Archive for the ‘Global Security’ Category

Hiking the mountain to security enlightenment (video)

July 21, 2009 3 comments

Freeform ramblings while hiking to the top of Multnomah Falls in Oregon.

Approaches to enterprise information protection changing – as Axelrod, Bayuk, Hunt and others show

March 18, 2009 1 comment

A book I contributed to is available on Amazon.  Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.
I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends are changing how security needs to be done.  My chapter was on security as it relates to the Transportation industry.  I took a logical and physical view of the problem.

Now he’s hacked US Passports using a $250 RFID reader!

February 3, 2009 1 comment

Is he evil?  Ask some manufacturers and they'll say yes, emphatically.  Ask privacy advocates, and they'll praise him for exposing the seeds of Big Brother.  Chris Paget didn't stop at cloning your HID prox card while standing next to you in line at the 7-Eleven.*  Now he has begun war-driving through San Francisco, gleaning RFID tags from US Passports. This is another assault on the Western Hemisphere Travel Initiative.  Read about it here.

White hats like Chris find the holes in our tech infrastructure that the bad guys also find.  I'd rather know about it than keep my head in the sand.  Besides, these problems are usually fixable, so let's fix the problems and not ignore them.

*not sure if he ever did that, but the cloning device he showed me sure could have been used that way.

Steelbox and Netversant go under

November 22, 2008 3 comments

Steelbox was foreclosed on by its bank, and Netversant sought Chapter 11 protection.  Netversant's demise must have been due to poor management decisions, because the concept was timely.  Steelbox's main problem was that the product was too damn good.  Customers who bought one or two would never need another box.

Anybody want to pitch in to help me buy the assets?  Could be fun. 

New York Department of Transportation clears the way for better collaboration between government and motorists

November 14, 2008 2 comments

Commissioners from both the New York State and New York City Departments of Transportation were on hand to bring the Joint Traffic Management Center (JTMC) online today.  New York City DOT Commissioner Janette Sadik-Khan was eloquent in her vision of technology.  She believes that aggregating and analyzing data from the 590 state and city cameras deployed around the city, road sensors, traffic signaling systems, and intelligence from the TransCom transportation communications infrastructure can lead to faster, safer transit through the city and better commuting decisions by New York City residents and visitors.  Hear what she had to say in this video.

James Chung, founder and CTO of VidSys, was the architect of many of the systems in the center and was publicly recognized along with VidSys CEO Chuck Teubner at the power-up ceremony.  It was obvious that the Commissioners and the NYPD Chief of Transportation, Michael Scagnelli, saw the value of the data integration the VidSys system provided.  Inspector Patrick McCarthy of the NYPD put it succinctly when he said that the integrated information management in the new center allowed a higher level of collaboration between NYPD, the State DOT, the City DOT and the Federal Highway Administration. “We are all here, under one roof.”

The JTMC is an example of the best principles of PSIM, physical security information management, creating real value for people, businesses and governments in New York City.

Images from traffic cameras and data from road and signaling sensors appear on monitors around the JTMC. The monitoring personnel can spot incidents or verify incidents that have been called in by the public.  From there the operators forward real time information to the media and relevant agencies electronically.  Operators can also change messages on the 100 variable message signs along roads around the city to warn travelers of the conditions ahead. Click here to see real time traffic coming off the Queensboro bridge at 2nd Ave.

Sensors along the roadway also produce a graphical display of problem areas around the city.  This color coded map and many views from DOT cameras are available for public viewing on the DOT website.

Today, about 75 cameras are feeding video to the JTMC, but over the coming year, all of the 218 City DOT cameras along bridges, local streets and FDR drive as well as the 278 State DOT cameras along highways around the city will be connected to the center.

In addition to DOT cameras, the JTMC integrates:

  • the graphical sensor maps mentioned above
  • data and video from NYPD squad cars
  • traffic detectors located every half mile on the highways indicating speed and flow
  • E-ZPass transponder data indicating traffic density and vehicle classification
  • traffic signal sensors in the streets near intersections
  • and TransCom data about tunnel and bridge status and other intelligence shared by State and City agencies

Not all that comes from China will be Gold!

Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP.  His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh

What happens in Vegas stays in Vegas right?

What happens in China won’t necessarily stay in China.

What do I mean by that? In the Navy there was a sea story. It went something like this…

We pulled into <name your favorite port>.  When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women- always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up.  The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.

So here’s the deal….

Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’ –send your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web.  You will be infected. Be ready for it.

The problem? Antivirus vendors don’t have the syringes to fix you.  It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats –those that infect everybody. When a specific group of users are targeted –Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries, the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle –the BIG piece of information.

You should expect this. It shouldn’t come as a surprise.

A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence.  It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007.  References to other Chinese cyber attacks and information gathering run in the thousands on the Internet.  A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.

Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games.  Don’t be a victim. Don’t allow your home/work networks to be victimized.

Here’s what you can do:

Think like a spy…

  • Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
  • Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email.  Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country.  Do not send the account and credentials by email. Kill, or abandon those accounts after you return.
  • Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
  • Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email –those pieces of software that will later be used to send data back to China once you return home.
  • Do not send email directly to a work address.  Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
  • When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.
  • Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
  • When you return home, do not, under any circumstances, plug these computers into ANY network without first having them professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.

Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!

CFATS and our complex world cry out for public private partnerships like InfraGard

Listening to a webinar on CFATS (chemical facility anti-terrorism standards) today and thinking that convergence best practices as well as the public private partnership promoted by InfraGard will be critical.  Ask me and I’ll tell you more about those convergence best practices – but the nut of it is that traditional security will be insufficient for those 7000 affected organizations to satisfy the regulation.  The second part is better described on the InfraGard website, where I read today that Kathleen Kiernan has been appointed Chairman of the InfraGard Board of Directors.

Dr. Kiernan is kind of a rock star in the Federal law enforcement world with a long history of building bridges between the private sector and government.  She is also taking the helm at a time when InfraGard is poised to break out of its adolescence into a period of greater cooperation with private companies.  InfraGard is already doing that, of course, by making the FBI more approachable.  However, I expect InfraGard to jump in membership and influence during Dr. Kiernan’s tenure as chair.

Categories: Global Security

Protecting the crown jewels with clear thinking and a little help from your friends

I see a transformation in modern security practice.  There is a new appreciation for the primacy of data.  Certainly the financial institutions are forward thinkers in this regard, along with insurance companies and most of the heavily regulated industries and some retailers.  Apart from those folks, however, I think there is a lot of awareness about the bad things that can happen.  Many purchase decisions today, however, show signs that the tail is wagging the dog – so many vendors are pushing data loss prevention solutions, then it MUST be a bandwagon I should jump on.  If I don’t, I might end up on the front page next to TJX.

A CISO at a Fortune 500 telecommunications company in the US said his organization is improving three classes of security activity: prevention, detection and corrective action.  In a phone conversation he reminded me that a few years ago, data classification was all the rage.  But the point was well taken, he said.  We all needed to step back and say "wait a minute. What are we really trying to protect here?"  One key to success he discovered was asking his legal department for help.  "Take a look at the records retention guidelines that legal departments crank out.  You’ll find an excellent starting point for identifying the most important information in your organization."  It is just a start, but it’s better than most IT security folks can do by themselves. 

CoreStreet in the money again

CoreStreet is one of the really cool young technology companies in the security industry, and now In-Q-Tel knows it, too.  The beltway-based investment vehicle for the US intelligence community made a strategic investment in CoreStreet.  This is the most recent in a long string of victories for the young identity management and access control vendor.

You’ve read about CoreStreet on this blog – about how they dominated a bid in the State of Colorado.  Well, other states will follow suit this year, and federal government FIPS 201 initiatives are all over the CoreStreet products.

This company, and those like it, are the reason I got into this business.  Very cool.

Airline boarding passes on my PDA – Cool

December 5, 2007 2 comments

I’ve tried it.  It didn’t work for me, but it’s a great idea.  Instead of printing out my boarding pass at home or from one of those airport kiosks, I can display it on my T-Mobile MDA device and show the barcode to the gate agent.  The agent can scan that code as easily as if it were on paper.

When I tried it, I got no further than the security line, where that poor soul in the red coat checking IDs and boarding cards didn’t understand what he was looking at.  He made me go and print it out at a kiosk and try again.

Continental is piloting a similar program, but I hope they clue in the TSA folks at the security line.
