Friday, July 22, 2011

Security Management Weekly - July 22, 2011

 
Corporate Security
  1. "Hospital Security Under Fire" Alberta, Canada
  2. "Panel to Take Up New Version of Data Breach Bill" National Guidelines for Data Breach Notifications
  3. "Law Protects Violence Victims in the Workplace" Hawaii
  4. "Chinese Upset Over Counterfeit Furniture"
  5. "Screening Employees and Contractors Crucial in Reducing Workplace Violence"

Homeland Security
  1. "Canada Says 30 Immigrants Suspected of War Crimes"
  2. "Department of Homeland Security Terror Report Warns of 'Significant Insider Threat' to U.S. Utility Facilities"
  3. "Terrorists From India Are Focus of Probe"
  4. "Al Qaeda Seen Aiming at Targets Outside U.S."
  5. "Post-9/11, Biggest Terror Threat Is Underground" Terrorist Threats to Subway Systems

Cyber Security
  1. "Hackers Post Data Said to be From NATO"
  2. "Hackers Shift Attacks to Small Firms"
  3. "16 Arrested as F.B.I. Hits the Hacking Group Anonymous"
  4. "New NIST Guidance to Feature Privacy Controls" National Institute of Standards and Technology
  5. "Google Sounds Alarm on Malware Problem"

   

 
 
 

 


Hospital Security Under Fire
Metro (Canada) (07/21/11) Williamson, Shelley

Following the escape of two mental-health patients from the Alberta Hospital in just two weeks, Health and Wellness Minister Gene Zwozdesky is calling for a security review to examine protocols and ensure that further escapes do not happen. Melissa Ekkelenkamp walked away from the facility two weeks ago. On July 19, Douglas Campbell scaled a wall during a supervised basketball game and was able to outrun staff and police. Alberta Union of Provincial Employees President Guy Smith said that understaffing has always been a problem at the hospital.


Panel to Take Up New Version of Data Breach Bill
National Journal (07/19/11) Gruenwald, Juliana

Rep. Mary Bono Mack (R-Calif.) has drafted a new version of a data breach bill that establishes national guidelines for when companies and organizations must notify consumers and federal authorities about a breach. "My legislation is crafted around a guiding principle: Consumers should be promptly informed when their personal information has been jeopardized," Bono Mack says. "We need a uniform national standard for data security and data breach notification, and we need it now." The legislation requires businesses to notify consumers and the Federal Trade Commission within 48 hours of a breach following a risk assessment, but only if consumers are at risk for identity theft or fraud as a consequence of the breach. However, notification must be made within 45 days of a breach's discovery. The new bill provides more precise language for identifying individuals affected by an intrusion and for defining what comprises a data breach.


Law Protects Violence Victims in the Workplace
Maui News (HI) (07/19/11) Fujimoto, Lila

Hawaii has passed a new law designed to protect domestic violence victims in the workplace. Under the law, someone cannot be hired or fired because of circumstances related to domestic or sexual violence. The law applies if the employer has been told or knows that a worker is a victim of domestic violence. The law also requires employers to make "reasonable accommodations" in the workplace, including screening telephone calls, restructuring job functions, changing work location, installing locks or other security devices, and permitting flexible work hours. However, the law exempts employers from having to make these accommodations if they result in "undue hardship" for their operations. Employees are also required to produce a police or court record, a signed statement written by their attorney or advocate, victims services organization, medical or healthcare professional, or a member of the clergy to verify their protected status. Verified employees who are denied reasonable accommodations can sue to enforce the requirement and recover costs.


Chinese Upset Over Counterfeit Furniture
New York Times (07/18/11) Barboza, David

State-run media in China recently reported that DaVinci furniture stores in the country have been selling counterfeit luxury furniture. According to reports, some of the furniture that DaVinci has been passing off as being imported from Italy is actually produced at a factory in southern China. Consumers who have bought DaVinci products, meanwhile, have taken to the Web to post stories about how the furniture they purchased from the stores was cheaply made or reeked of horrible-smelling lacquers. Customs officials have said that they had evidence that DaVinci was temporarily keeping the Chinese-made products in a warehouse in Shanghai, and that it was reimporting the products into China after keeping them in Shanghai's Waigaoqiao Free Trade Zone for a day. DaVinci has been ordered by Shanghai's official consumer watchdog bureau to stop selling products with the label of the Italian brand Cappelletti, due to what it said were fake ads and unqualified labels. DaVinci Chief Executive Doris Phua has said that the allegations that her company is selling counterfeit products are false.


Screening Employees and Contractors Crucial in Reducing Workplace Violence
Security Magazine (07/11) Tate, William

A comprehensive background screening program is a key strategy for reducing violence in the workplace, considering the best prognosticator of future violence is a review of the past. Background screening is now a common practice, and the check process can include county criminal record and national criminal file searches, drug testing, prior employment and education verification, license verifications, and other investigations that could uncover potential warning signs. Comprehensive background screening can take up to a week to complete, but the failure to rigorously check employees could lead to problems such as workplace violence, employee theft or fraud that could leave organizations vulnerable to employee injury or death, unsafe working conditions, brand and reputation damage and lawsuits for negligent hiring. Also, all vendors or temporary employees who come in contact with an organization's personnel and customers should be screened, including service and repair professionals, construction workers and food service workers. Additionally, employees and contractors should be re-screened annually; for example, an employee might have joined the organization with a clean record, but new information about a domestic dispute would be critical because such problems are sometimes brought into the workplace. Employees and contractors will better understand the need for such screening when it is properly communicated and presented as part of an organization's larger effort to maintain a violence-free workplace. Comprehensive screening typically does not bother people with clean backgrounds, and it may prompt people who have committed reckless acts to 'self-select' out of the interview process.




Canada Says 30 Immigrants Suspected of War Crimes
Wall Street Journal (07/22/11) Menon, Nirmala

The Canadian government has revealed that 30 men suspected of having committed war crimes, crimes against humanity, or genocide are living illegally in the country. Most of the men, who are from Africa, South Asia, the former Yugoslavia, and Iraq, are thought to have lived in Toronto at some point. Deportation orders for the men have been issued, and the Canadian government on Thursday released the photos and personal information of the suspects in the hopes that it would help law enforcement officials track them down and remove them from the country. It remains unclear what the exact nature of the men's crimes is. It is also unclear whether the suspects have been charged by any court. The release of the suspects' photos and personal information by Canadian government officials appears to be part of an attempt to counter criticism that Canada's immigration policies are too lenient. The move also comes as Canada is cracking down on illegal immigration and is being tougher on those applying for refugee status. On July 20, immigration officials in Canada announced that the citizenship of 1,800 people who became Canadian citizens through fraudulent means would be stripped.


Department of Homeland Security Terror Report Warns of 'Significant Insider Threat' to U.S. Utility Facilities
Daily Mail (UK) (07/21/11)

Sabotage by an insider at a major utility facility, including a chemical or oil refinery, could provide al-Qaida with its best opportunity for the kind of massive Sept. 11 anniversary attack Osama bin Laden was planning, according to U.S. officials. The Department of Homeland Security has issued a report warning about a possible threat from al-Qaida operatives who could carry out attacks on major utility facilities on or around the 10-year anniversary of the Sept. 11 attacks. Such attacks could consist of sabotage perpetrated by an insider working at a utility facility, the report says. The report noted that violent extremists have already been able to obtain insider positions at chemical and oil refineries, and have tried to "solicit" employees in the utility sector. Former Homeland Security chief of staff Chad Sweet noted that an attack on a utility might be appealing to al-Qaida because it would be the only way that the group could kill large numbers of Americans as Osama bin Laden had been planning to do before he was killed in a Navy SEAL operation in May. However, the Department of Homeland Security has said that it does not have any specific threats against U.S. utilities. Nevertheless, DHS spokesman Matt Chandler said that the department plans to work with its partners in the utility sector and at the state and local levels to protect utility facilities.


Terrorists From India Are Focus of Probe
Wall Street Journal (07/20/11) Bahree, Megha

The investigation into last week's attacks in Mumbai, which killed 20 people and injured 131 others, is continuing. One of the areas that investigators are looking at is the similarities that exist between last week's attack and several bombings or attempted bombings carried out by the Indian Mujahideen, an Indian Islamist group that is directed by the Pakistani terrorist organization that carried out the 2008 Mumbai attacks. Investigators say that three incidents involving the Indian Mujahideen over the past year all involved ammonium nitrate bombs equipped with digital timers, as did the most recent series of bombings in Mumbai. However, neither the Indian Mujahideen nor any other terrorist group has claimed responsibility for last week's attacks. In addition to looking at the similarities between the recent Mumbai attacks and other terrorist incidents, police are also looking at closed-circuit TV footage that was recovered from the site of last week's bombings.


Al Qaeda Seen Aiming at Targets Outside U.S.
Wall Street Journal (07/19/11) Gorman, Siobhan; Barnes, Julian E.; Entous, Adam

U.S. officials say that al-Qaida will likely alter its strategy of attacking U.S. and Western interests now that it is under the leadership of Ayman al-Zawahiri. Instead of targeting the U.S. homeland, officials say, al-Qaida will likely be more inclined to attack U.S. and Western targets overseas, where it would be easier to carry out such plots. These attacks may target U.S. military, diplomatic, and government institutions overseas, said Rand Corp. political scientist Seth Jones, and could be similar to the 1998 bombings of the U.S. embassies in East Africa. This change in strategy is a better fit with al-Qaida-affiliated groups like al-Qaida in the Arabian Peninsula, which are increasingly at the forefront of al-Qaida's war with the West. Al-Qaida in the Arabian Peninsula has shown that it will try to carry out any type of attack possible, even if it does not bring about a spectacular result. The adoption of this new strategy comes as al-Qaida's affiliates are working together more closely. Al-Qaida in the Arabian Peninsula, for example, is trying to develop a deeper relationship with the Somali militant group al Shabaab in order to get it to attack U.S. interests in Africa. It remains unclear how aggressive Zawahiri will be in implementing his new strategy.


Post-9/11, Biggest Terror Threat Is Underground
Associated Press (07/18/11)

Subway systems around the world have been a popular target for terrorists in the years since the Sept. 11 attacks. Among the attacks that have taken place was the 2005 attack on London's subway system, which resulted in 52 deaths and 700 injuries. Terrorists also bombed the main subway station in Minsk earlier this year, killing 12 people and injuring 200 others. New York City's subway system, which is comprised of more than 465 stations and 800 miles of track, has also been targeted, though there have been no successful attacks. In 2010, al-Qaida operative Najibullah Zazi admitted to planning a suicide bomb attack on the New York City subway system during rush hour. In addition, al-Qaida reportedly considered using cyanide in an attack on the subway system in 2003. Faced with these threats, authorities in New York City have taken several steps to beef up security in the subway system. For example, the New York Police Department has provided its 2,500 transit officers with training on how to identify terror suspects who may be watching the subways. Silent alarms and motion detectors have also been installed to prevent terrorists from tampering with ventilation systems as part of a chemical or biological attack. More than 30 bomb-sniffing dogs have also been deployed to the system.




Hackers Post Data Said to be From NATO
Wall Street Journal (07/22/11)

Hackers from the group Anonymous say that they have breached NATO's computer systems. In a post on its Twitter page on July 21, Anonymous released a document from 2007 that had the heading "NATO Restricted." Anonymous also said in its post that it planned to release more data in the coming days, though it also said that it would be irresponsible to publish most of the 1 gigabyte of data that it stole from NATO. An official from NATO said that the organization is aware of Anonymous' claims, and that security experts are investigating the possible security breach. The release of the NATO document by Anonymous follows the arrests of 14 people in connection with Anonymous' attacks on PayPal last December. Seven other individuals from the U.S., the Netherlands, and the U.K. were also arrested on charges of taking part in other cyberattacks.


Hackers Shift Attacks to Small Firms
Wall Street Journal (07/21/11) Fowler, Geoffrey A.; Worthen, Ben

Statistics show that small businesses are not immune to hacking attacks. The U.S. Secret Service and Verizon's forensic analysis unit, which investigates cyberattacks, responded to a total of 761 data breaches last year, 482 of which took place at companies with 100 employees or fewer. Many of those attacks are geared toward stealing credit-card information that hackers can sell or use to commit credit-card fraud. Visa says that 95 percent of the credit-card data breaches that it discovers take place at some of the smallest companies it works with. There are a number of reasons why hackers are targeting smaller companies, including the fact that these businesses usually have weak security. City Newsstand Inc., which is located in the Chicago area, suffered a credit-card data security breach last year in part because the business's owner used a weak password for software that could be used to remotely access the store's point of sale system. In addition, hackers can breach the systems of small businesses much faster than they can break into the systems of their larger counterparts. Former hacker Bryce Case Jr. noted that hackers could steal data from dozens of small businesses in the same amount of time that it would take them to break into the systems of a major company. Finally, studies have shown that small businesses generally do not believe that they are at risk of a cyberattack.


16 Arrested as F.B.I. Hits the Hacking Group Anonymous
New York Times (07/19/11) Sengupta, Somini

The FBI announced July 19 that more than a dozen people across the country have been arrested in connection with attacks carried out by the hacker group Anonymous. Among those who were arrested were 14 individuals in 10 different states who are charged with carrying out an attack on PayPal's Web site last December. During that attack, the hackers allegedly used a program known as Low Orbit Ion Cannon to send large amounts of data to the site in order to knock it offline. That attack was launched in retaliation for PayPal's decision to suspend accounts that had been established for making donations to WikiLeaks. Also arrested was a Florida man who is accused of breaching the Web site of Tampa Infragard, an organization that has ties to the FBI, and a New Jersey man who allegedly stole files from AT&T's computer systems while he was a contractor for the company. Those files were then allegedly distributed by LulzSec, a hacker group that branched off from Anonymous. Former federal prosecutor Ross W. Nadel said that the arrests could serve as a deterrent against future attacks, though San Francisco attorney Jennifer Granick, who specializes in computer crimes, said that prosecuting the alleged hackers will be difficult.


New NIST Guidance to Feature Privacy Controls
GovInfoSecurity.com (07/19/11) Chabrow, Eric

The connection between privacy and security is getting codified in the latest version of the National Institute of Standards and Technology's definitive security control guidance. In anticipation of a year-end revision of Special Publication 800-53, NIST recently posted a draft appendix with the preliminary title, Security and Privacy Controls for Federal Information Systems and Organizations, which will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. NIST's Ron Ross defines privacy, with regard to personally identifiable information, as a core value that can be realized only with appropriate legislation, policies, and associated controls to guarantee compliance with requirements. "Privacy and security controls ... are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations," Ross writes in the preface of the draft appendix. With the privacy additions, the guidance would provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements; establish a connection and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in theory and in practice; and promote tighter cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements, among other things.


Google Sounds Alarm on Malware Problem
Wall Street Journal (07/19/11) Efrati, Amir

On July 19, Google announced that it will use its search engine to respond to an outbreak of malware that it recently discovered. A security engineer at the company, Damian Menscher, wrote recently on Google's blog that the company had uncovered "unusual search traffic" while conducting routine maintenance on one of its data centers. After consulting several experts and investigating, the company announced that computers associated with the traffic had been infected with a specific strain of malware. Google plans to notify more than 1 million computer users whose machines are believed to be infected with the strain. Google believes the malware was downloaded by users who were tricked by online scams that offered anti-virus protection but were really malware. Google will post notifications at the top of users' Google Web-search results that inform them that their computers seem to be infected. The notification will assist users in scanning their computers, updating anti-virus software and removing the infections.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD

