
Friday, October 29, 2010

Security Management Weekly - October 29, 2010


October 29, 2010
 
 
Corporate Security
  1. "Domestic Violence is a Workplace Issue, Say Law Firms"
  2. "All Eyes on France as Officials Enforce New Antipiracy Law"
  3. "Police in Call for New Powers to Close Down Rogue Scrap Metal Merchants" United Kingdom
  4. "Prescription-Drug Use an Issue for Employers"
  5. "Executive Protection: The Private-Sector Model Is Broken"

Homeland Security
  1. "Trip Plan Sparked FBI's Terror Sting" Washington, D.C., Metro Terrorist Plot
  2. "Recruiting Station Shots Linked to 2 Incidents" Virginia
  3. "Feds Arrest N.Va. Man in D.C. Metro Bomb Plot"
  4. "Republicans Probe Gitmo Transfers to Europe"
  5. "U.S. Military Sees Additional Document Leaks Ahead"

Cyber Security
  1. "Businesses Unsure How to Protect Cloud Data: Survey"
  2. "Users Complacent About Mobile Security, Finds Research"
  3. "Sites Ending in .Com, .VN Are the Riskiest, McAfee Finds"
  4. "Security Flaws Found in Systems That Track Recovery-Related Spending at Transportation"
  5. "As E-Voting Comes of Age, Security Fears Mount"

Domestic Violence is a Workplace Issue, Say Law Firms
Law.com (10/29/10) Hobbes, Meredith

Domestic violence is a serious problem that can spill into the workplace, regardless of industry. Although there have been cases of abusers killing their victims at work, the abuser does not need to be present at the office to cause a disruption, according to a recent seminar on domestic violence and the workplace held by Kilpatrick Stockton in Atlanta. Participants discussed how employers can help domestic violence victims. For example, human resources directors should watch for potential signs of abuse such as disruptive phone calls, sudden changes in performance, or missed work. The employer's first concern in a case of suspected abuse should be to help the employee keep their job, because financial independence can help the survivor leave the situation. Supervisors and co-workers are often hesitant to intervene when they suspect someone is being abused because they do not know how to help. Speakers at the seminar encouraged participants to ask co-workers whether they feel safe at home if they think abuse may be a factor, and to connect employees with community organizations that provide counseling and support. Several people suggested placing pamphlets with contact information for domestic violence aid organizations in both the men's and women's restrooms, so people in abusive situations do not have to draw attention to themselves when looking for resources. Another option is to host lunch-and-learn programs on the subject.


All Eyes on France as Officials Enforce New Antipiracy Law
Wall Street Journal (10/27/10) Colchester, Max

France has begun enforcing a new law aimed at cracking down on Internet users who illegally download films and music. As part of the effort against Internet piracy, which is believed to cost France's music industry $978 million per year, the French government has hired a private company to monitor file-sharing sites and catch those illegally downloading music or videos. The company passes the IP addresses of offenders to "Hadopi," the acronym for the agency responsible for implementing the anti-piracy law. Hadopi then asks Internet service providers for the e-mail addresses of the subscribers behind those IP addresses so that they can be warned to stop. If users are found to have illegally downloaded music or videos again within six months, they receive a second warning by registered letter. On a third offense, charges can be brought and the user can be banned from the Internet for a year. Enforcing the law has been difficult, as some Internet service providers have been hesitant to cooperate. Officials in South Korea, Taiwan, and the U.K. have enacted anti-piracy laws similar to France's, and they are watching how Paris implements its statute.


Police in Call for New Powers to Close Down Rogue Scrap Metal Merchants
Bolton News (Lancashire, U.K.) (10/26/10)

With metal theft in the U.K. on the rise, British police chiefs are calling for new powers to shut down scrap metal merchants who buy stolen copper wire. According to the British Transport Police (BTP), there have been 1,855 cable-related incidents so far this year, and BTP has arrested 500 suspected metal thieves. Bolton, England, has been hit especially hard by a number of high-profile metal thefts, including a raid on M&A Pharmaceutical in Wingates that caused more than £100,000 in damage. BTP says that metal stolen in thefts like the one at M&A Pharmaceutical is generally exported via scrap yards and often ends up in China, where copper is being stockpiled. Meanwhile, the Association of Chief Police Officers and the British Metal Recycling Association have drawn up a code of conduct for scrap metal dealers, which includes taking reasonable steps to ensure that they do not buy stolen metal.


Prescription-Drug Use an Issue for Employers
Seattle Times (10/25/10) Zezima, Katie; Goodnough, Abby

Employers are struggling to find ways to address their employees' growing use of prescription drugs that could cause safety problems in the workplace. According to an analysis of more than 500,000 drug tests by the workplace drug test provider Quest Diagnostics, the number of employees who tested positive for prescription opiates between 2005 and 2009 increased by more than 40 percent. But many employers have not addressed prescription drug use among their employees, even though they could be held liable for industrial accidents, defective products, and on-the-job injuries caused by a worker who abuses prescription drugs, said Mark de Bernardo, the executive director of the Institute for a Drug-Free Workplace. One reason why many employers have not addressed prescription drug use is that it can be difficult to prove that a worker is impaired by a prescription drug. Although employers can ask employees who work in positions where safety is important to notify them about their prescription drug use, they cannot be certain that they will do so. It can also be difficult to develop policies governing the use of prescription drugs because the Americans with Disabilities Act forbids companies from asking their workers about their prescription drug use unless they are seen acting in ways that could be unsafe or in ways that show that they cannot perform the duties of their jobs for medical reasons. But experts say that companies can protect themselves from the problems caused by prescription drug use by establishing thorough and consistent policies that describe which drugs workers can be tested for and under what circumstances. In addition, supervisors should be trained to look for signs that workers are impaired by prescription drugs so that they can legally be tested.


Executive Protection: The Private-Sector Model Is Broken
CSO Online (10/01/10) Vol. 9, No. 8, P. 30 Falkenberg, Christopher

Corporate executives face threats that differ from those faced by political leaders, and so require a different approach to security. Private-sector leaders may be targeted for a variety of reasons, including their wealth and community presence, and business controversies: companies that test products on animals, make pharmaceuticals, or drill for oil can attract threats. Many protection agencies neglect to consider job-specific security requirements, and whether their employees are adequately qualified for the job. Christopher Falkenberg, president of Insite Security, argues in this column that the model for executive protection in the private sector is broken, and that the security industry has failed to offer real solutions for executives and their families. He says that executive protection must be approached from the ground up, by examining the legitimate risks to the executive and his or her family: Where do they live? How can vulnerable situations be avoided? Is there a pattern of threatening behavior? "This is a wakeup call for the industry -- to both private sector providers and corporate security providers -- the service offering is predicated on a model that doesn't apply to them," says Falkenberg. "Executives don't live in the 'presidential' market place. As security professionals, we need to find the best intersection between convenience and effective security."


Trip Plan Sparked FBI's Terror Sting
Wall Street Journal (10/29/10) Perez, Evan

Officials have revealed how they came to learn about the 34-year-old Pakistani-American man who allegedly planned to attack the Washington, D.C., Metrorail system. According to officials, Farooque Ahmed of Ashburn, Va., came to the attention of investigators after he and an associate attempted to make contact with a terrorist organization to help them travel to Afghanistan or Pakistan to fight U.S. forces there. After determining that Ahmed was potentially dangerous, the FBI devised a sting operation in which an undercover agent posing as an operative of a terrorist group asked the suspects to help gather information for planned bombings. Such stings have become a common tool for disrupting domestic terrorist plots since the September 11, 2001, attacks. Former FBI agent Peter Ahearn said that sting operations are useful because they make potential terrorists afraid that anyone they contact could be an undercover agent. However, lawyers for the seven members of a Miami religious group arrested in 2006 for plotting to attack the Sears Tower in Chicago and federal buildings say that undercover informants appeared to entrap their clients. That case produced two mistrials, though a third trial resulted in the conviction of five of the defendants on terrorism-related charges.


Recruiting Station Shots Linked to 2 Incidents
Washington Post (10/29/10) P. B10 White, Josh; Glod, Maria

The FBI has linked a shooting at a Marine Corps recruiting station in Chantilly, Va., earlier this week with previous shootings at the Pentagon and the National Museum of the Marine Corps in Triangle, Va. According to the FBI, the weapon that was used at the recruiting station shooting was also used in the incidents at the Marine Corps museum and the Pentagon, which took place on Oct. 17 and Oct. 19, respectively. In addition, all three shootings took place late at night or early in the morning when the buildings were empty or when it was unlikely that people would be around. The Marine Corps recruiting station was also vacant at the time of the shooting. Authorities say that they do not have a motive for any of the shootings, though they say they are following all possible leads.


Feds Arrest N.Va. Man in D.C. Metro Bomb Plot
Washington Post (10/28/10) Finn, Peter; Hsu, Spencer S.; Gibson, Caitlin

An Ashburn, Va., man was arrested on Wednesday on charges of planning to bomb four stations on Washington, D.C.'s Metro system. According to an official with the Obama administration, 34-year-old Farooque Ahmed--a naturalized U.S. citizen who is originally from Pakistan--came to the attention of authorities after he tried to obtain several unspecified materials. Law enforcement officials then launched a sting operation against Ahmed, during which he allegedly told federal agents posing as Islamic radicals that he would conduct video surveillance of the Arlington Cemetery, Pentagon City, Crystal City, and Court House Metro stations in Virginia. In addition, Ahmed allegedly suggested the best time to attack the stations and the best locations to place bombs. Ahmed then later gave authorities the video and sketches he made of the Metro stations, according to a federal indictment. Intelligence sources said that it does not appear that Ahmed received training from al-Qaida or any affiliated organizations, though other terrorism investigations have turned up ties between suspects and overseas terrorist organizations several days after arrests were made. Despite the plot, officials say that the public was never in any danger.


Republicans Probe Gitmo Transfers to Europe
Wall Street Journal (10/27/10) Perez, Evan

Republicans are challenging the Obama administration's decision to transfer some Guantanamo Bay detainees to prisons in Europe. Republican staffers for the Senate Intelligence Committee traveled to Spain, Germany, France, and other countries to see whether they could find evidence that security around the detainees was lacking. Although President Obama ordered Guantanamo Bay closed on his second day in office, Republicans have been largely successful in blocking that effort. Transferring detainees to Europe and some other countries has been the administration's most successful strategy, with 66 detainees already moved. Staffers aware of the trip have declined to say whether they found any evidence of lax security or of detainees being in contact with al-Qaida or other militant groups. They did say, however, that in some cases the way the detainees were monitored differed from what the administration had described.


U.S. Military Sees Additional Document Leaks Ahead
Wall Street Journal (10/27/10) Barnes, Julian E.; Lauria, Joe

A Pentagon spokesman said Tuesday that the Web site WikiLeaks could soon publish more material that was stolen from classified military computer networks. Among the files that WikiLeaks could release is a large encrypted document called "insurance" that users can download from the site. However, WikiLeaks has not released a decryption key for the document. In addition, it remains unclear whether the Pentagon has decrypted the insurance file. According to Pentagon spokesman Col. David Lapan, the Department of Defense does not know exactly what information WikiLeaks has because it is not entirely certain what the contents of the insurance file are. Another defense official noted, however, that the Pentagon's investigation into Private First Class Bradley Manning--who has been arrested and charged with giving WikiLeaks classified material--has given DoD some idea of what may be in the insurance file. As part of that investigation, authorities were able to examine computers used by Manning to find other material he downloaded and may have given to WikiLeaks. Manning has allegedly bragged to another hacker that he had access to a number of diplomatic cables. Speculation about the release of more documents by WikiLeaks comes several days after the site released nearly 400,000 U.S. military reports from the war in Iraq, which included documents detailing thousands of unreported civilian deaths and the involvement of U.S. officials in the torture of Iraqis by local security forces.


Businesses Unsure How to Protect Cloud Data: Survey
eWeek (10/27/10) Eddy, Nathan

The cloud is still a virtual no man's land when it comes to the security of the information stored there. That is the conclusion of Courion's first annual 2010 Access Assurance Survey, which found that one in seven companies admit they recognize there are potential access breaches in their cloud platforms, but they do not know how to locate them. The survey also revealed widespread confusion about who is in charge of securing information in the cloud, with nearly 80 percent of respondents unable to identify the chief entity responsible. The worldwide survey of 384 business managers from large companies, 86 percent of which had 1,000 or more employees, indicated that cloud security controls are not keeping up with the rapid pace of cloud adoption. Furthermore, the lack of knowledge about which platforms or applications workers may access is actually on the rise, up nearly 10 percent from 2009. Close to half of the respondents said they believe a compliance audit of their cloud-based applications could reveal some unauthorized access by users. An additional 15.7 percent admitted they are aware of potential access violations but do not know how to find them. Although more than 65 percent said that the company from which the data originates, the application provider, and the cloud service provider are all accountable, an additional 13 percent expressed uncertainty. Businesses are less confident this year than last that they can prevent fired employees from accessing one or more information technology systems. "These results show that many organizations are not currently doing the proper due diligence to ensure that sensitive data is being accessed by the right employees on-premise, not to mention when data is housed by a third party provider," the report states. "The responses indicate that the problem is getting worse, and is only being exacerbated by the increasing use of cloud-based applications, which creates more access violation risk."


Users Complacent About Mobile Security, Finds Research
BBC News (10/27/10)

People have some conflicting attitudes about mobile security, according to a Juniper Networks survey of 6,000 people in 16 countries. The study found that 80 percent of people said that security was a top priority when purchasing or using a smartphone. However, the survey also found that 70 percent of people store sensitive data on their mobile devices without using any type of security measures. In addition, the survey found that the use of smartphones by employees can compromise the security of corporate networks. Among the employees who took part in the survey, 59 percent said that they used their smartphone for business without obtaining permission to do so. The survey also found that there has been a 250 percent increase in the number of threats to mobile devices over the past year. Nearly two-thirds of all reported smartphone infections were spyware that was capable of monitoring communication from the mobile device, while an additional 17 percent of infections were text message Trojans that charged fees to the victim's cell phone bill.


Sites Ending in .Com, .VN Are the Riskiest, McAfee Finds
SC Magazine (10/26/10) Kaplan, Dan

Dot-com is the top-level domain most likely to lead users to sites that infect computers with malware, according to the third annual McAfee study of the Web's most dangerous areas. Previously, Cameroon's .cm country-code TLD held that position. Overall, 6.2 percent of the roughly 27 million sites McAfee rated were judged risky, up from 5.8 percent a year ago, and 56 percent of those risky sites ended in .com. Among country-code domains, Vietnam's .vn is now considered the most risky, with 29 percent of its sites posing a potential security threat; Cameroon ranks second in that category. "Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught," says McAfee Labs research director Paula Greve. "A domain that's safe one year can be dangerous the next." The risk rating for Singapore's .sg domain dropped significantly after its domain managers cracked down on scam registrations.


Security Flaws Found in Systems That Track Recovery-Related Spending at Transportation
NextGov.com (10/25/10) Sternstein, Aliya

U.S. Transportation Department Web sites that publish stimulus spending updates could be used by attackers to compromise visitors' computers and alter data, according to the department's inspector general. Last December, the IG's office began examining the safeguards for the systems that track the $48 billion Congress authorized Transportation to invest in job-creating infrastructure projects, such as high-speed rail and road expansions. The Recovery Act requires agencies to keep the public informed of stimulus spending via Recovery.gov, but most agencies also run in-house Web platforms for financial management and more detailed reporting. The IG's report identified 1,759 high-risk vulnerabilities across Web sites under Transportation's purview. Recovery-related databases and servers were also exposed to attack, though at lower risk. The weaknesses existed because Transportation had not configured its sites, databases, and servers according to uniform security controls, the report says. "One particular vulnerability, found on eight of the 13 Web sites, could allow hackers to use the Web sites to launch attacks on users' computers," says Earl Hedges of the IG's office.


As E-Voting Comes of Age, Security Fears Mount
Agence France-Presse (10/24/10) Lever, Rob

New technologies that allow voters to cast ballots over the Internet or by other electronic means are gaining popularity in the United States and elsewhere, despite growing security concerns. Thirty-three U.S. states are allowing some e-mail, fax, or online ballots in 2010, according to the Verified Voting Foundation (VVF). These systems could increase voter participation, but their security remains in question. For example, University of Michigan computer scientists recently broke into a Washington, D.C., pilot Internet voting system and altered it so that it played the university fight song. "Within the first three hours or so of looking at the code we found the first open door and within 36 hours we had taken control of the system," according to Michigan professor Alex Halderman. He says that during the attack they observed that hackers from Iran and China were also trying to break into the system. "After this, there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure," says VVF chairman David Jefferson.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD
