Friday, September 23, 2011

Security Management Weekly - September 23, 2011

 
 
Corporate Security
  1. "MacroSolve Targets Major Firms in Patent Infringement Lawsuit"
  2. "ATF Probes Blast That Injured Lawyer, 2 Kids" Bureau of Alcohol, Tobacco, Firearms, and Explosives; Michigan
  3. "AlliedBarton Chairman Looks at How to Stem Tide of Workplace Violence"
  4. "Ship Insurers Backing Armed Guards as Piracy Grows"
  5. "Conn. Casinos Seek Break on Paying for Security"

Homeland Security
  1. "U.S. Accuses Pakistan of Militant Ties"
  2. "NYPD Eyed US Citizens in Intel Effort"
  3. "Stingray Phone Tracker Fuels Constitutional Clash"
  4. "Blast Kills Chief of Peace Council in Afghanistan"
  5. "Delta Considers Stronger Cockpit Security"

Cyber Security
  1. "Email Main Source of Data Leaks in Organizations: Survey"
  2. "Federal IT Top Worries: Complex Attacks, Inside Threats"
  3. "Internet Providers Asked by U.S. to Set Virus Defense Standards"
  4. "Researchers to Detail Hole in Web Encryption"
  5. "Japanese Defense Contractor Hit by August Cyberattack"

   

 
 
 

 


MacroSolve Targets Major Firms in Patent Infringement Lawsuit
Tulsa World (OK) (09/23/11) Evatt, Robert

Texas-based mobile app maker MacroSolve Inc. has filed a patent infringement suit against AT&T, Citigroup, Dell, Groupon, Living Social, and Salesforce.com. Representatives from MacroSolve say the suit is part of the firm's effort to protect and monetize a patent awarded to the company in October 2010. The company has already sued 30 other smaller companies and settled with several. It has also identified an additional 250 companies it is considering suing, bringing an estimated $30 million to $40 million to the company over the next several years. The patent in question gives MacroSolve the rights to the process by which a company or individual creates an app, sends it to be downloaded to mobile devices, collects information from users, and sends it back to a central database. MacroSolve maintains that these processes cover every existing or potential mobile app that sends data from the user back to the makers or administrators of the app. In order to fight the suit, defense teams for the large companies MacroSolve is suing would need to prove the patent is too broadly worded and that it should be invalidated. The bar to do so is high, but the well-funded firms MacroSolve is now targeting may potentially have the resources to give them the advantage.


ATF Probes Blast That Injured Lawyer, 2 Kids
Detroit News (09/22/11) Donnelly, Francis X.; Pardo, Steve

Federal investigators and police in Michigan are probing a car bombing that targeted a Monroe, Mich., attorney. The car bombing took place on the evening of Sept. 20, when Erik Chappell--who practices family law in Michigan and Ohio and represents companies in commercial and employment disputes--was driving his two sons to football practice in Monroe. The bomb exploded in their Volvo station wagon, destroying the vehicle and injuring Chappell and the two boys. Those who know Chappell professionally say they have no idea why someone would target him. Authorities are offering a $10,000 reward for information in the case. A number of leads are currently being pursued, but authorities currently do not have any suspects in the case, said Donald Dawkins, a spokesman for the Bureau of Alcohol, Tobacco, Firearms, and Explosives office in Detroit.


AlliedBarton Chairman Looks at How to Stem Tide of Workplace Violence
SecurityInfoWatch.com (09/21/11)

According to a 2008 report by the United States Bureau of Labor Statistics, more than 2 million American workers experience some type of workplace violence incident each year. An average of two people are killed and 87 are injured each day as a result of workplace violence. Based on these statistics, the Center for Disease Control has classified workplace violence as a national epidemic. Bill Whitmore, chairman, president and CEO of AlliedBarton Security Services, recently spoke on the issue of workplace violence at a closed ASIS media session in Orlando, Fla. "Workplace violence is a day-to-day reality that cannot be ignored," Whitmore said. "Every organization has to understand its fundamental dynamics, risk, and costs to their business." In order to avoid legal liability from workplace violence, employers must have, at the very least, a written policy on how the company will avoid violence, education programs for employees and managers on how to deal with threats, and "adequate" security. Liability cases where employers have failed to take such proactive, preventive measures have an average jury award of $3.1 million per person, per incident. However, as Whitmore pointed out, there are more costs associated with workplace violence than just potential liability. "Preventing violence in the workplace and making workers comfortable in the workplace has definite ROI," he explained. Having policies in place to achieve that goal is admirable, but those policies are of little use unless they are effectively applied and conveyed to employees at different levels of the company. To do so, Whitmore suggested companies put together a team to handle workplace violence prevention that includes representatives from all relevant areas of the company.


Ship Insurers Backing Armed Guards as Piracy Grows
Reuters (09/20/11)

Officials from the maritime insurance industry who attended the International Union of Maritime Insurance's (IUMI) annual conference on Tuesday said that they increasingly support the idea of using private armed guards on merchant vessels to protect the ships from attacks by Somali pirates. Until now, shipowners and insurers have been hesitant to accept armed private guards onboard ships, due to concerns about bringing weapons into some territorial waters and fears that the presence of armed guards would result in violence escalating in the event of a pirate attack. But now IUMI President Ole Wikborg has endorsed the idea, saying that armed guards will help protect vessels and property traveling through the Indian Ocean. However, Wikborg acknowledged that the use of armed guards will not end the problem of piracy. The Security Association for the Maritime Industry is hoping to have the first private security companies accredited by the second quarter of next year. After these companies have been accredited, they will be able to provide armed guards to merchant vessels. Despite the opposition by some, there are roughly 1,000 private guards onboard private ships to protect against attacks by Somali pirates, according to the French maritime economics institute ISEMAR.


Conn. Casinos Seek Break on Paying for Security
Associated Press (09/18/11)

Representatives from Connecticut's Mohegan and Mashantucket Pequot Indian tribes are in talks with Gov. Dannel P. Malloy's administration about security at the two casinos they operate. Over the past three years, the amount of money that the Mashantucket Pequot tribe has had to reimburse the state for police, as well as liquor control officers and auditors, at its Foxwoods Resort Casino has risen to $7.3 million. The Mohegan tribe, meanwhile, reimbursed Connecticut $6.8 million for police, liquor control officers, and auditors at its Mohegan Sun casino during the last fiscal year, an amount that has also risen over the past three years. State police at the two casinos have special units that respond to thefts, assaults, and various other crimes that take place in gaming areas. In addition, state police contribute their expertise on gambling-related crimes. However, the Mohegan Tribe has its own police force, which is made up of officers that perform similar tasks, according to Chuck Bunnell, the tribe's chief of staff for external affairs. In addition, the number of officers from the tribal force that patrol the Mohegan Sun casino is much higher than the number of state police officers that are on duty on any given shift, Bunnell said. As a result, the Mohegan tribe, as well as the Mashantucket Pequot tribe, is concerned that there is a duplication of security efforts. The two tribes are hoping to review the security provided by the state so that they can cut their costs if possible.




U.S. Accuses Pakistan of Militant Ties
Wall Street Journal (09/23/11) Barnes, Julian E.; Rosenberg, Matthew; Entous, Adam

Joint Chiefs of Staff Chairman Adm. Mike Mullen appeared before a congressional panel on Thursday and charged Pakistan's spy service with having ties to the militant group that has been blamed for the recent attack on the U.S. Embassy in Afghanistan. According to Mullen, the Haqqani network--which also attacked NATO's headquarters in Kabul on the same day it attacked the U.S. Embassy--is a "veritable arm" of the Inter-Services Intelligence (ISI) agency. Mullen added that the policy of the Pakistan government is to provide support to militant groups like the Haqqani network, as well as the anti-India terrorist organization Lashkar-e-Taiba, because doing so furthers its interests. Following Mullen's testimony, military officials said that there was no evidence that ISI had directed the attack against the U.S. Embassy and the NATO headquarters, though they did say that the service has provided strategic support to the Haqqani network. Pakistan, for its part, has long denied that the ISI provides support to the Haqqani network. Meanwhile, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) said Thursday that the Haqqani network should be designated a foreign terrorist organization so that the U.S. government could more easily crack down on its finances. A similar appeal made by Feinstein last year was unsuccessful.


NYPD Eyed US Citizens in Intel Effort
Associated Press (09/22/11)

The Associated Press has obtained evidence that shows that the New York Police Department conducted surveillance on American citizens who were originally from Morocco even though they had done nothing wrong. The surveillance was conducted as part of the NYPD's Moroccan Initiative, which itself was part of the department's counterterrorism efforts. As part of the initiative, undercover officers took pictures of restaurants that were frequented by Moroccans, and took notes on where Moroccans bought their groceries. Officers also watched which hotels Moroccans visited and which mosques they prayed at. The information that was recorded by the officers was then entered into the NYPD's computers so that officers would have information about the city's entire Moroccan community in the event the department received a specific tip about a Moroccan terrorist. It remains unclear when the Moroccan Initiative began and whether or not it is ongoing. However, the program reportedly began with help from the CIA after the 2003 suicide bombings in Casablanca and the 2004 Madrid train bombing, which was blamed on Moroccan terrorists. Soon after the initiative began, police were told that they should gather intelligence on the Moroccan community because there were fears that Moroccan terrorists would attack New York City as well, even though there was no specific threat against the city. An investigation into the legality of the CIA's relationship with the NYPD is ongoing.


Stingray Phone Tracker Fuels Constitutional Clash
Wall Street Journal (09/22/11) Valentino-DeVries, Jennifer

Federal law enforcement officials are currently facing several legal challenges regarding stingray devices, which use mobile phone signals to track a suspect's location, even if the phone is not currently in use. Stingrays are one of several types of devices the FBI is using to track location, often without a search warrant. On Nov. 8, the Supreme Court is scheduled to hear arguments about whether or not it is constitutional for law enforcement to put a GPS tracker on a suspect's car without a search warrant. Similarly, the Senate and the House are both considering bills that would require a warrant before tracking a cell phone's location. The stingray is a generic term for a device that works much like a cell phone tower, connecting to phones and measuring signals in order to triangulate the phone's location. The best known stingray maker is Harris Corp., which is based in Florida. According to Harris representatives, they only sell products to law-enforcement and other government agencies. Similar devices are sold by other manufacturers and can be carried by hand or mounted in cars. In addition to the FBI, records indicate that the U.S. military also uses stingrays as well as local police in Minnesota, Arizona, Miami, and Durham, N.C. The FBI and the Department of Justice argue that they do not need to obtain a search warrant to use the devices because stingrays fall under the category of "pen registers," which require a lesser order. Pen registers track signals from phones, but do not receive the content of communications. Lawmakers and the courts have yet to officially take a stand on whether or not tracking a person's location constitutes a search and would require a warrant. One of the issues still under debate regarding stingrays is the FBI's habit of deleting the data they reveal. Legal experts say they find it "odd" that the agency would delete evidence prior to trial. 
The law requires any information found under a search warrant to be returned to the judge. Even if the courts find the use of stingrays to be constitutional, deleting the data still calls the FBI's practices into question. The FBI says it deletes location information because it does not use it as evidence.


Blast Kills Chief of Peace Council in Afghanistan
New York Times (09/21/11) P. A1 Rubin, Alissa J.

Burhanuddin Rabbani, the leader of the council charged with developing a peace agreement with the Taliban, was assassinated in his home on Tuesday by a suicide bomber. The attacker had been in contact with the High Peace Council over the past five months, and was able to get into Rabbani's home in Kabul by telling a council member that he had a message to give Rabbani from the Taliban leadership group known as the Quetta Shura. The attacker was allowed to enter Rabbani's home and detonated the bomb that he had hidden in his turban as he embraced the council leader. No one has yet taken responsibility for the attack, though either the Taliban, the Haqqani network, or elements of al-Qaida could have been involved. The attack on Rabbani has shown that some in Afghanistan are resistant to going along with the peace process. In addition, the bombing also underscored the ability of enemies of the Afghan government to infiltrate seemingly secure locations to carry out attacks. Some say that the death of Rabbani will make it difficult for the peace process to continue, as he was one of the few people in Afghanistan who had the ability to convince the Taliban's enemies, the former Northern Alliance, to move towards reconciliation. Just hours after Rabbani's death, some of the Northern Alliance's leaders took to the airwaves to denounce the peace process and say that the Taliban could not be trusted. However, Afghan President Hamid Karzai has said that the peace process will continue despite Rabbani's death.


Delta Considers Stronger Cockpit Security
Wall Street Journal (09/20/11) Pasztor, Andy

Delta Air Lines is reportedly considering adding new cockpit-security gates to some of its aircraft. The gates, which are expandable and fold in and out like an accordion, will be installed just outside the cockpit doors of some aircraft to temporarily prevent passengers from accessing the front section of the cabin when the cockpit door is opened for various reasons. Delta flight attendants currently use carts or other objects to block passengers from accessing the front section of the plane's cabin when the cockpit door is opened to allow pilots to use the bathroom, move to one of the plane's crew rest areas, or leave or return to the cockpit for another reason. Industry officials say that Delta hopes that the installation of the new cockpit-security gates will free flight attendants from having to do that, which in turn will allow them to pay more attention to passengers. In addition, the use of carts or other objects to block the front section of the cabin also prevents passengers from accessing the bathrooms that are located at the front of the aircraft. If Delta decides to install the cockpit-security gates, it will be the second major U.S. airline to do so. United installed similar gates on many of its Boeing 757 jets several years ago, and plans to install them on other types of aircraft in the future.




Email Main Source of Data Leaks in Organizations: Survey
eWeek (09/21/11) Rashid, Fahmida Y.

Email may be integral to an organization's day-to-day operations, but it is also becoming one of the primary sources of data leakage, according to a recent Ponemon Institute report. In a survey of 830 information technology, security, and compliance experts, more than 50 percent said improper email use among employees is the main source of data leaks within the organization. Roughly seven in 10 respondents said employees have breached security policies and frequently send sensitive data through insecure email channels, and 60 percent use personal email accounts to send organizational data, the survey found. About 63 percent believe workers mistakenly send confidential information to recipients outside the office. Additionally, 70 percent of the compliance and security experts surveyed are worried about data lost via email on mobile devices. Email is "such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner," says Ponemon Institute chairman Larry Ponemon. Considering the volume of data stored on mail servers, a data breach could result in the theft of highly sensitive information. Worry also surrounds mobile devices, as employees are increasingly checking email while outside of the office.


Federal IT Top Worries: Complex Attacks, Inside Threats
InformationWeek (09/21/11) Montalbano, Elizabeth

The biggest issue worrying federal IT professionals is the increased sophistication of cyberattacks and insider threats, according to a new Market Connections survey of 200 federal IT decision makers. Federal IT teams also continue to struggle with budget cuts and long waits for supervisor approval in their initiatives to secure their infrastructure, the study found. Seventy-one percent of respondents to a new federal cybersecurity questionnaire cited the increased intricacy of attacks as the greatest security risk that they expect to face in the next 12 months. Improper use of information by internal personnel was the second biggest risk, listed by 63 percent of respondents. One surprising finding of the study was that cloud computing ranked relatively low on the list of federal cybersecurity worries, with only 35 percent of respondents citing it as a key risk in the next year. The survey found that phishing remains the leading threat federal agencies face, with nearly 50 percent of respondents saying that their department or agency has contended with a phishing attack in the last 12 months. Fifty-five percent of respondents said it takes too long to get consent from supervisors to put solutions in place to shield networks, while 53 percent said federal budget cuts also negatively affect cybersecurity objectives.


Internet Providers Asked by U.S. to Set Virus Defense Standards
Bloomberg (09/21/11) Engleman, Eric

The departments of Homeland Security and Commerce are calling on Internet service providers to voluntarily take steps that would combat the threat posed by botnets, which they said have become a growing problem over the last several years. In their proposal, the departments called on ISPs to monitor their customers' computers to determine if they have been infected with botnets. ISPs could then notify customers that their machines are infected and provide them with instructions on how to remove the botnet. Such steps would be part of an industry standard that ISPs could create for dealing with botnets. To encourage ISPs to adopt such a standard, they could be given immunity from lawsuits stemming from cyberattacks on their customers' computers. In addition to calling for the creation of a voluntary industry standard, the departments also said that a resource center could be established to help people dealing with botnet infections on their computers. This center could be operated by the industry, the government, or both. According to Homeland Security spokesman Chris Ortman, the proposals will help DHS evaluate the effectiveness of using voluntary notification of botnet infections in reducing and guarding against cyber threats.


Researchers to Detail Hole in Web Encryption
CNet (09/20/11) Shankland, Stephen

Security researchers Juliano Rizzo and Thai Duong will demonstrate an attack that compromises Transport Layer Security (TLS) 1.0 at the Ekoparty conference in Argentina. The TLS encryption mechanism secures Web sites accessed using [Secure Hypertext Transfer Protocol (HTTPS)], and is the successor to Secure Sockets Layer (SSL). The attack is called Browser Exploit Against SSL/TLS, and reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications. The attack, which takes about 10 minutes, allows an authentication cookie to be stolen. Rizzo and Duong will show how the attack can be used to decrypt a cookie used to access PayPal's electronic payment site. TLS is widely used by financial sites, and companies such as Google, Facebook, and Twitter are pushing for its further use on the Web. University of Virginia researcher Karsten Nohl says the vulnerability should give software makers the incentive to catch up with a fix that was available years ago.


Japanese Defense Contractor Hit by August Cyberattack
Wall Street Journal (09/20/11) Nakamichi, Takashi

Mitsubishi Heavy Industries announced that it was hit by a cyber-attack in the middle of August. The company said the attack infected some of its networks in Japan with viruses, but said it has not discovered any leak of sensitive information. Mitsubishi said that 45 servers and 38 personal computers were infected with viruses at 11 facilities in the country, including its submarine manufacturing plant and a factory that creates engine parts for missiles. The spokesman for the company said it was unclear who was responsible for the attack. Mitsubishi is conducting an investigation that it expects to complete by the end of September.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD



1 comment:

  1. just linked this article on my facebook account. it’s a very interesting article for all...



    Miami Mitsubishi
