
Friday, July 16, 2010

Security Management Weekly - July 16, 2010

Corporate Security

  1. "Visa Moves to Reduce Payment Card Data in Retail Systems"
  2. "Thieves Strike U.K. Metals Warehouse"
  3. "Pulse Rolls Out Internet PIN-Debit Payments as Acculynk Gains More Traction"
  4. "NM Gunman Shoots Girlfriend, Kills Two at Plant" New Mexico
  5. "Toyota Loses Domain Name Trademark Appeal"
Homeland Security

  1. "Port Authority Cuts Its Copters" Port Authority of New York and New Jersey
  2. "'Barefoot Bandit' Case Hints at Gap in National Security" Airplane Thefts at Private Airports
  3. "Uganda Suggests Locals Aided Attacks"
  4. "Bioterrorism Experts Condemn a Move to Cut Reserve Money"
  5. "US Should Better Define, Counter Islamic Extremism"
Cyber Security

  1. "Cybersecurity Consensus: 'We Haven't Done Enough'"
  2. "NIST Proposes Tracking Cyber Attacks Via Web Services"
  3. "Sinister Take on Search Engine Optimization"
  4. "Researchers Find Privacy Flaws in Chatroulette"
  5. "Researchers Unsheathe New Tool to Battle Botnets"


Corporate Security

Visa Moves to Reduce Payment Card Data in Retail Systems
Computerworld (07/15/10) Vijayan, Jaikumar

Visa has launched a new security effort that could make it unnecessary for merchants to store the full, 16-digit debit and credit card numbers on their systems. Visa wants card issuers and acquiring banks to accept truncated, disguised, or otherwise concealed card numbers from merchants for dispute resolution cases. Part of the initiative will involve Visa urging card issuers, acquirers, and processors to adopt systems that do not rely on primary account number (PAN) data for dispute resolution and other issues, says Visa's Eduardo Perez. Visa does not mandate that merchants store PAN data, although it does require them to safeguard the data in compliance with PCI Data Security Standards. Visa also announced a series of best practices for tokenization, in which PAN data is replaced by a set of proxy numbers that can then be employed for dispute resolution and other purposes. Perez says that for now Visa is only recommending that processors and banks implement the changes as part of an overarching effort to enhance security, and is also asking them to consider storing the PAN data themselves rather than mandating that retailers do it.
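The abstract describes tokenization in one sentence: the PAN is replaced by a proxy value that merchants keep for dispute resolution, while the full number lives only with the processor or bank. The following is an added illustration, not Visa's code or its published best-practices document, of what that split looks like in practice. The vault class, the index key and the token format (twelve random digits plus the real last four, rejected if it happens to pass Luhn) are this example's own assumptions; the card numbers are the usual constructed test numbers.

```python
import hashlib
import hmac
import secrets

# Constructed, Luhn-valid test numbers; not real accounts.
SAMPLE_PANS = ["4111111111111111", "4012888888881881", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: reject malformed input before it reaches the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Masked form a merchant may display and store: first six, last four, rest hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault held by the processor or acquirer. It is the only
    place a full PAN is stored; the merchant keeps the token and the masked PAN."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)   # keys the PAN -> token lookup index
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index never holds the PAN in the clear.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:          # same card always maps to the same token
            return self._token_by_index[idx]
        while True:
            # Twelve random digits plus the real last four: card-shaped, so legacy
            # fields accept it, but it must fail Luhn so it can never be mistaken
            # for (or replayed as) a PAN. This format is an assumption of the example.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Dispute resolution on the vault side: only the vault can map back."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own system keeps after checkout: no full PAN anywhere."""
    return {"token": vault.tokenize(pan), "display": truncate_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(merchant_record(vault, pan))
```

The merchant-side record carries nothing a thief could charge against; a breach of the retailer's database yields tokens that only the vault can resolve, which is the reduction in cardholder-data scope the abstract is about.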


Thieves Strike U.K. Metals Warehouse
Wall Street Journal (07/15/10) Hotter, Andrea; Pleven, Liam

Growing demand for commodities and rising prices have made metal an attractive target for thieves in the U.S. and the U.K. According to British Transport Police officials, there has been a significant increase in metal theft over the last six months in the U.K. In the latest incident on May 31, thieves stole several hundred tons of nickel and copper from a warehouse in Liverpool that was owned by JPMorgan's Henry Bath & Son. The theft took place in spite of the stricter security measures that were put in place following JPMorgan's security review of Henry Bath. It remains unclear how the theft took place. However, authorities say that they believe that whoever stole the metal might be storing it somewhere in the U.K. before taking it to a smelting facility to make it smaller or change its appearance. The thieves will then try to sell the metal at a scrap yard, officials say. In the U.S., meanwhile, authorities are investigating the theft of roughly $500,000 worth of copper rod from a mill in Carrollton, Ga., in April. That theft is believed to be linked to several thefts of copper and other metals in a number of southern states over the last couple of months.


Pulse Rolls Out Internet PIN-Debit Payments as Acculynk Gains More Traction
PaymentsSource (07/14/10) Hernandez, Will

Discover Financial Service's Pulse network has announced plans to deploy Acculynk's PaySecure Internet PIN-debit payment product following a successful pilot. Acculynk enables consumers to use PIN-debit cards to make purchases online by integrating its PaySecure software into a merchant's online checkout system. Pulse's Judith McGuire says the pilot confirmed that consumers would use the payment option when offered the opportunity, and they feel comfortable with the process. Pulse projects that banks whose customers use PaySecure as a payment option will see a reduction in their fraud costs. Javelin Strategy and Research president James Van Dyke says the PIN-debit option should become more appealing as consumers seek ways to be more directly engaged in protecting sensitive information. Acculynk also has promoted PaySecure as an incentive to retailers as the product comes with a reduced interchange rate. Acculynk CEO Ashish Bahl says the company will have 60 million to 90 million cards active for PaySecure by year's end.


NM Gunman Shoots Girlfriend, Kills Two at Plant
Associated Press (07/13/10) Holmes, Sue Major

Thirty-seven-year-old Robert Reza has been identified as the gunman who attacked a facility in Albuquerque, N.M., owned by the fiber-optic and solar-power manufacturer Emcore Corp. Two people were killed in the attack and four other people were wounded, including Reza's girlfriend who was reportedly the target of the shooting. Reza also shot and killed himself. Law enforcement officials believe that the shooting was triggered by a bitter child custody dispute between Reza and his girlfriend, and that the girlfriend had told co-workers that she planned to report Reza for domestic violence. It is unknown how Reza, a former Emcore employee himself, was able to force his way past company security. Police Chief Ray Schultz called the Emcore campus a "very secure facility" and reported that detectives and FBI agents had been able to confirm eyewitness accounts using facility surveillance footage.


Toyota Loses Domain Name Trademark Appeal
CNet (07/12/10) Ashe, Suzanne

The U.S. Court of Appeals for the Ninth Circuit in San Francisco ruled that Fast Imports, an authorized Lexus dealer owned by Lisa and Farzad Tabari, can use the word "Lexus" in its domain names. Toyota had sued the Tabaris, arguing that consumers would be confused by the use of the Lexus name in the couple's domain names, buy-a-lexus.com and buyorleaselexus.com, as well as by their use of Lexus photos and the Lexus logo. The district court ruled for Toyota and ordered the Tabaris to remove the word "Lexus" from their Web sites. On appeal, a three-judge panel found the district court's order too broad and held that the domain names would not be confused with Toyota's own sites, because the Tabaris use the term Lexus to describe what their business does, namely buying and selling Lexus cars. "Trademarks are part of our common language, and we all have some right to use them to communicate in truthful, nonmisleading ways," wrote Chief Judge Alex Kozinski. "Many of the district court's errors seem to be the result of unevenly matched lawyering, as Toyota appears to have taken advantage of the fact that the Tabaris appeared pro se."

Homeland Security

Port Authority Cuts Its Copters
Wall Street Journal (07/16/10) Gardiner, Sean

The Port Authority of New York and New Jersey has decided to permanently close its police department's helicopter unit in order to save $3.6 million per year. According to Port Authority spokesman Stephen Sigmund, the agency decided to eliminate the helicopter unit because it was not an important part of the work being done by the Port Authority Police Department. An analysis conducted by the Port Authority found that no unusual incidents were reported during the 258 flights the helicopter unit made between August 2008 and the end of April 2009. Sigmund added that the elimination of the helicopter unit will not have an adverse effect on the security of the Port Authority's airports, bridges, and tunnels. However, the Port Authority Police Benevolent Association, the Port Authority Police Department's union, disagreed, saying that the elimination of the helicopter unit could leave the Port Authority's facilities vulnerable to terrorist attacks.


'Barefoot Bandit' Case Hints at Gap in National Security
AOL News (07/15/10) Lohr, David

Aviation observers say the alleged theft of several airplanes by 19-year-old Colton Harris-Moore over a two-year period raises important questions about security at private airports. A Congressional Research Service report indicates that 429 airplanes were stolen in the U.S. between 1990 and 2006. In recent years the country has invested millions in airport security, but the majority of that funding has gone into security inside commercial airports. According to the Congressional Research Service, this gap could leave the U.S. vulnerable to terrorists interested in using general-aviation aircraft to carry out attacks at home or abroad. The Aircraft Owners and Pilots Association (AOPA), which represents the general-aviation industry, has responded to these concerns by pointing out that not every general-aviation airport has the same security needs, making it unlikely that a single standardized set of security practices for these facilities would be effective. AOPA representatives also argue that general-aviation aircraft do not make good terrorist weapons. "It's far easier to get a car or truck and load it," says AOPA media relations director Chris Dancy. Commenting specifically on the thefts attributed to Harris-Moore, Dancy notes that the last plane he allegedly stole was in a fenced airport with closed-circuit cameras in place, and that the plane itself was locked and sitting in a locked hangar. "There's not much more [they] could have done to secure that plane," Dancy protests. Some security experts disagree, arguing for motion sensors, keypad locks, and multiple locks on the aircraft itself to better prevent theft.


Uganda Suggests Locals Aided Attacks
Wall Street Journal (07/14/10) Connors, Will; Bariyo, Nicholas

Officials in Uganda say that the Somali extremist group al Shabaab may have carried out the terrorist attacks that rocked the capital of Kampala on Sunday with the help of a local extremist group. According to Ugandan police and military officials, a Muslim extremist group known as the Allied Democratic Forces (ADF) may also have been involved in Sunday's bombings, which killed 76 people. The ADF, which is based in the mountains near the Ugandan-Congolese border, is believed to have carried out terrorist attacks in the past; it is thought to have been behind a number of bombings in Kampala in the late 1990s and early 2000s. A Ugandan military official said the army had obtained evidence from an ADF rebel who was arrested last month that the group was involved in Sunday's attacks, though the nature of that evidence has not been revealed. The official added that al Shabaab would have needed the ADF's help to carry out Sunday's bombings. However, terrorism expert Andrew McGregor said he doubted that al Shabaab would have needed any outside help to carry out the attacks.


Bioterrorism Experts Condemn a Move to Cut Reserve Money
Los Angeles Times (07/13/10) Dilanian, Ken

Lawmakers are coming under fire for cutting funds from a program that aims to help the country respond to a biological attack or a flu pandemic. Under the appropriations bill that the House passed on July 2, $2 billion would be cut from Project BioShield, a program that was designed to purchase drugs and vaccines for use in the event of a biological terrorist attack. House Appropriations Committee Chairman David R. Obey (D-Wis.) said the cuts are necessary in order to prevent other programs from going under. But bioterrorism experts have criticized the cuts, saying that they are proof that the White House and Congress are failing to address the threat posed by a terrorist attack involving biological weapons. Experts say that the country needs to prepare for such an attack because it could result in the deaths of 400,000 Americans and do $2 trillion in damage to the U.S. economy. For its part, the Obama administration has said that limited success has been seen in the BioShield program. The White House has also said that it is taking steps to address the possibility of a biological attack, including developing a program that would distribute drugs through the mail and working to increase development of new drugs that could be used in the event of an attack.


US Should Better Define, Counter Islamic Extremism
Associated Press (07/12/10) Baldor, Lolita C.

The Obama administration has released its new National Security Strategy, which scales back the use of the term "Islamic extremism" in reference to al-Qaida and other terrorist groups as part of efforts to strengthen ties with Muslim communities in the U.S. A report published by a D.C.-based think tank criticizes this decision, arguing that the administration could clearly articulate the terrorist threat presented by Islamic extremists "without denigrating the Islamic religion in any way." The report argues that the U.S. must work to better define distinctions between the Islamic faith and Islamic extremism, identify radicalizers within Islamic communities, and empower leaders who can contest those radical teachings. Despite these criticisms, the report also acknowledged that the Obama administration has already strengthened efforts to work with the Muslim community in the U.S. and abroad while expanding counterterrorism operations and trying to erode support for al-Qaida and its affiliated groups. Furthermore, the administration has defended its decision to remove references to Islamic extremism arguing that the shift in emphasis undermines al-Qaida's efforts to frame the violence it perpetrates as a justified holy war.

Cyber Security

Cybersecurity Consensus: 'We Haven't Done Enough'
Washington Times (07/15/10) P. A9; Waterman, Shaun

President Barack Obama addressed a meeting of about 150 people, including representatives from the technology industry and other vital sectors, to discuss U.S. efforts to protect computer networks from cyberattacks. Those who attended the meeting, which was led by White House Cybersecurity Coordinator Howard Schmidt, Homeland Security Secretary Janet Napolitano, and Commerce Secretary Gary Locke, generally agreed that not enough has been done to improve cybersecurity. During his remarks, Obama noted that some progress has been made over the last year and a half, including efforts to develop a national plan to coordinate the public and private sector's response to a cyberattack. Schmidt also noted that the recent change in the way federal departments report progress on improving IT security represents a step in the right direction. Following the meeting, Schmidt released a progress report that detailed the administration's efforts to create a national cyberincident response plan that coordinates public and private responses to cyberattacks.


NIST Proposes Tracking Cyber Attacks Via Web Services
InformationWeek (07/14/10) Hoover, J. Nicholas

A new study by scientists at the U.S. National Institute of Standards and Technology suggests that software developers could create a framework to aid the investigation of cyber attacks. According to the scientists, such a framework would consist of Web services, called Forensic Web Services, that record the transactions between pairs of services built on XML, the Simple Object Access Protocol (SOAP), and related standards. These records, secured with cryptography, could later be pieced together to reconstruct the sequence of transactions that took place during an attack. That reconstruction would then be handed to forensic examiners and to the affected customers of the Forensic Web Service to determine what the attack targeted. The data could also be used in court to win tougher sentences against those convicted of launching cyber attacks. For that evidence to be admissible, however, the Forensic Web Service would have to be integrated with the other Web services and operate as a trusted, independent third party.
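What makes such a record usable later, by an examiner or in court, is that nobody, including the services themselves, can quietly alter, drop or reorder entries after the fact. The following is an added illustration of that property, not NIST's design or code: a third-party log that stores one entry per request/response pair between two services, digests each SOAP body after canonicalization, and chains the entries with an HMAC so that any tampering is detected at verification time. The service names, messages, key and field names are all constructed for the example.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SOAP messages exchanged by two hypothetical services.
REQ_BALANCE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    "<GetBalance><Account>ACC-1</Account></GetBalance></soap:Body></soap:Envelope>"
)
RESP_BALANCE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    "<GetBalanceResponse><Balance>100</Balance></GetBalanceResponse></soap:Body></soap:Envelope>"
)
REQ_LEDGER = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    "<ReadLedger><Account>ACC-1</Account></ReadLedger></soap:Body></soap:Envelope>"
)
RESP_LEDGER = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    "<ReadLedgerResponse><Entries>3</Entries></ReadLedgerResponse></soap:Body></soap:Envelope>"
)


def canonical(xml_text: str) -> bytes:
    """C14N form of the message, so whitespace or prefix changes do not alter the digest."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def operation_name(xml_text: str) -> str:
    """Name of the first element inside soap:Body, e.g. GetBalance."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    return body[0].tag.split("}")[-1]


class ForensicLog:
    """Hash-chained, HMAC-authenticated record of service-to-service transactions.
    Each entry commits to the previous entry's MAC, so altering, deleting or
    reordering an entry breaks verification from that point on."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes) -> None:
        self._key = key          # held by the independent logging party only
        self.entries: list = []

    def _mac(self, entry: dict) -> str:
        fields = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, ts: str, caller: str, callee: str, request_xml: str, response_xml: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "caller": caller,
            "callee": callee,
            "operation": operation_name(request_xml),
            "request_sha256": hashlib.sha256(canonical(request_xml)).hexdigest(),
            "response_sha256": hashlib.sha256(canonical(response_xml)).hexdigest(),
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, e["seq"]
            prev = e["mac"]
        return True, None

    def call_chain(self) -> list:
        """The transaction scenario pieced together from the entries, in order."""
        return [f'{e["caller"]} -> {e["callee"]}: {e["operation"]}' for e in self.entries]


def build_sample_log() -> ForensicLog:
    """Two chained transactions: the front end asks for a balance, which fans out to the ledger."""
    log = ForensicLog(b"constructed-demo-key-not-for-production")
    log.record("2010-07-14T10:00:00Z", "web-frontend", "balance-service", REQ_BALANCE, RESP_BALANCE)
    log.record("2010-07-14T10:00:01Z", "balance-service", "ledger-service", REQ_LEDGER, RESP_LEDGER)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.call_chain(), log.verify())
```

Only digests of the messages are kept, so the log does not itself become a second copy of the sensitive payloads; the original messages, if retained, can be matched to an entry by recomputing the digest. The abstract's point about the logging party being a trusted, independent third party corresponds to who holds the MAC key.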


Sinister Take on Search Engine Optimization
Financial Times (07/13/10) Menn, Joseph

Cybercriminals are increasingly using search engine optimization (SEO) to trick computer users into visiting malicious Web sites, according to security researchers. As part of this strategy, known as black hat SEO, cybercriminals are inserting certain keywords into articles in the hopes of making the pages rank higher in search results. In addition, criminals are stealing content from legitimate Web pages and rewriting it, a technique that makes it difficult to distinguish between malicious pages and legitimate sites. Criminals also are hacking into legitimate sites in order to create links to their own pages. This technique allows pages run by criminals to be ranked higher in search results, since they are linked to from legitimate sites. Finally, criminals are using Google Trends to create malicious Web pages containing keywords related to events that are in the news. Once users visit these optimized malicious sites, their computers are infected with malicious code that can turn the machines into drones that send out spam. Users also can have their financial information stolen, either by the malicious code or by a pop-up that sells fraudulent security software. Security experts are calling on search engines to take steps to protect users from cybercriminals using black hat SEO by sharing information about how their search engine rankings are computed.
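Of the techniques listed, the one a site owner can check for directly is the third: links injected into a compromised page to pass its reputation to the criminals' pages. Such links are almost always hidden from visitors with CSS so the defacement goes unnoticed. The following is an added example, not from the article or any vendor, of a scanner that flags off-site links sitting inside hidden or off-screen elements; the page it scans, the hostnames and the list of hiding tricks are constructed for the example and are not exhaustive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep injected links out of a visitor's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "embed", "source", "wbr"}

# Constructed page: two legitimate links, then four injected ones hidden three different ways.
SAMPLE_PAGE = """<html><body>
<h1>Quarterly results</h1>
<p>See our <a href="https://example.org/ir">investor page</a> and the
<a href="https://www.sec.example/filing">regulator's copy</a>.</p>
<div style="position:absolute; left:-9999px; top:0">
  <a href="http://cheap-pills.example/buy">cheap pills</a>
  <a href="http://cheap-pills.example/more">more pills</a>
</div>
<p style="display:none">Visit <a href="http://casino.example/">casino</a> today</p>
<a href="http://spam.example/" style="font-size:0">x</a>
</body></html>"""


class HiddenLinkScanner(HTMLParser):
    """Collects links to other hosts that sit inside a hidden or off-screen element."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: list = []
        self._hidden_stack: list = []   # one bool per open element: is it hidden?

    @property
    def in_hidden(self) -> bool:
        return any(self._hidden_stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:            # void elements never get an end tag
            self._hidden_stack.append(hidden)
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host and host != self.site_host and (hidden or self.in_hidden):
                self.findings.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def scan_html(html: str, site_host: str) -> list:
    """Return the hrefs of hidden off-site links in document order."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for href in scan_html(SAMPLE_PAGE, "example.org"):
        print("hidden off-site link:", href)
```

Run against a crawl of your own site, the findings are worth comparing with the page's source in version control or a known-good backup: a hidden link that was never authored is a strong indicator that the server or the CMS account has been compromised, and cleaning the page without fixing that entry point only invites the next injection. Links hidden by an external stylesheet or by JavaScript will not be caught by this attribute-only check.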


Researchers Find Privacy Flaws in Chatroulette
Computerworld (07/13/10) McMillan, Robert

Researchers at the University of Colorado at Boulder (CU Boulder) and McGill University recently described three types of attacks that could be launched against Chatroulette users. The researchers demonstrated how the service could be abused, for instance through a video phishing attack in which the attacker plays a short clip of an attractive woman who appears to be chatting with the victim, with the audio disabled. The researchers were able to convince users that they were chatting with a real woman, which would make it easier to lure them into friending scammers on Facebook or visiting malicious Web sites. "If you can present an attractive persona there, people start to trust the person on the other side and they lower their guard and they start to reveal information about themselves," says CU Boulder professor Richard Han. The researchers also found a way to make Chatroulette's anonymous chats far less anonymous by using IP-mapping services to get a general idea of a user's location. Finally, they warn that a program could be written to act as a man in the middle between Chatroulette conversations, connecting two users to each other and recording what they say.


Researchers Unsheathe New Tool to Battle Botnets
Network World (07/12/10) Cooney, Michael

University of Illinois at Urbana-Champaign researchers have developed a method that turns a botnet's own structure against it. The researchers created an inference algorithm, called BotGrep, that takes a set of observations consisting only of pairs of communicating IP addresses, with no port or packet-level information, treats them as a communication graph, and produces a list of hosts suspected of belonging to the botnet. "Specifically BotGrep works by searching for connections within the communication graph--since these botnet topologies are much more highly structured than background Internet traffic, we can partition by detecting sub-graphs that exhibit different topological patterns from each other or the rest of the graph," the researchers say. "Based on experimental results, we find that under typical workloads and topologies our techniques localize 93-99 percent of hosts with a false positive probability of less than 0.6 percent."
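The intuition in that quote, that a peer-to-peer botnet forms a tightly knit sub-graph while background traffic is sparse and unstructured, can be made concrete with a much simpler local clustering technique than BotGrep's. The following is an added illustration and not the BotGrep algorithm or code: it plants a structured 40-host overlay in a random background graph, runs a random walk with restart from one known-infected host (the walk mixes quickly inside the overlay and rarely leaks out), then sweeps the ranked hosts for the prefix with the lowest conductance. The graph, its sizes and the seed are constructed for the example.

```python
import random
from collections import defaultdict


def build_sample_graph(seed: int = 7):
    """Constructed communication graph: a 40-host P2P overlay (ring plus chords,
    every bot talks to exactly six peers) hidden in a 160-host sparse random
    background, with 8 edges joining the two. Returns (adjacency, bot set)."""
    rng = random.Random(seed)
    adj = defaultdict(set)

    def add(u, v):
        if u != v:
            adj[u].add(v)
            adj[v].add(u)

    bots = [f"bot{i:02d}" for i in range(40)]
    for i in range(40):
        for step in (1, 7, 13):
            add(bots[i], bots[(i + step) % 40])
    hosts = [f"host{i:03d}" for i in range(160)]
    for _ in range(240):                       # background: about three peers per host
        add(rng.choice(hosts), rng.choice(hosts))
    for _ in range(8):                         # the few flows that cross the boundary
        add(rng.choice(bots), rng.choice(hosts))
    return adj, set(bots)


def personalized_pagerank(adj, seed, alpha=0.15, iters=200):
    """Random walk with restart at `seed`. Inside a well-connected overlay the
    walk mixes quickly and stays put; little mass leaks into the background."""
    p = {seed: 1.0}
    for _ in range(iters):
        nxt = defaultdict(float)
        nxt[seed] += alpha
        for u, mass in p.items():
            share = (1 - alpha) * mass / len(adj[u])
            for v in adj[u]:
                nxt[v] += share
        p = nxt
    return p


def sweep_cut(adj, scores):
    """Order hosts by score/degree and return the prefix with the lowest
    conductance (edges leaving the set divided by edges touching the set)."""
    order = sorted((u for u in scores if adj[u]),
                   key=lambda u: scores[u] / len(adj[u]), reverse=True)
    total_vol = sum(len(n) for n in adj.values())
    inside, vol, cut = set(), 0, 0
    best, best_phi = set(), 1.0
    for u in order:
        deg = len(adj[u])
        into = sum(1 for v in adj[u] if v in inside)
        cut += deg - 2 * into      # new edges to the outside, minus edges now internal
        vol += deg
        inside.add(u)
        if vol > total_vol / 2:    # sweep the smaller side only
            break
        if cut == 0:
            continue
        phi = cut / vol
        if phi < best_phi:
            best_phi, best = phi, set(inside)
    return best, best_phi


def detect_botnet(adj, seed):
    """Hosts sharing a tightly knit overlay with `seed`, plus that set's conductance."""
    return sweep_cut(adj, personalized_pagerank(adj, seed))


if __name__ == "__main__":
    adj, bots = build_sample_graph()
    found, phi = detect_botnet(adj, "bot00")
    print(f"{len(found)} hosts flagged, {len(found & bots)} of {len(bots)} bots, conductance {phi:.3f}")
```

The conductance of the flagged set is the number to watch: a handful of boundary edges against a few hundred internal ones gives a value near 0.03 here, whereas no prefix cutting through the middle of the overlay, or extending into the random background, comes close. BotGrep works without a known seed and scales to graphs far larger than this, which is what the quoted 93-99 percent figures refer to; this example only shows why the structure is detectable at all.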


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

