Search This Blog

Friday, January 28, 2011

Security Management Weekly - January 28, 2011

header

  Learn more! ->   sm professional  

January 28, 2011
 
 
Corporate Security
Sponsored By:
  1. "Studios Seek to Cap Piracy Threat From Thousands of DVDs Sent to Awards Voters"
  2. "Education May Be PCI's Main Hurdle" Payment Card Industry
  3. "Oil Cargoes at Risk From Somali Pirates: Shippers"
  4. "ASIS Launches Standards Initiative" American National Standards
  5. "NYPD's Lessons Learned From Tucson-Style Shootings"

Homeland Security
  1. "Egypt Fires Water Cannons at Nobel Winner, Protesters"
  2. "'Concise' Terror Alerts to Replace Color Codes"
  3. "Philippine Officials See Link to Islamic Militants in Bus Explosion"
  4. "Confusion, Blame Follow Moscow Airport Bombing"
  5. "4 Detroit Police Officers Shot, Gunman Dead in 'Horrifying' Attack"

Cyber Security
  1. "Hackers Turn Back the Clock with Telnet Attacks"
  2. "Headless Conficker Worm Lives in Computers"
  3. "After Hacks, Facebook Unlocks New Security Mechanisms"
  4. "Honda Data Breach Highlights Need to Set Strong Cloud Security Policies"
  5. "Hackers Get Access to N.J. School Data System"

   

 
 
 

 


Studios Seek to Cap Piracy Threat From Thousands of DVDs Sent to Awards Voters
Canadian Press (Canada) (01/27/11) Nakashima, Ryan

During the movie awards season, film studios send thousands of DVDs to voters in order to encourage support for their potential competitors. However, of these screeners, some end up as the source of pirated online content. In order to prevent this type of piracy, some studios have had voters directly download their films through iTunes. The films are set to expire 24 hours after they have been viewed. Despite these precautions, experts say that someone who is really determined to make a copy of the film will find a way, even if they have to just film the screen with a video camera. And Ernesto Van Der Sar, founder of the piracy news site TorrentFreak, says that "Copying a stream is even easier than copying a DVD." His confidence is discouraging for the Motion Picture Association of America (MPAA), which estimates that as much as $25 billion is lost to piracy worldwide each year. Thanks in part to the MPAA's lobbying efforts, the penalty for uploading movies to Web sites can be up to three years in prison and a fine for first-time offenders, and the penalties are higher for repeat offenders or those looking to profit from piracy. The Justice Department convicted 207 people of intellectual property theft in 2010. Several of those cases reportedly involved awards screeners.


Education May Be PCI's Main Hurdle
Green Sheet (01/26/11)

The biggest challenge to realizing PCI compliance is employee education about appropriate data security procedures, according to a Cisco survey of 500 IT professionals at U.S. businesses. Forty-three percent of respondents identified educating employees on the proper handling of cardholder data as the primary challenge, while 32 percent said the main obstacle to compliance was upgrading antiquated systems. Cisco's Fred Kost says the survey's most surprising conclusion was that the main hindrance to PCI compliance was related to people rather than technology, while another unexpected finding was that no single PCI requirement out of the 12 was seen as being responsible for the most issues. Thirty-seven percent of respondents listed tracking and monitoring all access to network resources and cardholder data as the biggest issue, while 32 percent and 30 percent, respectively, listed the requirements to develop and maintain secure systems and applications and to shield stored cardholder data as the most problematic. The survey also found that 60 percent of respondents are employing point-to-point encryption to streamline compliance initiatives and as a possible way to shrink the scope of future evaluations. More than 33 percent of respondents indicated that PCI compliance required them to increase the number of virtual security appliances, while another 30 percent said they needed to bolster their virtualization software using guidance from the PCI Security Standards Council and security solution vendors.


Oil Cargoes at Risk From Somali Pirates: Shippers
Business Insurance (01/25/11)

Several shipping associations, including BIMCO, the International Chamber of Shipping, INTERCARGO and INTERTANKO, have released a joint statement urging the world's governments to increase the naval firepower used to combat Somali pirates. According to the statement, reinforcements are needed because pirates have begun changing their tactics, threatening oil tankers far from the African coast and improving their own weapons capabilities. "They make greater use of so-called mother ships, some of them large hijacked vessels, which has vastly expanded their range of operation to encompass much of the Arabian Sea between the Gulf of Aden, Somalia and India," the statement claims. "Over 40% of the world's seaborne oil supply now passes through waters at high risk from pirate attack." In light of pirates' expanding scope in the area, London's marine insurance market has widened the areas at high risk for pirate attack to include the Gulf of Oman and a wider stretch of the Indian Ocean. Additionally, John Drake, a senior risk consultant with security firm AKE Ltd., said attacks on ships were likely to increase. "AKE believes the problem will get worse. The pirates have more buying power, so they can purchase more weaponry, navigational equipment and skiffs," he said. "They can also bribe more officials and hire more men, many of whom will be attracted to the industry by its increasing success."


ASIS Launches Standards Initiative
SecurityInfoWatch.com (01/24/11)

ASIS International has announced plans to develop two American National Standards that will be used to support the International Code of Conduct for Private Security Service Providers. The first of the standards, known as "Management System for Quality of Private Security Company Operations - Requirements with Guidance," will help private security companies comply with legal requirements and conform to best practices. The second standard, known as "Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations," includes requirements for organizations that audit and certify private security companies. Both standards will provide private security companies with criteria that they can use to create a management system that will ensure that quality services are provided, as well as one that will be accountable to the Code of Conduct.


NYPD's Lessons Learned From Tucson-Style Shootings
Wall Street Journal (blog) (01/20/11)

The New York Police Department on Jan. 20 gave security officials from the city's private sector an analysis of active shooter attacks that have taken place over the last 45 years. The analysis noted that the overwhelming majority of such attacks, which are similar to the Jan. 8 shooting in Tucson, Ariz., involve a single attacker that is actively killing or attempting to kill people in a confined and populated area. According to Jessica Tisch, the director of policy and planning at the NYPD's counterterrorism squad, the fact that 98 percent of active shooter attacks are carried out by just one individual makes them more difficult to detect before they take place. The analysis also found that 46 percent of active shooter attacks ended after law enforcement or bystanders used force against the attacker, while 40 percent ended after the attacker committed suicide. Meanwhile, the NYPD's Capt. Michael Riggio provided advice to corporate business security officials in attendance at a conference in Manhattan on how to handle active shooter attacks. He said that companies should prepare drills that simulate such attacks and create a room stocked with medical supplies that employees can flee to in the event a shooter is in the building. Riggio also noted that employees should be trained to not approach police officers responding to an active shooter attack, and to evacuate the building with their hands open and above their heads. Finally, Riggio said that if employees cannot avoid a confrontation with the shooter, they should arm themselves with whatever they can find and attack him as aggressively and violently as possible.




Egypt Fires Water Cannons at Nobel Winner, Protesters
MSNBC (01/28/11)

Anti-government protests continued in Egypt on Friday, one day after pro-democracy leader and former U.N. nuclear watchdog Mohamed ElBaradei returned to the country. Protests began in Cairo following Friday noon prayers, forcing police to use water cannons against ElBaradei and his supporters. Police also used batons against ElBaradei's supporters in order to disperse the crowds. At least five leaders of the Muslim Brotherhood, an Islamist Egyptian opposition group, were arrested following the protests. Five former parliament members who belonged to the Muslim Brotherhood were also arrested, along with a large number of rank-and-file members of the group. Meanwhile, Egyptian authorities shut of Internet and cell-phone data services in what may have been an attempt to disrupt the organization of the protests. Protests outside of Cairo also turned violent on Thursday. In Suez, protesters set a fire station ablaze and stole weapons that they used on police. More than 90 police officers were injured in the violence, as were an untold number of protesters. In northern Sinai, protesters fired rocket-propelled grenades at a police station from the roofs of nearby buildings. More demonstrations are likely after Friday afternoon prayers.


'Concise' Terror Alerts to Replace Color Codes
Washington Post (01/28/11) P. A03 Miller, Greg

Homeland Security Secretary Janet Napolitano on Thursday outlined the new terror alert warning system that will replace the color-coded system that was put in place following the September 11, 2001 terrorist attacks. The new system, which will be implemented in 90 days, will reduce the number of threat levels from five under the color-coded system to two. Alerts will be categorized as being either "imminent" or "elevated" and will be issued as statements from the Department of Homeland Security. Those statements will include a summary of the potential threat, information about steps that are being taken to ensure the safety of the public, and recommendations about steps that the public can take. The phasing out of the old system, which was criticized for scaring the public and doing little to raise awareness about possible terrorist threats, comes amid an increase in the number of terrorist plots being conceived inside the U.S. Among the homegrown plots that have been uncovered in the past two years was the plot by Najibullah Zazi to attack the New York City subway system and Faisal Shahzad's plot to detonate a car bomb in Times Square. Zazi was a legal permanent U.S. resident, while Shahzad was a naturalized U.S. citizen.


Philippine Officials See Link to Islamic Militants in Bus Explosion
Voice of America News (01/26/11)

Philippine officials report that Tuesday's bus bombing in Manila, which killed give and injured at least 13 others, was similar to terrorist attacks by Muslim separatists in the southern part of the nation. However, the officials did not blame any specific group for the attack. Responsibility for the bombing has not been claimed. Abu Sayyaf, a group linked to al-Qaida, was blamed for a similar attack on a bus in Manila in 2005, which occurred on the same road. Four people were killed in that attack. The bombing follows a travel warning issued about three months ago by the United States and other nations that the Philippines may be facing an increased terrorist threat. President Benigno Aquino acknowledged the government had received intelligence reports last year of potential terrorist attacks in Manila. But he said intelligence officials did not believe the groups had enough resources to carry them out.


Confusion, Blame Follow Moscow Airport Bombing
Washington Post (01/25/11) Englund, Will

A bomb with the equivalent of either 11 or 15 pounds of TNT went off in the unsecured area outside of customs in Moscow's Domodedovo Airport on Monday, killing 35 people and injuring at least 100 others. Police say that the attack was similar to ones carried out in the past by Chechens and other Islamic separatists from Russia's North Caucasus region. However, no group has been blamed for the attack. As the investigation into the bombing gets underway, there remains some confusion about how the attack was carried out. One Russian investigator said that the attack was carried out by two suicide bombers, one male and one female.

Another source said that the suicide bomber who carried out the attack was a man who worked alone. The source added that the attack was able to succeed because security personnel had intelligence that a female bomber may have been planning to carry out an attack. The aftermath of the attack also brought plenty of finger pointing, with Russian President Dmitry Medvedev saying that the airport's managers should be held accountable for lapses in security. Airport managers countered by saying that the bombing was not their fault because police are responsible for providing security, though police said that airport personnel should be responsible for security. Meanwhile, authorities in Russia and around the world said that airport security would be tightened in the wake of the attack.  For additional coverage of this story, please click here.



4 Detroit Police Officers Shot, Gunman Dead in 'Horrifying' Attack
Detroit Free Press (MI) (01/24/11) Damron, Gina; Anderson, Elisha; Rossiter, Joe

Four Detroit police officers were shot on Sunday afternoon after a gunman walked into the Detroit Police Department's Northwestern District police station and opened fire. According to Police Chief Ralph Godbee Jr., the officers in the police station performed exactly as they were trained to, taking cover and returning the shooter's fire. When the shooting rampage was over, the gunman had been killed by police and four police officers were suffering from gunshot wounds. All of the officers are expected to recover, Godbee said. In the wake of the shooting, concerns are being raised about the security of Detroit's community police precincts and districts. At the Northwestern District station, there are no metal detectors or bulletproof glass, an employee who works in the building said. In addition, police officers sit below the station's high desk and cannot see if someone entering the building has a weapon in his hands, said retired police Sgt. David Malhalab. However, security at the city's police precincts will be reviewed in the aftermath of the shooting, Godbee said. He added that changes could be made to the screening process that is used on citizens before they are allowed to enter police stations. Sunday's shooting was not the first such incident at a Detroit police station. In May 1998, a gunman walked into the city's 9th Precinct station and opened fire. The gunman was hit by a number of shots and later died, though no officers were injured.




Hackers Turn Back the Clock with Telnet Attacks
Computerworld (01/27/11) Kirk, Jeremy

New research from Akamai Technologies reveals that hackers seem to be increasingly using the Telnet remote access protocol to attack corporate servers via mobile networks. Akamai's latest quarterly report on Internet traffic trends, which covers July through September 2010, shows that 10 percent of attacks that stemmed from mobile networks were directed at Port 23, which Telnet uses. That signals a somewhat mystifying spike in the aging protocol. Telnet is a remote access tool used to gain access to remote servers, but it has been gradually replaced by SSH, also known as Secure Shell. Administrators are generally urged to turn off Telnet if the protocol is not used to deflect attacks targeting it, but some forget. Although those attacks were launched from mobile networks, Akamai said that it did not appear that mobile technologies were the source. "As noted previously, we believe that the observed attack traffic that is originating from known mobile networks is likely being generated by infected PC-type clients connecting to wireless networks through mobile broadband technologies and not by infected smartphones or similar mobile devices," the report stated.


Headless Conficker Worm Lives in Computers
Agence France-Presse (01/26/11) Chapman, Glenn

The people who control the Conficker computer worm have been prevented from using it to control computers and create a botnet, according to a Conficker Working Group report. However, the report says that more than 5 million computers remain infected with variations of Conficker, which spreads via the Internet or USB memory sticks and takes advantage of networks or computers that do not have the latest Windows security patches. Nevertheless, the working group has been touted as an example of the benefits that can result from collaborative efforts between traditionally competitive rivals. The group included security researchers from Microsoft, IBM, the Internet Corporation for Assigned Names and Numbers, Cisco, Facebook, VeriSign, and many others. "In many ways, Conficker did serve as a test run for the cybersecurity community to learn where their strengths and weaknesses were," the report says. Conficker's authors have not been caught, and the report notes that they may never have intended to use the botnet. "It is likely that the Conficker Working Group effort to counter the spread did make it more difficult for the author to act with impunity, but the author did not seem to have tried his or her hardest," the report says.


After Hacks, Facebook Unlocks New Security Mechanisms
CNN (01/26/11) Milian, Mark

Facebook has announced new security features after hackers hijacked profiles for CEO Mark Zuckerberg and French President Nicolas Sarkozy. The first of these features, called "social authentication," will periodically ask users to match pictures of their friends to their names. "The vast majority of people who have used Facebook have never experienced a security problem," Alex Rice, a Facebook security engineer, wrote on the company blog. "However, if we detect suspicious activity on your account, like if you logged in from California in the morning and then from Australia a few hours later, we may ask you to verify your identity so we can be sure your account hasn't been compromised." Facebook has also begun allowing users to browse its site using a secure connection that encrypts all information to and from the site.



Honda Data Breach Highlights Need to Set Strong Cloud Security Policies
eWeek (01/24/11) Rashid, Fahmida Y.

In light of data breaches that occurred over the holidays, including a December attack that hit 2.2 million Honda customers, IT administrators need to curtail what data is actually shared with cloud service operators. Corporations working with cloud service providers need to carefully consider what information is being shared to sufficiently protect consumer privacy, security experts say. The protection should be discussed in the contract, ensuring a threshold of security, before the company turns over the information. There are many benefits of the cloud, but "all that goes out the window when there is a data breach," says Novell's Ben Goodman. When the cloud provider gets hacked, the firm that hired the company is responsible, he notes. Companies "outsource the job, not the responsibility," Goodman says. Such was the case when an email marketing company that Honda partnered with experienced a data breach in December. Thieves raided a database containing names, Honda portal logins, email addresses, and 17-character vehicle identification numbers. The inclusion of VINs in the stolen data was unique, as Honda shared its customer information with the firm for email marketing services.


Hackers Get Access to N.J. School Data System
IDG News Service (01/24/11) McMillan, Robert

A system used by the Plainfield, N.J., Board of Education to manage student records and communicate with parents and students was recently breached. The board of education notes that someone posted the administrative username and password for the district's Genesis Student Information System on a message board called 4chan. A link to the Genesis system's login page was posted as well. That allowed some 4chan members to break into the system and alter prices for school lunches, access the school's emergency notification system, and change graduation requirements. However, no permanent damage was done to the school district's electronic files, says interim superintendent Anna Belin-Pyles. She points out that steps are being taken to correct any problems caused by the breach and to secure the Genesis system. Belin-Pyles also notes that a criminal investigation into the breach has been launched.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: