Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 30, 2008

Daily Report

• According to the Wall Street Journal, the National Transportation Safety Board’s call for retrofitting planes with fuel-tank designs, like those that exploded in TWA Flight 800, has been bogged down for more than a decade inside the Federal Aviation Administration. (See item 17)

• KVAL 13 Eugene reports that Oregon authorities are tightening security in Eugene in preparation for the Olympic trials. Authorities are setting up metal detectors and using bomb-sniffing dogs to check vehicles and garbage receptacles, and 60 armed officers will be stationed inside the venue. (See item 41)

Banking and Finance Sector

14. June 27, Computerworld – (National) Web firewalls trumping other options as PCI deadline nears. Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts. The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS). Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications. The controls have been a recommended best practice for nearly two years now, but starting June 30, they will become a mandatory requirement under PCI – especially for so-called Level 1 companies that handle more than 6 million payment card transactions a year. Under the requirement (PCI Section 6.6), merchants can choose to implement a specialized firewall to protect their Web applications, or to perform an automated or manual application code review and fix any flaws found. Companies also have the option of performing either a manual or an automated vulnerability assessment scan of their Web application environment, fixing any problems that are discovered during that process. The 6.6 requirement is designed to address growing concerns about vulnerable Web applications being exploited by malicious attackers to compromise payment data. The controls are supposed to protect Web applications from common threats like SQL Injection attacks, buffer overflows and cross-site scripting vulnerabilities. As with almost every other major PCI deadline so far, though, few companies are expected to be fully compliant with the PCI 6.6 requirement come June 30. But analysts say the companies that are compliant or heading in that direction appear to be favoring the Web firewall option. 
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9104118&source=rss_news10

15. June 26, Dark Reading – (National) Hacking the call center. The contact center mostly has been forgotten as a potential point of breach – even though customer service representatives take credit card numbers and outsourced help desk workers have access to your databases. That all soon could change. The Payment Card Initiative (PCI), for instance, also applies to call centers that handle credit card data, so PCI is driving a new generation of security tools that encrypt voice call recordings of phone transactions. RSA’s encryption technology, for instance, is now used to encrypt audio recordings handled by call center software vendor Verint Witness Actionable Solutions’ call recording applications. Even so, not all call centers are tuned into PCI, especially the smaller organizations. “We still find a real lack of awareness in the contact center community about PCI,” says the director of solutions marketing for Verint, who says it is mostly the company’s largest call center customers that have been asking about PCI. Verint’s software records calls in the centers. “Because that data is in an unstructured format – a Wave file, for example – companies are just starting to realize that it becomes an area of potential liability for them,” she says. Other products are emerging that come with a “blackout button” feature that prevents the credit-card number from being recorded on the call and thus not stored at the call center, for example. But credit card information is not the only exposure risk at these sites. Outsourcing-based call centers for IT and help desk support pose even more security problems. “This is a bigger and often more overlooked area, where PCI is not an issue. Credit card numbers aren’t involved, but a major issue is they have access to or a copy of your customer database,” says the vice president and research fellow at Gartner. “And many call centers that are outsourced use shared services. The same IT infrastructure that supports you is supporting” other organizations. Source: http://www.darkreading.com/document.asp?doc_id=157627

16. June 26, Finextra.com – (International) Toronto police bust ATM skimming gang. Police in Toronto have busted a sophisticated ATM skimming ring that used a network of ‘debit card laboratories’ to defraud bank customers of hundreds of thousands of dollars. The swoop on the Toronto crime ring followed a six-week surveillance operation and resulted in the arrest of eight local people. The gang used portable card skimmers to capture customer data at the cash machine for later download and transfer to counterfeit cards. The police raid on “two sophisticated labs” netted $120,000 cash and led to the arrest of eight suspects. Computers, skimmers, card-readers, moulding machines, embossers, tippers, counterfeit cards, cameras, overlays and valances, tools, and two-way communications devices were also seized. Theft and counterfeit payment cards have been a growing problem for the Canadian banking industry, which is making a gradual transition to chip-based technology. Police say over $100 million was lost to this type of activity in 2007, which involved 159,000 card holders. Source: http://finextra.com/fullstory.asp?id=18650

Information Technology

36. June 27, Financial – (National) Press Release: Leading IT vendors establish forum to drive global security response excellence and innovation. On June 26, five leading information technology vendors announced the creation of the Industry Consortium for Advancement of Security on the Internet (ICASI), a nonprofit organization that will enhance global IT security by proactively driving excellence and innovation in security response. Founded by Cisco, International Business Machines, Intel Corporation, Juniper Networks, and Microsoft Corp., ICASI provides a unique forum for global companies committed to proactively addressing complex, multi-product security threats and to better protecting enterprises, governments, and citizens, as well as the critical IT infrastructures that support them. According to Intel, the increasing sophistication of attacks and the integration of applications, now common in IT environments, pose real challenges for IT vendors. Online attacks occur more frequently and in more rapid succession, while often spanning international boundaries. To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers’ behalf. ICASI aims to fill this void. ICASI does not seek to respond to every product security issue that emerges, but rather the consortium is designed to respond to and ideally reduce the potential customer impact of global, multi-vendor cyber threats.

Source: http://finchannel.com/index.php?option=com_content&task=view&id=15867&Itemid=10

37. June 26, ZDNet Blogs – (International) ICANN and IANA’s domains hijacked by Turkish hacking group. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket’s domain on June 18. ICANN is responsible for the global coordination of the Internet’s system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. IANA is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. NetDevilz left the following message on all of the domains: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group).” The following domains were hijacked, and some of them still return the defaced page: icann.net; icann.com; iana-servers.com; internetassignednumbersauthority.com; iana.com. The hackers are once again redirecting visitors to Atspace.com, 82.197.131.106 in particular, the ISP that they used in the Photobucket DNS hijacking. The NetDevilz hacking group seems to be taking advantage of a very effective approach when hijacking domain names, and while they declined to respond to an email sent by Zone-H on how they did it, speculation about a cross-site scripting or cross-site request forgery vulnerability is already starting. Source: http://blogs.zdnet.com/security/?p=1356

Communications Sector

38. June 27, ars technica – (National) NYPD, cities slam FCC Block D public safety network dream. The emergency managers of key city agencies are weighing in on that troublesome chunk of the 700MHz spectrum reserved for public safety – the D Block – telling the Federal Communications Commission that they can not wait for a lost cause. “The NYPD’s opinion, reinforced by conversations with commercial wireless carriers, is that there is simply no business case for a commercial wireless network operator to build a nationwide network that will meet public safety coverage and survivability standards,” the deputy chief and commanding officer of the New York City Police Department wrote to the FCC. The FCC received the statement on June 19. When the 700 MHz auction ended in mid March, no bidder offered the FCC’s minimal asking price for the block. An FCC audit of the D Block failure concluded that the plan had been loaded with too many expectations and uncertain variables. Now the FCC is running a new proceeding on how to redo the D Block auction, but NYPD says the plan just will not work. “Although public safety and commercial networks may share technology, they do not share the same mission,” the agency wrote. “Conflicts of interest arise that cannot be ignored. Public safety agencies require a robust network that will remain operational during virtually any circumstance; however, commercial network operators are motivated by commercial priorities to build networks that meet commercial requirements.” NYPD notes that the FCC’s first D Block scenario did not require the auction winner to build out a public safety band network in areas where it did not deploy its commercial system, thus making it “extremely unlikely that they would deploy their network in unprofitable rural or remote areas.” NYPD proposes that the FCC just assign portions of the D Block to local or regional public safety agencies. The department has already contracted with Northrop Grumman to build a broadband public safety data network on 2.5GHz leased spectrum, and expects to have the operation running by the end of the year. Source: http://arstechnica.com/news.ars/post/20080627-nypd-cities-slam-fcc-block-d-public-safety-network-dream.html

39. June 26, Associated Press – (National) Wireless hospital systems can disrupt med devices. Wireless systems used by many hospitals to keep track of medical equipment can cause potentially deadly breakdowns in lifesaving devices, such as breathing and dialysis machines, researchers reported Tuesday in a study that warned hospitals to conduct safety tests. Electromagnetic glitches occurred in almost 30 percent of the tests when microchip devices similar to those in many types of wireless medical equipment were placed within about one foot of the lifesaving machines. Nearly 20 percent of the cases involved hazardous malfunctions that would probably harm patients. Some of the microchip-based “smart” systems are touted as improving patient safety, but a Dutch study of equipment – without the patients – suggests the systems could actually cause harm. A U.S. patient-safety expert said the study “is of urgent significance” and said hospitals should respond immediately to the “disturbing” results. The wireless systems send out radio waves that can interfere with equipment such as respirators, external pacemakers, and kidney dialysis machines, according to the study. Researchers discovered the problem in 123 tests they performed in an intensive-care unit at an Amsterdam hospital. Patients were not using the equipment at the time. Source: http://www.mobile-tech-today.com/story.xhtml?story_id=60469
