Friday, August 26, 2011

Security Management Weekly - August 26, 2011

Corporate Security
  1. "At Least 53 People Killed in Mexico Casino"
  2. "Bellagio Bandit Gets 3 to 11 Years for Chip Heist" Las Vegas
  3. "DA Moves to Abandon Strauss-Kahn Charges" Alleged Rape of New York City Hotel Maid
  4. "NFL: Multiple Fans Shot After 49ers Game" San Francisco
  5. "'Flash Mobs' Pose Challenge to Police"

Homeland Security
  1. "Maryland Teen Arrested by FBI in Jihad Jane Plot, Sources Say"
  2. "Quake Renews Call to Enforce Pill Law" Distribution of Radiation Pills Following Natural Disasters
  3. "U.S., Allies Join Manhunt for Gadhafi"
  4. "With CIA Help, NYPD Moves Covertly in Muslim Areas"
  5. "Iran Shows U.N. Advanced Nuke Equipment"

Cyber Security
  1. "Third Man Charged in Crackdown on 'Anonymous' Hackers" U.K.
  2. "Chinese State TV Alludes to U.S. Website Attacks"
  3. "How Security Pros Can Make Compliance Initiatives Work for Them"
  4. "Baking Security Into Open WiFi Networks"
  5. "NSTIC Director: 'We're Trying to Get Rid of Passwords'" National Strategy for Trusted Identities in Cyberspace

At Least 53 People Killed in Mexico Casino
Wall Street Journal (08/26/11) De Cordoba, Jose; Casey, Nicholas

At least 53 people were killed in an attack on a casino in the Mexican city of Monterrey on Thursday. The attack took place at about 3:30 in the afternoon, when six men drove up in two cars to the Casino Royale, which is located in an upper-middle class part of Monterrey. Witnesses said that the men were wearing hoods when they entered the building and began shouting obscenities and firing their weapons in the air. The gunmen then began pouring gasoline all over the casino and set it ablaze. Some of the roughly 80 people who were in the casino at the time of the attack ran to the bathrooms for shelter, though they were unable to escape from the flames. Rescue workers are still searching for victims, and the death toll in the attack is expected to increase. The attack was apparently linked to the Zetas and the Gulf Cartel, the two drug cartels that are fighting one another in Monterrey in order to gain control of the drug markets and drug routes into the U.S. Thursday's attack was the second attack on an entertainment center in Monterrey in as many months. A bar that was a known drug distribution center was attacked by gunmen last month, resulting in the deaths of 21 people. More than 1,000 people have died as the result of drug-related violence in Mexico's Nuevo Leon state, where Monterrey is located, so far this year.


Bellagio Bandit Gets 3 to 11 Years for Chip Heist
Associated Press (08/24/11) Garcia, Oskar

Anthony Michael Carleo was sentenced to three to 11 years in prison in a Las Vegas courtroom on Aug. 23 for robbing the city's Bellagio resort last December. Armed with a handgun, Carleo stole $1.5 million in chips from the resort, which is located on the Las Vegas Strip, and escaped on a motorcycle. He was arrested after he tried to sell several $25,000 chips to an undercover police officer. After Carleo was arrested, authorities discovered that he had plans to rob Caesars Palace, which is also located in Las Vegas. It remains unclear whether Carleo will be ordered to repay the chips, most of which have been recovered. An attorney for Carleo said that his client should not be ordered to repay the chips because they are largely worthless. Following the robbery, MGM Resorts International withdrew the stolen $25,000 chip design from circulation and replaced it with another design. Carleo has also been accused of robbing the Suncoast Hotel & Casino in Las Vegas of nearly $19,000 in cash several days before the robbery at the Bellagio. He will be sentenced in that case on Aug. 25.


DA Moves to Abandon Strauss-Kahn Charges
Wall Street Journal (08/23/11) Rothfeld, Michael

Prosecutors in New York City are planning to drop charges against Dominique Strauss-Kahn, the former head of the International Monetary Fund who has been accused of violently sodomizing a New York City hotel chamber maid in May. The maid, 33-year-old Nafissatou Diallo, alleged that Strauss-Kahn was naked in his room at the Sofitel New York Hotel when she entered to clean it, and that after she entered the suite he grabbed her to prevent her from leaving. Diallo said that Strauss-Kahn then sodomized her. However, prosecutors decided to drop the charges against Strauss-Kahn because they had reason to doubt the truthfulness of Diallo's story. One reason why authorities began to doubt Diallo was that she had given three different versions of her whereabouts after the alleged rape. In addition, authorities said that she had lied on her asylum application about being gang raped by soldiers in Guinea. Prosecutors also said that while there was evidence of a sexual encounter between Strauss-Kahn and Diallo, there was no evidence that it was forced. Prosecutors noted that the doubts about Diallo's truthfulness would have made it very difficult to convict Strauss-Kahn in court. Strauss-Kahn has admitted to having a sexual encounter with Diallo but has said that it was consensual.


NFL: Multiple Fans Shot After 49ers Game
Associated Press (08/22/11) Collins, Terry

Three people were injured in three violent incidents at San Francisco's Candlestick Park on Saturday. In one of the attacks, which took place following the preseason game between the San Francisco 49ers and the Oakland Raiders, a 24-year-old man was shot several times in the stomach in the stadium's parking lot. Although the victim suffered severe injuries, he was able to stumble to stadium security for help. A 20-year-old man was also injured in a separate shooting after the game. In the third incident, a man was knocked unconscious in a bathroom during the game. That incident is not believed to be related to the other two. It remains unclear what prompted the two shootings in the stadium parking lot. Although the first victim was reportedly wearing a shirt that said "F--- the Niners," it is not known whether the person who shot him was prompted to do so by emotions surrounding the game between the rival 49ers and Raiders. Police are continuing to interview witnesses and look for suspects. Meanwhile, the NFL and the mayors of San Francisco and Oakland condemned the incidents and called for an end to violence at sporting events. The three incidents come several months after a San Francisco Giants fan was severely beaten after a game at Dodger Stadium in Los Angeles.


'Flash Mobs' Pose Challenge to Police
USA Today (08/19/11) Jervis, Rick

A large number of retailers have been affected by flash mobs, according to the National Retail Federation. A recent NRF survey of more than 100 retailers found that 80 percent had been the victims of multiple-offender crimes in the past six months, and that 10 percent had been hit by a criminal flash mob. In two such incidents, dozens of young people went into convenience stores in Germantown, Md., and Washington, D.C., and stole large numbers of items from store shelves. Police say that the suspects in such crimes often use cell phones and social networking sites like Twitter and Facebook to connect with one another and share information. As a result, police officers in Philadelphia--a city which has been experiencing problems with flash mob violence--have begun closely watching Facebook and Twitter pages for indications that a violent incident is about to take place. Police in the city are also capable of shutting down cell phone service in neighborhoods where there is an imminent danger of violence, though they have not yet had to do so. Such tactics, which were recently used by San Francisco's Bay Area Rapid Transit system in dealing with a protest, are controversial. Also controversial is the monitoring of social media sites by police. Gene Policinski, the executive director of Vanderbilt University's First Amendment Center, said he believes that it's acceptable for law enforcement to view publicly available social networking sites, but that accessing personal information without a warrant or shutting down cell phone service to prevent a crime could violate citizens' constitutional rights.




Maryland Teen Arrested by FBI in Jihad Jane Plot, Sources Say
Philadelphia Inquirer (08/26/11) Shiffman, John

The FBI has arrested a 17-year-old Ellicott City, Md., boy for allegedly conspiring in a terrorism plot with Colleen LaRose, the Pennsylvania woman also known as Jihad Jane. According to prosecutors, LaRose used the Internet to communicate with, recruit, and incite militants to carry out jihad. Prosecutors also said that in 2009 LaRose traveled to Ireland to meet several co-conspirators and to marry a jihadist to help with the plot to kill the Swedish cartoonist Lars Vilks, whose 2007 drawings depicting the prophet Muhammad offended some Muslims. That plot was never carried out, and why it failed remains unclear. Shortly before LaRose traveled to Ireland, the Maryland boy--who has been identified only as Mohammed K. since he is a juvenile--met LaRose in a jihadist chat room. He then posted a solicitation for funds to support LaRose's terrorist plot. Authorities also believe that Mohammed was involved in the recruiting efforts for the plot. The specific charges against him have not been revealed. Mohammed's family has said that they believe LaRose took advantage of him in trying to carry out her plans.


Quake Renews Call to Enforce Pill Law
Wall Street Journal (08/25/11) Smith, Rebecca

The Aug. 23 earthquake in Virginia, coming after the much larger earthquake and tsunami last March in Japan, has prompted renewed calls for implementing a law requiring the president to authorize the distribution of pills to people living near nuclear plants that would minimize one potentially lethal effect of accidental radiation exposure. In each of the recent quakes, nuclear reactors temporarily lost grid power, a condition that poses the threat of a radiation release if reactors overheat and cannot be sufficiently cooled. In the case of Japan's quake and tsunami, there was massive damage to reactors, which overheated when electricity was lost for many days, leading to the release of radiation. Virginia's 5.8-magnitude quake caused the North Anna nuclear power station to trip out of service, but backup generators kicked in and normal grid connections were restored within 24 hours. The pills can prevent thyroid cancer by saturating the thyroid gland with a harmless form of iodine, keeping it from absorbing radioactive iodine that might be inhaled or ingested after a radiation release. Each 65 mg pill provides about a day's worth of protection. The law was never implemented because the Bush administration, in early 2008, used a waiver in the law that allowed the president to skip the distribution in an extended area beyond the existing 10-mile emergency planning zone if a "more effective prophylaxis or preventive measures" was identified. At least 30 members of Congress have asked the Obama White House to take a fresh look, too, even though President Obama's science adviser said, eight months before the accident in Japan, that no change was warranted. The Office of Science and Technology Policy now supports a reassessment, a spokesman said on Aug. 23.


U.S., Allies Join Manhunt for Gadhafi
Wall Street Journal (08/25/11) Entous, Adam; Gorman, Siobhan

The United States and its allies have announced that the Central Intelligence Agency (CIA) and other intelligence services have joined the Libyan rebels' search for former leader Col. Moammar Gadhafi. The CIA has also offered its assistance to safeguard mustard gas and other chemical weapons that the Gadhafi regime had stockpiled at sites across the country in order to prevent them from falling into the hands of terrorist groups. Intelligence sources report that they think Gadhafi fled his compound in Tripoli before the rebel forces stormed the capital. Officials also say they have several leads on where he may be hiding. Officials are hopeful that they can find Gadhafi as quickly as possible, because he remains a threat to Libyan stability for as long as he remains at large.


With CIA Help, NYPD Moves Covertly in Muslim Areas
Associated Press (08/24/11)

In the aftermath of the Sept. 11 terrorist attacks, the New York Police Department enlisted the help of the CIA in remaking its Intelligence Division to gather and analyze information about possible terrorist threats, an investigation by the Associated Press has found. The effort to shift the focus of the NYPD's Intelligence Division, whose primary responsibility had once been to drive dignitaries around New York, began in January 2002 when former CIA head of operations David Cohen arrived at the department. Wanting to remake the Intelligence Division into a unit that would analyze intelligence, run undercover operations, and build a network of informants, Cohen asked his former colleagues at the CIA for someone who could help him build such an operation and provide him with the latest intelligence. Larry Sanchez, who had served as a CIA official at the United Nations, was assigned to the task and helped train officers on how to gather information. Former police officials said that Cohen then created a unit known as the Demographic Unit, which used NYPD officers of various Middle Eastern and South Asian nationalities to infiltrate neighborhoods filled with immigrants of the same nationality, gather intelligence, and pass the information on to police handlers. However, an NYPD spokesman has denied the existence of the Demographic Unit, and the department has said that it does not infiltrate ethnic neighborhoods. Another unit created by Cohen and Sanchez, the Terrorist Interdiction Unit, focused on developing and handling informants. Among the informants used by the unit were so-called "mosque crawlers" who monitored sermons given by imams. Critics have called the effort a "rogue domestic surveillance operation," though officials say that the program does not violate a city law banning officers from using religion or ethnicity as a basis for law enforcement action.


Iran Shows U.N. Advanced Nuke Equipment
Associated Press (08/23/11)

Iran has granted U.N. atomic inspectors access to a site where it is developing advanced centrifuges that could potentially be used to make nuclear fuel or material for warheads. The visit also included the International Atomic Energy Agency's (IAEA) first tour of Iran's heavy water production plant. Iran is currently under four sets of U.N. Security Council sanctions because it refuses to suspend its heavy water reactor program as well as its uranium enrichment activities. Iran denies that any of its activities are designed to create nuclear weapons and says that it only wants to conduct research and produce nuclear fuel. However, Iran's work on advanced centrifuges has increased concerns that this is not the case because, once operational, the new centrifuges will be able to enrich uranium at up to three times the speed of the country's current model. At this time, the IAEA has no record of Iran producing weapons-grade uranium. U.S. State Department spokeswoman Victoria Nuland commented on the situation, saying Iran's recent enrichment moves are looking more and more suspicious. "The Iranian nuclear program offers no plausible reasons for its existing enrichment of uranium up to nearly 20 percent, nor ramping up this production, nor moving centrifuges underground," she said. "And its failure to comply with its obligations to suspend its enrichment activities up to 3.5 percent and nearly 20 percent have given all of us in the international community reason to doubt its intentions."




Third Man Charged in Crackdown on 'Anonymous' Hackers
Wall Street Journal (08/26/11) Bryan-Low, Cassell

A third person has been charged in the U.K. in connection with the recent denial-of-service attacks launched by Anonymous, LulzSec, and other related groups against Sony, the FBI, and other organizations. According to British authorities, 22-year-old Peter David Gibson--who was arrested in early April--has been charged with conspiring with others to impair the operation of or hinder access to a computer or the data it stores. Also charged in the case is 18-year-old Jake Davis, who faces charges of obtaining unauthorized access to a computer system and conspiring with others to launch attacks against the Web site of Britain's Serious Organized Crime Agency. One of Davis's alleged co-conspirators is 19-year-old Ryan Cleary, a prominent figure in both Anonymous and LulzSec who is believed to have infected computers to create a botnet that was then used to launch attacks against SOCA's Web site. More than a dozen people have also been charged in the U.S. in connection with the distributed denial-of-service attacks. Most of those individuals are thought to have been involved in an attack on PayPal last year.


Chinese State TV Alludes to U.S. Website Attacks
Wall Street Journal (08/25/11) Page, Jeremy

Experts say that footage broadcast on Chinese state television last month could undermine Beijing's claims that it does not engage in cyberattacks. In the video, which was shown as part of a 20-minute report on cybersecurity, a researcher at the Chinese army's Academy of Military Sciences is shown giving a detailed analysis of global cybersecurity issues. The video also shows a computer screen displaying a software application containing the Chinese words for distributed denial-of-service attack. In addition, the words "Attack systems ... PLA (People's Liberation Army) Electronic Engineering Institute" are shown on another screen. That same screen also includes an interface that asks the user to choose an attack target from a list of Web sites associated with the banned Falun Gong spiritual movement. The video then shows a Web site being chosen and someone clicking on a large button that says "Attack." The IP address of the Web site chosen for attack is registered to the University of Alabama at Birmingham. Andrew Erickson and Gabe Collins of the China SignPost analytical service say that the video, if genuine, could be a decade old, given that the DDoS attack shown in the video is very basic and that there were a number of DDoS attacks on targets associated with Falun Gong 10 years ago.


How Security Pros Can Make Compliance Initiatives Work for Them
Dark Reading (08/24/11) Mackey, Richard

Those who are responsible for implementing industry IT compliance initiatives at an organization and those who are responsible for enterprise security are sometimes at odds with one another. The legal, audit, and human resources departments that are responsible for compliance at an organization may believe that IT and information security professionals do not understand what would happen if the organization were found not to be in compliance with a regulation or contract. IT security professionals, meanwhile, may think that business departments do nothing to improve security and have no idea what kind of cost and effort it takes to implement the controls needed for compliance. Although it can be easy for IT security professionals and those responsible for compliance to see themselves as adversaries, their organizations will benefit if IT sees compliance as a driver for security requirements instead of as an obstacle to security. In fact, the two groups working together can make compliance a tool to justify the budget for security controls. To be effective in achieving compliance, IT needs to understand and monitor regulatory requirements and play an active role in interpreting those requirements and mapping them to controls. IT also needs to realize and accept that noncompliance is a threat it must manage, even if there has not been a security breach. Finally, IT needs to assume responsibility for compliance, make compliance part of its mindset, and accept the benefits of a large set of business drivers that can both meet regulatory requirements and bolster security.


Baking Security Into Open WiFi Networks
Dark Reading (08/22/11) Higgins, Kelly Jackson

Researchers, including those from IBM's X-Force team, have released a proof-of-concept version of Secure Open Wireless Access (SOWA) technology, which is designed to provide users with secure connections to open-access wireless networks. The encrypted connections mitigate the risk of users connecting to a rogue wireless access point or having their traffic sniffed or hijacked. SOWA uses digital certificates associated with a WLAN's SSID to ensure that the user is connecting to the network he intends to connect to. "Insecure wireless is a constant reality. When you are using open wireless networks, your traffic is unencrypted and subject to be monitored," says Tom Cross, threat intelligence manager at IBM X-Force and lead researcher for SOWA. While the new technology shows significant promise, it is currently only available for Linux-based systems, and widespread adoption will require support for Windows and Mac OS X.
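To make the SSID-to-certificate binding concrete, the following Go program is an added example written for this page; it is not SOWA's own code, and the article does not describe how SOWA encodes the SSID. The example assumes that the access point's certificate carries the SSID as a SAN dNSName and that the client ships with a root CA it trusts for open-wireless credentials (both assumptions). The client-side check accepts a certificate only if it chains to that root and names exactly the SSID the user chose to join: a rogue AP that copies the SSID but can only present a self-signed certificate is rejected, and so is a legitimately issued certificate for a different SSID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ASSUMPTIONS for this example (not from the article): the SSID is bound
// into the AP certificate as a SAN dNSName, and clients hold a trusted root
// for open-wireless credentials. Real SOWA may encode this differently.

// mustKey generates a P-256 key pair for a CA or an access point.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate; parent == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA returns a self-signed root that plays the trust anchor clients ship with.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, nil, &key.PublicKey, key), key
}

// NewAPCert issues an access-point certificate bound to one SSID. A nil CA
// yields a self-signed certificate, which is all a rogue AP that merely
// copies the SSID can produce without the CA's key.
func NewAPCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ssid string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: ssid},
		DNSNames:     []string{ssid}, // SSID binding (assumed encoding, see above)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca == nil {
		return sign(tmpl, nil, &key.PublicKey, key)
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// VerifySSID is the client-side check: the AP certificate must chain to a
// trusted root AND name exactly the SSID the user chose. Go's Verify does
// both when DNSName is set, so a valid certificate for another SSID and an
// untrusted certificate for the right SSID are both rejected.
func VerifySSID(roots *x509.CertPool, apCert *x509.Certificate, intendedSSID string) error {
	_, err := apCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: intendedSSID})
	return err
}

func main() {
	ca, caKey := NewCA("Example Open Wireless Root")
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	want := "CoffeeShop-Guest" // SSID the user picked from the scan list (constructed)
	checks := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"genuine AP, trusted cert for the chosen SSID", NewAPCert(ca, caKey, want)},
		{"rogue AP, self-signed cert copying the SSID", NewAPCert(nil, nil, want)},
		{"trusted cert, but issued for a different SSID", NewAPCert(ca, caKey, "OtherNet")},
	}
	for _, c := range checks {
		fmt.Printf("%-48s -> %v\n", c.label, VerifySSID(roots, c.cert, want))
	}
}
```

The point of the name check is that chain validation alone is not enough: a certificate issued to any network in the trust domain would otherwise let its holder impersonate every other SSID, so the intended SSID has to be compared against the name the issuer actually vouched for.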


NSTIC Director: 'We're Trying to Get Rid of Passwords'
Network World (08/18/11) Messmer, Ellen

The federal National Strategy for Trusted Identities in Cyberspace (NSTIC) program is making progress in its effort to identify and support alternatives to passwords for authenticating individuals who log into online applications. NSTIC will create an identity ecosystem under a partnership between the private sector and the federal government. This ecosystem will consist of established methods for assessing identity before credentials are issued, vetted by approved assessors. The private sector is expected to take the lead on that aspect of the program, as the government wants to get out of the identity business, says Jeremy Grant of the National Institute of Standards and Technology's National Program Office for NSTIC. As for NIST, it will facilitate the creation of consensus-based standards, rather than writing standards and specifications itself, to foster interoperability in the identity ecosystem. Don Thibeau, the chairman of the Open Identity Exchange (OIX), whose membership interacts with NSTIC, praises the move away from passwords, saying that they do not help security and may even make it worse. Thibeau expects private companies to be conducting their own pilot projects later this year, and says that OIX will sponsor some interoperability and security pilots between several Web email systems in order to define security best practices on a cross-platform basis.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD

