Friday, August 27, 2010

Security Management Weekly - August 27, 2010

Corporate Security

  1. "Microsoft Investigates Halo: Reach Leak"
  2. "German Cabinet Backs Updated Privacy Law"
  3. "California Eyes Stronger Privacy Law"
  4. "Companies Try Efforts to Protect Workers in World's Danger Zones"
  5. "Security Blamed in van Gogh Theft"
Homeland Security

  1. "FBI-ATF Turf Battle Hurts Bomb Probes, Official Says"
  2. "Pakistani Taliban Hint at Attacks on Aid Workers"
  3. "In Report, CIA Worried About U.S. Terror Exports"
  4. "Karzai Faces Struggle to Oust Contractors"
  5. "U.S. Weighs Expanded Strikes in Yemen"
Cyber Security

  1. "EU Cyber Assault Would Cost €86 Million, Expert Says"
  2. "Vulnerability Disclosures Increase by 36 Percent in 2010"
  3. "Federal CIOs Issue Cloud Computing Privacy Framework"
  4. "Registry Operator Afilias Embraces DNS Security"
  5. "IT Security Incidents Prompt Nashville, Tenn., to Strengthen Policy, Hire IT Security Chief"

Microsoft Investigates Halo: Reach Leak
Telegraph.co.uk (08/26/10) Skipworth, Hunter

Microsoft has announced that it will investigate a leak of its forthcoming Halo: Reach game, which began appearing on piracy Web sites weeks before its release date. Copies of the game, which is expected to be a major blockbuster, reportedly began appearing online after the game was made available to reviewers and journalists through the company's Xbox Live store. Microsoft is well known for its strict approach to piracy. It banned around 600,000 Xbox 360 users with hacked consoles or pirated games from its online Xbox Live service in 2009. A statement from Microsoft suggests that similar action will be taken against those who have downloaded copies of Halo: Reach. "Microsoft's commitment to combat piracy and support safer and more secure gameplay for the 25 million members of the Xbox LIVE community remains a top priority," a spokesperson said. "All consumers should know that piracy is illegal and modifying their Xbox 360 console violates the Xbox LIVE terms of use, will void their warranty and result in a ban from Xbox LIVE."


German Cabinet Backs Updated Privacy Law
Wall Street Journal (08/26/10) Lawton, Christopher; Fuhrmans, Vanessa

The German cabinet said Wednesday that it supports a bill being considered by the country's parliament that would place limits on the ability of companies to monitor employees and gather information on job candidates. For instance, the legislation prohibits companies from secretly filming their employees. In addition, the bill prohibits employers from posing as a job candidate's friend in order to access information from his Facebook page. The legislation does allow employers to conduct some monitoring of employees and research on prospective employees, albeit with several limitations. For example, employers are allowed to monitor and control the use of telecom equipment for billing or anti-corruption purposes, though they are not allowed to read the content of such communications. In addition, employers will continue to be allowed to conduct Internet searches and access generally available information on job candidates that is posted online, including information on job-searching and networking sites such as LinkedIn. Those who violate the provisions of the legislation, should it become law, could be fined and face up to two years in jail, though experts say that enforcement will likely be difficult.


California Eyes Stronger Privacy Law
BankInfoSecurity.com (08/25/10) McGlasson, Linda

The California legislature has passed a strengthened data breach notification bill that gives consumers a higher level of privacy protection, but it still must be signed by Gov. Arnold Schwarzenegger, who vetoed a similar bill last fall. California was the first state to make data breach notification mandatory, through legislation requiring businesses and state government agencies to inform victims in the event of a data compromise. The new bill would specify what information must be included in the alert. Should the governor approve the bill, the law will require the notification to include a general description of the breach incident, the type of information exposed, the date and time of the intrusion, and the toll-free phone numbers of the major credit reporting agencies. The law also would obligate public agencies, businesses, and people subject to California's security breach notification law to send an electronic copy of the breach notification to the attorney general, but only if more than 500 California residents are affected by a single breach. State Sen. Joe Simitian, who authored the new bill as well as the existing California breach statute, says he is "cautiously optimistic that this version of the bill will be signed into law."


Companies Try Efforts to Protect Workers in World's Danger Zones
USA Today (08/24/10) Yu, Roger

Today's global economy often requires people to enter at-risk areas where they can be exposed to natural calamities, war, terrorism, kidnapping, disease, and so on. Approximately 10 percent of employees who are transferred from the United States are assigned to countries that are considered "dangerous or have harsh conditions of living," according to Mariana Costa, an international employment lawyer. As a result, more and more U.S. companies are relying on detailed security briefings and employee training to prepare workers for assignments abroad. CARE, an international development organization, required employees bound for Haiti this year to take part in a 45-minute "stress consultation" that previewed issues they would encounter, such as widespread devastation and challenging living conditions. The sessions reminded workers about reactions to working in a continually high-pressure environment, and asked them to think about their coping mechanisms for stress. "What are some things that can reconnect you to what brings you hope and joy? Hopelessness is a byproduct of vicarious stress," says Lynne Cripe, CARE's director of employee engagement, support, and communications. Corporate travel managers are implementing "travel risk management" by adding restrictions to travel policies, gathering country intelligence reports, purchasing more insurance policies, monitoring employees' movements, and hiring medical evacuators and security companies. The U.S. Commerce Department's International Trade Administration estimates that from 2000 through 2009, the number of U.S. citizens traveling to Asia, South and Central America, the Middle East, and Africa increased by 47 percent to 12 million a year.


Security Blamed in van Gogh Theft
Associated Press (08/23/10)

A Vincent van Gogh painting worth an estimated $50 million was stolen on Saturday from the Mahmoud Khalil Museum in Cairo, Egypt. According to prosecutor general Abdel-Meguid Mahmoud, the thieves stole the painting, known as both "Poppy Flowers" and "Vase with Flowers," by cutting it out of its frame with a box cutter. Mahmoud added that the "feeble and superficial" security measures in place at the Mahmoud Khalil Museum were unable to stop the thieves. None of the alarms at the museum were working, Mahmoud said, and only seven of the 43 surveillance cameras that had been installed were operational. In addition, the daily rounds performed by the museum's guards at closing time were not adequate to protect valuable works of art, Mahmoud said. Meanwhile, the investigation into the theft of the painting, which has yet to be recovered, is continuing. A number of Egyptian officials, including museum director Reem Bahir and the head of the fine arts department at the Ministry of Culture, have been ordered to remain in Egypt until the investigation has been concluded.




FBI-ATF Turf Battle Hurts Bomb Probes, Official Says
Washington Post (08/27/10) P. A03; Markon, Jerry

Acting Deputy Attorney General Gary G. Grindler issued an internal memo on Aug. 3 as part of an attempt to end the long-running dispute between the FBI and the Bureau of Alcohol, Tobacco, Firearms, and Explosives over who has jurisdiction in bombing investigations. According to Grindler, the FBI will act as the lead investigators in bombings that are believed to be linked to terrorism, including bombings of courthouses, schools, shopping malls, and tourist attractions. ATF will have jurisdiction over all other types of bombings, Grindler said. Grindler added that clarifying which agency has jurisdiction in bombing investigations will help prevent an incident in which actionable intelligence does not get sent to the right people because of concerns about who will be the lead investigator. Experts agreed that the clarification was necessary, saying that the FBI and the ATF need to cooperate with one another to ensure that there is not another large-scale terrorist attack on U.S. soil. However, the memo is being criticized by some ATF agents who fear that it will allow the FBI to claim jurisdiction in high-profile bombing cases and prevent the ATF from bringing its expertise in explosives to the investigation. Other agents said that there could be delays in bombing investigations while the FBI decides whether the attacks are terrorism related. However, experts say that the ATF will continue to retain jurisdiction over most bombings, since the overwhelming majority are not linked to terrorism.


Pakistani Taliban Hint at Attacks on Aid Workers
Associated Press (08/26/10) Dawar, Rasool

The Pakistani Taliban has indicated that it may be planning attacks against foreign aid workers, saying their presence in Pakistan was "unacceptable." Azam Tariq, a spokesman for the Pakistani Taliban, said the foreign aid workers are being targeted because they had intentions other than to provide relief to flood victims. He would not say what those intentions were. Meanwhile, the U.N. has said that it would not be deterred by violent threats against the aid workers. In order to protect aid workers, the U.N. said its security experts will be working with U.N. agencies and other international organizations "to assess what the risks are and to minimize them." U.S. State Department spokesman P.J. Crowley said Washington is also taking the threat of attacks by militants seriously. "We have information of the potential targeting of foreign relief workers in Pakistan, as well as government ministries," Crowley told reporters in Washington, adding, "It just underscores the bankrupt vision that these extremists have and we are conscious of that threat."


In Report, CIA Worried About U.S. Terror Exports
Washington Post (08/26/10) Nakashima, Ellen

The Web site WikiLeaks released a secret document from a CIA think tank on Wednesday that concluded that the U.S. has exported terrorism for some time. The paper, which was produced by the CIA's Red Cell and is entitled "What if Foreigners See the United States as an Exporter of Terrorism?," cited the case of David Headley as an example. Headley is a Pakistani-American man who has admitted to conducting surveillance in preparation for the 2008 terrorist attacks in Mumbai, which were carried out by Lashkar-i-Taiba. The paper also cited the case of Baruch Goldstein, an American Jewish doctor who emigrated to Israel, joined an extremist group, and in 1994 attacked a mosque in Hebron. The paper concluded that cases such as these could hurt relations between the U.S. and its foreign allies, and could prompt other countries to request the rendition of American terrorist suspects. There may even be a few cases in which foreign governments secretly extract American terrorist suspects from U.S. territory, the paper said. However, the CIA has downplayed the findings of the paper, saying that the document was written simply to "provoke thought and present different points of view."


Karzai Faces Struggle to Oust Contractors
Asia Times (08/26/10) Fisher, William

Afghan President Hamid Karzai is attempting to push ahead with his plan to oust all private security contractors from Afghanistan, calling them "mafia-like groups" financed by U.S. taxpayers to carry out "terrorist activities." Karzai's critics say that the move to remove tens of thousands of private security personnel employed by international forces and foreign media outlets could undermine security and slow many foreign projects. Security personnel working for economic organizations, embassies, consulates, and non-governmental organizations would be exempt from the rule. Karzai recently appeared on ABC's This Week to defend his decision, arguing that the money spent on security forces would be better put toward funding Afghanistan's police. "One of the reasons that I want them disbanded and removed by four months from now is exactly because their presence is preventing the growth and development of the Afghan security forces - especially the police force - because if 40,000 to 50,000 people are given more salaries than the Afghan police, why would an Afghan... man come to the police if he can get a job in a security firm, have a lot of leeway without any discipline? So naturally our security forces will find it difficult to grow. In order for our security forces to grow these groups must be disbanded." Karzai has received cautious support for his proposal from some members of Congress, including Sen. John Kerry (D-Mass.), the chairman of the Senate Foreign Relations Committee.


U.S. Weighs Expanded Strikes in Yemen
Wall Street Journal (08/25/10) Entous, Adam; Gorman, Siobhan

There is a growing consensus among U.S. lawmakers and intelligence officials that al-Qaida in the Arabian Peninsula (AQAP) and the Somali terrorist group al Shabaab could pose more of a threat to the nation's security than the al-Qaida leaders who were behind the Sept. 11 terrorist attacks. One reason why AQAP and al Shabaab could represent a bigger threat to the U.S. is because they are becoming better and better at recruiting new members, and because they are focused on launching smaller attacks that are harder to detect and stop. In addition, there are signs that AQAP and al Shabaab may be working together to plan attacks on American and Western interests in Europe and the U.S., said Rep. Pete Hoekstra (R-Mich.), the ranking member on the House intelligence committee. In response to this threat, the Obama administration could opt to use drones in Yemen and Somalia as part of a campaign to kill certain suspected terrorists. A similar campaign is already being used in Pakistan. The administration may already be moving forward with such a campaign in Yemen, since the U.S. military's Special Operations Forces and the CIA have been moving surveillance equipment, drones, and personnel into Yemen and several African nations that border Somalia. A campaign to kill terrorists in Yemen and Somalia would likely be supported by lawmakers from both parties, though the plan could be opposed by the Defense Department, since it feels that it has been responsible for the campaign against militants in Pakistan.




EU Cyber Assault Would Cost €86 Million, Expert Says
EU Observer (Belgium) (08/25/10) Rettman, Andrew

Charlie Miller, a former mathematician at the National Security Agency who currently works for Independent Security Evaluators in Baltimore, has outlined a cyberattack that could have devastating consequences for the European Union. Under Miller's scenario, the attack, which would cost €86 million to carry out and would require 750 people and two years of preparation, would begin with hackers working on behalf of a foreign government sending a malicious PDF attachment to staff members at organizations like the London Stock Exchange or the operator of France's electric grid. The employees at these organizations would be tricked into opening the attachment because it would appear to have been sent by a colleague. Opening the attachment would give the attackers the ability to monitor the employees' keystrokes and record their passwords, which they could then use to take over other computers. That foothold would in turn let the attackers turn off the targets' firewalls, launch denial-of-service attacks, or install remote administration tools to control the targets' hardware. After enough targets had been compromised, the attackers could shut down electricity in the EU or disable phone and Internet communications, among other things. Miller noted that the best thing the EU could do to protect itself from such an attack is to invest in intelligence services capable of detecting a threat before it is carried out.


Vulnerability Disclosures Increase by 36 Percent in 2010
InformationWeek (08/25/10) Schwartz, Mathew J.

Vulnerability disclosures are at an all-time high, with 4,396 new vulnerabilities recorded in the first six months of 2010, a 36 percent increase over the same six-month period in 2009, according to a new IBM X-Force report. Web applications accounted for the majority of the disclosures, 55 percent, but the report warns that many more weaknesses may be present in custom Web applications that are never publicly disclosed. Obfuscated attacks, which let attackers slip malicious code past traditional security controls, increased 52 percent between the first halves of 2009 and 2010. JavaScript obfuscation is one technique that is especially popular because it allows attackers "to hide their exploits within document files and web pages," the report says. Three of the five most commonly used online attacks observed between January and June 2010 involved PDF exploits. Such attacks peaked in April during a large spam campaign, largely driven by the Zeus and Pushdo botnets sending massive volumes of malicious PDF files over email. On the upside, phishing attacks have declined significantly, although their main goal, stealing financial information, remains the same.
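The report's point about exploits hidden inside document files can be made concrete with a static triage pass over a PDF. The following is an added example, not code from the X-Force report or from this newsletter: it undoes the #xx hex escaping that the PDF syntax permits inside name objects (so /J#61vaScript is recognised as /JavaScript), inflates Flate-compressed streams, where the object carrying the script usually lives, and counts suspicious action names. The indicator list and the two constructed sample files are assumptions for illustration; the "hostile" sample is a structural skeleton, not a working exploit.

```python
"""Static triage of a PDF for indicators of embedded JavaScript or
auto-launch actions, including the #xx name-escape obfuscation trick.
Added example for illustration; not code from the X-Force report."""
import re
import zlib

# Name objects whose presence is worth a closer look. The list is an
# assumption based on common droppers, not taken from the report.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/URI",
)

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# 'stream' keyword followed by its data, up to the matching 'endstream';
# the lookbehind keeps 'endstream' itself from starting a bogus match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escape PDF allows inside name objects, so that an
    obfuscated /J#61vaScript compares equal to /JavaScript. Applied to the
    whole buffer as a triage heuristic, not as a full PDF parse."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Inflate every stream that decodes as zlib/Flate data; the object
    holding the script is usually compressed so it is invisible to grep."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate (image data, etc.) or malformed: skip it
    return out


def pdf_risk_indicators(data: bytes) -> dict[str, int]:
    """Count suspicious names in the raw file and in inflated streams, after
    undoing name escaping. Returns {name: count} for names that occur."""
    views = [normalize_names(data)]
    views += [normalize_names(s) for s in inflate_streams(data)]
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # whole-name match: /JS must not fire on /JSON, /AA not on /AAPL
        pat = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9])")
        n = sum(len(pat.findall(v)) for v in views)
        if n:
            hits[name] = n
    return hits


def build_pdf(catalog_extra: bytes, hidden_obj: bytes) -> bytes:
    """Constructed, minimal PDF-like file (no xref table, not a working
    exploit). hidden_obj becomes object 5 inside a Flate-compressed object
    stream (/Type /ObjStm); catalog_extra is appended to the catalog dict."""
    objstm = zlib.compress(b"5 0 " + hidden_obj)  # "objnum offset" + object
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R" + catalog_extra + b" >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length "
        + str(len(objstm)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        objstm,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    benign = build_pdf(b"", b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>")
    hostile = build_pdf(
        b" /OpenAction 5 0 R",
        b"<< /S /J#61vaScript /JS (app.alert('triage demo')) >>",
    )
    print("benign :", pdf_risk_indicators(benign))
    print("hostile:", pdf_risk_indicators(hostile))
```

Two design points matter in practice. First, a plain grep for /JavaScript misses both the hex-escaped name and anything inside a compressed object stream, which is exactly where the report says attackers hide their code; the example handles both. Second, a hit is a reason to detonate the file in a sandbox or run a real parser over it, not a verdict: /OpenAction and /URI appear in plenty of legitimate documents.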


Federal CIOs Issue Cloud Computing Privacy Framework
InformationWeek (08/25/10) Hoover, J. Nicholas

In a new document that outlines a proposal for a policy framework on privacy and cloud computing systems, the federal CIO Council said that federal agencies need to be aware of the privacy concerns that come with storing sensitive information in the cloud. For instance, cloud providers may be able to analyze or search data if the contractual terms of the service are set incorrectly. In addition, cloud computing providers may not inform the government of a breach and may fail to provide the government with a full and accessible audit trail. These and other privacy concerns can arise because cloud computing providers do not have to comply with the same laws and regulations that federal agencies do. Nevertheless, using cloud computing can improve privacy and make information owned by federal agencies more secure, so long as the cloud deployment is "thoughtfully considered," the federal CIO Council document said. This means that federal agencies need to ensure that the language in the contract with the cloud computing provider meets federal privacy needs and regulations and to conduct a Privacy Threshold Analysis to determine whether a cloud computing system creates risks to privacy. Finally, a Privacy Impact Assessment should be performed to assess and mitigate any risks that are found.


Registry Operator Afilias Embraces DNS Security
Network World (08/24/10) Marsan, Carolyn Duffy

Afilias plans to launch DNS Security Extensions (DNSSEC) on 13 of the domains it operates, including .info, India's .in, and .asia, before the end of 2010. The Internet's root servers began supporting DNSSEC on July 15. Since then, 26 top-level domains, including .org and .edu, have begun digitally signing their zone data with DNSSEC so that resolvers can detect forged responses. DNSSEC is designed to defeat cache poisoning attacks, but the protection applies only to domains whose zones are signed and only when the querying resolver validates the signatures, so coverage grows with deployment rather than arriving all at once. Afilias says it will support DNSSEC for the .info domain, which has 6.5 million registered names, in September, followed by .in and .asia in early October. Afilias will then roll out DNSSEC for the following domains before the end of the year: Mongolia's .mn; Seychelles' .sc; Honduras' .hn; Belize's .bz; Antigua and Barbuda's .ag; St. Lucia's .lc; St. Vincent and the Grenadines' .vc; Gibraltar's .gi; and Montenegro's .me. Afilias also will support DNSSEC for .aero, a domain extension restricted to the aviation industry.


IT Security Incidents Prompt Nashville, Tenn., to Strengthen Policy, Hire IT Security Chief
Government Technology (08/23/10) Wilkinson, Karen

When a data breach in late 2007 led to the exposure of more than 320,000 Nashville voters' personal information, it was the crisis point that propelled Nashville and Davidson County to assess and define IT security protocols, among other internal reforms. A laptop was snatched from the Davidson County Elections Commission office, along with other electronic devices, after someone shattered the window with a brick, says city technology chief Keith Durbin. Although no cases of identity theft as a result of the exposure were reported, the laptop was not encrypted, so the government had to assume the worst, he says. "It truly was a defining moment." The incident served as a wake-up call for the combined government, which oversees approximately 60 departments and agencies. Mayor Karl Dean, who took office months before the incident, triggered a series of executive orders that set up oversight boards and training programs, in hopes of mitigating future security incidents. An in-depth security policy is slated to take effect this fall, and Durbin is now hiring a chief information security officer to spearhead the effort.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

