Friday, April 22, 2011

Security Management Weekly - April 22, 2011

header

  Learn more! ->   sm professional  

April 22, 2011
 
 
Corporate Security
  1. "Navy Chief: Piracy Syndicates Feeding Off Ransom Payments" Somalia
  2. "PCI-DSS Compliance Helps Prevent Data Breaches Despite IT Doubts: Survey" Payment Card Industry Data Security Standard
  3. "Microsoft Takes Patent Fight to Supreme Court"
  4. "Recent Slayings Put Spotlight on Workplace Attacks, Rising in Area" Washington, D.C., Area
  5. "Funding Success Tips" Funding for Security Departments

Homeland Security
  1. "Royal Nuptials Test U.K. Security Force"
  2. "FBI Investigates Columbine Links to Mall Fire" Colorado
  3. "Color Code Terrorism Warnings Go Dark"
  4. "Few Answers on Teen Who Fell From Plane"
  5. "Senate Bill Would Suspend 100 Percent Scanning Deadline"

Cyber Security
  1. "The Botnets That Won't Die"
  2. "iPhone Secretly Tracks User Location, Say Researchers"
  3. "Data Theft From Computer Security Breaches Declines, Report Says"
  4. "Strong Protection for Weak Passwords"
  5. "66 Percent of Security Software Submitted With Flaws"

   

 
 
 

 


Navy Chief: Piracy Syndicates Feeding Off Ransom Payments
Bloomberg (04/22/11)

According to U.S. Chief of Naval Operations Adm. Gary Roughead, groups of pirates in Somali villages are selling shares in planned attacks to investors. Roughead noted that after these investors purchase shares in a planned attack, they become entitled to a portion of the ransom payment for the hijacked ship. The ransom payments are also used by the pirates to invest in things such as larger boats, more weapons, and improved electronic-detection systems, Roughead said. The One Earth Future Foundation has noted that the average ransom payment has increased from $150,000 in 2005 to $5.4 million in 2010. These higher ransom payments are making it more profitable for pirates to launch attacks on ships, which in turn has forced vessels to use longer shipping routes in order to avoid the pirate-infested waters off the coast of East Africa, the foundation said. The use of these longer shipping routes has added at least $2.4 billion to shipping costs.


PCI-DSS Compliance Helps Prevent Data Breaches Despite IT Doubts: Survey
eWeek (04/19/11) Rashid, Fahmida Y.

Although many organizations still do not believe that complying with the Payment Card Industry Data Security Standards makes them more secure, PCI-DSS-compliant organizations experience fewer breaches, according to the Ponemon Institute. Ponemon's 2011 PCI DSS Compliance Trends Study found that 64 percent of organizations that are compliant with PCI DSS did not have any data breaches involving credit card data in 2009 and 2010. About the same percentage of PCI DSS compliant organizations reported experiencing no more than one data breach involving any kind of data, not just credit card data. However, just 38 percent of organizations that were not in compliance with PCI DSS reported having no data breaches involving credit card data in the past two years. Only 22 percent of non-PCI DSS-compliant organizations reported having one or fewer data breaches involving any type of data. The study also found that 88 percent of IT security professionals did not believe that PCI DSS had any effect on the number of data breaches their companies suffered, while only 39 percent said that being PCI compliant would improve data security.


Microsoft Takes Patent Fight to Supreme Court
Wall Street Journal (04/18/11) Bravin, Jess

The U.S. Supreme Court on April 18 heard arguments in the patent infringement case involving Microsoft and the Toronto software company i4i LP. Microsoft has been ordered to pay $290 million to i4i because the Canadian company holds a patent for a feature that is included in Microsoft Word. Microsoft has said that the feature was based on existing technology and was not a patentable invention. The company is now arguing that the judgment against it should be overturned because lower courts erred in requiring it to provide "clear and convincing" evidence that i4i's patent is invalid. The standard of proof in civil lawsuits is typically the lower standard of providing a preponderance of evidence. During the hearing, Microsoft attorney Thomas Hungar argued that invalid patents would be enforced if the judgment were allowed to stand. Justice Antonin Scalia responded to Hungar's arguments by citing a 1934 precedent from the U.S. Supreme Court that held that patents are presumed to be valid unless "clear and cogent evidence" is presented to the contrary. However, Justice Samuel Alito said that Congress made no reference to requiring plaintiffs in patent infringement lawsuits to meet the clear and convincing standard of evidence when it revised the patent statute in the early 1950s. An attorney for i4i, meanwhile, said that Congress was aware of the 1934 Supreme Court opinion as well as almost 30 years of lower court precedent requiring clear and convincing in order to declare a patent void. A decision in the case is expected by July.


Recent Slayings Put Spotlight on Workplace Attacks, Rising in Area
Washington Examiner (04/16/11) Harnick, Andrew

The number of workplace homicides in the Washington, D.C., area is on the rise, despite the fact that such killings are on the decline nationwide. According to the Bureau of Labor Statistics (BLS), there were 39 workplace homicides in Washington, D.C., Maryland, and Virginia in 2009, up from 18 in 2004. By comparison, the number of workplace homicides nationwide dropped nearly 7 percent from 559 to 521 during the same period of time. BLS has said that the decline in the number of workplace homicides nationwide is the result of a number of factors, including the lay offs and cuts that were made in the wake of the recession. Alan Lipman, the director of the Center for the Study of Violence, said that there are fewer acts of violence when employees are working fewer hours. Better prevention efforts have also helped bring down the number of workplace homicides nationwide, experts said. The Washington, D.C., region is believed to be bucking the nationwide trend because the job market there is better and because it is a high-stress environment in which to work. A study by the American Psychological Association last year found that 69 percent of people in the Washington, D.C., region believed that their work was a somewhat or very significant cause of stress.


Funding Success Tips
Security Magazine (04/11) Vol. 48, No. 4, P. 34

Darrell Clifton, the director of safety for Circus Circus Reno, says security departments can do a number of things to achieve funding success. The first is amortization, where the security department works with vendors to spread expenses over several months. A video system valued at $50,000, for instance, can potentially be purchased on a component basis based on the equipment expense limit. Another strategy is having different departments share an expense for certain high-priced systems like access control or security video systems. The use of ROI can also be useful for applications like access control, guard shacks, and so on. For example, if payroll for a certain post is $100,000 annually and the equipment to replace staff costs $50,000, ROI would be six months. Federal grants and partnerships can often be secured via government agencies that deal with emergency management or homeland security. Such grants may be applicable to areas like training, preparedness, or special equipment for facilities. Finally, security departments can pay their own way by using a variety of revenue-generating channels. This includes charging restitution from embezzlers and thieves, using boots on a vehicle instead of having them towed by a towing company, selling lost and found merchandise to employees or on the Internet, and providing training classes to outside groups on subjects like CPR, defensive tactics, and other generic security topics.




Royal Nuptials Test U.K. Security Force
Wall Street Journal (04/22/11) Bryan-Low, Cassell

Security will be tight for Prince William and Kate Middleton's April 29 wedding in London. For instance, nearly 5,000 police officers will be assigned to security for the event. These police officers may be given the authority to stop and search terrorism suspects during the wedding, said Cmdr. Bob Broadhurst, the head of public order at Scotland Yard who will serve as head of security during the wedding. Meanwhile, large sections of London will be cordoned off and closed to traffic. In addition, helicopters will perform aerial security sweeps before the wedding in order to ensure that there are no security threats on rooftops and other areas that are difficult to see from the ground. During the ceremony, the helicopters will continue to monitor the area with cameras so that security officials in a special operations room can identify any potential security problems. Police are hoping to stop a range of threats from disrupting the wedding, including threats from anarchist protesters, Irish republicans, and extremists inspired by al-Qaida.


FBI Investigates Columbine Links to Mall Fire
AFP (04/22/2011)

Southwest Plaza Mall in Littleton, Colo., had to be evacuated on Wednesday after an unexploded pipe bomb and two propane tanks were found on the premises on the 12th anniversary of the deadly shootings at Columbine High School. The FBI is now investigating the situation and is looking into potential links to the Columbine attacks. The Columbine killers used similar explosive devices at their school, which is two miles from the mall. FBI representatives said they are not classifying the case as domestic terrorism nor are they ruling out the idea of a copycat. Thus far, they have identified a person of interest in the case, who is described as a white man with graying hair and a gray mustache.


Color Code Terrorism Warnings Go Dark
Wall Street Journal (04/21/11) P. A4 Johnson, Keith

The color-coded terror-alert system that was implemented in the wake of the September 11, 2001 terrorist attacks will be shut down on April 26 and replaced with a new system that aims to provide the public with more specific information about credible terrorist threats. The system, known as the National Terrorism Advisory System, will use intelligence gathered by the Department of Homeland Security, the FBI, the CIA, and other agencies to provide alerts to the public. Those alerts, which will be delivered over the Web and through e-mail and social networking sites, will describe threats as being either "elevated" or "imminent." According to Homeland Security Secretary Janet Napolitano, the main difference between the new system and the color-coded system it is replacing is the fact that the new system recognizes that the country faces a constant threat of terrorism. As a result, the new system will only provide the public with alerts about credible threats that are above the elevated baseline of terrorist threats that the nation faces. In addition, alerts provided under the new system will expire within two weeks, unless new intelligence indicates that the warnings should be extended past that time.


Few Answers on Teen Who Fell From Plane
Boston Globe (04/20/11) Guilfoil, John M.; Cramer, Maria

The report released by the Charlotte-Mecklenburg (N.C.) Police Department on the case of the 16-year-old boy who died after stowing away in the wheel well of a flight from Charlotte last fall is being criticized by an attorney representing the boy's family. Christopher Chestnut, an attorney who was hired by Tisdale's father, said that ambiguity of the report suggests that authorities conducted a weak investigation into the incident, which ended when Tisdale fell from the plane and landed on a street in Milton, Mass. According to the heavily redacted report, Delvonte Tisdale got onto the Boeing 737-400 after it left the gate at about 6:30 p.m. on Nov. 15. The report noted that the plane idled on the ground for half an hour, but it did not conclusively say that Tisdale got into the aircraft's wheel well during that time. In addition, the report noted that there is evidence that Tisdale did not pass through security checkpoints and that he did not climb into the aircraft's wheel well while it was at the gate, but said that there is no evidence that he went through the airport's terminal to gain access to the tarmac. The report concluded that Charlotte's airport is not patrolled by enough law enforcement officers, and that the airport needs to develop a better working relationship with the Charlotte-Mecklenburg Police Department. The department defended the report by saying that it was forced by the Transportation Security Administration to redact a significant amount of information that was deemed too sensitive to be released to the public.


Senate Bill Would Suspend 100 Percent Scanning Deadline
Journal of Commerce Online (04/18/11) P. WP Edmonson, R.G.

The SAFE Port Reauthorization Act that is currently being considered by Congress calls for the suspension of the July 2012 deadline for scanning 100 percent of containers before they are loaded onto ships bound for the U.S. That deadline was initially laid out in a bill passed by the House in 2007. The Department of Homeland Security and Customs and Border Protection have resisted complying with the deadline, saying that the technology to scan all containers bound for the U.S. does not exist. The 100 percent screening requirement has also been criticized by Sen. Susan Collins (R-Maine), one of the co-sponsors of the SAFE Port Reauthorization Act, who said that it would severely restrict commerce and would cost the nation billions of dollars while providing little additional security. In addition to suspending the deadline for scanning containers bound for the U.S., the SAFE Port Reauthorization Act also provides $300 million in funding for the port security grant program each year for five years. The bill would also reauthorize the Customs & Automated Targeting System, the Customs-Trade Partnership Against Terrorism (C-TPAT), and the Container Security Initiative. Finally, members of the C-TPAT would be provided with security training, improved information sharing between Customs and the private sector about threats from terrorists, and other new benefits.




The Botnets That Won't Die
Technology Review (04/21/11) Kleiner, Kurt

Researchers warn that coordinated attacks on conventional botnets could lead spammers and criminal organizations to pursue more resilient communication schemes. Although conventional botnets are controlled by a few central computers, botnets that use peer-to-peer communications protocols pass messages from machine to machine. The controller inserts a command into one or more of the peers and it is spread gradually throughout the network. Some botnets using peer-to-peer communications have been implemented, but authorities have been able to infiltrate and disrupt them by spreading phony commands, files, and information. Meanwhile, Los Alamos National Laboratory's Stephen Eidenbenz and colleagues have designed and simulated a botnet that potentially would be even more difficult to shut down--one that would randomly configure itself into a hierarchy, with peers accepting commands only from machines higher up in the hierarchy, and would reconfigure the hierarchy every day.


iPhone Secretly Tracks User Location, Say Researchers
Computerworld (04/20/11) Keizer, Gregg

Apple iPhones and iPads track users' locations and store the data in an unencrypted file on the devices and on owners' computers, according to two researchers. The data is in a SQLite file on devices with 3G capability. The file, named consolidated.db, includes locations' longitude and latitude, a timestamp, and nearby Wi-Fi networks. "There can be tens of thousands of data points in this file," the researchers say. To view the location file on an iPhone remotely, an attacker would have to exploit a pair of vulnerabilities, one to hack Safari and another to gain access to the root directory, says researcher Charlie Miller. The biggest threat to users would be if the device is lost, making the data available to whoever finds it. The researchers created an application that extracts the data from a Mac and displays the location history on a map. "Why this data is stored and how Apple intends to use it--or not--are important questions that need to be explored," according to the researchers.


Data Theft From Computer Security Breaches Declines, Report Says
Bloomberg (04/19/11) Rahn, Cornelius

The number of data records compromised in computer security breaches fell between 2009 and 2010, according to a report by Verizon Communications. The report, which was based on research Verizon conducted in conjunction with the U.S. Secret Service and the Dutch National High Tech Crime Unit, found that the number of compromised records fell from 144 million in 2009 to 4 million last year. The decline was the result of data thieves focusing more heavily on smaller, non-financial businesses, the report noted. The report found that many of the data breaches impacted hotels, restaurants, and retailers, particularly those that had 100 employees or less. Verizon's Wade Baker says cybercriminals are attacking smaller companies because they do not have the ability to defend themselves and can be targeted by non-selective, broad attacks. Baker notes that the financial industry is still being targeted by data thieves, despite the decrease in the amount of data being stolen. Meanwhile, a separate TrustWave report that found that 85 percent of data compromised in data breaches was related to payment cards.


Strong Protection for Weak Passwords
Max Planck Gessellschaft (04/19/11) Laptyeva, Tetyana V.

Max Planck Institute researchers have developed a password protection system based on a combination of characters and a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). The researchers also used mathematical techniques from the physics of critical phenomena to make the CAPTCHA safer. "We thus make the password protection both more effective and simpler," says Max Planck researcher Konstantin Kladko. The researchers used the CAPTCHA in the image, which can only be solved by humans, as the actual password. They further encrypted the password using a combination of characters. The team then let the system develop chaotically for a period of time, resulting in an image that no longer contains a recognizable word. Although the new system only requires relatively weak passwords, the real strength is in the CAPTCHA's encrypted password, according to the researchers.


66 Percent of Security Software Submitted With Flaws
InformationWeek (04/19/11) Schwartz, Mathew J.

More than two out of three security applications and 82 percent of customer-focused applications initially have a dangerously low level of security, compared with just 58 percent of applications in general, according to a Veracode report, which examined 4,835 applications that were submitted to its application testing service. Discovering higher numbers of vulnerabilities in security platforms is especially alarming, since users are buying the programs for security applications. The report also found that 80 percent of all submitted Web applications failed to make a dent in the top 10 most critical vulnerabilities, as identified by the Open Web Application Security Project. In addition, the report found that cross-site scripting vulnerability volume has remained flat since January 2009, while SQL injection vulnerabilities have dropped by 2.4 percent per quarter. However, more than 90 percent of all software products analyzed by Veracode were resubmitted and eventually achieved an acceptable quality level within a month, while security products reached an acceptable level in three days, on average.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment