Friday, March 05, 2010

Security Management Weekly - March 5, 2010

Corporate Security

  1. "Stores Land in Gun-Control Crossfire"
  2. "Ind. General Assembly Approves Bill Barring Employers From Banning Guns on Workplace Property"
  3. "Medical Pot Not Welcome in Workplace" Colorado
  4. "Average Annual Cost of PCI Compliance Audit? $225k"
  5. "States Consider Banning Credit Checks on Job Applicants"
Homeland Security

  1. "Gunman Killed After Shooting 2 Police Officers at Pentagon Entrance"
  2. "Obama Aides Near Reversal on 9/11 Trials"
  3. "U.S. Will Determine Who Can Board Some Canadian Flights"
  4. "Q+A - Maritime Terrorism Could Have Global Economic Impact"
  5. "No Finish in Sight for 'Virtual' Border Fence"
Cyber Security

  1. "Homeland Security Seeks to Thwart Cyber-Attacks"
  2. "Feds Weigh Expansion of Internet Monitoring"
  3. "US Plan to Make Hacking Harder Revealed"
  4. "Jihad in Cyberspace"
  5. "New Zero-Day Involves IE, Puts Windows XP Users at Risk"


Stores Land in Gun-Control Crossfire
Wall Street Journal (03/04/10) O'Connell, Vanessa; Jargon, Julie

The debate between gun-control advocates and supporters of the "open carry" movement, which seeks the right to carry holstered pistols openly in public places, has recently centered on a number of the nation's major retailers. At present, businesses have the final say on whether someone may carry a firearm on their premises. A number of major retailers, including Starbucks, Wal-Mart, Home Depot, Best Buy, Barnes & Noble, and Target, have no specific policy banning guns. Gun advocates have labeled these stores "OC friendly," and are also compiling lists of companies that post no-weapons signs in order to facilitate boycotts. It is legal to openly carry a loaded handgun in 29 states without any form of government permission, and an additional 13 states allow an unconcealed loaded handgun with a carry permit. In other states, such as California, where it is legal to openly carry only an unloaded weapon, growing numbers of gun activists have started using OC-friendly businesses as venues to protest what they argue are unfair limits on concealed-carry permits. In response, gun-control activists have begun circulating petitions asking companies such as Starbucks to prohibit individuals from carrying unconcealed firearms on their premises; one such petition has reportedly gathered 28,000 signatures so far. The IWW Starbucks Workers Union has also issued a statement saying that Starbucks has not made an effort to "widely engage its workers who are directly affected by open-carry gun laws."


Ind. General Assembly Approves Bill Barring Employers From Banning Guns on Workplace Property
Associated Press (03/04/10)

The Indiana General Assembly on Thursday passed legislation that allows most workers in the state to keep guns concealed in their cars while they are at work. However, the bill includes exemptions for a number of different types of companies and organizations, including public utilities, chemical plants, and agencies whose drivers transport individuals with developmental disabilities. The bill was passed despite claims that it would lead to an increase in workplace violence. Supporters of the legislation, however, say that it simply allows people with legal rights to carry firearms to keep them in their cars while at work. The bill now goes on to Gov. Mitch Daniels for his signature.


Medical Pot Not Welcome in Workplace
Pueblo Chieftain (CO) (03/03/10) Roper, Peter

Although Colorado voters legalized medical marijuana in 2000, the drug remains unwelcome in many workplaces. Pueblo County officials, for example, have advised employees that medical marijuana will be treated much the same as alcohol: workers may not use it on the job or come to work under its influence, and supervisors who believe a worker may be impaired can require a test. According to the Colorado Department of Public Health and Environment, the number of state-approved medical marijuana cards has risen to approximately 20,000, despite conflicting state laws. Amendment 20 specifically excludes the workplace as a place to use medical marijuana, but a separate state law protects employees from being fired for engaging in a legal activity while away from the job. In California, by contrast, the state Supreme Court ruled in January 2008 that a private employer could fire a worker for using medical marijuana, on the basis of company drug policy and the fact that the drug remains illegal under federal law. Courts in Oregon and Washington state have also upheld this right.


Average Annual Cost of PCI Compliance Audit? $225k
Network World (03/01/10) Messmer, Ellen

The average yearly cost of a Payment Card Industry Data Security Standard (PCI DSS) compliance audit for merchants is $225,000, according to a Ponemon Institute survey of 155 qualified security assessors (QSAs). Ten percent of audited businesses pay at least $500,000 annually, and 2 percent fail their audits. More than half of the QSAs said their clients consider PCI DSS too expensive, while 20 percent said their clients were satisfied with compliance costs. Fifty-two percent of QSAs said merchants fail to proactively manage data privacy and security in their environments. Sixty percent named encryption as the most effective technology their clients use, although the standard currently contains no specific mandate for end-to-end encryption of cardholder data. The Ponemon report also notes that 41 percent of merchants rely on "compensating controls," the PCI DSS provision that lets a merchant satisfy a requirement through alternative measures when it cannot implement the control as written, subject to the assessor validating that the alternative addresses the same risk.


States Consider Banning Credit Checks on Job Applicants
Associated Press (03/01/10)

Employers have long used credit checks to gauge job candidates' honesty and sense of responsibility, but lawmakers in some states want to limit the practice. Missouri and at least 15 other states are considering bills that would outlaw most credit checks during job screening, and a U.S. House committee is considering a bill that would bar employers from using credit checks in hiring for most positions. Both the state and federal bills carry exemptions for cases where the information in a credit report is relevant to the position, such as a job at a bank or in an accounts-payable office. Supporters say limits are needed because past financial problems should not prevent people from finding work. Human resource managers have criticized the bills, saying they could make it harder for employers to make sound hiring decisions. Opponents also point to a 2008 survey that found that living beyond one's means and having difficulty meeting financial obligations, both of which show up in a credit report, are the two most common warning signs of employees who commit workplace fraud.




Gunman Killed After Shooting 2 Police Officers at Pentagon Entrance
Washington Post (03/05/10) Klein, Allison; Williams, Clarence; Wilgoren, Debbi

Two Pentagon police officers posted near an entrance linking the U.S. Defense Department headquarters with the building's subway station were wounded on the evening of March 4 when a gunman opened fire on them without warning. Witnesses and police say the gunman, 36-year-old John Patrick Bedell of California, walked calmly up to the entrance and reached into his pocket as if to show the officers a security pass to enter the Pentagon. Instead, Bedell pulled out a 9-millimeter semiautomatic handgun and immediately opened fire, hitting one officer in the shoulder and another in the thigh. They and a third officer returned fire, hitting Bedell in the head. Bedell, who police say was carrying a second 9-millimeter handgun and several magazines of ammunition, later died of his injuries. In the aftermath of the attack, the Pentagon was temporarily locked down and the facility's subway station was closed through March 5. According to Pentagon police chief Richard S. Keevill, Bedell appears to have acted alone and had no ties to a terrorist plot; police are investigating whether anger at the government motivated the shooting.


Obama Aides Near Reversal on 9/11 Trials
Washington Post (03/04/10) Kornblut, Anne E.; Finn, Peter

President Obama's advisors are nearing a recommendation that Khalid Sheik Mohammed, the self-proclaimed mastermind of the 9/11 attacks, be prosecuted before a military commission, according to administration officials. Such a recommendation would reverse Attorney General Eric H. Holder's decision to try Mohammed and his alleged co-conspirators in civilian court in New York City. Sources say the president's advisors feel increasingly thwarted by bipartisan opposition to a federal trial in New York, as well as by demands, primarily from Republicans, that the defendants be tried by a military commission. If the reversal goes forward, the White House may be able to secure from Congress the funding and legal authority it needs to close the U.S. military prison at Guantanamo Bay and replace it with a facility inside the United States. An announcement of the president's decision is expected before he leaves for Indonesia on March 18. If Obama does decide on a military trial, Mohammed and his alleged co-conspirators will have to be rearraigned, because the charges against them were dropped in January ahead of the planned civilian trial; a military trial would therefore have to "start back at square one," a military official who spoke on condition of anonymity said. Nothing, however, would prevent the government from using Justice Department lawyers to help try the case before a military commission.


U.S. Will Determine Who Can Board Some Canadian Flights
Montreal Gazette (Canada) (03/04/10) Dougherty, Kevin

Airlines around the world will have to comply with the United States' Secure Flight program beginning this December. Under the program, created by the Intelligence Reform and Terrorism Prevention Act of 2004, airlines must submit the names of most passengers flying to, from, or over the United States to the Department of Homeland Security 72 hours before their flights. Passengers on flights between two Canadian cities that happen to pass over U.S. airspace are excluded. The information goes to the Transportation Security Administration (TSA), which checks passengers' names against terrorist watch lists; a passenger whose name matches an entry on a watch list will not be allowed to board. The program has been criticized by the Government Accountability Office and others who say it will result in more airline passengers being misidentified as potential terrorists. However, Homeland Security spokeswoman Andrea McCauley said the program will likely produce fewer false positives than the current no-fly list system. Under that system the airlines themselves match passenger names against the list; Secure Flight moves the matching to TSA and also uses each passenger's date of birth and gender, which is what lets it distinguish travelers who merely share a name with a listed person.


Q+A - Maritime Terrorism Could Have Global Economic Impact
Reuters (India) (03/04/10) Marshall, Andrew

The Singapore Shipping Association said Thursday that a terrorist group is planning to attack oil tankers in the Strait of Malacca, the busy shipping lanes between the Malaysian peninsula and Sumatra. There are concerns that terrorists who hijack oil tankers, or vessels carrying other flammable cargo, could use them as "floating bombs" to be detonated in order to disrupt shipping or destroy a port. Analysts say, however, that fears of detonating oil tankers are overblown, since crude oil is not particularly flammable. A more likely target would be a ship carrying ammonium nitrate, a fertilizer that is highly explosive when mixed with fuel oil. Should such an attack succeed, it could have significant consequences if it disrupted shipping in the Strait of Malacca or a major port such as Singapore. According to the World Economic Forum's Global Risks 2010 report, a major terrorist attack that closed a port for several weeks would have "severe economic consequences" for trade because it would cause "major disruptions in complex just-in-time supply chains that comprise the global economy."


No Finish in Sight for 'Virtual' Border Fence
Washington Times (03/01/10) Anderson, Jeffrey

The Department of Homeland Security (DHS) is reevaluating the high-tech component of its plans for a virtual fence along the U.S.-Mexico border following a series of critical Government Accountability Office (GAO) reports on the project. Since February 2007, the GAO has released several reports warning Congress and DHS that the virtual border-protection system needed better oversight and accountability and lacked realistic measures of cost, timing, and benefits. The GAO also pointed out that Boeing, the contractor building the system, had failed to show how the $1.1 billion system would meet the objectives of the Secure Border Initiative (SBI), a multiyear, $4 billion DHS proposal to secure the 2,000-mile U.S.-Mexico border. According to the GAO, these problems are the cause of the numerous delays that have plagued the virtual fence. In September 2009, the GAO estimated that the project, originally scheduled for completion in 2009, would likely not be ready until at least 2016, if it continues at all. The Obama administration has requested $574 million for the program in fiscal year 2011, nearly a 30 percent cut from the $800 million Congress approved for 2010. The GAO and some lawmakers, however, question the need to spend more money on a project that has not yet proven to be workable.




Homeland Security Seeks to Thwart Cyber-Attacks
San Francisco Chronicle (03/05/10) P. D1; Martinez-Cabrera, Alejandro

The federal government is taking a number of different steps to improve cybersecurity, Homeland Security Secretary Janet Napolitano said during her keynote address to the RSA Conference in San Francisco on Wednesday. For instance, the Department of Homeland Security is planning to hire a number of cybersecurity professionals, Napolitano told the gathering of thousands of security experts. Napolitano added that she would like to see some security experts in the private industry come to work for the federal government, which she said needs "the best minds to meet the challenge" of securing the nation's IT networks. Another part of the government's strategy for improving cybersecurity, Napolitano said, is educating users about cybersecurity. Napolitano noted that education is important because technology cannot protect networks unless "professionals and (people)… understand how to stay safe online." As part of DHS' efforts to improve people's knowledge about cybersecurity issues, Napolitano said, the agency will launch a cyber-security public awareness campaign similar to forest fire prevention and anti-smoking campaigns.


Feds Weigh Expansion of Internet Monitoring
CNet (03/04/10) McCullagh, Declan

The U.S. Department of Homeland Security (DHS) and the National Security Agency (NSA) are considering a future expansion of Internet communications monitoring to the private sector. DHS cybersecurity official Greg Schaffer says the department is assessing whether its Einstein 3 system for detecting and preventing cyberattacks "makes sense for expansion to critical infrastructure spaces" over time. The White House recently confirmed that Einstein 3 attempts to block electronic attacks in progress and that doing so involves sharing information with the NSA. Some civil liberties advocates say the technology could be used to snoop on private networks, a notion Schaffer rejects. "As a practical matter, you're looking at data that's relevant to malicious activity, and that's the data that you're focused on," he says. "It's not necessary to go into a space where someone will say you're acting like Big Brother." If successful, Einstein 3 could help less-prepared companies ward off intrusions. At the recent RSA Conference, DHS Secretary Janet Napolitano emphasized the need for greater cooperation between the public and private sectors on cybersecurity, noting that "we need to have a system that works together."


US Plan to Make Hacking Harder Revealed
Financial Times (03/03/10) P. 4; Menn, Joseph

The Obama administration has declassified part of its plan to improve the security of cyberspace in an attempt to cultivate greater collaboration between government and civilian groups. More cooperation between the private sector and the U.S. National Security Agency is the centerpiece of the Comprehensive National Cybersecurity Initiative (CNCI). The declassified abstract of the plan reveals that the U.S. Department of Homeland Security will operate a new security system, called Einstein 3, that analyzes email and other data traffic into and out of federal networks. CNCI also urges merged oversight of federal spending on research and development in cybersecurity, with a particular focus on "leap-ahead" technology. Although the initiative acknowledges that traditional security approaches "have not achieved the level of security needed," it says the federal government is now outlining "grand challenges" for the research community to help solve the most difficult problems. In addition, CNCI calls for greater sharing between government agencies and private companies of the knowledge that the former group obtains about cyberthreats.


Jihad in Cyberspace
Counter Terrorist (03/10) Vol. 3, No. 1, P. 58; Bumgarner, John; Mylrea, Michael

Jihadist groups are exploiting the free and open frontier of cyberspace as a safe haven where they can orchestrate, train for, and fund physical acts of terrorism. Their activities are enabled by social networking sites, encryption programs, and other Web-based services. Extremists can prevent or detect infiltration by counterterrorist operatives by taking advantage of the user controls available on many social networking sites. They can also avoid detection by concealing themselves on those sites, for instance by using masking methods to avoid phrases or terms that would raise red flags. Some extremists lower the risk of infiltration further by setting up their own portals on systems controlled by third-party hosts who are unaware of the extremists' activities. Organizers of extremist Web forums have started to hide their communications with advanced encryption programs, making it increasingly difficult for law enforcement agencies to monitor jihadist operations. The extremist portals are also a source of training materials, and virtual jihadist training is expanding thanks to online video streaming. Extremist groups use video as a tool of psychological warfare, directing persuasive communications at a target audience to spread their ideologies and to publicize their attacks for maximum emotional impact. The Internet is also a jihadist tool for executing terrorist operations such as the 2008 Mumbai attacks: before the attacks, the extremists researched their targets remotely using sites such as Google Earth and reportedly exchanged information with handlers in other locations over the Internet. There are also allegations that Al Qaeda has used online imagery to study potential U.S.-based targets, such as natural gas storage facilities and nuclear power plants. As cyber-extremist organizations continue to thrive, more sophisticated initiatives to combat them will need to be deployed.


New Zero-Day Involves IE, Puts Windows XP Users at Risk
Computerworld (02/28/10) Keizer, Gregg

Microsoft has confirmed that it is investigating a vulnerability involving VBScript that attackers could exploit to plant malicious code on Windows XP systems running Internet Explorer 7 or 8. Microsoft says it is already addressing the issue. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," says Microsoft's Jerry Bryant. "The current state of our investigations shows that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected." Note that the statement names only the platforms that are not affected; Windows XP users should treat their systems as exposed until Microsoft issues a fix.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

