Friday, April 29, 2011

Security Management Weekly - April 29, 2011

Corporate Security
  1. "ZTE Sues Huawei in China for Patent Infringement Over 4G Tech"
  2. "Workplace Deaths in Bethesda, Hostage Crisis in Silver Spring Prompt Workplace Safety Seminar" Maryland
  3. "Advocates Say Domestic Violence Spills Into Workplace"
  4. "Report Finds Workplace Violence Still a High Risk, but Awareness Growing"
  5. "France Telecom Employee Burns Self to Death Outside of Workplace"

Homeland Security
  1. "Bomb Kills at Least 14 in Morocco"
  2. "Egypt Gas Pipeline Bombing Halts Flow"
  3. "Lawmakers Under Threat"
  4. "Taliban Jailbreak Rattles Afghan South"
  5. "WikiLeaks Exposes Guantanamo Documents"

Cyber Security
  1. "PlayStation Hackers May Have Stolen Data From 75 Million Users, Sony Says"
  2. "Visa: Payment Card Industry Needs to Work Smarter, Not Harder, to Increase Security"
  3. "Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks"
  4. "Defining Enterprise Security Best Practices for Self-Provisioned Technology"
  5. "DHS Chief: What We Learned From Stuxnet"

   

 
 
 

 


ZTE Sues Huawei in China for Patent Infringement Over 4G Tech
Reuters (04/29/11) Yee, Chyen Lee; Yuntao, Huang

ZTE Corp has filed a patent infringement case against Huawei Technologies Co., regarding a fourth-generation long-term evolution (LTE) technology. This suit follows a similar legal challenge made by Huawei against ZTE in Europe for trademark infringement. Huawei claims that ZTE infringed on a series of patents for data card and LTE technology. The suit also claims that ZTE illegally used a trademark registered to Huawei on some data card products.


Workplace Deaths in Bethesda, Hostage Crisis in Silver Spring Prompt Workplace Safety Seminar
Gazette.Net (04/28/11) Ruoff, Alex

The Greater Bethesda-Chevy Chase (Md.) Chamber of Commerce is holding a workplace safety seminar on May 3. During the event, police officers and business owners will present tips and procedures that will help employers keep their workers safe. One thing that companies can do to prevent workplace violence is to perform background and reference checks on job candidates, said Elise Ambrose, the owner of a company that helps employers perform such checks. Ambrose will be one of the speakers at the seminar. The event is being held in the wake of several incidents of workplace violence in Montgomery County, Md., which is the county where Bethesda and Chevy Chase are located. Among those incidents was the murder of an employee at the lululemon athletica store in Bethesda on March 11. The employee is believed to have been killed by one of her colleagues. In January, an employee at Suburban Hospital in Bethesda allegedly killed his supervisor. In addition, three people were taken hostage at the Discovery Communications building in nearby Silver Spring last September.


Advocates Say Domestic Violence Spills Into Workplace
WABE (04/28/11) Wirth, Michelle

Domestic violence, which affects 25 percent of women, can have an effect on the workplace. According to advocates for domestic violence victims, domestic violence can result in high rates of absenteeism, increased health care costs, and lower rates of productivity. Susan Rodriguez, a spokeswoman for the Partnership Against Domestic Violence (PADV), said that it is important that companies raise awareness about this problem so that they send the message to employees that they care. In order to do this, companies should develop policies to deal with domestic violence and the workplace and should provide managers and employees with prevention training to help them identify victims of workplace violence. Kaiser Permanente in Atlanta was able to identify at least seven cases of domestic violence after providing such training last year. One case involved a woman who was being abused and stalked by her husband. The company moved the employee and provided the woman's family with counseling, resulting in a successful outcome for the situation, said Linda Boatwright, the company's director of employee and labor relations. However, other domestic violence victims are not as lucky, as homicides are the second leading cause of death among women in the workplace.


Report Finds Workplace Violence Still a High Risk, but Awareness Growing
Security Director News (04/26/11) Stelter, Leischen

The recently released 2011 Workplace Violence Fact Sheet shows that workplace homicides are the third leading cause of death at workplaces. The fact sheet noted that there is an average of 590 workplace homicides each year, meaning that more than 5,900 people have been killed while at work over the past 10 years. Those numbers do not include attempted workplace murders or suicides that happen at work, said Barry Nixon, the founder and executive director of the National Institute for the Prevention of Workplace Violence. Nixon added that the number of incidents of workplace violence appears to be on the decline, thanks in part to decisions by the government and a number of organizations to boost funding for security. In addition, Nixon noted that companies seem to be learning that preventing acts of workplace violence is better than simply reacting to such incidents, as more companies are asking his organization for help in developing preventative and proactive programs. Nixon said that there is more that companies can do to prevent acts of workplace violence, including engaging in regular and direct communications with employees about their role in preventing workplace violence, and training supervisors to properly handle employee concerns about the potential for violence.


France Telecom Employee Burns Self to Death Outside of Workplace
BetaNews (04/26/11) Conneally, Tim

The rash of suicides that has taken place over the last several years at France Telecom-Orange continued on Tuesday when a 57-year-old employee set himself on fire at the company's Merignac-Pichey branch. The man, who had worked for France Telecom for 30 years, is the second employee to kill himself this year and one of more than 50 who have taken their own lives since 2008. Many of the suicides have been committed by employees whose positions were eliminated as part of France Telecom's transition from the public sector to the competitive deregulated market. The French Supreme Court launched an investigation into the rash of suicides at France Telecom, as well as allegations of employee harassment, last year.




Bomb Kills at Least 14 in Morocco
Associated Press (04/29/11)

At least 14 people were killed on Thursday when a bomb went off in a café that is popular with tourists in Marrakech, Morocco. The bombing, which took place in Marrakech's Djemma el-Fna square, one of the country's top tourist attractions, also injured at least 23 people. Among the casualties were at least 11 foreigners. It remains unclear who was responsible for the bombing, which blew off most of the café's façade. A Moroccan government spokesman said that the country breaks up cells linked to al-Qaida in the Islamic Maghreb on a regular basis and has foiled several terrorist plots, though nothing led the government to believe that an attack was coming on Thursday. Morocco has been largely peaceful since a 2003 terrorist attack in Casablanca that killed 33 people, though there has been some terrorist activity since then. In April 2007, for example, two suicide bombers attacked the U.S. consulate in Casablanca. In Niger, al-Qaida in the Islamic Maghreb kidnapped four Frenchmen last year. The group is still holding the hostages.


Egypt Gas Pipeline Bombing Halts Flow
Wall Street Journal (04/28/11) Mitnick, Joshua; Bradley, Matt

Bedouins are believed to have been responsible for an attack on a natural-gas pipeline in Egypt's Sinai peninsula on Wednesday. The attack was carried out by five masked gunmen who infiltrated a measuring station located outside a town in Sinai. The attackers then placed a bomb on the pipeline that subsequently exploded. No one was injured in the attack, though the explosion cut off natural gas supplies to Israel and Jordan. The attack could be an indication that the political turmoil in Egypt has given Bedouins, who have been fighting an open war with Egyptian police for several years now, an opportunity to attack government targets. The bombing could also make it more difficult for Egyptian security forces to protect pipeline infrastructure. The Sinai Peninsula has become increasingly lawless since Egyptian police left the region following the anti-government protests that took place in the country in January. Bedouin leaders said that police have only returned to one city in North Sinai, and that the rest of the northern part of the region is still essentially lawless. However, a North Sinai security official said that police have returned to all areas of the peninsula.


Lawmakers Under Threat
The Hill (04/27/11) Yager, Jordy

FBI records released under a Freedom of Information Act request show that the bureau opened, investigated, and closed at least 26 cases of alleged threats against both Democratic and Republican lawmakers last year. The number of threats against lawmakers in 2010 was the highest on record. Nearly half of those threats occurred in the weeks before President Obama signed the controversial healthcare reform measure into law in March 2010. Among the lawmakers that received threats were then-House Speaker Nancy Pelosi (D-Calif.), Senate Minority Leader Mitch McConnell (R-Ky.), and current House Majority Leader Eric Cantor (R-Va.). The families of lawmakers were also threatened. Former Rep. Walt Minnick (D-Idaho), for example, received a letter in March 2010 warning him that he risked getting shot while taking his children to soccer practice. Most of the people behind these threats were not prosecuted, in part because the FBI was unable to identify individuals who made threatening calls to lawmakers. However, some individuals who threatened lawmakers have been successfully prosecuted, including a man who threatened former Rep. John Boccieri (D-Ohio).


Taliban Jailbreak Rattles Afghan South
Wall Street Journal (04/26/11) Abi-Habib, Maria; Totakhil, Habib Khan

Several hundred prisoners were freed from a prison in southern Afghanistan over the weekend by the Taliban. The prison break began shortly before midnight on Sunday, when armed Taliban militants appeared in the facility in Kandahar and urged the detainees--including a number of Taliban shadow governors and bomb makers--to follow them through a tunnel that had been built from the prison to a house about a mile and a half away. About six hours after the prison break began, guards at the facility noticed that all of the political prisoners were missing. According to the Taliban, 541 individuals--including 106 Taliban commanders--were freed from the prison, though Afghan officials put the number of escapees at 475. The escaped prisoners are believed to have dispersed throughout the region. However, Afghan security forces have recaptured 34 of the escaped inmates and have killed two others in a shootout. This is not the first time that prisoners at the facility have escaped with the help of the Taliban. The group also launched a prison break at the facility in 2008, freeing roughly 900 inmates. Canada, which oversaw security in Kandahar until 2010, subsequently took steps to boost security and train wardens at the prison.


WikiLeaks Exposes Guantanamo Documents
Associated Press (04/25/11)

Several U.S. and European newspapers on Sunday published Detainee Assessment Briefs (DABs), or military detainee assessments, dealing with inmates at the Guantanamo Bay detention facility. The files were given to the news organizations by WikiLeaks, though it remains unclear whether the documents were published with WikiLeaks' consent or not. The documents contain information on more than 700 interrogations with terrorist suspects as well as information on the intelligence value and the threat posed by detainees. Among the detainees mentioned in the documents was Khalid Sheikh Mohammed, the alleged ringleader of the September 11, 2001 terrorist attacks. The documents show that Mohammed ordered a Maryland resident to kill former Pakistani President Pervez Musharraf. In addition, the documents included information about the actions of Osama bin Laden and his top deputy in the wake of the Sept. 11 attacks. The release of the documents has been criticized by several officials in the Obama administration, who said that the documents were obtained illegally by WikiLeaks and should not have been published.




PlayStation Hackers May Have Stolen Data From 75 Million Users, Sony Says
Bloomberg (04/27/11) Edwards, Cliff; Alpeyev, Pavel

The personal data of tens of millions of customers of Sony's PlayStation Network and its Qriocity online service may have been compromised in a recent security breach. The breach on the PlayStation network, which provides customers with access to online games, movies, and television programs, took place from April 17 to April 19. The Qriocity service, which offers movies or music to users of Web-connected Bravia TVs and Blu-ray players in 11 different countries, was also affected by the breach because Sony had combined data about its PlayStation Network customers with Qriocity. The attack may have resulted in the theft of the credit-card data, billing addresses, and other personal information of 77 million PlayStation Network and Qriocity customers. However, there is currently no evidence that any credit card data has been taken, said Sony spokesman Patrick Seybold. The attacker or attackers are also believed to have taken users' names, e-mail addresses, birthdays, log-in information, and transaction histories. In the wake of the breach, Sony has asked a security firm to conduct a thorough investigation and to make its PlayStation Network more secure. Meanwhile, Sen. Richard Blumenthal (D-Conn.) is criticizing Sony for taking six days to notify its customers about the breach, and has said that the company should provide affected users with financial data security services and identity theft insurance.


Visa: Payment Card Industry Needs to Work Smarter, Not Harder, to Increase Security
Infosecurity (USA) (04/27/11)

Visa's Ellen Richey argued at the fourth Visa Global Security Summit that the payment card industry needs to adopt smarter technologies and risk evaluations to counter the threat of evolving cybercriminals. "We need to use all the intelligence we have at our disposal," she said. Richey cited tokenization and encryption as examples of techniques to make the card data environment smaller and lower the risk of exposure. She noted that card data is safer today, with nearly 100 percent of merchants worldwide no longer storing sensitive cardholder data on their systems and 75 percent of them having verified ongoing PCI compliance. Still, Richey pointed out that consumers continue to cite security as their leading worry when using payment cards, and referred to data showing that 61 percent of consumers think that cybercriminals are one step ahead of the card industry in terms of data security and fraud. Richey said earning consumer trust is a major challenge, noting that maintaining that trust is a central goal of summit attendees. She offered three fraud prevention suggestions—the spread of smarter payment devices that include chip-and-PIN cards, more intelligent payment transaction networks, and greater adoption of cardholder authentication methods such as two-factor authentication.


Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks
eWeek (04/26/11) Rashid, Fahmida Y.

Organizations face multiple information security challenges as they switch from IPv4 to IPv6, according to security analysts. The difficulties are exacerbated by the fact that some attackers are using the IPv6 address domain to inject attacks into IPv4 networks. Although many organizations have been slow to adopt IPv6, many cybercrooks have already made the switch, says Sophos' James Lyne. Many scammers are disseminating spam over the IPv6 infrastructure and taking advantage of poorly configured firewalls. Many modern firewalls are configured by default to just let IPv6 traffic go through, Lyne notes. Organizations not planning to use IPv6 traffic should be establishing rules to explicitly block IPv6 packets, according to Lyne. "From an industry standpoint, we are selling IPv6 wrong," he says, noting that there has been little discussion about how the standard's built-in features help bolster privacy. Rather, the general perception of IPv6 as being difficult to implement or confusing has made organizations vulnerable to possible attacks.


Defining Enterprise Security Best Practices for Self-Provisioned Technology
SearchSecurity.com (04/26/11) Wang, Chenxi

Almost 40 percent of information workers in different organizations are using some type of self-provisioned technology, while 25 percent of companies are using some type of cloud computing, according to a new Forrester survey. The survey also found that half of enterprises currently support a minimum of two mobile platforms. Although these technologies can create risks for companies, they also can improve productivity, which means that chief information security officers have had a difficult time keeping them out of their companies. However, security and risk professionals can follow several best practices in order to mitigate these risks, including establishing or participating in a central governing task force made up of representatives from security, enterprise architecture, legal and compliance, human resources, and major business functions. This task force should work to create a set of adoption standards that include technology platforms, risk tolerance levels, and conditions for adoption. Next, security and risk professionals should use the standard employee code of conduct to develop a set of acceptable use policies or guidance for self-provisioned technologies, though these policies and guidance should include specific stipulations for the use of technologies such as social media and mobile devices. CISOs also should communicate adoption standards and acceptable use policies to employees, preferably through the existing internal communications/marketing department, though this can also be done with the help of the human resources department or through employee training. Finally, the task force may need to be advised on whether or not to use technology to perform management oversight.


DHS Chief: What We Learned From Stuxnet
IDG News Service (04/25/11) McMillan, Robert

Homeland Security Secretary Janet Napolitano gave a speech to engineering students at the University of California, Berkeley, on April 25 about the Stuxnet worm, which was the first worm to target factory control systems. According to Napolitano, the lesson that needs to be learned from the Stuxnet attack is that the private sector needs to respond to cyberattacks more quickly. Napolitano noted that a rapid response is necessary because cybercriminals are using very sophisticated and innovative ways of attacking computer systems. Security expert Bob Radvanovsky, meanwhile, said that Siemens--whose equipment was targeted by Stuxnet--and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is responsible for communicating with the operators of industrial systems, could have been better about passing information about Stuxnet along to the public. Radvanovsky noted that ICS-CERT has never posted information that was not already known to those participating in his discussion list.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD

