
Friday, July 27, 2007

Security Management Weekly - July 27, 2007

July 27, 2007
 
 
CORPORATE SECURITY
  1. "Barry Mania" San Francisco Giants Tighten Security as Barry Bonds Nears Home Run Record
  2. "Disaster Plans Falter After the Blast" Steam Pipe Blast Tested NYC Businesses' Disaster Plans
  3. "Holmes, Hewitt, Longoria Among Celebrities at Game" Security Guards Protect Soccer Star David Beckham During His U.S. Debut
  4. "Ponemon Institute Releases Yearly Database Security Survey"
  5. "The Valley of Surveillance" Phoenix Surveillance Camera System Uses Mesh Technology
  6. "Dealing With Workplace Bullies: Tips for HR"
  7. "Security: A Business Enabler, Not Disabler" Corporate Computer Centers Should Be Designed With Security in Mind

HOMELAND SECURITY
  8. "Airports Told to Be on the Lookout" TSA Alert Warns of Terrorist Dry Run Aboard Airliners
  9. "Mauritians Pioneer Emergency Preparedness Training in Second Life"
  10. "Poll: More Coastal Residents Would Not Evacuate for Hurricane"
  11. "State-Run Sites Not Effective Vs. Terror" Report Finds Fault With Antiterrorism Fusion Centers
  12. "Campus [In] Security" Community Colleges Review Campus Security
  13. "Crude Oil and Corruption" Multinational Oil Companies in Nigeria Are Under Assault

CYBER SECURITY
  14. "IPhone Flaw Lets Hackers Take Over, Security Firm Says"
  15. "Managing Technology Patching Holes" Spear Phishing and Unvalidated Inputs Threaten Networks

"Barry Mania"
San Francisco Chronicle (07/21/07) P. A1 ; Fimrite, Peter

The Coast Guard, San Francisco police, and Major League Baseball's San Francisco Giants are collaborating to provide security at AT&T Park in preparation for the moment when controversial Giants slugger Barry Bonds breaks the all-time home run record. Bonds, who has been dogged by accusations of steroid use, is now just two home runs shy of breaking baseball's most hallowed record. Beginning Monday, Bonds and the Giants will play a string of seven home games, and security at AT&T Park has been ramped up in case Bonds sets the record during this stretch. Special precautions are being taken to protect the fan who ends up snagging the record-setting home run ball, which is expected to become a valuable artifact. Security guards will immediately whisk the fan away from the stands and place the fan in a safe area, says Giants spokeswoman Staci Slaughter. "If they want to watch the rest of the game, we will put the ball in a safe for them," explains Slaughter. The ball itself, like all balls now pitched to Bonds, will be authenticated with a special logo stamp. The Coast Guard will watch over the McCovey Cove area of water outside the stadium, where pleasure craft frequently gather in the hope of retrieving home runs that land in the water. Boats will not be allowed to come within 1,000 feet of a barge from which fireworks will be set off when Bonds sets the record.

"Disaster Plans Falter After the Blast"
Crain's New York Business (07/22/07) ; Cordova, Elisabeth Butler; Fung, Amanda

Despite being one of the best-prepared cities for disaster, according to an AT&T survey, New York City businesses discovered this month that even emergency plans cannot prepare workers for panicked reactions and for logistical problems related to technology. City emergency staffers and Consolidated Edison workers were still cleaning up after the steam pipe explosion on July 18, and about 200 businesses were forced to close their doors for several days. The blast damaged Verizon's communication lines, leaving many firms without phones for a couple of days, while other businesses found that employees had left their cell phones on their desks when they evacuated their offices. Other firms found that their designated evacuation meeting places had been taken over by local officials to treat wounded pedestrians. Many businesses were still struggling to get back up and running several days later because they had failed to plan for backup or offsite computer servers.

"Holmes, Hewitt, Longoria Among Celebrities at Game"
Associated Press (07/21/07)

Several security guards were on hand to provide personal protection for English soccer star David Beckham, who made his much-hyped U.S. debut in Carson, Calif., Saturday night as a member of the Los Angeles Galaxy. Due to Beckham's presence, several celebrities were among the crowd in the stadium, including Gov. Arnold Schwarzenegger and actresses Katie Holmes, Jennifer Love Hewitt, and Eva Longoria. As Beckham took the field and sat on the team bench, a crush of nearly 100 photographers swarmed him before a group of 10 security guards forced the photographers back.

"Ponemon Institute Releases Yearly Database Security Survey"
Access Control & Security Systems (07/24/07)

Trusted insiders are a significant and largely unmonitored risk for many businesses, and most organizations lack the technology or practices to combat such threats, concludes a new report from Application Security and the Ponemon Institute. The survey was designed to evaluate how organizations safeguard their databases and how they respond to potential threats. Corporate information technology respondents were polled on four areas: the IT environment within the organization, including its size and complexity; the urgency of deploying database security measures; the relative importance of database security versus other information security practices; and the priorities that drive database security initiatives within the organization. The survey found that larger organizations tend to rank customer and employee data as secondary to securing intellectual property, and, accordingly, most of the data exposed since 2005 has been customer or employee information. Although most organizations are aware of database threats, 40 percent of respondents said their organization lacks the tools to implement database monitoring, while others were unsure whether their databases are monitored at all. A majority of those polled expected marginal or no staffing increases in the next year.

"The Valley of Surveillance"
Governing (07/07) Vol. 20, No. 10, P. 38 ; Perlman, Ellen

Phoenix, Ariz., has acquired a surveillance camera system that allows police to keep an eye on activity across the city. The nearly $500,000 system lets Phoenix police view camera images from police headquarters, in patrol cars, or on handheld devices. Officers can rotate the cameras 360 degrees, and the system has enough bandwidth to deliver almost real-time video. In addition, the cameras support "smart searching" of the video, so officers do not have to review the entire recording. While opponents contend that erecting cameras just moves violators to another location to avoid being caught on film, authorities note that it throws criminals off-balance, and that forcing them into unfamiliar areas places them at a disadvantage and gives police a chance to apprehend them as they make errors. Phoenix's cameras are moved on a regular basis and are set up in areas where criminals are predicted to strike next. The cameras employ mesh technology, which transports images and data to the networked nodes erected around an area. The mesh structure creates coverage "umbrellas," and data moves from one umbrella to another.

"Dealing With Workplace Bullies: Tips for HR"
Workforce Management (07/01/2007) ; Mueller, Robert

Coping with a bullying supervisor can be one of the toughest parts of a human resources (HR) professional's job, but not all difficult supervisors are bullies. Separating individual communication problems from an overall pattern of intimidation is essential. When an employee complaint arises, the first step the HR department needs to take is to discreetly, but legally, rule out other possible causes for the friction with the supervisor. Both the supervisor and the employee filing the complaint could be dealing with substance abuse, stress, cultural insensitivity, potential disciplinary problems, or personal problems, none of which indicates a bully. After eliminating these possibilities, the HR department should seek out possible former victims, even those who have left the company. This will help determine whether it is dealing with an isolated incident or a pattern of abuse. Observing the way other employees react to the supervisor is also essential in making a clear distinction. Finally, experts recommend looking into the supervisor's overall work performance; a bully may be detected by analyzing the supervisor's company spending and interactions with peers and clients.

"Security: A Business Enabler, Not Disabler"
Baseline (07/07) No. 74, P. 41 ; McCormick, John

Purdue University professor Eugene Spafford, recipient of the ACM's President's Award for his "extensive and continuing record of service to the computing community, including major companies and government agencies," says one of the biggest weaknesses in corporate computer centers is business processes, operating systems, and applications that are developed and implemented with convenience or cost, rather than security, in mind. He says it is "just plain wrong" to assume that patches and add-ons will ensure the security of such products, when in fact security must be designed into the products from the outset. Spafford explains that part of this effort involves "having informed, empowered individuals who have the appropriate training and background to be making decisions about what goes in, and that those decisions are based on an adequate understanding of risk." A lack of knowledge about specific risks and the value of components is a major failing, and Spafford says CIOs must obtain a comprehensive view of the resources in need of protection and their associated risks. Spafford recommends that managers ask whether the proper applications, operations, and business processes are running, who ultimately decides on new acquisitions and the architecture as project momentum builds, and whether risk is properly integrated into those decisions. He also suggests that people adopt a mindset that views security as an enabler rather than a disabler.

"Airports Told to Be on the Lookout"
Associated Press (07/25/07)

The Transportation Security Administration has issued an unclassified alert to federal air marshals, its own officers, and other law enforcement officers warning them to be on the lookout for terrorists practicing to carry explosive components onto airliners. The alert is based on seizures in September at airports in San Diego, Milwaukee, Houston, and Baltimore of items including "wires, switches, pipes or tubes, cell phone components" and claylike substances such as block cheese. "The unusual nature and increase in number of these improvised items raise concern," says the alert.

"Mauritians Pioneer Emergency Preparedness Training in Second Life"
L'Express (07/23/07) ; Beedasy-Ramloll, Jaishree

Idaho State University researchers have established a virtual town where first responders can receive disaster training in the popular Web-based 3D virtual world Second Life. The town, which includes a police station, hospital, and residences, is located in Second Life's Play2Train section, a federally funded collaborative effort involving the U.S. Centers for Disease Control and Prevention and several universities. Real-life first responders can use their computers to visit the Play2Train area, where they can participate in several types of virtual training events, including Alternative Care Facility Mobile Quarantine and Healthcare Facility "Sidewalk Triage" for an Avian Flu Pandemic. The Second Life virtual world is populated by real-life people who control their "avatars" in the fictional world; these avatars can interact and communicate with other avatars within the virtual world. Thus, the avatars can participate in the disaster-training exercises, including instructional courses and table-top exercises, which have some advantages over real-world training in that simulated weather conditions such as rain, snow, and lightning can be added to make the training more realistic. The researchers behind the Play2Train effort believe that training exercises in the virtual world could eventually supplant real-world exercises.

"Poll: More Coastal Residents Would Not Evacuate for Hurricane"
Miami Herald (07/24/07) ; Gresko, Jessica

A new Harvard University survey of 5,000 adults living in the coastal regions of eight Southern states finds that 31 percent of respondents would refuse to evacuate during a hurricane, and 5 percent might refuse to evacuate depending on the particulars of the situation. The 2006 version of the same survey found that only 23 percent of coastal residents said they would refuse to evacuate. The 2007 study also finds that 27 percent of respondents say they would be resistant to evacuating because they would not want to abandon a family pet. The survey also shows that 78 percent of respondents believe they are prepared for a major hurricane. In addition, 60 percent of the 500 New Orleans residents who participated in the study said they had no idea where evacuation shelters are located, compared with 40 percent for the rest of the survey respondents. The respondents gave several reasons for refusing to evacuate, among them that their homes are strong and safe, that roads would be congested, and that evacuating would be risky.

"State-Run Sites Not Effective Vs. Terror"
USA Today (07/23/07) ; Hall, Mimi

The 42 anti-terrorism "fusion" centers that have been created in 37 states have thus far proved inefficient at sharing information to combat terrorism, according to a new report from the Congressional Research Service. The fusion centers were created with the aim of increasing information-sharing among federal, state, and local law enforcement officials. But many of the centers have strayed from their central anti-terrorism mission and have instead "increasingly gravitated toward an all-crimes and even broader all-hazards approach," the report says. The Department of Homeland Security (DHS) has provided states with some $380 million in funding to create the fusion centers. One common problem plaguing the centers is that federal agents have resisted sharing information with local police, said Sen. Susan Collins (R-Maine), who believes there should be a requirement that federal analysts be posted at each center. One DHS official predicts that by the end of 2008, 35 DHS analysts will be working in the centers.

"Campus [In] Security"
Community College Journal (07/01/2007) Vol. 77, No. 6, P. 12 ; Collett, Stacy

One day prior to the attack at Virginia Tech, the American Association of Community Colleges (AACC) hosted a panel of community college presidents and security executives to discuss how to prevent and respond to security threats on college campuses. Ironically, one of the topics focused on was how college heads could communicate emergency information to students, staff, and faculty quickly and simultaneously during an emergency, something which Virginia Tech's administrators were severely criticized for failing to do following the attack on their campus. "It was strange," said South Texas College (STC) chief project officer David Plummer, a panelist at the AACC event. "I don't think anybody has a perfect plan for a Virginia Tech [type] incident. That's not your most likely scenario, but you still need to plan for it." Plummer knows firsthand of the need to plan for such contingencies. In 1998, two men staged an armed robbery at a crowded evening course registration session on the STC campus. STC is currently studying the communications issue, looking into everything from sirens to new technology. Plummer says he would like to see the implementation of a system capable of sending multiple messages via e-mail, cell phones, and pagers to ensure students receive a warning whether on or off campus. Emerging from Virginia Tech and other violent incidents at colleges is a greater focus on security. Campuses are adding wireless cameras, boosting security patrols, and installing more emergency call boxes and bright lighting in remote areas. Also, schools are collaborating with city and county officials in emergency response. Another focus has been on post-incident counseling and the identification of students who might be at risk of committing a violent crime.

"Crude Oil and Corruption"
Security Management (06/07) Vol. 51, No. 6, P. 66 ; Elliott, Robert

Shell, ExxonMobil, and other multinational oil companies in Nigeria's volatile Niger Delta region are facing serious attacks on their oil facilities and pipelines, including bombings and employee kidnappings, on a near-daily basis. The attacks are perpetrated by armed militants and, in some cases, by economically depressed local townspeople who use tools to break into oil pipes in remote locations and steal oil, creating oil leaks and environmental pollution. The theft of oil from pipelines costs Nigeria 50,000 barrels of crude oil per day, according to security officials, who explain that the thefts are often part of a larger criminal network that uses offshore barges to transport the stolen oil and sell it to parties in other countries. The security situation in Nigeria is worsened by the corruption and ineptitude that permeate Nigerian society and government; the country's vice president last year is said to have been one of the biggest oil thieves plaguing the multinationals. Nigerian law requires the multinationals to employ many Nigerians, and these employees have contributed to internal corruption and sabotage at the oil companies, including the theft of confidential and proprietary data. The government security forces that protect the oil facilities are also often corrupt and ineffective, prompting the multinationals to take security into their own hands. For example, Shell is implementing a three-tiered security strategy that emphasizes human intelligence, public relations, and security technology.

"IPhone Flaw Lets Hackers Take Over, Security Firm Says"
New York Times (07/23/07) P. C4 ; Schwartz, John

Researchers at Independent Security Evaluators have discovered a vulnerability in Apple's iPhone that hackers can exploit to take control of the device. Independent Security's Dr. Charles A. Miller, a former National Security Agency employee with a doctorate in computer science, recently demonstrated to a reporter how a hacker can take advantage of the vulnerability to gain access to the personal information stored on an iPhone. In his demonstration, Dr. Miller used his iPhone's Web browser, a version of Apple's Safari Web browser, to visit a Web page that he designed. Once he had loaded the site, the Web page injected a bit of code into the iPhone that made the device transmit a set of files to the attacking computer, including recent text messages, telephone contacts, and email addresses. Dr. Miller noted that hackers could also use the vulnerability to program the phone to make calls or turn it into a portable bugging device. Steven M. Bellovin, a professor of computer science at Columbia University, said the hack appears to be genuine. He added that such vulnerabilities are inevitable, given that cell phones are becoming more and more like computers. "We've been hearing for a few years now that viruses and worms were going to be a problem on cell phones as they became a little more powerful, and we're there," he said. Bellovin noted that the iPhone is a full-fledged computer, "and sure enough, it's got computer grade problems."

"Managing Technology Patching Holes"
Government Executive (07/01/07) Vol. 39, No. 11, P. 53 ; Holmes, Allan

Although known vulnerabilities such as viruses and malware remain a major threat to networks, two other threats are becoming a greater risk as well. One is spear phishing, in which a hacker uses an email message to trick employees into providing personal information about themselves or their colleagues; the hacker then uses that information to create a false identity or to gain access to online accounts. The other is unvalidated input (a failure of input checking), in which a hacker inserts a command within the string of characters typed into a field that asks for personal information. The inserted command tricks the underlying database into returning its entire list of names and personal information. These two threats now account for two-thirds of all cyber attacks, according to Alan Paller, director of research at the SANS Institute; the other third results from the failure to patch systems on a routine basis. Most system administrators fail to create a patch management process because doing so takes a great deal of time. However, they can take several steps to make the job easier, including conducting a risk assessment of their networks to find out where data is stored and identifying the conduits to that data.
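The unvalidated-input problem described above, as an added example that is not from the article or from any organization it cites: a Python/SQLite lookup that splices a form field straight into the query text, beside the parameterized version and an allow-list check. The table, its rows and the hostile field value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a "personal information" form backend.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "555-0101"),
    ("bob", "bob@example.com", "555-0102"),
    ("carol", "carol@example.com", "555-0103"),
]


def build_db():
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Unvalidated input: the field value becomes part of the SQL text itself,
    so quote characters in the value can change the query's structure."""
    sql = "SELECT name, email, phone FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fix: the value is bound as data by the driver and is never parsed as SQL."""
    sql = "SELECT name, email, phone FROM people WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_safe_name(name):
    """Allow-list validation at the field: defence in depth on top of binding.
    A name field has no business containing quotes, spaces or operators."""
    return name.isalnum() and 0 < len(name) <= 32


def demo():
    """Run both lookups against a normal value and a constructed hostile value."""
    conn = build_db()
    normal = "alice"
    # Not a name: it closes the quoted literal and appends a condition that is
    # true for every row, which is exactly how the whole table gets returned.
    hostile = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, normal),
        "normal_parameterized": lookup_parameterized(conn, normal),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),  # all 3 rows leak
        "hostile_parameterized": lookup_parameterized(conn, hostile),  # no rows
        "hostile_passes_validation": is_safe_name(hostile),  # False: rejected early
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable path returns every row for the hostile value, while the bound query returns nothing and the allow-list rejects the value before it reaches the database at all.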

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD
