Friday, April 20, 2012

Security Management Weekly - April 20, 2012

header

  Learn more! ->   sm professional  

April 20, 2012
 
 
Corporate Security
Sponsored By:
  1. "More Than $4 Million in Counterfeit Athletic Clothing Seized at South Sacramento Warehouse"
  2. "Iris Recognition Report Evaluates 'Needle in Haystack' Search Capability"
  3. "Employee Theft Causes Major Heartache in Offices"
  4. "Piracy and Private Security: Laws and Guns"
  5. "What's the Risk of GRC?" Governance, Risk, and Compliance

Homeland Security
Sponsored By:
  1. "Women Found on Both Sides of Terrorism Fight"
  2. "Secret Service Scandal Could Spark More Firings"
  3. "CIA Seeks New Authority to Expand Yemen Drone Campaign"
  4. "Subway Plot Was Message to President" 2009 New York City Subway Bombing Plot
  5. "Afghan Assaults Signal Evolution of a Militant Foe"

Cyber Security
  1. "Flashback Malware Eradication Campaign Slower Than Expected"
  2. "BYOD Continues to Challenge Agencies Struggling to Develop Policy" Bring Your Own Device
  3. "Was Double Agent Responsible for Stuxnet Attack on Iran?"
  4. "Homeland Security Chief Contemplating Proactive Cyber Attacks"
  5. "In Cyber Security Contest, Teens Practice Defending America"

   

 
 
 

 


More Than $4 Million in Counterfeit Athletic Clothing Seized at South Sacramento Warehouse
Sacramento Bee (04/19/12) P. 3B Locke, Cathy

Agents with U.S. Immigration and Customs Enforcement's Homeland Security Investigations unit executed a search warrant at a warehouse in Sacramento, Calif., on April 17 and discovered an estimated $4 million worth of knock-off athletic apparel and other goods. Dan Lane, the assistant special agent in charge with Homeland Security Investigations, said that upon entering the warehouse agents found rows of shelving 40 feet high, stacked with loads of apparel and other items. Among the items seized were counterfeit Adidas jerseys, shorts and shoes. In addition, the warehouse housed a large amount of sports memorabilia. Most of the items had come from Southeast Asia, and most of them were meant to be sold at flea markets in the Sacramento area as well as some retail outlets across the country. The investigation into the counterfeiting operation was launched after the Homeland Security Investigations unit was contacted by a firm that helps companies such as Adidas in dealing with counterfeiting. The investigation is ongoing.


Iris Recognition Report Evaluates 'Needle in Haystack' Search Capability
NIST News (04/17/12) Brown, Evelyn

U.S. National Institute of Standards and Technology (NIST) researchers recently conducted a study evaluating the performance of iris recognition software from 11 organizations and found that some techniques produced very rapid results. The researchers say their study is the first independent comparison of commercially available algorithms that use iris recognition to find an individual match within a large database of potential identities. NIST evaluated 92 iris recognition algorithms from nine private companies and two university labs. The challenge was to identify individuals from a database of eye images taken from more than 2.2 million people. "This ability to pick out a 'needle in a haystack' quickly and accurately is crucial, and we found some algorithms can search a haystack thousands of times larger than others," says NIST researcher Patrick Grother. Success rates ranged from 90 to 99 percent among the algorithms, which means that some programs produced 10 times more errors than others. "When combined with the feedback that this study provides to the industry and the use of the iris in combination with other biometrics, the findings will push accuracy toward 100 percent," Grother says.


Employee Theft Causes Major Heartache in Offices
Santa Monica Daily Press (CA) (04/16/12) Archibald, Ashley

Employee misconduct or theft is not always a cut and dry issue, especially in many cases when the employee did not feel like they had done anything wrong. According to the National Retail Federation, 43 percent of the total losses in the retail industry in 2010 resulted from employee theft, and a 2007 study by the Institute for Corporate Productivity found that at least a quarter of all respondents said that theft of company office supplies, products, and electronic equipment has risen as a result of the recession. These incidents represent different levels of a problem, says California State University's David Whitney, who studies industrial-organizational psychology. "When we're at work, there's a belief of things that we're going to provide the organization and what the organization will provide to us," he says. "Part of that is the written contract, what we do for them and what they'll do in exchange. There's a psychological contract that goes along with that as well." Whitney goes on to explain that both employees and employers acknowledge that it is pretty much "the norm" if a worker might take a few more pens than they truly need. Such incidents are seen as "an expected cost of business." Where Whitney often sees problems arise is often when an employer crosses an invisible line, violating unwritten employee expectations about how the company or manager should behave. For example, if an employee has not received a raise in three years, they may feel considerably less guilty about taking items of larger value, or acting out in other ways. He encourages employers to prevent this kind of behavior by treating workers fairly and ethically, not giving them the occasion to feel slighted. This fairness does not just mean that companies must give in to employee demands. Instead, experts suggest setting out clear standards of behavior and consequences for employees, including some "minor" behaviors such as taking excessive breaks or viewing inappropriate content on work computers.


Piracy and Private Security: Laws and Guns
The Economist (04/14/2012)

Private security guards used to protect ships from pirates as they ply the waters of the Indian Ocean operate under a complicated legal framework that human rights organizations say needs to be clarified. The United Nations Convention on the Law of the Sea calls for guards to follow the laws of the nation whose flag flies on the vessel they are stationed on. However, there is also little regulation in place governing private security guards on ships in international waters. A set of best practice standards for private security teams was created in 2009, though those standards do not carry the force of law. Human rights organizations say that new regulations need to be written to govern the conduct of private security guards in order to prevent additional deaths of innocent people who are mistaken for pirates. The International Maritime Organization will consider this issue at a meeting next month, and is prodding countries to write rules for armed guards on ships at sea. The U.K., for example, wants to implement a voluntary set of rules by the end of the year that would spell out when it is acceptable for private security guards to use deadly force. The rules would also provide details about the systems for company auditing and accountability. Those rules could influence regulations adopted by other countries in the future. But since such rules would be voluntary and would come with extra costs, they could force security firms to move into territories with less-stringent regulations. That in turn could result in the development of a two-tiered private security industry: one that is regulated and one that is not.


What's the Risk of GRC?
CSO Magazine (04/12) Vol. 10, No. 3, P. 24 Violino, Bob

The information management and electronic commerce systems provider Fiserv once found it difficult to get a complete picture of where it stood with regard to enterprise risk and enterprise compliance. Fiserv Senior Vice President and Chief Risk Officer Murray Walton said that this was because there were so many different ideas within the company about what risk assessment and monitoring meant. There were also a number of understandings about what was required or expected, as well as a number of different methods and practices being used to assess risk and compliance, Walton said. While Fiserv was able to manage risk, albeit with considerable effort, Walton said that it was difficult to document that risk to its board of directors or regulators and to see what was "beyond the horizon." Fiserv chose to address these problems by adopting a governance, risk, and compliance (GRC) application known as RiskVision. One of the benefits of RiskVision is that it provides managers with a color-coded risk map that shows exactly where the risks are within the organization, which in turn helps managers know whether they should be focusing on things like remediation efforts, investments, policies, or people issues. Similar risk profiles produced using the manual process that Fiserv previously utilized would have taken six months, compared with three months now, and would have required the use of more employees and additional spending. However, Walton said that companies should remember that technology is only a tool in the GRC process. He added that companies should be sure to have an overarching process in place that helps them assess their business and its assets, vulnerabilities, and ability to stomach risk before they can decide which tools are best for them.




Women Found on Both Sides of Terrorism Fight
CNN.com (04/20/12) Kelly, Suzanne

Although women tend to be on the fringes of terrorist organizations, a growing number are carrying out terrorist attacks, said State Department terrorist analyst Heidi Panetta. In her remarks at the Center for Strategic and International Studies on Thursday, Panetta said that no less than 50 suicide attacks have been committed by women over the last seven years. Intelligence experts say that the use of women as suicide bombers can be appealing for terrorist organizations because they are seen as being less suspicious in many parts of the world. But despite the growing use of women in suicide bombings, there are still no female leaders of al-Qaida or its affiliates. Women are instead taking behind-the-scenes roles such as fund raising and recruitment. On the other side of the coin are women who try to fight terrorism. State Department Counterterrorism Coordinator Daniel Benjamin said that he witnessed this when he was in Yemen several weeks ago and met six ordinary Yemeni women who were working to fight the spread of terrorism in the country. Benjamin noted that one of the women had established a radio station for Yemeni youth that carried an anti-extremist message. Benjamin said that it is important to have women as well as men involved in counterterrorism efforts, adding that his bureau is looking into including gender in several of its policies for projects aimed at training women in national security measures and helping them improve their standing in civil society so that their voices can be heard.


Secret Service Scandal Could Spark More Firings
Associated Press (04/20/12) Caldwell, Alicia A.

The fallout from the recent U.S. Secret Service prostitution scandal is continuing to grow, with one lawmaker who has been briefed on the situation saying that there could be additional firings. The Secret Service announced Wednesday that three of the 11 agents who are accused of bringing prostitutes back to their hotel rooms in Cartagena, Colombia, ahead of a summit that was being attended by President Obama had lost their jobs. One of those agents was a supervisor who was allowed to go into retirement, while another was fired for cause. A third agent who was not a supervisor resigned. But now Rep. Peter King (R-N.Y.), who has received briefings from Secret Service Director Mark Sullivan about the investigation, is saying that there could be a few more dismissals sometime soon. Meanwhile, several investigations into the actions of the Secret Service agents are underway. Separate U.S. government investigations are currently being conducted in Washington, D.C., and Colombia. The Secret Services's investigators in Colombia are being shadowed by four congressional investigators assigned by King to the probe. Some lawmakers are concerned about the scandal because they say that the agents allowed foreign nationals to come into contact with sensitive security information when they brought the prostitutes back to their rooms. House Oversight and Government Reform Committee Chairman Rep. Darrell Issa (R-Calif.) has said that his panel could launch its own probe pending the outcome of the internal Secret Service investigation.


CIA Seeks New Authority to Expand Yemen Drone Campaign
Washington Post (04/19/12) Miller, Greg

The CIA has asked the National Security Council to expand its drone campaign against terrorists in Yemen. Under the CIA's proposal, the agency would be able to carry out drone attacks against suspected terrorists even in cases when the identities of those who could be killed in the strikes are not known. The CIA would instead use intelligence that indicates suspicious behavior to determine what the targets for its drone strikes would be. No decision has yet been made on approving the CIA's proposal. President Obama rejected a similar proposal made by the CIA more than a year ago. Critics of the CIA's request say that it could result in more people without ties to terrorism being killed in drone strikes. In addition, some say that it would be difficult for the CIA not to target insurgents in Yemen in those attacks, given the close ties between the insurgents and al-Qaida. If insurgents are killed in CIA drone strikes, a senior American official said, it could result in the perception that the U.S. is taking sides in a civil war in Yemen. However, supporters of the proposal say that the kinds of drone attacks that the CIA wants to carry out in Yemen have been more successful in killing senior al-Qaida operatives in Pakistan than strikes in which terrorist suspects were identified and located. A senior U.S. intelligence official countered by saying that the situation in the tribal areas of Pakistan is much less ambiguous than it is in Yemen. As a result, it is unlikely that White House officials will approve the CIA's request, the official said.


Subway Plot Was Message to President
Wall Street Journal (04/18/12) Campbell, James

Najibullah Zazi, who pleaded guilty in 2010 to planning to blow up the New York City subway the previous year, has said that the plot was aimed at sending "a message to the United States, especially Obama." Zazi testified that, during his terrorist training in Pakistan in 2008, he was told to carry out the attack within two months of the inauguration of the newly-elected President Obama. He eventually found that strategy to be impracticable, and decided instead to carry out his attack during Ramadan, which fell in August and September of 2009. Among the targets that Zazi said he examined were were the 3, 4 and 5 subway lines in New York City and Grand Central Terminal during the morning rush hour. As part of an agreement with the Justice Department, Zazi testified against his alleged co-conspirator, a Bosnia-born U.S. citizen named Adis Mendunjanin. Mendunjanin has pleaded not guilty to conspiring to use weapons of mass destruction in a plot to bomb New York's subway network in 2009. He is also contesting charges he conspired to commit murder in a foreign country and provided material support to al-Qaida.


Afghan Assaults Signal Evolution of a Militant Foe
New York Times (04/17/12) Schmitt, Eric; Rubin, Alissa J.

Sunday's coordinated attacks in Afghanistan by the Haqqani Taliban network underscore how the group has grown from being a crime mob to a leading militant organization, military and intelligence officials in Western nations say. The attacks were carried out by nearly 40 fighters in the capital of Kabul and in Jalalabad, Paktia Province, and Logar Province. However, there were likely many other people who helped with the attacks from behind the scenes, including the reconnaissance agents who helped choose the sites for the attacks, logistics experts who arranged the transportation of the fighters, and individuals who supplied the militants with weapons. Afghanistan Analysts Network Co-Director Thomas Ruttig said that too much significance should not be placed on the attacks, because they do not mean that the Taliban is capable of regaining power in Afghanistan. However, Ruttig did say that it was telling that the attacks were not prevented even though they took place in locations that U.S. troops have been focusing on. Afghan President Hamid Karzai has said that the success of the attacks could be chalked up to an intelligence failure on the part of NATO as well as the Afghan government. Meanwhile, one Western official said that the attacks raised two questions: whether the Haqqani militants were now able to carry out similar attacks repeatedly, and whether or not the Afghan government would be able to prevent such incidents once coalition troops are withdrawn from the country in 2014.




Flashback Malware Eradication Campaign Slower Than Expected
InformationWeek (04/18/12) Schwartz, Mathew J.

The number of Apple OS X devices infected with the Flashback malware has fallen by more than 80 percent, dropping from more than 600,000 infected machines to less than 99,000 as of April 17. The decline in the number of infections follows Apple's release of updates for Apple OS X 10.6 and 10.7, which patch the vulnerability in Java that is exploited by Flashback. The update for Apple OS X 10.7 also includes a feature that disables Java if it has not been used for 35 days. Meanwhile, companies have introduced tools that are capable of detecting and eliminating Flashback. Despite the 80 percent decline in the number of Flashback infections, Symantec Security Response researchers have expressed disappointment that the number of infected machines has not dropped more. The decline in the number of Flashback infections comes as security researchers are continuing to determine how the malware works. They already know that Flashback exploits a vulnerability in Java to facilitate drive-by download attacks against Macs, and that infected computers become part of botnets that could infect them with even more malicious code. But security researchers have now found that Flashback can receive new command-and-control server contact information by searching Twitter posts for certain hashtags.


BYOD Continues to Challenge Agencies Struggling to Develop Policy
Federal Computer Week (04/18/12) Tuutti, Camille

Many federal agencies' security policies and procedures are not keeping up with the growing bring your own device trend, which leaves these government networks increasingly vulnerable to attacks, according to a recent Network World/SolarWinds survey. The report on the survey found nearly 60 percent of public-sector agencies permit all personal mobile devices to connect to the enterprise network, though the same percentage also said their agency did not have the proper tools to handle non agency-issued mobile technologies on the network. More than 70 percent of respondents said they were either somewhat confident or very confident in knowing what personal mobile devices were accessing their agency's network. However, about 20 percent did not know how many or which personal devices are accessing their agency's network, and about 3 percent said "I have no clue" of the personal devices that use the network. Twenty-seven percent of respondents said they were unsure if their own personal device had ever caused a network security breach, while 6 percent conceded that their own device had exposed the network to risk.


Was Double Agent Responsible for Stuxnet Attack on Iran?
Defense Systems (04/17/12) McCaney, Kevin

Industrial Safety and Security Source (ISSSource) has issued a report about how the Stuxnet virus infected a computer used at Iran's Natanz nuclear facility in 2010. The report quotes current and former U.S. intelligence officials who say that an Iranian dissident who was working for Israel used a memory stick to infect the computer with the virus. The virus then utilized four zero-day exploits to attack a specific version of a programmable logic controller (PLC) that was used in uranium-enriching centrifuges at Natanz. The infection disrupted the centrifuges' rotational frequency, forcing Iranian officials to shut down uranium enrichment at Natanz for a week in November 2010. It was reported in February that Iranian engineers were finally able to remove the Stuxnet infection from their systems. Experts are warning that similar attacks could take place in the future against power grids, water processing plants, and other pieces of vital infrastructure. Security systems in prisons could also be vulnerable to a worm that is similar to Stuxnet, since they use PLCs as well. Some believe that it could be difficult to respond to a Stuxnet attack on U.S. infrastructure because much of that infrastructure is privately owned.


Homeland Security Chief Contemplating Proactive Cyber Attacks
Mercury News (04/16/12) Johnson, Steve

Department of Homeland Security (DHS) Secretary Janet Napolitano has announced that she is considering allowing tech companies to aid government efforts to develop "proactive" efforts to prevent cyberattacks originating in foreign countries, and potentially backed by foreign governments. She declined to give specifics, saying "Should there be some aspect that is in a way proactive instead of reactive?" and then answered her own question with "yes." She added, "it is not something that we haven't been thinking about." That said, she added that some restrictions would have to be placed on any such cyber activities. Some security officials and privacy advocates have expressed concern at the idea private companies would be allowed to participate in what is usually a government activity, particularly if Napolitano's plans involve offensive attacks against foreign entities, which they point out could be interpreted as acts of war. Despite these concerns, federal officials have already been recruiting widely from the private sector to gain their aid in preventing attacks on the nation's infrastructure and important data.


In Cyber Security Contest, Teens Practice Defending America
Los Angeles Times (04/16/12) Jennings, Angel

Teams of teens from 11 high schools around the country recently competed in the National High School Cyber Defense Competition. The competition, held in Oxon Hill, Md., called on the teens to defend the nation's computer system against hackers seeking to infiltrate U.S. infrastructure. The competition was observed by Department of Homeland Security (DHS) officials as well as executives from the major military contractor Northrop Grumman. Immediate prizes included scholarship money, a laptop, and dinner with President Obama; however, many of the competitors who did well could also be future recruits for DHS, Northrop Grumman, and other cybersecurity contractors. Each team was assigned to manage a network of 11 virtual databases and operating systems. Teams earned points for identifying vulnerabilities, keeping systems running, and detecting and defending against potential hackers. In 2010, Northrop Grumman alone hired a dozen student participants. This year the company says it is looking to fill 30 positions. Students who make the cut will remain on-call for summers and holidays throughout their college career. Upon graduation, some will be offered six-figure jobs.


Abstracts Copyright © 2012 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment