Thursday, March 6, 2008

Daily Report

• According to NBC News, in a bulletin released Friday to U.S. law enforcement officials, the Transportation Security Administration (TSA) is warning of “continued strong terrorist interest” in targeting mass transit systems in the U.S. The 10-page threat assessment, titled the “Mass Transit System Threat Assessment,” cautions that the “U.S. mass transit and passenger rail systems are vulnerable to terrorist attacks because they are accessible to large numbers of the public and are notoriously difficult to secure.” (See item 12)

• ABC News reports that the Department of Homeland Security and the FBI issued an assessment, called “Potential Threats to Popular Sports and Entertainment Venues,” that said arenas and stadiums are attractive “potential targets during events.” The assessment repeatedly noted that the FBI and DHS have no “information on any credible or specific current terrorism plots to attack stadiums or arenas in the United States.” (See item 31)

Information Technology

26. March 4, Government Executive – (National) Contractor networks create security risk, Defense official says. Information technology contractors pose a major security risk by not locking down their networks properly, according to the Defense Department’s top IT official. The threat, along with risks associated with offshoring and acquisitions of American IT firms by foreign companies, is driving defense and intelligence agency initiatives to develop stricter information security standards. Contractors managed 1,353 systems on behalf of federal agencies in fiscal 2007, according to an Office of Management and Budget fiscal 2007 report on the implementation of the 2002 Federal Information Security Management Act, submitted to Congress in late February. Fewer than half of 25 major agencies said they “almost always” ensured that information systems used or operated by a contractor met the requirements of FISMA, OMB policy, and guidelines set by the National Institute of Science and Technology. Lack of oversight, combined with contractors’ failure to secure their networks, put sensitive government information at risk, said the Defense Department’s chief information officer and assistant secretary for networks and information integration, during a panel discussion Tuesday at the Information Processing Interagency Conference in Orlando, Florida. “We have a propensity to talk about the infrastructure, but we have to remember why we’re here – to protect the data,” he said. “There’s ‘exfiltration’ of sensitive data from contractors, [which is] a big issue for national security.” Smaller companies often present bigger risk because they are less accustomed to dealing with sensitive or classified information flowing through their networks than large systems integrators. Defense is working to educate large contractors and develop standards to ensure that proper security protocols are followed, and the department plans to do the same with network and IP providers.

27. March 4, Dark Reading – (National) New method IDs phishing, malicious domains. At a closed-door security summit hosted on Yahoo’s Sunnyvale campus last week, a researcher demonstrated a new technique to more easily identify phishing and other malicious Websites. The vice president of security research for Websense showed a tool Websense researchers have built that detects domains that were automatically registered by machines rather than humans -- a method increasingly being used by the bad guys, he says. “[Automation] is being used more and more,” he said. Not much of the contents of the so-called ISOI conference typically seeps beyond the confines of this annual closed-door event: It’s set up to accommodate the privacy and sensitivity of the content and information shared, as well as the attendees themselves. But some participants, including Websense, were willing to discuss some elements of the ISOI 4 summit. Websense’s new Lexi-Rep tool, which it uses internally in its Web security research, gives researchers -- and eventually, maybe domain registrars -- a way to sniff out any suspicious domains that get automatically set up. “Increasingly, we’re seeing more bots, keyloggers, and Trojans automatically connecting to domains,” the company said. “And people are now automatically registering these domains without a human involved.” The tool’s algorithm determines whether a domain name was registered by man or machine, by assessing whether the domain and URL are “human consumable,” or “whether someone would type that into a URL or search for that” site. It scores the likelihood of maliciousness of the domain and host name based on patterns in the name. The “bad” domain names then get blacklisted. Websense says the tool has a 99.9 percent rate of accuracy, and that automatically generated domains to date represent over 1 percent of the nearly 1 million domains registered each day, but that share is rising.

Communications Sector

28. March 5, Computerworld – (National) “Green” building windows can block cell signals. Indian Wells. The senior vice president for strategic planning and technical architecture at Bank of America said the bank has discovered that energy-efficient windows in its newer buildings are blocking cellular phone signals. As a result, the bank faces paying premium access charges to wireless carriers to enhance indoor cellular signals, she said. She spoke yesterday at a panel discussion on wireless technology at the Mobile & Wireless Enterprise 2008, sponsored by Frost & Sullivan. With more than 15 buildings in Charlotte, where the bank is headquartered, the three buildings designated as green are the ones where the cellular signal problem has been detected, she said. Bank of America is making good progress on a multi-year deployment of voice-over-IP phones for nearly all of its 200,000 workers, but the cellular problem in the green buildings was not anticipated, she said. And the bank’s staff is not yet sure how widespread the problem might be, though she says she suspects “we’re at the tip of the iceberg.” Several analysts and IT managers at the conference said they had never heard of the problem before, but Bank of America said the interference has been linked to a special doping material used in the manufacturing process. Metal is a well-known enemy of cellular signals, and companies in some large steel-framed buildings know that they need to enhance signals -- especially in the deep interiors of such buildings. But metal in window materials is a more recent development. In recent years, some green-building architects have relied on new windows that have a thin metallic coating that reduces energy usage by reflecting heat into the building in the winter and out in the summer. On the flip side, some businesses have used the transparent metal linings in some window glass as a security advantage, blocking Wi-Fi piggybacking from outside -- not to mention hackers sitting in a parking lot hoping to read data moving inside the building.

29. March 4, RCR Wireless News – (National) Cyber security expert outlines the challenges in keeping wireless protected. “There is no such thing as absolute security,” a former White House cyber security adviser told an audience of mobile security businesspeople and analysts yesterday. But that does not mean the battle for a more secure mobile environment is all for naught. Growth in the wireless industry will be stymied if security is not adhered to, he said. Software and applications are the biggest vulnerability, he said. With people using mobile devices for everything from booking flights to paying bills, application security cannot be overlooked, he said. Criminals will always be motivated to break applications to gain access to personal data. “Data is the gold, silver and diamonds in today’s environment,” he said. “I don’t want to be in an environment where I’ve got vulnerability in one of my wireless devices,” he said, adding that third parties that have access to personal data on mobile devices must also share equal responsibility for security. Wireless devices have become a critical part of infrastructure for government, public and commercial entities, he said. Through a year-long study, the government learned that “private industry owns about 85 percent of what we call critical infrastructure,” he noted, adding that since then, “major private companies and government agencies have come together to share critical information to help improve security overall.”