Friday, June 17, 2011

Security Management Weekly - June 17, 2011

header

  Learn more! ->   sm professional  

June 17, 2011
 
 
Corporate Security
  1. "Firms Adjust to Hacks"
  2. "China Orders Prison Terms in iPad Leak"
  3. "Nokia, Apple Settle Patent Litigation"
  4. "PCI: New Guidance Addresses Risks" Payment Card Industry
  5. "Congress Seeks to Prevent Rapes at VA Facilities" Veterans Affairs

Homeland Security
  1. "Zawahiri Faces Hurdles as bin Laden Successor"
  2. "Hotels Warned of 'Mumbai-Style' Terror Threat"
  3. "Pakistanis Arrest Five CIA Informants"
  4. "CIA Will Direct Yemen Drones"
  5. "Doors Left Open to Terror Threat" Congressional Investigation Into Visa Overstays

Cyber Security
  1. "Long Wait for RSA Security Tokens"
  2. "Payroll Services Firm ADP Investigates Online Breach"
  3. "Smartphones and Tablets Create Huge Corporate Security Challenge"
  4. "Senate Website Gets Hacked"
  5. "IMF Mum on Details of Network Cyberattack" International Monetary Fund

   

 
 
 

 


Firms Adjust to Hacks
Wall Street Journal (06/17/11) Worthen, Ben; Troianovksi, Anton

Companies are begin to change how they respond to data security breaches. When breaches took place in the past, companies were usually unprepared and often had to update and clarify their statements about the incidents. But now companies can turn to lawyers, public-relations specialists, forensics investigators, and other experts to help them to determine what information they should reveal and how to reassure those who have been affected by a breach. In addition, some companies now have breach-response plans in place before breaches take place. This shift in how companies are responding to data security breaches can be seen in Epsilon Data Management's response to its March security breach, which resulted in the theft of consumer e-mail addresses. The company assembled a crisis team within two days after the breach was discovered, and used a response plan that involved notifying clients about the incident and letting them know what language it planned to use when notifying victims. Epsilon also issued a press release to provide its clients with "some air cover," said Bryan Kennedy, the company's chief executive.


China Orders Prison Terms in iPad Leak
Wall Street Journal (06/16/11) Chao, Loretta

Three people have been sentenced to prison terms of 14 to 18 months for stealing information about Apple's iPad 2 before it was released. Among those convicted was Xiao Chengsong, the general manager of the electronics-accessories manufacturer Shenzhen MacTop Electronics. Xiao was sentenced to 18 months in prison and fined 150,000 Yuan for offering money and discounts on MacTop products to an employee of an Apple supplier in exchange for information about the iPad 2. Xiao wanted the information so that his company could produce protective cases for the tablet computer. The employee of the Apple supplier, Hou Pengna, then paid a research-and-development employee at the company to obtain digital images of the back cover of the iPad 2 from last September, six months before the device was publicly announced. Hou was sentenced to a year in prison and fined 30,000 Yuan, while the research-and-development employee, Lin Kecheng, was sentenced to 14 months and fined 100,000 Yuan.


Nokia, Apple Settle Patent Litigation
Wall Street Journal (06/14/11) Chopping, Dominic; Sandstrom, Gustav

Nokia announced Tuesday that has reached an agreement with Apple to settle all of the patent infringement claims the two companies have brought against each other. The dispute between Apple and Nokia began in 2009, when Nokia claimed that Apple's iPhone violated 10 of its patents. Nokia made similar claims about Apple's iPad shortly thereafter. Apple responded by countersuing. In March, Nokia filed another complaint with the U.S. Trade Commission that charged Apple with infringing on its patents in nearly all of its products. The complaints made by Nokia deal with a number of its patents, including patents for handset features and technologies like touch scrolling and display illumination. Under the terms of the settlement, Apple and Nokia will drop all of their current lawsuits and enter into a license covering some of each others' patents. Nokia will also receive a one-off payment from Apple, as well as continuing royalties.


PCI: New Guidance Addresses Risks
BankInfoSecurity.com (06/14/11) Kitten, Tracy

The PCI Security Standards Council has issued new guidance about the risks related to virtualized systems that help merchants assess security issues proactively before launching new deployments. PCI Council general manager Bob Russo says virtualization offers cost reduction, infrastructure neutrality, and other benefits, but risks need to be minimized by ensuring that virtualized systems and services adhere to the protections described in the PCI Data Security Standard (DSS). "There is no single method for securing virtualized environments," he notes. The supplement to PCI DSS addresses such topics as the different types of virtualization, differences between virtualization and cloud computing, and the appropriate way to implement mixed-mode virtual environments in conjunction with PCI. The supplement also provides complementary information to PCI-DSS 2.0. The supplement says that if virtualization technologies are used in a cardholder data environment, PCI DSS requirements must be applied. It also points out that organizations must identify and document all interactions with payment transaction processes and payment card data, as well as observes that controls and procedures will vary for each environment based on how virtualization is used.


Congress Seeks to Prevent Rapes at VA Facilities
Associated Press (06/13/11)

Congress is currently holding hearings on a Government Accountability Office (GAO) report that found nearly 300 reports of sexual assaults in Veterans Affairs (VA) treatment facilities. According to the GAO, the VA currently relies too heavily on patients to identify themselves as sexual predators so that they can be safely housed away from others in treatment. It also found facilities with broken security cameras and alarms, and found that sexual assaults are not always properly reported in the VA system. Additionally, the report indicated that the VA has unclear reporting expectations and inconsistent definitions of assault. Senior members of the House Veterans' Affairs committee said they have filed legislation that would require the VA to fix these oversights.




Zawahiri Faces Hurdles as bin Laden Successor
Washington Post (06/17/11) P. A1 Warrick, Joby; Sheridan, Mary Beth

Ayman al-Zawahiri could face a number of challenges as the new head of al-Qaida, experts say. According to U.S. intelligence officials, terrorism experts, and former associates of al-Zawahiri, the new leader of al-Qaida is in charge of an organization that is much more dysfunctional, disloyal, and less united than it was when it was run by Osama bin Laden. Another problem that al-Zawahiri faces is his own personality, experts say. U.S. officials believe that his lack of charisma and his rigid, harsh personality could make it difficult for him to try to rebuild al-Qaida. In addition, there are doubts that al-Zawahiri could get a network of operatives to carry out a complex terrorist attack. Huthaifa Azzam, who has known al-Zawahiri since the 1980s, said that he does not think that the al-Qaida chief could pull off something like the Sept. 11 attacks, which was carried out by highly-motivated individuals in a number of different places. Finally, experts say that it will be difficult for one person to control al-Qaida's many different affiliates in places such as Yemen, Somalia, and North Africa.


Hotels Warned of 'Mumbai-Style' Terror Threat
Fox News (06/16/11) Levine, Mike

The FBI has scheduled a series of meetings with hotel industry leaders in major cities throughout the United States to warn them that hotels may be the target of a planned al-Qaida attack. The warning was based on intelligence gathered from a checkpoint in Mogadishu, Somalia, where Fazul Abdullah Mohammed was killed on June 12. Mohammed was one of the FBI's most-wanted terrorists for allegedly planning the 1998 bombings of U.S. embassies in Africa that killed a total of 224 people, including 12 Americans. Sources indicate that a thumb drive was found with Mohammed that contained the details of a plan to attack the Ritz Carlton in London. Operatives would stay in strategically chosen rooms on the first floor and set them on fire in order to trap guests staying above them. Authorities said that such a plan might not be feasible as first responders and sprinkler systems would likely be able to stop the fire from spreading. Still, authorities are not taking any chances as they hope to prevent any hotel attack like the one in Mumbai, India in 2008 that left 174 people dead and more than 300 others wounded.


Pakistanis Arrest Five CIA Informants
Boston Globe (06/15/11) Schmitt, Eric; Mazzetti, Mark

Five of the Pakistani informants who helped the CIA find Osama bin Laden have been arrested by Pakistan's top military spy agency. Among those arrested was a Pakistani army major who copied the license plates of vehicles visiting bin Laden's compound. It remains unclear what has happened to the informants that were arrested. The arrests underscore the damage that has been done to the relationship between the U.S. and Pakistan since the raid on bin Laden's compound in Abbottabad. The Pakistani military has begun to separate itself from U.S. intelligence and counterterrorism operations against militant groups, angering officials in the U.S. who want to take steps to further weaken al-Qaida in the aftermath of bin Laden's death. In addition, Pakistani spies from the Directorate for Inter-Services Intelligence (ISI) have been unwilling to take part in surveillance operations for the CIA. Meanwhile, restrictions have been placed on U.S. drone flights. The CIA has responded by moving some of its drones from Pakistan to Afghanistan. From there the drones are sent on missions against terrorist groups that have taken refuge in Pakistan's tribal areas.


CIA Will Direct Yemen Drones
Washington Post (06/14/11) P. A1 Miller, Greg

Officials say that the U.S. will expand the use of armed drone aircraft to go after terrorists in Yemen, which is home to the al-Qaida affiliate that has been blamed for the attempted attack on an airplane bound for Detroit in 2009 and the plot to send explosives to the U.S. in packages last year. As part of the expansion, the CIA will begin operating Predator drones and other unmanned aircraft in Yemen. The CIA-operated aircraft would be used in conjunction with U.S. military drones, which have been operating in Yemen for the better part of a year now. However, there are concerns that the threat from al-Qaida in Yemen has grown much that the drone patrols conducted by the military are insufficient. Less than 12 military drones have been used to conduct patrols over Yemen over the past year, a number that is far lower than the number of drones used in Iraq or Afghanistan. There are a number of reasons why the U.S. military's drone campaign has been limited, including a lack of adequate resources and limitations on runway capacity at a U.S.-operated airfield in Djibouti where the drones are based. In addition to supplementing the military's drone campaign, the use of CIA drones will have other benefits as well, including the ability to continue attacks on terrorists even if the political situation in Yemen changes and cooperation between San'a and Washington is reduced or ended altogether. The CIA operates under a different legal authority than does the military, giving it more leeway in carrying out strikes in Yemen if the political environment in that country changes.


Doors Left Open to Terror Threat
Houston Chronicle (06/13/11) Powell, Stewart M.

A report from the Government Accountability Office (GAO) has found that the government does not know how many foreign visitors are in the country at any given time. The report, which discussed the findings of a 14-month investigation by the GAO, noted that the lack of a system to track foreign visitors who enter the country legally and then overstay their visas is putting the nation at risk of a potential terrorist attack. Since it does not have access to biometric departure data, the report noted, the Department of Homeland Security (DHS) must instead rely on biographic information submitted on paper forms. Matt Chandler, a spokesman for DHS, noted that the department has found it difficult to develop a cost-effective system to match the digital records of arriving foreigners with the paper records of those who are leaving the country. The technology exists for such a system, though it would cost as much as $13 billion over a 20-year period, several studies and pilot projects have found. Another problem is the fact that U.S. Immigration and Customs Enforcement spends just 3 percent of its investigative time looking into cases of foreigners overstaying their visas. These problems are significant because some foreigners who have overstayed their visas have had ties to terrorism. Of the 399 people who were convicted on terrorism-related charges over the past nine years, 36 had entered the country legally and overstayed their visas.




Long Wait for RSA Security Tokens
Wall Street Journal (06/17/11) Ante, Spencer E.; Tibken, Shara

The computer security firm RSA, which makes tokens that generate random passwords, is clarifying the steps it plans to take to respond to a security breach involving the theft of information related to those tokens and an attack on client Lockheed Martin. Earlier this month, RSA Chairman Arthur W. Coviello Jr. said that his company would provide security monitoring or replace the SecurID tokens used by virtually all of its customers. Although RSA's customers thought that the company was offering to replace all of its SecurID tokens free of charge, it said that it was actually only offering to replace tokens for customers that were protecting intellectual property, or about one-third of its customers that use SecurID tokens. It could take at least two months to replace those tokens. The remaining SecurID users, primarily banks that serve consumers, are being provided only with transaction and authentication monitoring services. Meanwhile, many RSA customers are trying to determine how to protect themselves in the wake of the security breaches at RSA and Lockheed Martin. Some are opting to use security tokens from RSA rival SafeNet, while one bank is opting to only replace SecurID tokens used by employees who access critical information.


Payroll Services Firm ADP Investigates Online Breach
Wall Street Journal (06/16/11) Troianovski, Anton

A data security breach has taken place at Automatic Data Processing's benefits-administration unit, the payroll services firm announced Wednesday. According to ADP, the breach affected just one client at its Workscape subsidiary, which provides payroll, human-resources, and benefits services to a number of different companies. The system that was breached is part of a platform that is no longer being sold by Workscape. It remains unclear what kind of data may have been compromised during the breach. It also remains unclear who the affected client is and when the breach took place. ADP said only that the breach was uncovered during routine monitoring of its systems.


Smartphones and Tablets Create Huge Corporate Security Challenge
Network World (06/15/11) Messmer, Ellen

Some companies are opting to allow their employees to use their own smartphones and tablets while at work, in spite of the security risks involved. Thomson Reuters, for example, allows its employees to use devices such as the Apple iPhone and iPad to sync up with its corporate e-mail system. However, there are more difficulties involved in allowing employees to use their own devices than there are in the practice of centrally-managing and securing the BlackBerrys Thomson Reuters had been giving its employees. Thomson Reuters also remains concerned about employees downloading apps to their personal devices, since these apps can sometimes be infected with malware. Meanwhile, other companies are also allowing workers to use personal smartphones and tablets, albeit with some stipulations. About 3,000 devices have been enrolled in Unisys's "Bring Your Own Technology Program," which allows employees to use personal smartphones and tablet computers for many business functions, except for accessing the corporate database. Participants must also agree to surrender their devices to Unisys in the event the company needs to conduct an investigation into security problems. Other companies, like the insurance company Chubb, continue to prohibit employees from using personal devices at work out of fear that business-related information could be compromised.


Senate Website Gets Hacked
Wall Street Journal (06/14/11) Morse, Andrew; Sherr, Ian

LulzSec, the group that was responsible for the recent security breaches at Sony and PBS, said Monday that it hacked the U.S. Senate's main Web site. During that breach, LulzSec hackers were able to obtain a configuration file for the senate's main Web site, which they subsequently posed on their own Web site. The material in the configuration file suggests that the LulzSec hackers were not able to access sensitive information during the breach. The hackers were also not able to access the senate's computer network, according to a spokeswoman for the senate. Meanwhile, LulzSec also said Monday that it breached a Web site operated by software maker Bethesda Softworks. The company has said that its network was breached and that hackers were able to obtain some usernames, e-mail addresses and/or passwords, but that no personal financial information or credit-card data was stolen.


IMF Mum on Details of Network Cyberattack
Wall Street Journal (06/13/11) Reddy, Sudeep; Gorman, Siobhan; Perez, Evan

The International Monetary Fund has not said whether or not the hackers who carried out the recent cyberattack on its network were able to access confidential information. However, the hackers may have been able to access insider information that could have an impact on financial markets, said Tom Kellermann, a former cybersecurity specialist at the World Bank. Kellermann also noted that the cybercriminals may have been able to access IMF plans concerning bailouts for cash-strapped countries. Kellermann said that whoever carried out the attack used sophisticated methods, including conducting a significant amount of reconnaissance prior to the hack and using code that was written especially to break into the IMF's network. Following the attack, the World Bank severed a network link with the IMF that involved non-public, non-sensitive information.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment