Search This Blog

Wednesday, November 24, 2010

Security Management Weekly - November 24, 2010

header

  Learn more! ->   sm professional  

November 24, 2010
 
 
Corporate Security
  1. "U.S. Warns Ships of Confirmed Terror Threat" Off the Coast of Africa
  2. "Gunfire From Spanish Trawler Thwarts Pirates" Indian Ocean
  3. "ATM Fraud Gets Even More Brazen"
  4. "Group Highlights Workplace Assaults" Taiwan
  5. "With No Laws Against It, Workplace Harassment Takes a Toll"

Homeland Security
  1. "Color-Coded Terror Alerts May End"
  2. "U.S. Sends Carrier to Korea Region"
  3. "TSA Chief: Resisting Scanners Just Means Delays"
  4. "Germany Heightens Security in Response to Terror Threat"
  5. "Nuclear-Weapons Drivers Drank on Job, Report Says"

Cyber Security
  1. "NIST Issues Guidance to Secure WiMAX" National Institute of Standards and Technology; Wireless Internet Technology
  2. "Half of All Businesses Never Erase Sensitive Data: Survey"
  3. "Adobe Reader X Sandboxing Security Technology Arrives"
  4. "Admin Passwords: Achilles Heel of Security"
  5. "Encryption Adoption Driven by PCI, Fear of Cyberattacks" Payment Card Industry Data Security Standards

   

 
 
 

 


U.S. Warns Ships of Confirmed Terror Threat
CNN International (11/22/10)

The U.S. Maritime Administration has said that it has verified a claim by a terrorist group that it attacked a tanker off the coast of Africa last July. The group, the al-Qaida linked Abdullah Azzam Brigades, said in August that a suicide bomber had attacked the Japanese tanker M. Star on July 28. The U.S. Maritime Administration is urging ships that pass through shipping lanes in the Middle East and along the African coast to exercise caution, as the Abdullah Azzam Brigades could launch further attacks in the region. The agency specifically mentioned the Strait of Hormuz, the southern Arabian Gulf, and the western Gulf of Oman as areas that were particularly risky.


Gunfire From Spanish Trawler Thwarts Pirates
Agence France-Presse (11/22/10)

Private security guards on board a Spanish tuna trawler were able to chase off Somalian pirates who approached the ship in the Indian Ocean on Monday. The two pirate ships that came near the trawler fled after the security guards fired several warning shots into the air, according to the Echebastar company, which operates the trawler, Capolibre Alai. This is the second pirate attack that the trawler has escaped. The other occurred in the waters off Madagascar. The Spanish government permits fishing vessels operating in the area to employ armed security in order to prevent such attacks. This permission was granted after a trawler known as the Alakrana and its 36-member crew were held hostage for more than a month off the coast of Somalia. They were only freed after a ransom worth approximately $4 million was paid to the pirates.


ATM Fraud Gets Even More Brazen
Wall Street Journal (11/20/10) Blumenthal, Karen

Identity theft and debit-card fraud continues to rise as criminals increasingly target banks' automated teller machines to "skim" card information and personal-identification numbers. In previous years, most fraud occurred at independent ATMs or at retail points of sale, but in the first six months of 2010, fraud at bank-owned ATMs made up more than 80 percent of the breaches, according to fraud-detection software provider Fair Isaac. Attacks on retailers are also on the rise, with card numbers, cardholder names, and PINs being skimmed from payment terminals. Avivah Litan, fraud analyst at research firm Gartner, estimates that fraud involving debit cards, PINs, and point-of-sale equipment has risen 400 percent in the past five years. One tactic is a "flash attack," in which gangs use stolen information to create counterfeit debit cards. The gangs then dispatch cronies to hundreds of ATMs in several cities at once, each withdrawing a small dollar amount that adds up to tens of thousands in losses. Some skimming devices are able to fit inside ATM card readers, and small pinhead-sized cameras record hands punching PINs, looking like legitimate security equipment. Most consumers and even banks cannot tell that a machine has been compromised. Perpetrators often place skimmers on outdoor ATMs on Saturday mornings and remove them by Monday morning, passing on the stolen data within hours. Some countries have adopted so-called chip-and-PIN debit cards that have an added layer of protection, but U.S. banks and retailers are hesitant to adopt the technology because of the expense involved.


Group Highlights Workplace Assaults
Taipei Times (11/19/10) P. 2 Lok-sin, Loa

The Modern Women’s Foundation has called for employers to do more to help employees who may be victims of abuse by their spouses or coworkers. As many as 115 attacks or cases of abuse by spouses or partners took place between January 2009 and June 2010, resulting in death or injuries to 173 people, said foundation chairwoman Pan Wei-kang at a news conference in Taipei. Most abuse occurs at home, but the workplace is the second most likely location. Wang Lih-rong, a professor of social work at National Taiwan University, emphasized that employers have a role in addressing abuse and harassment. "If you don’t help your employees, you’re actually losing money, though the losses may not show in the books,” Wang said. “When an employee is harassed and does not get any help from the company, he or she will become less focused and less efficient at work, which can harm relations between your company and your clients and hurt overall performance of the company as other colleagues may have to compensate for the victim employee — bad performance can damage the company’s image." Employers may help victimized employees by providing a more flexible work schedule or counseling. Demonstrating such a willingness to help can also boost the company's general morale.


With No Laws Against It, Workplace Harassment Takes a Toll
Detroit Free Press (MI) (11/15/10) Casey, Laura

Workplace bullying is a growing concern throughout the U.S. A recent study by Zogby International found that 53 million workers, or 35 percent of all employees, had been directly affected by a bully in the workplace. The study also found that nearly two-thirds of bullies are men, and that 58 percent of employees who are bullied are women. In addition, the study found that when women are bullies, they target other women 80 percent of the time. Much of this bullying usually takes place because the bully is jealous of his victim's accomplishments and work ethic, said Gary and Ruth Namie, who co-founded the Workplace Bullying Institute in 1997. Although workplace bullying can have severe effects on victims, including suicide, heart attacks, and depression, victims often have little legal recourse to stop the bullying. That is because workplace bullying is not illegal so long as it does not fit the legal definition of harassment and as long as it is not based on discrimination. As a result, victims of workplace bullying rarely win lawsuits against their employers. While a workplace bullying victim could always tell his employer about the problem, doing so could backfire by causing the bullying to be intensified. That means that workplace bullying victims must simply cope with the bullying, take time off work, or look for another job. However, some states are considering legislation that would define an "abusive work environment" and would make both bullies and employers liable for any harm to workplace bullying victims.




Color-Coded Terror Alerts May End
Associated Press (11/24/10) Sullivan, Eileen

Federal agencies are reportedly considering a draft proposal that calls for scrapping the color-coded terror alert system that was put in place in the wake of the September 11, 2001 terrorist attacks. One of the options outlined by the proposal includes eliminating the five-tiered color-coded system--which has been criticized for being too vague to be of much use to the public--and replacing it with a system that includes just an "elevated" and an "imminent" threat level. When the threat level is at elevated, the public would be expected to maintain a minimum level of vigilance against possible terrorist activity. When the threat level is raised to imminent, the government would provide as much detail as possible about the terrorist threat without jeopardizing national security in the process. Under the system, the nation would not be at the imminent threat level for more than a week. However, details of the new system are still being worked out by the Obama administration and several government agencies. The Department of Homeland Security says that it does not know when the new alert system would be rolled out. DHS also refused to discuss the draft proposal, saying only that it is "committed to providing specific, actionable information on the latest intelligence."


U.S. Sends Carrier to Korea Region
Wall Street Journal (11/24/10) Ramstad, Evan

The death toll from North Korea's attack on a South Korean island on Tuesday rose to four as Seoul began taking the first steps to punish Pyongyang for the artillery assault. On Wednesday Seoul announced that South Koreans would be forbidden from entering North Korea, and that shipments of humanitarian aid to the North--including medicine and cement--would be halted. South Korea could also retaliate for the attack by closing down an industrial park that is located in North Korean territory and is operated by South Korean companies. In addition, the South could begin using large loudspeakers that are positioned near the border between the two countries to send propaganda messages to North Korean troops deployed to the area. Meanwhile, the U.S. said that the U.S.S. George Washington and several other ships would participate in a joint exercise with the South Korean navy in the Yellow Sea on Sunday. The exercise has been planned for several weeks now, U.S. and South Korean officials said, though the announcement could give Seoul and Washington the chance to determine how China has reacted to the North Korean attack. Chinese officials protested a similar drill that was to have taken place in the Yellow Sea in July, and some say they expect Beijing to do so again for the upcoming exercises.


TSA Chief: Resisting Scanners Just Means Delays
Associated Press (11/23/10)

Transportation Security Administration (TSA) chief John Pistole is calling on holiday travelers not to participate in National Opt-Out Day, a protest against the full-body scanners that have raised privacy concerns because they produce detailed images of airline passengers' naked bodies. The organizers of the protest are calling on airline passengers to opt out of being scanned on Wednesday and instead submit to a more time consuming pat down search, in the hopes that forcing TSA agents to conduct a large number of pat downs will create significant delays. Pistole has acknowledged that the protest has the potential to snarl airline travel on what is the busiest travel day of the year, which in turn would only hurt those "who want to go home and see their loved ones." So far there is little if any indication that passengers are protesting against the scanners by choosing to be patted down by TSA agents. However, Paul Ruden a spokesman for the American Society of Travel Agents, said just one or two airline passengers protesting the scanners would be enough to cause "huge" delays.


Germany Heightens Security in Response to Terror Threat
Time (11/23/10) Moore, Tristana

Germany has taken on a number of new security measures in light of what it considers to be "concrete information" regarding a potential attack at the end of the month. These measures have included closing parts of the Reichstag to tourists and stepping up security at train stations, airports, and markets. Other measures include stationing heavily armed police officers at government offices and canceling any police leave until the end of the year. Law enforcement agencies say there are up to 130 Islamic militants of German origin who could be planning an attack. Although the German public remains confident, some observers say Germany's police and intelligence communities may not be up to dealing with this threat, leading to calls for increased military involvement public safety efforts.


Nuclear-Weapons Drivers Drank on Job, Report Says
Associated Press (11/22/10)

A report released Monday by the Energy Department's assistant inspector general has found that there were a number of alcohol-related incidents involving government agents who were responsible for transporting nuclear weapons and components in trucks from 2007 through 2009. Of the 16 such incidents that the report examined, two were particularly disconcerting because they took place during "secure transportation missions," in which the agents were checked into local hotels and vehicles under secure conditions. In one of those incidents, which took place in 2007, an agent transporting nuclear weapons and components was arrested for public intoxication. The report also highlighted a 2009 incident in which two agents were handcuffed and temporarily detained by police after being involved in an incident at a bar. According to the report, such incidents, while infrequent, may represent "a potential vulnerability" in the national security mission of the Office of Secure Transportation, which is responsible for transporting nuclear weapons and nuclear components. However, the report did not uncover any systemic problem or evidence that agents drove drunk while on duty, said officials from the Energy Department's National Nuclear Security Administration, which supervises the agents. The report urged officials to implement a zero tolerance policy for alcohol-related incidents.




NIST Issues Guidance to Secure WiMAX
GovInfoSecurity.com (11/19/10)

The U.S. National Institute of Standards and Technology (NIST) has announced new guidelines to secure WiMAX technology. The guidelines recommend that organizations establish a sturdy wireless metropolitan area network security policy and enforce it, review WiMAX technical countermeasures before adopting a vendor's WiMAX technology, require mutual authentication for WiMAX devices, and implement FIPS-validated encryption algorithms that use FIPS-validated cryptographic modules to secure data communications. The report details WiMAX wireless communication topologies, components, certifications, security features, and related security issues. NIST says the primary threats to WiMAX focus on disrupting the radio links between WiMAX nodes. These radio links enable line-of-sight and non-line-of-sight signal transmission. Links from line-of-sight WiMAX systems are usually more difficult to attack than those from non-line-of-sight platforms because an attacker would have to physically locate equipment between the transmitting nodes to upset the confidentiality or security of the wireless link.


Half of All Businesses Never Erase Sensitive Data: Survey
eWeek (11/18/10) Preimesberger, Chris

Although 49 percent of businesses say they employ some sort of policied data erasure system, 75 percent of those do not erase data securely, according to a Kroll Ontrack survey. The survey also found that fewer than 50 percent of businesses regularly use a process of erasing sensitive information from old computers and hard drives. Most of the businesses that do deploy some type of data erasure do not do so securely, Kroll found. This exposes most organizations to data breaches, which affect businesses at least once per year, according to another Kroll study. The survey also found that 40 percent of businesses gave away their hard drive to another person, and 22 percent say they do not know where their old computer went. Deleting files from a hard drive only categorizes the files to be rewritten, which does not necessarily happen, says Kroll's Jim Reinert. "Furthermore, reformatting the drive only removes the entries in the index or table of contents that point to the data," he notes. "And, physically destroying a drive is not a guaranteed method of protection."


Adobe Reader X Sandboxing Security Technology Arrives
eWeek (11/18/10) Prince, Brian

Adobe Systems has released Adobe Reader X, which incorporates sandboxing technology the company has promoted as an answer to some of its recent security woes. The sandboxing technology is directed at Windows users, who are overwhelmingly the victims of the attacks against the PDF-viewing software. The technology resembles what Google built into Chrome as well as what Microsoft packaged into Office 2010 Protected Viewing Mode. Now, Adobe Reader comes with its own Protected Mode, which the company told eWeek encapsulates a significant stride ahead in softening the blow of an attempted attack. The introductory release of Adobe Reader Protected Mode sandboxes all write calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. Future releases will enhance the technology to address read-only activities as well, though the company says the timeline for that is yet to be determined. Triggered by default, Protected Mode essentially means all functions required by Reader to display PDF files are run inside the sandbox. If the reader must carry out an action not permitted in the sandbox environment, such as writing to the user's temporary folder, those requests are routed through a broker process operated by a set of policies for what is and is not permitted.


Admin Passwords: Achilles Heel of Security
CSO Online (11/17/10) Bradley, Tony

IT administrators and information security professionals sometimes fail to enforce IT security policies that require administrative passwords to be changed on a regular basis in order to prevent security breaches. One reason why such passwords are sometimes not changed is the fact that the passwords are hard-coded into scripts and macros, which means that any change must be done manually across a number of different systems. If this manual modification process is not performed properly, it could have a negative impact on the business. However, there are a number of free tools that are available that allow IT admins to change the administrative password on several different remote systems all at once. IT admins that use these tools should be sure that the password change is reflected in Web scripts and custom applications. In addition, IT admins should be sure to change the administrative password during non-business hours, such as at night, on a weekend, or during a holiday break. After the change is complete, any dependent business processes should be thoroughly tested to ensure that everything is working properly.


Encryption Adoption Driven by PCI, Fear of Cyberattacks
Network World (11/16/10) Messmer, Ellen

Organizations are primarily motivated to adopt encryption by the need to comply with PCI data security standards and fears about potential cyberattacks, according to a recent Ponemon Institute survey of nearly 1,000 IT managers. Of the IT managers who took part in the study, 69 percent said that their organizations were implementing encryption in order to comply with some type of regulation. Of these, 64 percent said they were being driven by the need to comply with PCI DSS. In 2007, just 15 percent of IT managers said they were implementing encryption because they wanted to comply with the standards. Ponemon says the need to comply with PCI DSS is becoming an important motivating force behind efforts to deploy encryption because organizations that do not comply with the standards are unable to perform credit card transactions. Meanwhile, 97 percent of the survey's respondents said that cyberattacks were the biggest threat to their ability to carry out their missions successfully. In addition, nearly 90 percent of survey respondents said they experienced at least one data security breach, up from 85 percent last year. The percentage who said they experienced five or more data breaches per year rose 3 percent from 2009.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: