Friday, February 29, 2008

Old Scary news from Phoenix

I just finished watching some pretty scary footage of airport security at Phoenix International from July 2007. ABC15 News did an expose of security issues at Sky Harbor. The information they reported was quite scary. They found the City of Phoenix used a private security firm (more intel on that as I get it) who provided security during non-flying hours. Does anybody remember the days before TSA? TSA can be scary but at least they're an improvement from where we were before. The City of Phoenix had certainly forgotten this.

The results were almost disastrous. The news crew found bags were not searched adequately or not at all. Employee badges were checked by a guard who may or may not have been following standard security procedures. Many times entire suitcases and huge newspaper dollies made their way in. At one point the news crew found a guard sleeping who readily admitted sleeping on the job for periods at a time. You don't have to be a genius to figure out that some got fired (as they should have been).

Any time a news crew (no offense) can expose the flaws within your security you've got problems. Phoenix has made some improvements, but I would bet their weakest link is their people. Watch the video here. It speaks volumes.

And you thought you had fencing issues...

Ladies and gents, it appears the United States' "virtual fence" has run into some snags, according to Security Management. I won't even go into how a CCTV system is only as good as its operators and software/hardware platforms. Nor will I mention the same goes for IDS as well. I won't even go into how with all CCTV and IDS systems your biggest weakness lies in the money you're willing to spend to fix your problem (porous borders). I will, however, talk a bit about the virtual fence and what it means for us as a citizenry and as professionals in this field.

The Washington Post broke the story with its report that despite the Bush Administration's approval of the fence this past Friday, the construction and implementation of the fence will have to be delayed by at least three years.

It appears there were technical problems with a prototype system as well as a test system located along a stretch of the border in Arizona. According to the report, the problems included:

1. According to the Washington Post, "Boeing's use of inappropriate commercial software, designed for use by police dispatchers, to integrate data related to illicit border-crossings. Boeing has already been paid $20.6 million for the pilot project, and in December, the DHS gave the firm another $65 million to replace the software with military-style, battle management software."

2. According to the Washington Post, "Technology originally central to the project, such as mobile radar/sensor towers, has been dropped, the article reports, in favor of "[m]ore traditional ground-based radar and airborne surveillance drones," according to Business Week."

This past Tuesday, Homeland Security Secretary Michael Chertoff asserted in his blog, "I’ve seen this system work with my own eyes, and I’ve talked with the Border Patrol Agents who are using it. They assure me that it adds value. That’s what matters to me, and it’s a fact that cannot be denied."

While the virtual fence is better than what we currently have, I'm having trepidations about a system that has so many setbacks and issues which are core to its very success. For more information click here for the Post's article on the virtual fence or here for the full article from Security Management.

Thursday, February 28, 2008

Bluetooth Hack

This video has been out for a while. I'm surprised this vulnerability hasn't gotten more "play". The basic premise of this hack is you can not only hack into a Bluetooth device and record what is said into the headset but you can also inject your own audio. This, of course, is provided that the password for the device is still "0000", which I'm sure it is, like most of ours. Check out the video to watch the hack.

Wednesday, February 27, 2008

A Little Bit About Being Plane Stupid

Sorry, I couldn't resist the title. Earlier, I wrote a bit about the events that took place this week in the UK. Let's look at the group responsible for the Parliament actions - Plane Stupid.

According to The Guardian, "Plane Stupid was created three years ago after a group of anti-Iraq War protesters found common cause in the government's expansionist aviation policy."

The group conducts what are known as "direct action" operations. These require no overhead support and require no upper leadership approval when a target of opportunity has been discovered. Some of their ops have included the storming of the BAA's appearance at the transport select committee last November and chaining themselves to the gates of Farnborough airport – the main UK hub for private jets. 27-year-old Richard George is said to have co-founded the group with 34-year-old Greenpeace employee Graham Thompson in 2005.

The Guardian report also notes the group is made up of five members who are educated, middle class, and young. It operates on anarchist principles and describes itself as a "devolved network of autonomous groups" numbering around 150 dedicated activists. It has no designated leader and reaches all decisions by consensus.

Does this sound familiar? I'm beginning to see a lot of duplication when it comes to cellular structures of nonconformist organizations like this and others. What makes their statements about how they carried out the Westminster op so realistic is their age and education level. They are all very smart and young enough. I bet at one point they even used student IDs to get past security. When protecting government institutions, we must look at all areas of vulnerabilities. This includes, but is not limited to, students and young people. If you're too lackadaisical and think they're just kids, remember most of the 9/11 hijackers were in this profile except they weren't white.

Big Ben, Heathrow, and Climate-Change Terrorists

Today, I read a news report from Great Britain's newspaper, The Guardian, which reminded me of all the times I said, "I'm sure glad I wasn't working yesterday." Ladies and gents, over the past few days, our great ally has been besieged by "climate-change terrorists." Okay, so I'm exaggerating a bit. But there were some serious security breaches both at Heathrow and at the Houses of Parliament.

Yesterday, five protesters from a group calling themselves "Plane Stupid" climbed atop the roof of the Houses of Parliament. They displayed two banners reading "No third runway" and "BAA HQ". Okay, I know there's a ton of speculation as to how this could have happened. Well, the police speculate they had an insider who provided them with access and who offered to store the signs. How else could they have gotten past security, especially at Parliament? The protesters, of course, claim they brought the signs in past security and merely told the guards they were there to hear a debate on the floor. Either way it goes, somebody is in a lot of you-know-what.

According to SkyNews, Greenpeace protesters gained access to the roof of a Boeing 777 outside of Terminal 1 on Monday. For what? They were protesting Heathrow's planned expansion. For those who have traveled through Heathrow, you might agree, climate change aside, it could use the expansion. And maybe some maps and arrows that made sense. I digress. To say the least, this was a major breach of security for an airport that has repeatedly been targeted by terrorists of all types to include Al-Qaeda and the IRA. Police and security units were able to respond and remove the protesters, who posed no significant threat except to Heathrow's PR image. The protesters did carry signs which denounced the change. It should be noted Virgin Airlines flew out of this same airport on the same day flying a bio-diesel jet which is supposed to reduce greenhouse gases from commuter jets.

Sunday, February 24, 2008

Welcome and Encryption Key Madness

Welcome to my first post for this blog. I hope you can tell from my lengthy bio that we'll have plenty to talk about. So let's get started with today's topic: Encryption Keys.

For those of you still stuck in the Paleolithic Age of computing, encryption keys were thought to be some of the most secure and efficient means to protect data stored on computers. In essence, you would store whatever data you wanted safe from prying eyes on a computer which would then encrypt the storage medium with a very difficult key secured by an even more difficult algorithm. Without the right pass code, the data could not be decrypted and the key could not be used. According to the American Society of Industrial Security's publication, Security Management, "the game has changed".

The Electronic Frontier Foundation, a non-profit electronic goods consumer advocacy group, along with Princeton have come up with an ingenious way to get those keys without having to crack the algorithm. They freeze the medium and then extract the code. It appears this works because most keys are stored temporarily in DRAM. Once your computer goes "idle", these keys are vulnerable to this "hack" because the contents of memory take a while to fade from the chip upon shutdown, and the freezing method of course slows this process down, giving our intruder enough time to grab what he/she needs.

This "hack" affects TrueCrypt as well as others, including BitLocker, FileVault, and dm-crypt. Check out the Security Management website for further details.

Click here for video footage.

Incredible! Once you think you have it made with encryption, somebody not only cracks it but posts it on the Net.
