Search This Blog

Friday, March 19, 2010

Security Management Weekly - March 19, 2010

header

  Learn more! ->   sm professional  

March 19, 2010
 
 
Corporate Security

  1. "Workplace Gun Law 'Appropriate'" Indiana
  2. "Ex-Gallery Owner Pleads Guilty in $120 Million Art Fraud"
  3. "Lilly Drugs Stolen in Warehouse Heist"
  4. "Wal-Mart Worker Fired Over Medical Marijuana"
  5. "Dos and Don'ts of Documentation" Employee Performance
Homeland Security

  1. "Fence Frustrates Minutemen, Too" Border Security
  2. "Attorneys: Chicago Man Providing Info on Terrorism"
  3. "Gang Questioned in Mexico Killings"
  4. "Killings Cast Pall on Mexico Drug Plan"
  5. "Recent Changes Show Challenge of US Terrorists"
Cyber Security

  1. "Data Breaches are Heaviest at Hotels"
  2. "Measure Would Force White House, Private Sector to Collaborate in Cyber-Crisis"
  3. "Broadband Plan Gives FCC Wider Cybersecurity Role"
  4. "What are the Most Underrated Security Technologies?"
  5. "New Internet Browser Threat Sneaks By Traditional Defenses"

   

 
 
 

 


Workplace Gun Law 'Appropriate'
Gary Post Tribune (03/19/10)

A new Indiana law that allows some employees in the state to keep guns concealed in their cars while at work will not result in more workplace violence, said Mark Becker, the chief of police of Portage, Ind. Becker noted that someone who wants to shoot up their workplace would still do so regardless of whether it is legal to keep concealed firearms in vehicles parked on company parking lots. Becker's remarks came as Indiana Gov. Mitch Daniels signed the firearms legislation into law on Thursday. That legislation, which was approved the Indiana General Assembly the day before a shooting at the Indiana Department of Workforce Development Office in Portage on March 5, has been criticized by some who say that it would result in an increase in workplace violence. Supporters of the new law say it merely allows people who are legally allowed to carry weapons to keep them in their vehicles while at work.


Ex-Gallery Owner Pleads Guilty in $120 Million Art Fraud
Wall Street Journal (03/18/10) Bray, Chad

Lawrence B. Salander, the former co-owner of the now-bankrupt Salander-O'Reilly Galleries in New York City, pleaded guilty on Thursday to charges of stealing $120 million from investors and art owners over a period of more than three years. According to prosecutors, Salander defrauded his victims--who were his long-time friends and business colleagues--by selling artwork he did not own and keeping the money. Prosecutors also say that he convinced people to invest in fraudulent ownership interests involving art work. In addition, Salander offered artwork he never owned as collateral for a $2 million personal loan. Salander is expected to be sentenced to between six and 18 years in prison and will be ordered to repay the $120 million he admitted to stealing.


Lilly Drugs Stolen in Warehouse Heist
Wall Street Journal (03/17/10) Efrati, Amir; Loftus, Peter

Thieves stole $75 million in drugs from an Eli Lilly & Co. warehouse in Enfield, Conn., last weekend, in what was one of the biggest thefts of pharmaceuticals of all time. During the heist, the thieves disabled the warehouse's interior alarm system and broke into the building by cutting a hole in the roof and sliding down a rope. The thieves then spent hours inside the warehouse loading dozens of crates of prescription drugs onto a tractor-trailer. The heist at the Eli Lilly warehouse is just the latest in a long strong of thefts to strike the pharmaceutical sector over the last several years. According to Dan Burges, the director of intelligence at the U.S. division of the supply-chain security consultant FreightWatch International, there were 46 drug thefts valued at a total of $184 million in 2009, up from 35 thefts valued at a total of $41 million in 2007. So far this year, there have been 10 thefts of pharmaceuticals valued at a total of $110 million. As a result of these thefts, pharmaceutical companies are taking steps to protect their supply chains, including using tracking devices and services.


Wal-Mart Worker Fired Over Medical Marijuana
MSNBC (03/17/10) Tahmincioglu, Eve

Companies that operate in states that have legalized medical marijuana often face a dilemma when deciding how to handle employees who use the drug. Many of the 14 states that have legalized medical marijuana have not addressed the issue of how employees who use the drug are protected in their workplaces. As a result, some companies are choosing to fire employees who they know are legally allowed to use medical marijuana in an effort to avoid charges of negligence that could be made in the event that such employees injure a customer, said Richard Meneghello, an attorney for the Portland, Ore., law firm Fisher & Phillips. The issue has garnered increased attention after Wal-Mart decided to fire 29-year-old Joseph Casias, an employee at the company's store in Battle Creek, Mich., who used medical marijuana to help him deal with the pain caused by sinus cancer and an inoperable brain tumor. Although Casias had a medical marijuana card and a prescription for the drug from his doctor, and said he never went to work under the influence of the drug, Wal-Mart fired him because it was concerned about the "overall safety" of its customers and employees, said company spokesman Greg Rossiter. However, Michigan's medical marijuana law prohibits companies from discriminating against individuals who have medical marijuana cards. Michigan's Department of Civil Rights is investigating the case to see if Wal-Mart violated the state's disabilities protection laws. Casias, for his part, has not decided whether to legally challenge his termination.


Dos and Don'ts of Documentation
Security Management (03/10) Vol. 54, No. 3, P. 66; Thelen, Jim

It is important for companies to accurately document the performance of their employees as well as any interactions workers have with members of management, since doing so can help firms protect themselves from lawsuits stemming from adverse employment actions. In order to accurately document employee performance, companies must first build a strong foundation for record creation and retention. The process of laying such a foundation includes several steps, such as creating a culture of good record keeping and employment documentation and devising a written policy for record keeping and employment documentation. Such policies should address a number of issues, including a definition of which records they govern and the guidelines for retaining records. In addition, companies should ensure that employees who create and maintain employment records are adequately trained and that those who are charged with keeping records are held accountable. The employment records policies that companies devise should require these employees to report back to the CEO or board of directors each year about accountability under the policy. Finally, companies need to follow best practices of employment record keeping, including documenting an employee's performance, good or bad, as well as discussions about the employee's performance. Doing this will help ensure that any bad performance is recorded in the event that the employee is fired and subsequently files a wrongful termination lawsuit.




Fence Frustrates Minutemen, Too
Wall Street Journal (03/19/10) Campoy, Ana

As the Department of Homeland Security (DHS) has frozen spending for the virtual fence project along the U.S.-Mexico border, some citizens have taken it upon themselves to set up similar monitoring systems. However, these independent systems have encountered some of the same problems as the government's project. For example, a network of 20 solar-powered cameras set up by Web developer Jim Wood on a private ranch 50 miles east of San Diego often does not work because of water damage or lack of sunlight. In addition, the system's motion detectors have had to be turned off because they are triggered by vegetation movement in the wind. Similar problems have plagued DHS's Secure Border Network Initiative, causing the department to divert funding to more practical equipment such as mobile radios and laptops. Still, these cyber-minutemen appear dedicated to their task. Wood says that approximately 1,000 people have passed a test to gain access to camera signals along the border. If any suspicious crossers are spotted, group members alert the border patrol.


Attorneys: Chicago Man Providing Info on Terrorism
Associated Press (03/19/10) Robinson, Mike

David Coleman Headley, an American citizen who pleaded guilty on Thursday to conducting surveillance for Pakistani militant group Lashkar-e-Taiba prior to its attack on Mumbai that killed 166 people in November 2008, is reportedly providing investigators with information about terrorist networks. Sources say that Headley has become a valuable asset to the war on terrorism in exchange for a promise that he will not be executed. Headley still faces a potential life sentence. While specifics of the majority of Headley's information have not been released, his signed plea agreement describes how he met with terrorist leader Ilyas Kashmiri in Western Pakistan in 2009. Kashmiri allegedly put him in contact with a European source who could provide weapons and manpower for Headley's planned attack on a Danish newspaper. Under his cooperation agreement, Headley may also testify against Tahawwur Hussain Rana, his alleged co-conspirator in the plot to attack the newspaper in Denmark. Rana, a Canadian living in Chicago, has pleaded not guilty to conspiring to provide material support to terrorists.


Gang Questioned in Mexico Killings
Wall Street Journal (03/19/10) Casey, Nicholas

Law enforcement officials on Thursday questioned members of the El Paso, Texas-based gang Barrio Azteca, which is believed to have been involved in the murders of three people with connections to the U.S. consulate in Ciudad Juarez last weekend. FBI spokeswoman Andrea Simmons said that several members of the gang--which has ties to a Mexican drug cartel that is locked in a bloody dispute with another drug ring over the power to smuggle marijuana and cocaine into the U.S.--were arrested, though all of those arrests were related to outstanding warrants. No one was arrested for being directly involved in the killings of consulate employee Lesley Enriquez and her husband Arthur Redelfs, as well as Mexican citizen Jorge Alberto Salcido, whose wife was an employee at the U.S. consulate. It remains unclear why the three individuals were killed. Authorities say that gang members may have mistaken the three for other individuals being targeted.


Killings Cast Pall on Mexico Drug Plan
Wall Street Journal (03/18/10) Luhnow, David; Casey, Nicholas

Critics of Mexican President Felipe Calderon say that the recent killings of three people with connections to the U.S. consulate in Ciudad Juarez shows that the strategy of sending in troops to quell drug violence in the border city is not working. Violence has spiraled out of control in Ciudad Juarez since Calderon deployed 7,000 troops to the city to help end a turf war between two Mexican drug gangs vying to control the rights to smuggle narcotics into the United States. Since Calderon came to power in December 2006, there have been 5,349 drug-related murders in Ciudad Juarez, which represents nearly a third of the more than 18,000 killings recorded throughout Mexico in the same time period. Critics say that one reason why the influx of troops into Ciudad Juarez has failed to quell the violence is because the military does not have the training for intelligence work or counterinsurgency operations. According to Arturo Yanez, a former Mexican antidrug official, the government should do more to support local prosecutors and police, who are able to get the best intelligence. Others say that the Mexican army could develop the intelligence capacity needed to end the violence in Ciudad Juarez if it received more direct training from the U.S. military. However, Mexico is unlikely to ask the United States to provide such training because it fears that doing so would hurt its sovereignty. Meanwhile, aides to Calderon have signaled that the president could change his strategy for dealing with drug violence in the country. That new strategy could include a greater focus on intelligence work, as well as efforts to provide counseling for drug addicts, create jobs, and build new schools and parks.


Recent Changes Show Challenge of US Terrorists
Associated Press (03/17/10) Sullivan, Eileen; Barrett, Devlin

The recent arrests of several Americans accused of having terrorist connections--including Colleen LaRose, a Pennsylvania woman who allegedly met jihadists online and is believed to have been involved in a plot to kill a Swedish cartoonist--underscores the fact that homegrown extremism is increasingly becoming a threat to the U.S. According to former Homeland Security Secretary Michael Chertoff, there is no one reason why an individual may be attracted toward terrorism. He noted that a combination of factors, including psychology, sociology, and cultural influences, can push someone towards radical Islam. Chertoff said that he is not surprised by recent arrests of Americans with alleged terrorist ties, as officials have said for years that there would be an increase in homegrown extremism. With the arrest of LaRose and others, including accused Fort Hood shooter Maj. Nidal Malik Hasan, it appears that those predictions have come to pass, Chertoff said. As a result, Chertoff said, communities need to be on the lookout for behavior that may indicate that an individual is becoming radicalized. He added that law enforcement officials need to educate people about the different signs of terrorism.




Data Breaches are Heaviest at Hotels
Wall Street Journal (03/18/10) P. D3; Nassauer, Sarah

Research by several data-security firms shows that the hotel industry is the biggest target of hackers looking to steal credit-card data. Trustwave's SpiderLabs unit, for example, found that 38 percent of the data-breach investigations it launched last year took place at hotels. By comparison, 19 percent of SpiderLabs' data-breach investigations occurred at financial services companies. Verizon Business, meanwhile, said it has also noticed an increase in the number of hacks at hotels beginning last April. According to Nicholas Percoco, the senior vice president of Trustwave and the head of SpiderLabs, hackers tend to focus on one particular industry once they discover its weaknesses. In the case of the hotel industry, the most common weakness is the point-of-sale software used to process credit card transactions. Point-of-sale systems can be vulnerable to hackers when the third-party IT companies that hotels hire to manage these systems leave remote access user names and passwords blank or fail to change them from their default setting. This allows hackers to find the usernames and passwords needed to log in to the system and steal credit-card information. Trustwave and Verizon said companies can protect themselves from such attacks by following the PCI Security Standards Council Data Security Standards. Verizon says it has never investigated a successful data breach that took place at a merchant that was compliant with the PCI DSS.


Measure Would Force White House, Private Sector to Collaborate in Cyber-Crisis
Washington Post (03/17/10) P. A4; Nakashima, Ellen

U.S. Senate Commerce Committee Chair John D. Rockefeller IV (D-W.Va.) and committee member Olympia J. Snowe (R-Maine) are gearing up to reintroduce a piece of legislation first unveiled last year that aims to improve the security of the nation's computer networks. Under the legislation, known as the Cybersecurity Act, the White House would be required to work with the private sector to formulate a response to a crisis that affects vital computer networks. Such a response would involve determining which industry networks are considered "critical" and determining how those networks should be protected. In addition, the legislation would require federal agencies that have a role to play in securing the nation's computer networks, including the Defense Department and intelligence agencies, to help develop an emergency response plan. Not included in the legislation is controversial language from the 2009 version that would have given the president the authority to shut down portions of computer networks in the event of an emergency. Despite the deletion of the controversial language, experts say that they do not believe that the bill will pass Congress this year, due to the lateness of the current session and the fact that there is not a similar measure being considered in the House.


Broadband Plan Gives FCC Wider Cybersecurity Role
Computerworld (03/17/10) Vijayan, Jaikumar

The Federal Communications Commission's (FCC) newly-released National Broadband Plan contains several recommendations designed to improve cybersecurity. The report calls for the FCC to have an expanded role in cybersecurity development and to work closely with the Department of Homeland Security on cybersecurity issues. Specifically, the FCC is called on to create a cybersecurity "roadmap" that identifies the top five cyberthreats facing the United States and come up with a two year plan for addressing those threats. The plan also requires the FCC to enhance its network outage reporting requirements for broadband service providers and to work with the National Communications System to create priority network access and rerouting capabilities for law enforcement and public safety officials.


What are the Most Underrated Security Technologies?
CSO Online (03/17/10) Brenner, Bill

There are some security technologies that cybersecurity experts say are underrated. Among them is the whitelisting feature included in Web Application Firewalls, which only allows Web traffic that is known to be legitimate onto the network. Some IT professionals are hesitant to use whitelisting because they believe it is too difficult to limit what types of Web applications people can run and what types of Web sites they can visit, says consultant Andy Willingham. However, whitelisting would have completely prevented the security breach caused by Operation Aurora, even after a user clicked on a link for a malware-laden Web site, says ISM's Chris Young. Another underrated security technology is encryption, which is needed to protect data that a company is required to store on its network. CPU stress utilities, which can be used to flush out the exact memory address or addresses used by a CPU cache poisoning exploit, also are more valuable than most people think, says Kandy Zabka, a botnet researcher and moderator for the Infosec Island Forum. Finally, experts say that antivirus software and firewalls are an essential part of network security, even though some say that they are obsolete because they cannot keep up with new malware.


New Internet Browser Threat Sneaks By Traditional Defenses
Network World (03/16/10) Greene, Tim

An inconspicuous browser bug that exposes corporate networks to attackers is number one on the list of the most potentially potent new attacks that have been discovered by security experts scanning for vulnerabilities to exploit, according to a White Hat Security study. The one attack considered most virulent is called DNS rebinding in which nefarious users twist users' browsers into Web proxies that are under the control of the attackers, says White Hat chief technology officer Jeremiah Grossman who, with the assistance of other professionals, amassed the top 10 list of emerging threats. The attack operates by fooling browsers into locating internal servers on the victim's network at the command of the attacker, who can direct it to locate and transmit corporate data to an external machine, according to Grossman. The browser performs no unusual tasks, and DNS servers are not interfered with, he notes. "It's pretty much impossible to see. It leaves no traces," says Grossman.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: