Friday, January 07, 2011

Security Management Weekly - January 7, 2011

Corporate Security
  1. "Piracy Concerns Over Apple's New Mac Download Store"
  2. "Police: Lone Suspect Behind 2 Arizona Shootings"
  3. "Renault Spying Case 'Involves Electric Cars'" France
  4. "Court Changes Law on Patent Damages"
  5. "Joint Effort: Dutch Utilities Help Police Smoke Out Pot Farmers"

Homeland Security
  1. "Incendiary Parcels Alarm Md."
  2. "Emergency Teams Will Practice Response To Terrorism Involving Chemical Weapon" Charleston County, S.C.
  3. "Napolitano: Counterterrorism Must Focus on Shipments of Everyday Chemicals"
  4. "US Urges Action to Prevent Insider Leaks"
  5. "U.S. Military Aid is Available for Hire in Yemen"

Cyber Security
  1. "Network Defense Gone Wrong" Distributed Denial of Service Attacks
  2. "Malware Creation Goes Off the Scale in 2010"
  3. "State Battles Data Leakage" Delaware
  4. "'SMS of Death' Could Crash Many Mobile Phones" Short Message Service
  5. "Why Are Health Data Leaking Online? Bad Software, Study Says"


Piracy Concerns Over Apple's New Mac Download Store
BBC News (01/07/11)

Several groups say that Apple's new Mac App Store, which allows Apple computer users to purchase and download applications, contains security flaws that could allow pirates to copy the programs without authorization. One flaw that affects a number of applications offered through the store involves copying and pasting the purchase code (the receipt) from one application into another, which makes it possible to use for free programs that are normally offered for purchase. Meanwhile, a group called Hackulous has said that it has developed a program that is capable of defeating the protections on any software offered through the App Store. The program is scheduled to be released sometime in February.
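The copy-and-paste flaw comes down to an application accepting any authentic store receipt instead of one issued for that specific application. The following added example (my illustration, not Apple's receipt format or any affected application's code) models that mistake with a simplified receipt: a naive validator checks only that the receipt is genuinely signed, so a receipt issued for a free app unlocks a paid one; the bound validator also checks that the receipt names this bundle identifier, this version and this machine. The store signing key, the HMAC stand-in for the store's signature, and the bundle identifiers are all assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Assumed store key. A real store signs receipts with a certificate and the
# app verifies with the public key; HMAC is used here only to keep the model small.
STORE_KEY = b"store-signing-key-example"


def device_hash(device_id: str) -> str:
    """Bind a receipt to a machine by hashing a per-device identifier."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def issue_receipt(bundle_id: str, version: str, device_id: str) -> dict:
    """Store side: issue a receipt for one app, one version, one machine."""
    body = {"bundle_id": bundle_id, "version": version,
            "device_hash": device_hash(device_id)}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def signature_valid(receipt: dict) -> bool:
    """Is this receipt authentic, i.e. unmodified since the store signed it?"""
    payload = json.dumps(receipt["body"], sort_keys=True).encode()
    expected = hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


def naive_check(receipt: dict) -> bool:
    """Weak app-side check: any authentic receipt unlocks the app.
    A receipt pasted in from a free app passes this."""
    return signature_valid(receipt)


def bound_check(receipt: dict, bundle_id: str, version: str, device_id: str) -> bool:
    """Hardened app-side check: the receipt must be authentic AND issued
    for this bundle, this version and this machine."""
    if not signature_valid(receipt):
        return False
    body = receipt["body"]
    return (hmac.compare_digest(body["bundle_id"], bundle_id)
            and hmac.compare_digest(body["version"], version)
            and hmac.compare_digest(body["device_hash"], device_hash(device_id)))


def demo() -> dict:
    """Constructed scenario: a free app's receipt is pasted into a paid app."""
    paid_app, paid_ver, machine = "com.example.paidapp", "2.1", "machine-A"
    free_receipt = issue_receipt("com.example.freeapp", "1.0", machine)
    paid_receipt = issue_receipt(paid_app, paid_ver, machine)
    # Editing the body to claim the paid bundle breaks the signature.
    forged = {"body": dict(free_receipt["body"], bundle_id=paid_app),
              "sig": free_receipt["sig"]}
    return {
        "pasted_free_receipt_naive": naive_check(free_receipt),            # True: unlocked
        "pasted_free_receipt_bound": bound_check(free_receipt, paid_app, paid_ver, machine),
        "genuine_paid_receipt_bound": bound_check(paid_receipt, paid_app, paid_ver, machine),
        "paid_receipt_other_machine": bound_check(paid_receipt, paid_app, paid_ver, "machine-B"),
        "forged_body_bound": bound_check(forged, paid_app, "1.0", machine),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'licensed' if ok else 'rejected'}")
```

The point a practitioner should take away is that signature verification answers "did the store sign this?" and nothing more; the app still has to ask "was it signed for me, on this machine?", and the comparisons should be constant-time so the check does not leak which field mismatched.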


Police: Lone Suspect Behind 2 Arizona Shootings
CNN International (01/06/11)

The Chandler Fashion Center in Chandler, Ariz., reopened late in the day on Wednesday following an earlier security scare. The incident began when U.S. Marshals and other law enforcement officers confronted a man outside the mall who they thought was a suspect in a shooting involving a police officer in December. The confrontation prompted the man to open fire on the law enforcement officers, who then returned fire. The man then ran into the Sears store, where officers lost track of him. According to a spokesman for the Arizona Department of Public Safety, the mall was then evacuated and surrounded. At about 12:30 p.m., police received reports of a hostage situation at a nearby Baja Fresh restaurant. During that hostage situation, the suspect fired warning shots at the restaurant and held at least two individuals captive; he was taken into custody before 2 p.m. Authorities believe that the man who ran into the mall was the same man who held the two individuals hostage at Baja Fresh, though they said that the man was not the person they originally thought he was. Jeff Carter of the U.S. Marshals said that the man looked like Daniel Munoz Perez, a fugitive who was accidentally released last month after allegedly shooting a police officer. However, the suspect in Wednesday's mall shooting, Adam Hernandez, was wanted in an armed robbery.


Renault Spying Case 'Involves Electric Cars'
Wall Street Journal (01/06/11) Landauro, Inti

Three employees of the French car maker Renault have been suspended from their jobs for allegedly being involved in corporate espionage. According to French Industry Minister Eric Besson, the employees are believed to have been trying to obtain information on Renault's electric car program. Now that they are suspended, the employees will no longer be paid, and will be prohibited from entering their workplace. They could also face additional disciplinary action, including termination. Meanwhile, Besson is calling for companies that receive support from the French government for their research and development efforts to take steps to protect themselves from spying.


Court Changes Law on Patent Damages
Wall Street Journal (01/05/11) Kendall, Brent

A ruling by the U.S. Court of Appeals for the Federal Circuit on Tuesday could place limits on the damage awards that some patent infringers are ordered to pay. Ruling in the patent infringement case Uniloc brought against Microsoft, in which Microsoft was ordered to pay $388 million for infringing on Uniloc's anti-piracy technology, the court said that it would stop following a rule that stipulates that patent infringers should generally pay a quarter of expected profits on the product that uses the patent. During the Uniloc trial, a Uniloc expert used that rule to determine that Microsoft should pay $560 million for allegedly infringing on the patent. A jury later reduced the award to $388 million, though the Court of Appeals threw that out as well. In its ruling, the court said that the 25 percent rule is "fundamentally flawed" and inadmissible because it does not tie damage estimates to the facts of a particular case. A new trial will be held to determine how much Microsoft should pay in damages.


Joint Effort: Dutch Utilities Help Police Smoke Out Pot Farmers
Wall Street Journal (01/03/11) Miller, John

Volt-hungry pot farms in the Netherlands have been stealing hundreds of millions of dollars of electricity a year. The problem has gotten so bad that Stedin Netbeheer BV, a grid operator with 1.8 million customers, is now sending employees on raids with armed police officers, using sophisticated grid analysis to unearth pot plantations. In December the firm launched an anonymous hot line and mailed out 30,000 scratch-and-sniff cards that smell like fresh cannabis. "People have this image of a nice hippie smoking," says Wolter Meijer, the company's top antifraud official. "The reality is danger and crime." Growing weed indoors requires water, carbon-dioxide generators and intense light and heat, which leads to hundreds of accidental fires a year. Heavy electricity use is a big red flag for investigators, so cultivators try to avoid detection by tapping into the grid before the meter. That costs Stedin $15 million a year. Meijer's team of 32 is on the lookout for eight-hour spikes in power use, corresponding to heat-lamp patterns, and for outside air filters, convoluted wiring and roofs that quickly melt snow. The company first held talks with police in 2004 and has worked increasingly closely with authorities since then.




Incendiary Parcels Alarm Md.
Washington Post (01/07/11) P. B01 Glod, Maria; Wiggins, Ovetta; Wagner, John

There was a security scare at two buildings in Maryland on Thursday when workers opened two packages containing incendiary devices. The first package, which was addressed to Maryland Gov. Martin O'Malley, was opened at about midday in the mailroom of the Jeffrey Building in downtown Annapolis. The device inside the package produced flame, smoke, and an unusual smell when it was opened, though it did not cause any property damage. However, the worker who opened the package was injured by the flames. Roughly 15 minutes later, a package addressed to Maryland Transportation Secretary Beverley K. Swaim-Staley was opened at the Maryland Department of Transportation headquarters in Hanover, triggering a similar incendiary device. No damage was reported. In the wake of the incidents, both buildings were evacuated, nearby roads were blocked off, and all state mailrooms were put under quarantine. In addition, police dogs were sent to search the Transportation Department headquarters, while the Bureau of Alcohol, Tobacco, Firearms and Explosives sent specialists to both buildings. According to Gov. O'Malley, the person who sent the package to him may have been upset about the overhead highway signs that the state uses to ask citizens to be on the lookout for suspicious activity. A source noted that the package that was addressed to O'Malley contained a note that mocked the phrase "report suspicious activity," which is used on the signs, saying that it was "total [expletive]."


Emergency Teams Will Practice Response To Terrorism Involving Chemical Weapon
Post and Courier (SC) (01/07/2011) Findlay, Prentiss

The Emergency Management Department of Charleston County, S.C., has initiated drills to make sure first responders are prepared to handle a chemical weapon attack at a school. The drill, which is being held at the former Laing Middle School, will involve police, firefighters, emergency medical specialists, and South Carolina National Guard members. "Our proximity to the port and major transportation routes could place us at risk for exposure to a wide range of emergency incidents," Mount Pleasant Fire Chief Herb Williams said. "Our staff is training to respond to and mitigate those incidents." The Weapons of Mass Destruction Regional Response Team includes about 85 volunteers from public safety agencies in the area, and the National Guard participants are members of the 43rd Civil Support Team, trained to use equipment that detects radiological, chemical, or biological agents.


Napolitano: Counterterrorism Must Focus on Shipments of Everyday Chemicals
FoxNews.com (01/05/11) Levine, Mike

While in Europe, Department of Homeland Security (DHS) Secretary Janet Napolitano on Wednesday encouraged U.S. allies to be wary of individuals purchasing everyday chemicals that could be combined to create explosives and moved around the world. "It can be ... chemicals used in the manufacture of bombs, but you're also talking chemical, biological, potentially radiological (weapons). All the things that we need to be concerned about in today's threat environment," she said. Although further specifics of the kinds of chemicals causing concern have not been released, officials have indicated that DHS may release a list of 14 "precursor" products that may not be dangerous on their own, but are commonly used for bomb making by extremists. Already, the U.S. and its partners have a Global Shield program in place designed to prevent the use of such chemicals as ammonium nitrate, which is often found in fertilizers, in bombs. Moving forward, a statement from the European Policy Center indicates that Napolitano will "share her vision for securing the global supply chain through a layered security approach to identify, deter and disrupt threats in partnership with Europe and other international actors."


US Urges Action to Prevent Insider Leaks
BBC News (01/05/11)

Jacob J. Lew, the director of the White House Office of Management and Budget, has sent a document to senior officials at federal agencies that use classified material that asks them to create programs that could identify those who could potentially divulge state secrets. Such programs would aim to detect changes in behavior of employees who may have access to secret documents. For instance, psychiatrists and sociologists could be used to determine the "relative happiness" or the "despondence and grumpiness" of these workers in order to determine whether they are trustworthy, the document noted. The document also asked whether federal agencies that use classified material are using lie-detector tests or are taking steps to identify staff members who are traveling out of the country an unusually large number of times, as well as those who have foreign contacts or preferences. The measures outlined in the document aim to prevent a repeat of the WikiLeaks case, in which a soldier allegedly stole classified documents and passed them on to the site.


U.S. Military Aid is Available for Hire in Yemen
Wall Street Journal (01/04/11) Coker, Margaret

A U.S. lawmaker is expressing concern about reports that Yemen is misusing some of the military equipment it was given to combat terrorists and other security threats. Since 2003, the U.S. has given two dozen vessels to the Yemeni Coast Guard with the understanding that the ships were not to be used in private commercial operations. However, Yemen has reportedly rented out the patrol boats, as well as some of its servicemen, to commercial ships that are in need of protection against pirates. The services are provided through San'a-based Lotus Maritime Security Services and the Channel Islands-based Gulf of Aden Group Transits (GoAGT). Both of these companies offer security packages for commercial ships that include heavily armored patrol vessels and uniformed, armed personnel for $55,000 for roughly three days. Rep. Peter King (R-N.Y.), who will take over as chairman of the House Committee on Homeland Security when the G.O.P. takes control of the House, said the reports raise a number of serious questions that will need to be answered by his panel when Congress reconvenes. An official with the Yemeni government has defended the use of the Coast Guard vessels in providing protection for commercial ships, saying that the arrangement was not being used by someone to get rich, since all the fees for the services were paid to the Yemeni government.




Network Defense Gone Wrong
IEEE Spectrum (01/11) Schneider, David

There recently has been an increase in the number of distributed denial-of-service (DDoS) attacks, the most basic of which involves overloading the targeted server with requests, effectively blocking out legitimate users. Many companies use several servers spread far apart, known as content-delivery networks (CDNs), as a defense against DDoS: the edge servers cache copies of the site's files so that most requests never reach the origin server. However, a research effort led by Case Western Reserve University professor Michael Rabinovich found that content-delivery networks could make Web sites more vulnerable to DDoS attacks. The researchers found that attackers can add a query string to the target URL, so that the edge server treats each request as a new, uncached object and passes it along to the origin server, which has to supply the file. Essentially, the attacker can force an edge server to consult the origin server at any time. Additionally, the attacker's computer can cancel the connection immediately after requesting a file, while the edge server still completes the fetch from the origin, a method that requires little computing power on the attacker's side. However, some in the industry say the scenario laid out by Rabinovich is unrealistic. "This attack doesn't happen in practice, so customers don't bother," says Duke University professor and Akamai vice president for research Bruce Maggs.
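The following added simulation (my example, not code from the researchers or from any CDN vendor) makes the cache-key point concrete. An edge cache that keys objects by the full URL treats every random query string as a new object and forwards every request to the origin; an edge that strips query parameters the origin does not recognise collapses the whole flood onto one cached object. The parameter allow-list, paths and request counts are assumptions for the demonstration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit


class OriginServer:
    """Constructed stand-in for the origin: it only counts how often it is hit."""

    def __init__(self) -> None:
        self.hits = 0

    def fetch(self, key: str) -> str:
        self.hits += 1
        return f"<body for {key}>"


class EdgeCache:
    """Simplified CDN edge. key_policy decides which requests count as 'the same object'."""

    def __init__(self, origin: OriginServer, key_policy) -> None:
        self.origin = origin
        self.key_policy = key_policy
        self.store: dict[str, str] = {}

    def get(self, url: str) -> str:
        key = self.key_policy(url)
        if key not in self.store:              # cache miss: the origin does the work
            self.store[key] = self.origin.fetch(key)
        return self.store[key]


def key_full_url(url: str) -> str:
    """Weak policy: the complete URL, query string included, is the cache key."""
    return url


# Assumed allow-list: the only query parameters the origin actually honours.
ALLOWED_PARAMS = {"page", "lang"}


def key_known_params(url: str) -> str:
    """Hardened policy: keep only recognised parameters, in a canonical order,
    so unknown junk parameters cannot manufacture new cache keys."""
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_PARAMS)
    return parts.path + ("?" + urlencode(kept) if kept else "")


def cache_busting_flood(edge: EdgeCache, path: str, n: int) -> int:
    """Attacker: n requests for one object, each with a never-seen query string.
    Returns the number of requests that reached the origin."""
    for i in range(n):
        # In the real attack the client drops the connection right after sending
        # this; the edge still completes its fetch from the origin.
        edge.get(f"{path}?cb{i}=1")
    return edge.origin.hits


def simulate(n: int = 1000) -> dict:
    weak = EdgeCache(OriginServer(), key_full_url)
    hard = EdgeCache(OriginServer(), key_known_params)
    return {
        "full_url_key": cache_busting_flood(weak, "/big/video.mp4", n),
        "known_params_key": cache_busting_flood(hard, "/big/video.mp4", n),
    }


if __name__ == "__main__":
    for policy, origin_hits in simulate().items():
        print(f"{policy:18s} origin hits: {origin_hits}")
```

Normalising the cache key is the cheap half of the fix; the other half, not modelled here, is request coalescing (one in-flight origin fetch per key, with concurrent misses waiting on it) so that even recognised parameters cannot be used to stack up origin work faster than the cache fills.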


Malware Creation Goes Off the Scale in 2010
V3.co.uk (01/05/11) Muncaster, Phil

Roughly 33 percent of all malware in circulation was created in 2010, and social media, black hat search engine optimization techniques, and zero-day vulnerabilities were the most common conduits of infection, according to Panda Security's latest annual report. The PandaLabs Annual Report 2010 revealed that the security vendor's database currently contains 134 million unique files, of which malware constitutes 60 million. Trojans are most prevalent with 56 percent of all samples, trailed by viruses and worms, while sham anti-virus solutions have propagated rapidly since 2007 to account for 11.6 percent of all malware. However, the rate at which the number of new threats is growing fell over the past year, Panda says. New threats have more than doubled every year since 2003, but increased by just 50 percent last year. 2010 also was notable for the heightened success with which law enforcers and other officials fought the growth of cyber crime, Panda says. "Even though there is a long way to go before we can feel truly secure, at least we are heading in the right direction," the report says.


State Battles Data Leakage
GovInfoSecurity.com (01/05/11) Chabrow, Eric

Delaware has taken several steps to prevent data leaks, according to state CSO Elayne Starkey. For instance, Delaware has begun using an email scanning tool that aims to prevent Social Security numbers from being accidentally released. The tool scans email messages looking for a Social Security number or a nine-digit number that may be a Social Security number. Any email that contains a Social Security number is blocked by the tool, and the sender is alerted that the message was not sent. Those who attempt to send an email containing a nine-digit number that may be a Social Security number are given a warning that there is a possibility that a Social Security number may be contained in their message. Starkey notes that the use of the scanning tool has not caused any business problems for the state. Meanwhile, Delaware has implemented a new security policy for employees' personal smartphones. Under the policy, those who want to use their own smartphone on the state's network must have their devices pre-approved and must agree to abide by state security policies. In addition, those who want to use their own smartphones while on the job must agree to use strong passwords, inactivity timeout monitors, and encryption. In the event the device is breached, users must agree to have their data remotely wiped.
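The two-tier rule described above (block a message that contains a Social Security number, warn on a bare nine-digit number that might be one) is simple enough to show end to end. The following added example is mine, not Delaware's tool; the structural plausibility rules are assumed from the SSA numbering scheme (area not 000, 666 or 900-999; group not 00; serial not 0000) and the sample messages are constructed.

```python
import re

# Formatted SSN: area-group-serial separated by hyphens or spaces, not embedded
# in a longer digit run.
FORMATTED_SSN = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# A bare run of exactly nine digits (a 10-digit phone number will not match).
BARE_NINE = re.compile(r"(?<![\d-])(\d{9})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules assumed from the SSA scheme: reject area 000, 666 and
    900-999, group 00 and serial 0000. Cuts down false positives on test data."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def classify(message: str) -> str:
    """'block' if a formatted, plausible SSN is present; 'warn' if only a bare
    nine-digit number that could be an SSN is present; otherwise 'allow'."""
    for m in FORMATTED_SSN.finditer(message):
        if plausible_ssn(*m.groups()):
            return "block"
    for m in BARE_NINE.finditer(message):
        d = m.group(1)
        if plausible_ssn(d[:3], d[3:5], d[5:]):
            return "warn"
    return "allow"


def gateway_action(message: str) -> str:
    """What the sender sees, following the policy in the article."""
    verdict = classify(message)
    if verdict == "block":
        return "message not sent: it contains a Social Security number"
    if verdict == "warn":
        return "warning: this message may contain a Social Security number"
    return "delivered"


# Constructed sample messages (no real SSNs).
SAMPLE_MESSAGES = [
    "Applicant SSN is 219-09-9999, please file.",
    "Applicant SSN is 219 09 9999, please file.",
    "Reference number 219099999 attached.",
    "Call 555-123-4567 or quote order #12345678.",
    "Test value 000-12-3456 is a placeholder.",
    "Office line 2025551234.",
]


def scan_all(messages=SAMPLE_MESSAGES) -> dict:
    return {msg: classify(msg) for msg in messages}


if __name__ == "__main__":
    for msg, verdict in scan_all().items():
        print(f"{verdict:5s}  {msg}  ->  {gateway_action(msg)}")
```

The warn tier is where the tuning lives: a bare nine-digit number is often a case or account number, so the plausibility filter and the lookarounds that exclude longer digit runs are what keep the tool from generating the business friction the state says it has avoided.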


'SMS of Death' Could Crash Many Mobile Phones
Technology Review (01/04/11) Naone, Erica

Low-end mobile phones are vulnerable to hackers using short message service (SMS) communications, according to research presented at a recent conference in Germany. Compared to smartphones, low-end mobile phones feature limited functionality, less powerful processors, less memory capacity, and the inability to load new software without the permission of the carrier. Nonetheless, Technische Universitaet Berlin students Collin Mulliner and Nico Golde successfully attacked several low-end phones by setting up a miniature cellular network, using open source software to create a base station with which to communicate with the phones. Their malicious SMS communications affected the phones without any response from the user. Mulliner says a specific user could be targeted, but also notes that a large number of phones could be knocked out by sending a set of five SMS messages--to the five most popular models--to every device on a specific network. Network operators could prevent such problems by updating firmware on existing phones or by filtering out potentially disruptive SMS messages traveling across their networks.


Why Are Health Data Leaking Online? Bad Software, Study Says
Wall Street Journal (01/03/11) Valentino-DeVries, Jennifer

Researchers at Dartmouth College published a study last month that found that sensitive healthcare data is being leaked online through peer-to-peer file sharing services. During a two-week period in 2009, the researchers were able to use these services to find more than 200 files that contained Social Security numbers, insurance numbers, names, addresses, and dates of birth. In addition, the researchers found that many people were using P2P services to find sensitive documents. During their study, the researchers tracked people using search terms such as "public health passwords" and "Columbia Center for AIDS Research." According to M. Eric Johnson, the director of the Center for Digital Strategies at Dartmouth's Tuck School of Business, these searches may have been used to find information for corporate espionage, or to find numbers that could be used to commit fraud. Johnson blamed the presence of sensitive healthcare data on P2P networks on several factors, including healthcare systems that are difficult to use. This forces healthcare industry employees to download files onto their home computers, where they are usually forgotten, Johnson said. Johnson said the problem could be addressed by investing in cloud computing technology, which will make it possible for smaller businesses to have access to software that is easy to use. However, Johnson noted that cloud computing opens data up to other threats, including the threat from large-scale hackers.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD

