, Steve

The growing sophistication of cyberattackers and the susceptibility of even the best defensive measures is highlighted by the recent attacks against Google from within China, according to security experts. Despite the billions of dollars that government agencies and corporations are spending each year on specialized anti-malware programs, malicious hackers appear to have the edge. A recent Computer Security Institute (CSI) survey of nearly 450 companies and government agencies found that 64 percent reported malware infiltration, versus 50 percent the previous year. CSI director Robert Richardson says that malware is an ever-growing threat, and notes that "now the game is much more about getting a foothold in the network, for spying." Security experts cite employee awareness and training as a critical defense measure, as many malware infections stem from old-fashioned scams such as phishing schemes. "Fighting computer crime is a balance of technology and behavioral science, understanding the human dimension of the threat," says former FBI agent Edward M. Stroz. Although sharing information and knowledge with customers online is viewed as essential to achieving greater flexibility and efficiency, it raises the threat of outside incursions. Some experts say the long-term solution to the threat of malevolent hackers is to steer the software industry on a path toward maturation, with standards, defined responsibilities, and accountability for security lapses directed by forceful self-regulation or by the government.


Every IT User Is at Risk From Cyberattacks
Financial Times (01/20/10) P. 19; Twentyman, Jessica

The recent cyberattacks on Google's infrastructure underscore the fact that everyone who uses information technology (IT) is vulnerable to attacks. However, different users have to worry about different threats. Corporations, for example, primarily have to worry about SQL injection attacks launched by botnets. These attacks, in which commands are sent to a Web application's underlying database through the application's data entry fields, can be used to steal sensitive data such as credit card numbers. Unfortunately, traditional firewalls cannot protect corporate networks from SQL injection attacks because the commands sent during these attacks look just like normal Web traffic. The best strategy cybersecurity professionals can implement to protect against SQL injection attacks is to look for vulnerabilities in the code of Web applications, though this is a painstaking process. Compounding the problem is the fact that there are a number of political and technical obstacles that prevent law enforcement agencies from going after botnets that launch SQL injection attacks, says Dimension Data's Neil Campbell. For example, most countries do not have a workable definition of what cybercrime is, let alone the resources and the knowledge to deal with the problem. In addition, international law enforcement agencies have not yet developed robust responses to cybercrimes.


Google Attack Puts Spotlight on China's 'Red' Hackers
Reuters (01/20/10) Lee, Melanie; Hornby, Lucy

The recent cyber-attack on Google has brought to light the presence of Chinese hackers, known as the Hong Ke. These hackers, often called red visitors in China, usually cannot be connected officially to the Chinese government or military, though some cybersecurity experts report that they believe it's likely either could have supported the recent Google attack. The Honker Union, China's most famous group of Hong Ke, denies that it had any involvement in the Google incident or any other politically-motivated attack. According to one of its hackers, the Honker Union works "only for the security of China's Web sites." Despite these protestations, the Honker Union was involved in a 2001 cyber-war with U.S. hackers over the Hainan spy plane incident and recently attacked Iranian Web sites in retaliation for the Iranian Cyber Army's infiltration of the Chinese search engine Baidu. Unfortunately, it may be difficult to trace the perpetrators of the attacks on Google, because hacking is a major industry in China. Would-be hackers can buy hacking lessons online and tutors are often available via interactive chat sessions. Some hackers also train at schools like the Communication Command Academy in order to gain access to sensitive information, says cyber-expert James Mulvenon. According to Mulvenon, China could now have as many as 50,000 military hackers trained or in training. However, his figures could not be independently verified.


Google Attack Used Internet Explorer Flaw
InformationWeek (01/14/10) Claburn, Thomas

China's December 2009 cyberattack against Google and 33 other firms took advantage of a zero-day vulnerability in Internet Explorer. "In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer," says McAfee CTO George Kurtz. "We informed Microsoft about this vulnerability and Microsoft is expected to publish an advisory on the matter soon." The advisory says the flaw "exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution." Google revealed the attack in a Jan. 12 blog post, saying it had led to the breach of some of the company's intellectual property. Some information technology security analysts have proffered that a weakness in Adobe's Reader or Acrobat software was to blame, but Adobe, also a victim of the attack, said it found no evidence to suggest its software was at fault.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment