THE MAGAZINE

Airport IT security budgets are taking off, and airports worldwide are expected to invest some $2 billion in IT and telecommunications projects annually. That's according to the Airport IT Trends Survey conducted by the Airports Council International, Airline Business magazine, and SITA, a European IT company. The study showed that IT infrastructure projects were the top investment priority, followed by security-related solutions and passenger and baggage processing. More than 96 percent of airports will face additional IT-security challenges as they roll out wireless services by 2006 and implement e-commerce and other Web services. @ The full survey costs $245 and is available at the Airline Business Web site.

A new CD-based training tool, Securing Law Enforcement Computer Systems, is now available from the National White Collar Crime Center (NW3C).

For almost two years, Zachary Keith Hill collected dozens of credit card and bank account numbers, which he milked for more than $47,000. After a joint investigation by the Department of Justice and the Federal Trade Commission, Hill agreed this spring to plead guilty to the phishing scam in which he sent e-mails to AOL customers purporting to be from an "AOL Billing Specialist." The messages directed customers to a realistic Web site where unwary visitors were asked for credit card, bank account, and password information. Hill is now awaiting sentencing, which could include as much as 15 years of jail time.

The CAN-SPAM law was a flaccid defense against unwanted e-mail, according to antispam company Commtouch, which analyzed hundreds of millions of spam messages in the first half of this year.

The security rules from the Health Insurance Portability and Accountability Act (HIPAA) go into effect in April 2005 for most organizations (a year later for healthcare organizations and other covered entities that do below a certain threshold level of business), giving institutions less than a year to get ready. An Introductory Resource Guide for Implementing the HIPAA Security Rule, a new draft paper from the National Institute of Standards and Technology (NIST), can help those responsible for implementing the security rule to understand the rule's concepts while pointing them to standards and other references and explaining key terms and acronyms. @ Link to the NIST paper

While today's microprocessors are vastly more powerful than those of even a few years ago, there are some computing challenges that make even the fastest computer seem like the 1950s' Univac. Many of these challenges are related to national security issues such as weapon system simulations and processing of satellite images. The government's reliance on clusters of commercial-off-the-shelf components falls far short of solving these security issues.

Data mining--the process of poring through various databases looking for hidden patterns and relationships--is alive and well, despite controversy raised by projects such as the Defense Advanced Research Projects Agency's (DARPA's) Terrorism Information Awareness (TIA) program. In fact, 52 government agencies are using or are planning to use data mining for projects ranging from detecting criminal activities to improving service, according to a study by the General Accounting Office (GAO).

With broadband Internet connections able to handle steadily increasing amounts of traffic, the notion of using the same lines to transmit telephone communications via the computer sounds like the perfect moneysaver. But the technology still has security problems that must be worked out before it can become the standard way that businesses make calls, according to technology experts.

The FBI's efforts to modernize its IT program--an effort known as Trilogy--"is not currently on a path to success." That assessment comes from a new book by the National Research Council of the National Academies, which concludes in part that the FBI has no contingency plan in case its new Virtual Case File application fails.

Though Microsoft's servers have been targeted by worms such as Code Red, the company's share of the server market is only 20 to 23 percent, not anywhere near the 47 percent that the researchers say would be needed to "induce a catastrophic failure."

By now, everyone knows what a bad password is: your name, your child's name, your pet's name, your birthday. But what does a good password--which must be both hard to break and easily remembered--look like? A group of scientists from Cambridge University Computer Laboratory say it might be this: MsPi24yo. While that's a hard-to-break combination of numbers and upper- and lower-case letters, it is actually quite simple to recall because it is a mnemonic phrase that stands for "My sister Pam is 24 years old." That use of mnemonic phraseology is the key to good codes, according to The Memorability and Security of Passwords--Some Empirical Results

The National Geographic building discovers window film, and an electric meter supplier gets a reading on patch management software.

One of the greatest dangers to a computer network is the presence of desktop PCs and servers that have not been patched for the latest vulnerabilities and can be exploited by malicious attacks such as worms. Blame goes to software developers for creating insecure programs as well as to network administrators who don't get patches installed before an attack happens.

The first half of the book provides a history and description of water systems and their vulnerabilities, primarily in the United States. But scarcely nine pages are devoted to terrorists themselves. In a section called "Who are the Terrorists?" less than a single page is devoted to answering that question. Subsequent pages outline terrorist groups only in a general sense.

 Like any perceived phenomenon or rapid growth area, global terrorism has inspired many authors to venture into the security and intelligence fields. That's not surprising given that there is an avid audience, not least in the security profession itself, keen to grasp the essential knowledge and skills needed to manage the current and emerging terrorist threat.

The preface to chapter four of this book describes that section as "a layman's introduction." That description can be applied to the entire work. Author Mark Robinson introduces competitive intelligence (CI) concepts to neophytes and peppers his book with charts, lists, and graphics that underscore his lessons. That's good as far as it goes, but it fails to provide the comprehensive study expected from a how-to book.

 Security professionals sometimes forget just how little they knew when they began their careers and how valuable they found references that successfully covered the basics. This book, by a captain in the Dothan (Alabama) Police Department, is a good example of such a book.

Not so this book on emergency management, where the protagonists--disasters--take center stage. The authors load the book with bracing case studies and examples, which have infinitely more impact than generalizations and theories.

The book had its genesis in an assignment to conduct a risk assessment on an (unnamed) international telecommunications company. The authors try to bring the reader into the process, but gaps interrupt a smooth narrative flow. One suspects overly aggressive editing, the result being that the book is neither easy nor enjoyable to read.