Friday, June 25, 2010

Security Management Weekly - June 25, 2010

Corporate Security

  1. "Outsourced Payment Card Services to Take Off by 2015"
  2. "U.S. Unveils Broad Crackdown on Piracy, Counterfeit Goods"
  3. "Factories in Bangladesh Reopen"
  4. "Dutch Submarine to Help Fight Piracy"
  5. "Five Ways to Jump-Start a Transition to Strategic Security"

Homeland Security

  1. "John Pistole Closer to Landing TSA Job"
  2. "House Panel Streamlines Strategy on WMD Threats"
  3. "Lawmakers Accuse Military of Disregarding Warnings on Payoffs in Afghanistan"
  4. "Supreme Court Upholds Law Against Advising Terrorists"
  5. "Would-be Bombers Have Found Little Success in U.S."

Cyber Security

  1. "Hackers Aren't the Only Threat to Privacy"
  2. "First Generic Top Level Domain Signs Up to DNSSec"
  3. "Apple Leaves iPad Vulnerable After Monster iPhone Patch Job"
  4. "ICANN Chief Calls for Cooperation on Internet Security"
  5. "How to Move to Advanced Cryptography"


Outsourced Payment Card Services to Take Off by 2015
ZDNet Asia (06/24/10) Kwang, Kevin

Retailers facing the stress of contending with rising card data maintenance costs and the need to counter online fraud should consider secure payment services such as data encryption and tokenization, according to an RSA study. One solution the study advocates is an outsourced service arrangement, in which protection of card data would be handled by a third-party service vendor, thus enhancing electronic card data security while realizing substantial savings on PCI security standard compliance. "As merchant responsibilities associated with storing payment card data continue to increase, these new centralized repositories [operated by third-party vendors] allow retailers to preserve all the marketing and operational advantages of tracking card information while transferring a large portion of the risk by removing the card numbers from the retailers' card environments," says First Data's Craig Tieken. He projects that many retailers will adopt the outsourced services model by 2015, leading to the creation of a new industry standard for securely processing payment card transactions.


U.S. Unveils Broad Crackdown on Piracy, Counterfeit Goods
Los Angeles Times (06/23/10) Martinez, Jennifer

Vice President Joe Biden on Tuesday announced the launch of a new program that aims to reduce piracy and the sale of counterfeit products. Among the steps that will be taken to address the problem of piracy and the sale of counterfeit goods is the hiring of more than 50 FBI agents this year to deal with intellectual property abuses. In addition, the Office of Management and Budget's Intellectual Property Enforcement agency will review current efforts to reduce the theft of the intellectual property of U.S.-made goods overseas. Those efforts will focus mainly on China, which is the source of the overwhelming majority of counterfeit goods. The program announced by Vice President Biden also calls for the creation of an interagency committee that would take steps to reduce the sale of counterfeit drugs and medical products, and for foreign law enforcement agencies to take down rogue Web sites and prosecute those who violate intellectual property laws. The new program has been praised by groups like the U.S. Chamber of Commerce and trade groups from the U.S. entertainment industry, which has been hard hit by piracy. However, Mark Esper of the U.S. Chamber of Commerce's Global Intellectual Property Center warns that the e-books and publishing industry will likely be the next targets of intellectual property thieves and those engaged in piracy.


Factories in Bangladesh Reopen
Associated Press (06/23/10)

The garment industry in Bangladesh began returning to normal on Wednesday when about 700 factories that had been shut down earlier this week because of violent demonstrations reopened. Abdus Salam Murshedy, the president of the Bangladesh Manufacturers and Exporters Association, said that factory owners decided to reopen their facilities after the government assured them that enough security would be on hand during their talks with garment workers protesting their low pay. The workers took to the streets of a major industrial center outside the capital of Dhaka earlier this week to demand an increase in the minimum wage. During those protests, workers attacked factories and clashed with police. Hundreds of people were injured in the violence.


Dutch Submarine to Help Fight Piracy
CNN International (06/23/10) Walker, Brian

Dutch Defense Minister Eimert van Middelkoop announced Tuesday that the Netherlands would deploy a submarine to the waters off the coast of Somalia to help fight piracy in the region. According to Middelkoop, the submarine--which will be part of NATO's Ocean Shield anti-piracy initiative--will be used to monitor communications between pirates at sea and warlords in Somalia. In addition, the submarine will help the international anti-piracy force to patrol a larger area. Pirates have begun attacking ships as far as 1,000 nautical miles from the Somali coast in response to the presence of the international naval coalition in the region. However, the number of pirate attacks dropped significantly in the first several months of 2010 compared to the same period last year, according to the International Maritime Bureau.


Five Ways to Jump-Start a Transition to Strategic Security
Security Director's Report (06/10) Vol. 2010, No. 6

Here are five things a security executive can do to begin the transition from a lock-the-doors approach to security to a more modern approach that aligns security and business. First, create a security master plan, a written document that details long-term security goals and the roadmap for realizing them. Security professionals say such a document provides direction, helps communicate security strategy to executives, and ensures that new programs and technologies are in line with previously agreed-upon goals. Second, communicate with other departments to ensure the security department is not being left out of the organization's broader, comprehensive security initiatives. Next, step back to see the bigger picture of what security means in terms of people, processes, and the organization at large. Even today 20 percent of security directors see enterprise security risk management (ESRM) as limited to the integration of IT and physical security, according to CSO Roundtable's benchmarking survey of ESRM. Fourth, avoid being a salesman. If the CSO only recommends more investment in security initiatives, the CEO will always perceive security as the go-to people for implementation -- not strategic advice. And finally, judge security effectiveness not on whether a device or technology works 100 percent all the time, but on whether it can provide information that executives can take advantage of to make better strategic choices about security.




John Pistole Closer to Landing TSA Job
Washington Post (06/25/10) P. B03; Davidson, Joe

The Senate Homeland Security and Governmental Affairs Committee took several actions on Thursday, including approving the nomination of John Pistole as the next head of the Transportation Security Administration. Since Pistole's nomination has already been approved by the Senate Committee on Commerce, Science, and Transportation, it will now go to the full Senate, where it is expected to be approved. The approval of Pistole's nomination would give the TSA its first full-time director since President Obama was inaugurated. The administration's two previous nominees withdrew from consideration. Meanwhile, the Senate Homeland Security and Governmental Affairs Committee also approved the Protecting Cyberspace as a National Asset Act, which calls for the government to take a number of actions to protect the nation's computer networks from attack, including reforming its cyberspace workforce. As part of that effort, federal agencies would develop plans for recruiting, hiring, and training cyberspace workers, while the Office of Personnel Management would create new techniques for recruiting students interested in cyberspace-related jobs to work for the federal government. Finally, the legislation would grant the Department of Homeland Security temporary hiring and pay flexibility to staff a new National Center for Cybersecurity and Communications, which would be responsible for developing initiatives aimed at protecting private- and public-sector computer networks.


House Panel Streamlines Strategy on WMD Threats
NorthJersey.com (06/24/10) Jackson, Herb

The House Homeland Security Committee has unanimously approved a bipartisan bill designed to create a coordinated government-wide response to a nuclear, biological, or chemical attack on U.S. soil. The bill's primary purpose is to address turf wars between federal agencies and local governments as well as first responders such as police, firefighters, and rescue teams. It would also provide funding for labs to research chemical agents, stockpile vaccines, and perform background checks on workers handling dangerous materials. Specific recommendations include a mandate that first responders be among the first vaccinated in the event of a biological attack. Additionally, it calls for public discussion to settle unanswered questions in regards to investigations and jurisdiction. It is not clear when the bill could come to the floor of the House. One potential hurdle it faces is that it deals with issues that fall under the purview of committees on Energy and Commerce, Transportation and Infrastructure, Agriculture, Foreign Affairs, and Intelligence.


Lawmakers Accuse Military of Disregarding Warnings on Payoffs in Afghanistan
Los Angeles Times (06/23/10) Love, Julia

Legislators on the House subcommittee on national security and foreign affairs on Tuesday laid into military officials for disregarding warnings that Afghan warlords were extorting protection money from private security contractors paid to protect supply convoys for U.S. troops. At the hearing, Rep. John F. Tierney (D-Mass.) called the situation a "recipe for disaster" and said that, "Further consideration must now be given to determine whether the Department of Defense's failure to properly manage or oversee its supply chain logistics contracts has undermined the overall U.S. mission." Military officials responded that they were alarmed by the extortion allegations and that they are currently conducting their own investigation into the problem. In the meantime, the congressional report on the subject recommends that military commanders take direct responsibility for the private companies guarding the supply chain and that they administer trucking and security contracts separately.


Supreme Court Upholds Law Against Advising Terrorists
Los Angeles Times (06/22/10) Savage, David G.

In a 6-3 decision handed down on Monday, the U.S. Supreme Court upheld a law that makes it a crime to provide material support to terrorist groups, even if that support consists of advising them to resolve their disputes peacefully. The ruling was made in a case in which University of Southern California Professor Ralph Fertig and the Los Angeles-based Humanitarian Law Project challenged the law on the grounds that the government should not be able to forbid peace advocates from urging terrorist groups not to commit acts of violence. Fertig specifically argued that the law violated his freedom of speech because it prevented him from advising the outlawed Kurdistan Workers' Party (PKK) to resolve its disputes with Turkey through the United Nations. In his ruling, Chief Justice John Roberts said that the law does not ban Fertig and others from speaking on their own on behalf of the Kurds, but said that they run afoul of the law when they give groups like the PKK legal advice. Roberts noted that while such advice may seem harmless, it actually "bolsters the terrorist activities" of the organization. Justices Stephen Breyer, Ruth Bader Ginsburg, and Sonia Sotomayor dissented, saying that the First Amendment should protect those who advise terrorist groups to use peaceful means to resolve their disputes, unless there is evidence that these individuals were aiding in illegal terrorist acts.


Would-be Bombers Have Found Little Success in U.S.
National Public Radio (06/21/10) Temple-Raston, Dina

Experts say that there are a number of reasons why car and suicide bombings will not become as common in the U.S. as they are in Afghanistan and Iraq. For instance, bomb makers in countries such as Afghanistan have easy access to military-grade explosives, while their counterparts in the U.S. have to use household products because of stringent regulations on explosives. In the case of the attempted Times Square bombing last month, suspect Faisal Shahzad was unable to buy a type of fertilizer that can be used as an explosive because such products have been regulated since the 1995 Oklahoma City bombing. Najibullah Zazi, the suspect in the attempted plot to bomb the New York City subway and other targets last year, was forced to buy hair dye at beauty supply stores in order to concentrate it into explosive material. It remains unclear whether Zazi was able to do that. Another reason why car and suicide bombings have been hard to pull off in the U.S. is that the tighter security put in place over the last several years has made it more difficult to bring in the teams of people necessary to carry out bomb plots. As a result, bomb plots in the U.S. often rely on just one or two people. Finally, experts say that car and suicide bombings may not become common in the U.S. because testing a bomb often draws a great deal of attention.




Hackers Aren't the Only Threat to Privacy
Wall Street Journal (06/23/10) P. B5; Worthen, Ben

Sensitive information such as Social Security and credit card numbers that has been left exposed or poorly protected by governments and companies can be stolen in ways that do not involve hackers breaking into systems. For example, sensitive financial information is sometimes available over the peer-to-peer networks that many people use to share music and video files. Dartmouth College professor Eric Johnson says a recent search of peer-to-peer networks using terms such as hospital names uncovered a document that included the Social Security numbers of more than 20,000 individuals. The same search also found a document from a medical-testing lab that included patients' insurance information and diagnoses, Johnson says. Such documents are often downloaded by cybercriminals and the information they contain is sold in Internet chat rooms. In addition to peer-to-peer networks, sensitive data also can be accessed by individuals who are able to bypass weak security systems, says Sellitsafe president Steven Peisner. He says information on roughly 15,000 stolen accounts is being published on the Internet each month.


First Generic Top Level Domain Signs Up to DNSSec
V3.co.uk (06/23/10) Muncaster, Phil

The .org generic Top Level Domain has become the first generic TLD to deploy the DNSSec protocol, an upgrade that will help to protect against Domain Name System (DNS) attacks. "The public's interest is at the core of our mission at .org, especially as Internet use continues to grow exponentially," says .org CEO Alexa Raad. "DNSSec serves as tamperproof packaging for DNS by preventing identity theft as a result of man-in-the-middle attacks, and enabling innovation in applications that rely on DNS." ICANN CEO Rod Beckstrom acknowledges that DNSSec will not solve all Internet security problems, but says it is moving the Internet toward a safer existence. Leslie Daigle, chief Internet technology officer at the Internet Society, considers DNSSec to be a building block for securing the Internet, and says it is important to find technologies and services that can be used with DNSSec.


Apple Leaves iPad Vulnerable After Monster iPhone Patch Job
Computerworld (06/22/10) Keizer, Gregg

Apple has released a security update that patches 65 security vulnerabilities in the iPhone 3G and 3GS and the second- and third-generation iPod Touch. The majority of the vulnerabilities patched in the update, known as iOS 4, were critical vulnerabilities that could have been exploited by an attacker to gain control over an iPhone or an iPod Touch. One of the vulnerabilities was a flaw in WebKit, an open source browser engine that runs the Safari and Google Chrome browsers on a variety of mobile devices, which could be exploited to quickly hack an Apple iPhone 3GS. The upgrade also included patches for other vulnerabilities in WebKit. Some or all of the vulnerabilities addressed by the patch also may exist on the Apple iPad, as well as the first-generation iPhone and iPod Touch. However, the upgrade will not be released for the iPad until this fall. It remains unclear how many of the 65 vulnerabilities addressed by the patch affect the iPad. Some of the vulnerabilities fixed by the patch were not added to the Common Vulnerabilities and Exposures database until a month after the iPad was launched in April, though others may have been corrected before the tablet computer was introduced. The first-generation iPhone and iPod Touch may still be vulnerable to attacks that exploit the flaws because they cannot run iOS 4.


ICANN Chief Calls for Cooperation on Internet Security
V3.co.uk (06/21/10) Muncaster, Phil

ICANN CEO Rod Beckstrom, speaking at the opening session of ICANN's 38th international meeting in Brussels, requested greater cooperation between all Internet entities to guarantee the safety and stability of the Domain Name System (DNS). "We need to work within our family of organizations, large and small, formal and informal, to draw on the wealth of expertise around us," Beckstrom said. "No one wants to experience in real life the repercussions of a major DNS outage. We have an opportunity to take strong preventative measures now so that we may try to avoid a major disruption to our daily lives." The meeting will hold sessions on the DNSSec security protocol, generic top-level domains, and commitments by ICANN and the U.S. government to improve the organization's accountability.


How to Move to Advanced Cryptography
Government Computer News (06/21/10) Jackson, William

The U.S. National Institute of Standards and Technology has issued two draft publications, Special Publication 800-130 and SP 800-131, as part of its Cryptographic Key Management Project. The first publication, SP 800-130, describes the components of cryptographic key management systems and outlines the documentation requirements for the design of a key management system. The second document, SP 800-131, provides specific guidance on how to move toward the use of stronger cryptographic keys and algorithms. The document, which is based on years of key management experience, aims to help agencies prepare for changes in the use of cryptography that will come about as existing algorithms become compromised and the technology to break algorithms becomes more sophisticated. Both documents are part of a 10-year project that aims to help agencies adopt strong cryptography. The documents also aim to address key management issues at agencies that use cryptography to secure and authenticate data.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD


