Monday, March 31, 2008

Ever wonder how the new US passports are made?

News stories recently raised questions about the fact that some of the components of U.S. passports are produced overseas. Questions were also raised about passport security and why foreign firms have been engaged as part of the passport production process. Under Secretary of State for Management Pat Kennedy joined Department Spokesman Sean McCormack for a video podcast to discuss these issues. This video walks you through the process and explains the new passport's security features.

Sunday, March 30, 2008

High Security or High In-security?

As part of my job, I'm responsible for implementing certain measures to thwart attacks. The most common measure I implement is choosing which locks go on which doors. Sounds pretty basic, right? Those in the business know that, like computer security, physical security has to change constantly to deal with new threats. Over the last few years, you've heard about key-bumping. This entails taking a key blank for a lock and then guiding the blank through the lock and knocking out the pins. Torque is then applied to the lock, and the lock and key turn to open the door. Some locks claim to be "bump-proof". Well, as we found out last year, this ain't necessarily so. At Defcon (the world's largest hacker conference) last year, Marc Weber Tobias gave a talk about "high security" locks, their standards, and their weaknesses. He even demonstrated bypasses. I HIGHLY encourage everyone who missed this talk to check out the video below.

Saturday, March 29, 2008

Need to nuke a major city?

Okay, I found this little gem on the Net today. The author of the script says he got all of his calculations from FAS and Wikipedia. This mapping tool only calculates thermal effects and not radiation. It may have its faults, but it is really neat and eye-opening.


Friday, March 28, 2008

New feature!


Ladies and Gents,

I'd like to be the first to inform you of a new feature I'm recording/editing now. This will be a 5 to 6 minute podcast on current security topics. It is my hope to make this a bi-weekly event.

Some days I'll address particular questions from listeners, while other times I will address particular topics such as Bluetooth hacking, physical security, security management, etc. The first podcast will air on March 31, 2008.

If you have any suggestions or if you'd like to submit questions, please send them to [email protected]

The New Equalizer?

As we approach the time of the year when we'll see more terrorist attacks, I wanted to post some videos of how the threat from VBIEDs is truly evolving. Just take a look and let me know what you think. Remember to practice OPSEC though.




This second video, posted by a guy from his mobile phone, shows the aftermath of the 7/7 attacks in the UK. I love citizen journalists. They can get in where big media outlets can't.



This last video is of a dump truck filled with explosives. You can see the shock wave and the blast expansion. Perfect illustration of what VBIEDs could look and feel like.

FBI Mystery Man has been identified


The FBI has identified its mystery man as Scott Andrew Shain, born in 1955. The FBI says Shain was identified thanks to the help of the Social Security Administration. Who dimed him out? His parents apparently identified him by checking his picture on the FBI website.
For those of you who don't know or remember, this is the guy I talked about briefly last week when I mentioned "hide-and-go seek". While the FBI knows his name, agents still don't know the full extent of his criminal background, but they do know that he served in the U.S. Air Force and was from Boston.
Shain is now in federal custody on multiple counts of aggravated identity theft, such as stealing a dead man's identity. If you recall, this guy had 33 aliases and had a rap sheet for some of them. I wouldn't be surprised if he was just a paranoid individual who suffered from a mental illness and the aliases were a combination of personalities and/or identities to hide. I say that because, unlike most identity thieves, he never sold his new identity and never turned it to profit for himself. The more I read, the more suspicious I am of why he needed 33 aliases.

CCTV Cameras, Crime, and San Francisco

The San Francisco Chronicle has written an article about a recent UC Berkeley study of SF's 60 CCTV cameras. Researchers looked at over 59,000 crimes which occurred within 1,000 feet of cameras between 1 January 2005 and 28 January 2008. What I found ironic was the researchers' discovery that most violent crime within 250 feet or less of the cameras had decreased. The further you went away from the cameras, the more crime there was. Wow. That's a novel concept. I'm not saying the researchers were inept at understanding basic criminal methodology, but this does seem a bit odd.

Even odder was this comment in the article:

The cameras' only positive effect appears to be the 22 percent drop in property crime within 100 feet of the cameras, though people broke into cars parked near the cameras at the same rate as they did before the cameras were installed, according to the study released today.

I'm not a fan of technology being a "save-all" in crime prevention, but I find it hard to believe that a non-criminal justice professional would not understand the positive effect CCTVs have when properly utilized. Again, I go back to my previous statements about CCTV systems: they are only as good as their operators and the money and expertise available to maintain and upgrade them.

Crime relocation is not the same as crime prevention. When crime moves, though, it does give some areas enough time to rebound and bring back positive ideas, people, and activities. So just because crime moved doesn't mean that was necessarily a bad thing. I'm sure the residents and cops who live and/or work on those streets where the crime moved from would tell you they welcome the break.

Crazy FBI Child Pornographers!!

So, I'm glad the title caught your eyes. I've been a bit busy catching up on some professional obligations and finally made my way back to the blog. Let's take a look at this very interesting article from News.com.

The article details a supposed newly discovered technique the FBI is using to catch child pornographers. This new tactic involves "posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them." Worried the FBI is putting out its own version of porn to catch these guys? Don't worry because the supposed video files actually were gibberish and contained no illegal images. This is a technique most p2p investigators use to catch pirates.

There is legal precedent for such tactics, but it does raise some very interesting questions about entrapment and privacy. Just who did the FBI nab with this technique?
Roderick Vosburgh, a doctoral student at Temple University who also taught history at La Salle University, was raided at home in February 2007 after he allegedly clicked on the FBI's hyperlink. Federal agents knocked on the door around 7 a.m., falsely claiming they wanted to talk to Vosburgh about his car. Once he opened the door, they threw him to the ground outside his house and handcuffed him.

Vosburgh was charged with violating federal law, which criminalizes "attempts" to download child pornography with up to 10 years in prison. Last November, a jury found Vosburgh guilty on that count, and a sentencing hearing is scheduled for April 22, at which point Vosburgh could face three to four years in prison.

Sounds like a cool idea, right? You catch bad people who you can prove intended to view material on your site that they were led to believe was child pornography. You get the address of your perpetrator and go arrest him/her.

Anyone else see a potential problem? Well, you're not alone. A lot of people find it disturbing that all the FBI and/or any other law enforcement agency has to do is register a domain name and flaunt it, through its name or hype, as a safe harbor for individuals who may want to see this. The problem is what happens to someone who, say, mistakenly enters the wrong URL and lands on the FBI's sting site. Not to mention how easily another person could get the address, suspect it is not what it advertises, and "rickroll" an adversary to that URL. For those of you unaware of "rickrolling", it's when you're told in a message that a link will take you to a page about flowers (which you want to see) and it then takes you to a Rick Astley video.

I know what you're thinking: "I'm no legal beagle, but even I can recognize this sort of law enforcement tactic is based on very thin layers of the law." So far, at least, attorneys defending the hyperlink-sting cases do not appear to have raised unlawful entrapment as a defense.

"Claims of entrapment have been made in similar cases, but usually do not get very far," said Stephen Saltzburg, a professor at George Washington University's law school. "The individuals who chose to log into the FBI sites appear to have had no pressure put upon them by the government...It is doubtful that the individuals could claim the government made them do something they weren't predisposed to doing or that the government overreached."

The outcome may be different, Saltzburg said, if the FBI had tried to encourage people to click on the link by including misleading statements suggesting the videos were legal or approved.

In the case mentioned previously, the prosecutor relied on the federal child pornography law, which states the definition of "sexually explicit conduct" does not require that sex acts take place:

The first image depicted a pre-pubescent girl, fully naked, standing on one leg while the other leg was fully extended leaning on a desk, exposing her genitalia... The other image depicted four pre-pubescent fully naked girls sitting on a couch, with their legs spread apart, exposing their genitalia. Viewing this image, the jury could reasonably conclude that the four girls were posed in unnatural positions and the focal point of this picture was on their genitalia.... And, based on all this evidence, the jury found that the images were of minors engaged in sexually explicit conduct, and certainly did not require a crystal clear resolution that defendant now claims was necessary, yet lacking.
The article also states, "Harvey Silverglate, a longtime criminal defense lawyer in Cambridge, Mass. and author of a forthcoming book on the Justice Department, replied: 'Because the courts have been so narrow in their definition of 'entrapment,' and so expansive in their definition of 'probable cause,' there is nothing to stop the Feds from acting as you posit.'"

Sunday, March 23, 2008

Hiding In Plain Sight

Do you ever have one of those conversations where you come up with a pretty remarkable revelation? I had such a revelation yesterday with my wife. We were discussing how good we both were at "hide and go seek". I'm sure we all discovered sooner or later it was much better to hide somewhere close to our "seekers" and in a place they would normally overlook. In other words, you have to "hide in plain sight". That thought followed me no matter where I went this weekend. Getting a new birth certificate, burning your fingerprints, or playing dead seems a bit much, like something out of a semi-decent Hollywood movie. But the lessons are the same. Disguises don't work. Nothing works if you can't find a way to hide your real identity while you try to live your life as normal.

I know most of my security aficionados are probably somewhere asking, "Where's he going with this? And why discuss this in a public forum?" My answer to them is that we should talk about this in the open because the bad guys already know what I'm telling you. In order to win at the proverbial game of "hide and go seek" in the security world, we must first think like our "hiders" and become much better "seekers". For example, if you operate a CCTV system and need to know how to spot shoplifters and other rogue parties, I would begin to look at the ways in which they often try to appear as normal as possible, such as dress and appearance, behavior, and demeanor. If you get a guy in an aisle who's trying his best to appear normal when in fact he is far from it, then hopefully you'll recognize this as a "critical indicator".

I've attached a video I thought was relevant to this topic. Most fugitives evade capture by learning how to camouflage themselves with multiple behavioral patterns which suit their new identities. In the security disciplines, we find this sort of subterfuge with spies and terrorists. In order to gain the advantage, we must learn what mistakes someone like this would make. Maybe, their behavior will lead us to believe something is not quite right. Good cops know what these mistakes look like. If you've been to any escape and evasion course, you know this is one of the first things they teach. If you don't have this skill, might I recommend a good game of "hide and go seek" with your favorite five year old. I know it sounds strange but the games we play as children always come back to us as adults.

Monday, March 17, 2008

Homeland Security Week

I found a website I think my readers might enjoy called Homeland Security Week. It is an Internet television network dedicated to homeland security. The topics they have are very thought-provoking and well presented. Click here for a video I just finished watching on airport security. It gives behind-the-scenes footage of GAO red teams penetrating airports. Ouch!

Sunday, March 16, 2008

Book Review - The Art Of Deception



Well... I finally did it. I finally finished Kevin Mitnick's book, The Art Of Deception. This was perhaps one of the most compelling books I've read in a very long time. It covers ways in which many of our corporations and government agencies are vulnerable. It details what were once thought of as "old-school" techniques by which information thieves gain insight into the very workings of these organizations, such as dumpster diving and pretexting.

The book is 352 pages of real-life examples of Mitnick's former operation and those of his former comrades. I particularly liked his ideas about how we can protect ourselves from these attacks. Some would think this would be an opportunity for Mitnick to brag and thumb his nose at his former adversary, the US government. But it isn't. It is certainly a guide to some very low-tech means by which these guys operate and exploit.

This book is a must-read for anybody who cares about security. I would suggest this for any reader who wants to protect themselves or their organizations. If you think you're not vulnerable, hire an outside firm to do a penetration test on your people, not your systems, and see where your vulnerabilities are. I can tell you from my experience that the best way to defend yourself is to protect your people. Your systems need people to operate and maintain them. If your folks fail to perform the basic due diligence when dealing with anyone seeking information or access (either physical or virtual) into your organization, then you better get them doing it ASAP. If you're in charge of security for any corporation, I HIGHLY suggest this book.

Thursday, March 13, 2008

Another Incident at Heathrow


SkyNews is reporting a man was arrested after jumping a perimeter fence at Heathrow International Airport shortly after 2pm and was tackled by armed officers on the northern runway. The entire northern runway was shut down while police handled the situation.



This comes just before the grand opening of the new terminal at Heathrow tomorrow. Guess who is supposed to be in attendance? Her Majesty, of course... This is Heathrow's second big intrusion in the last two weeks. The last was by a group calling themselves "Plane Stupid". We've also covered their last two acts in previous blog posts along with a brief background report. It should be noted the group has denied any involvement.

Chertoff's Self-Evaluation

DHS Secretary Chertoff gave his evaluation of Homeland Security's progress over 5 years to Congress on March 5th, 2008. He summarized the Department's progress in 5 areas:
  1. Strengthening border security through greater deployment of infrastructure, manpower, and technology
  2. Enhancing interior enforcement at worksites, providing new tools to employers, and identifying and arresting fugitives, criminals, and illegal alien gang members
  3. Making temporary worker programs more effective
  4. Improving the current immigration system
  5. Assimilating new immigrants into our civic culture and society.
On strengthening border security, he discussed the "installation of tactical infrastructure, including pedestrian and vehicle fencing; hiring and training new Border Patrol agents; and deploying a range of technology to the border, including cameras, sensors, unmanned aerial systems, and ground-based radar."

We made a commitment to build 670 miles of pedestrian and vehicle fencing on the Southern border by the end of this calendar year to prevent the entry of illegal immigrants, drugs, and vehicles. We are on pace to meet that commitment. We have built 302.4 miles of fence, including 167.7 miles of pedestrian fence and 134.7 miles of vehicle fence....For example, in February of this year, I traveled to Hidalgo County, Texas, to meet with county leaders who were planning to build a levee along the Rio Grande River for purposes of flood control. Although we still need help from Congress, we were able to negotiate an agreement to design our fence plans in coordination with their levee construction, allowing us to effectively satisfy two goals at the same time.

He also spoke about Border Patrol:

Over the past year, we have accelerated recruitment, hiring, and training of Border Patrol agents. 15,439 Border Patrol agents are currently on board and we will have over 18,000 agents by the end of this year – more than twice as many as when President Bush took office. This represents the largest expansion of the Border Patrol in its history, and we have grown the force without sacrificing the quality of training the Border Patrol Academy prides itself on delivering.

As an additional force multiplier, we continue to benefit from the support of the National Guard under Operation Jump Start. This has been an extremely fruitful partnership. We are grateful to the Department of Defense as well as governors across the United States for allowing us to leverage the National Guard in support of our border security mission.

On P-28 (which we covered in previous articles), Chertoff had the following to say:

P-28 was designed to be a demonstration of critical technologies and system integration under the broader SBInet initiative. Specifically, its purpose was to demonstrate the feasibility of the SBInet technical approach developed by the contractor, Boeing, and to show that this type of technology could be deployed to help secure the Southwest border. After successful field testing, we formally accepted P-28 from Boeing on February 21st of this year. We have a system that is operational and has already assisted in identifying and apprehending more than 2,000 illegal aliens trying to cross the border since December....A P-28-like system would be neither cost-effective nor necessary everywhere on the border. Accordingly, we are building upon lessons learned to develop a new border-wide architecture that will incorporate upgraded software, mobile surveillance systems, unattended ground sensors, unmanned and manned aviation assets, and an improved communication system to enable better connectivity and system performance.

The department is looking at implementing more UAV's to include one for the entire northern border. He plans to increase the number of ground-based mobile surveillance systems from six to forty. And we will acquire 2,500 additional unattended ground sensors this fiscal year, with 1,500 of those planned for deployment on the northern border and 1,000 on the southwest border. These will supplement the more than 7,500 ground sensors currently in operation.

How much does this cost? Not much really, considering what we spend money on already. Could we do better? I'll let you decide. Just remember the old adage: You get what you pay for.

To continue to support these kinds of technology investments, we have requested $775 million in funding as part of the President’s Fiscal Year 2009 budget.

How are things going? That depends on who you ask. Secretary Chertoff says:

For Fiscal Year 2007, CBP reported a 20 percent decline in apprehensions across the Southern border, suggesting fewer illegal immigrants are attempting to enter our country. This trend has continued. During the first quarter of Fiscal Year 2008, Southwest border apprehensions were down 16 percent, and nationwide they were down 18 percent over the same period the previous year.

Port security received a lot of help in the form of biometrics and citizenship checks. Current travelers into the US were checked for proof of citizenship and against various criminal/terrorist databases. Chertoff testified:
In January of this year, we also ended the routine practice of accepting oral declarations of citizenship and identity at our land and sea ports of entry. People entering our country, including U.S. citizens, are now asked to present documentary evidence of their citizenship and identity. Not only will this help to reduce the number of false claims of U.S. citizenship, but it reduces the more than 8,000 different documents our CBP officers must currently assess. By requiring a narrower set of documents, we are able to improve security and efficiency at the ports of entry, and create an effective transition period for implementation of the land and sea portion of the Western Hemisphere Travel Initiative in June 2009.
You ever get those stories on the news where it seems like we never arrest illegal immigrants? I know in most places ICE won't come out for less than a large group of illegals. According to Chertoff, ICE removed over 280,000 illegal aliens. He lists some of their operations:

Universal Industrial Sales, Inc: On February 7, 2008, fifty-seven illegal aliens were arrested during a worksite enforcement operation conducted at Universal Industrial Sales Inc. (UIS) in Lindon, Utah. ICE forwarded roughly 30 cases to the Utah County Attorney's Office for possible criminal prosecution for offenses such as identity theft, forgery, and document fraud. On the federal side, the U.S. Attorney for the District of Utah unsealed two indictments charging the company and its human resource director with harboring illegal aliens and encouraging or inducing workers to stay in the United States illegally.

George’s Processing: In January of 2008, a federal jury convicted a former human resources employee at George’s Processing – a poultry plant in Butterfield, Missouri – of harboring an illegal alien and inducing an illegal alien to enter or reside in the United States. Under federal statutes, this individual is facing up to 10 years in federal prison without parole. Another former employee recently pleaded guilty to aggravated identity theft. A total of 136 illegal aliens were arrested as part of this investigation into identity theft, Social Security fraud, and immigration-related violations at the plant.

RCI Incorporated: In October of 2007, the former President of RCI Incorporated – a nationwide cleaning service – pled guilty to harboring illegal aliens and conspiring to defraud the United States. He will pay restitution to the United States in an amount expected to exceed $16 million. He also agreed to forfeit bank accounts, life insurance policies, and currency totaling more than $1.1 million for knowingly hiring illegal aliens.

Stucco Design Inc.: On March 7, 2007, the owner of an Indiana business that performed stucco-related services at construction sites in seven Midwest states pled guilty to violations related to the harboring of illegal aliens. He was sentenced to 18 months in prison and forfeited $1.4 million in ill-gotten gains.

Michael Bianco, Inc.: On March 6, 2007, in New Bedford, Massachusetts, a textile product company owner and three other managers were arrested and charged with conspiring to encourage or induce illegal aliens to reside in the United States and conspiring to hire illegal aliens. Another person was charged in a separate complaint with the knowing transfer of fraudulent identification documents. Approximately 360 illegal workers were arrested on administrative charges as part of the operation, representing more than half of the company's workforce.

Fines for employers who allow illegal immigrants to work for them have increased by 26 percent. What tools did Chertoff give employers to help them weed out illegal immigrants? Well, he's given them E-Verify, an on-line system administered by U.S. Citizenship and Immigration Services that allows employers to check, in most cases within seconds, whether an employee is authorized to work in the United States. Some states have begun to require employers to enroll in E-Verify, most notably Arizona, where the system is adding about 1,000 new users per week.

Nationally, we are adding 1,800 new E-verify users per week. More than 54,000 employers are currently enrolled, compared to 24,463 at the end of Fiscal Year 2007, and nearly 2 million new hires have been queried this fiscal year. We are expanding outreach to Georgia and will be working in other states to increase participation. To support this work, we have requested $100 million in the Fiscal Year 2009 budget.

Have your calls to ICE gone unanswered? Not anymore. Chertoff has told Congress:

ICE Agreements of Cooperation in Communities to Enhance Safety and Security (ICE ACCESS) program, which includes training under the 287(g) program, participation in Border Enforcement Security Task Forces (BEST) and Document and Benefit Fraud Task Forces (DBFTF)....Through the 287(g) program, ICE delegates enforcement powers to state and local agencies who serve as force multipliers in their communities. As of September 30, 2007, ICE has signed 38 memoranda of agreement (MOAs) with state and local law enforcement agencies to participate in the program. Last year, ICE trained 426 state and local officers. In the program’s last two years, it has identified more than 26,000 illegal aliens for potential deportation.

ICE also has continued to expand its BEST teams to work cooperatively with domestic and foreign law enforcement counterparts to dismantle criminal organizations operating near the border. In Fiscal Year 2007, ICE launched new BEST teams in El Paso and the Rio Grande Valley, and in San Diego, bringing the total number of teams to five. These task forces have been responsible for 519 criminal arrests and 1,145 administrative arrests of illegal aliens, the seizure of 52,518 pounds of marijuana and 2,066 pounds of cocaine, 178 vehicles, 12 improvised explosive devices, and more than $2.9 million in U.S. currency.

ICE DBFTFs are a strong law enforcement presence that combats fraud utilizing existing manpower and authorities. Through comprehensive criminal investigations, successful prosecutions, aggressive asset forfeiture and positive media, the DBFTFs detect, deter and dismantle organizations that facilitate fraud. The task forces promote the sharing of information, ensure the integrity of our laws, and uphold public safety. In April 2007, ICE formed six new task forces, bringing the total number of DBFTFs to 17. These task forces have been responsible for 804 criminal convictions and 1,917 seizures worth more than $8 million in value.

In Fiscal Year 2007, ICE Fugitive Operations Teams arrested 30,407 individuals, nearly double the number of arrests in Fiscal Year 2006. The teams, which quintupled in number from 15 to 75 between 2005 and 2007, identify, locate, arrest and remove aliens who have failed to depart the United States pursuant to a final order of removal, deportation, or exclusion; or who have failed to report to a Detention and Removal Officer after receiving notice to do so. In Fiscal Year 2008, Congress authorized an additional 29 teams. Fugitive Operations Teams have arrested more than 10,000 individuals this year.

ICE also expanded its Criminal Alien Program (CAP) in Fiscal Year 2007, initiating formal removal proceedings on 164,000 illegal aliens serving prison terms for crimes they committed in the United States. ICE has already initiated more than 55,000 formal removal proceedings against additional criminal aliens in the first quarter of Fiscal Year 2008. ICE is developing a comprehensive strategic plan to better address CAP.

In addition, in Fiscal Year 2007 ICE arrested 3,302 gang members and their associates as part of Operation Community Shield. This total includes 1,442 criminal arrests. For Fiscal Year 2008, ICE has arrested 723 gang members and their associates, which is a 34 percent increase over the same period last year.

All this enforcement has not been without consequences. Secretary Chertoff recognizes the impact their operations have had on certain "economic sectors" like agriculture. He stated, "Of the 1.2 million agricultural workers in the United States, an estimated 600,000 to 800,000 are here illegally. This is not an argument for lax enforcement. Rather, we need to make sure our temporary worker programs are effective. To this end, we have joined the Department of Labor in proposing changes to modernize the H-2A seasonal agricultural worker program to remove unnecessarily burdensome restrictions on participation by employers and foreigners, while protecting the rights of laborers."

Customs has created the Office of Fraud Detection and National Security (FDNS) to enhance the integrity of the legal immigration system by identifying threats to national security and public safety, detecting and combating benefit fraud, and removing other vulnerabilities. During Fiscal Year 2007, FDNS submitted approximately 8,700 fraud or criminal alien referrals to ICE. While USCIS works through the backlog of cases, it remains committed to ensuring the preservation of high quality standards and anti-fraud counter-measures.

The nation's new naturalized citizenship test will be implemented some time this fall. It will emphasize fundamental concepts of American democracy and the rights and responsibilities of citizenship.

Integrating Physical and IT Security

On Wednesday, Honeywell issued a press release revealing that many companies are integrating physical security measures with their IT security systems. They interviewed over 50 CIOs, CSOs, and CI&SOs of major US-based global companies.
According to their release:
Most respondents indicated increased interaction between their security and IT functions:

* 63 percent said their security and IT organizations “had a formal coordination mechanism”
* 10 percent stated the two functions are run as one entity within their organizations
* 52 percent noted their security functions had a formal working relationship with their audit and compliance functions, while 11 percent said those functions are combined

Why the integration? Some might say the better question is why it has taken so long. Well, it turns out many of the respondents feel a vulnerability in either field could bring about a breach in the other. Take a look at this data:

* 91 percent of the responding companies showed an increase in security investment
* 75 percent of which said those investments increased by more than eight percent
* 31 percent suggested a greater than 12 percent rise

“This study reinforces that companies are increasingly concerned with protecting their information assets as well as their physical assets, and they recognize that integrating once-disparate systems can be effective in addressing threats,” said Jim Ebzery, senior vice president of Identity and Security Management at Novell, which recently collaborated with Honeywell to develop a converged physical-IT security system. “How they choose to implement convergence varies on a number of factors including internal roles and overall attitudes about its effectiveness.”

With all this talk of integration, the question that must be asked is, "Who's in charge in regard to a coordinated attack on both systems?"

* 34 percent said there isn’t a single internal contact
* 27 percent said the Director of Security is responsible
* 14 percent said a single CSO deals with the threats
* 14 percent said the Crisis Management Group is ultimately responsible
The study’s margin of error is plus/minus 2 percent.

If you're considering this as a career, it behooves you to get "smart" on both sides. What sense does it make to build a multi-tiered surveillance system using network infrastructures if you're not knowledgeable on the risks you face? I would hate to be you if an incident occurs on the IT side and it affects your cameras or alarms. I'm sure your boss is going to ask what measures we had in place and how they were defeated. He/she will be looking at you to communicate with IT to find out.

Tuesday, March 11, 2008

New threat

As security professionals, we're always on the hunt for the latest threat out there. The video below shows a threat which is, well... pretty unique. It appears someone on the Internet is selling plastic knuckles. They are similar to brass knuckles and cause an equal amount of destruction and pain.

Disclaimer: Watching the video, I was a bit dismayed by the lack of knowledge the reporter seemed to have about plastic and METAL detectors. He was shocked that these knuckles had bypassed the checkpoints.

TSA doesn't have a body-scanner (that we know of) at Cleveland International so its METAL detectors wouldn't detect PLASTIC. Even if it could, that would mean a lot of people would lose a lot of valuable time getting to their gates delaying air travel even more and perhaps stifling our delicate economic growth.

The best advice I have is to be aware these sorts of things do exist. You should follow the same rule I've always followed: If it looks like a weapon and acts like a weapon, then it more than likely is a weapon.




The Apprehender

Have you ever been on-scene to arrest, detain, or escort an unruly individual from a facility? If you have, then you understand how fast things can go from good to bad. If your organization has a use-of-force policy, it usually places your verbal techniques at the very top. After verbal judo has failed, what do you have left? Depending on your situation, arm manipulation or wrist locks may be unavailable. Most officers/guards would probably be looking at their non-lethals and more than likely a baton.

There's a product out now called The Apprehender. It is quite unique, with a U-shaped end where a wrist can be captured and locked into place like a handcuff. You then have the added benefit of leverage from the elongated torso of the device. It can also be used as a striking tool.

I would certainly look at taking this with me on a protest dispatch or maybe a house where I had a lot of domestic violence calls or any other environment with highly combative subjects. A subject would also have to be very good at taking away weapons to get this tool from you. Normal baton resistance techniques can't be applied due to the device's unique shape.

Some of the cons of having such a device are its size and liability. Its current size is 27" X 5" X 1.25". This is a longer-shaped baton. We're talking at least 6" above what the average officer/guard may carry. I know of departments who carry bigger. This isn't something you're wearing in the car either. You would have to store this in the trunk or elsewhere. If you've been in a police vehicle that was fully equipped, then you know how much space you have for extra stuff. If it's too big, officers may not carry it with them when they get out or they may just forget it.

You would certainly have to train every officer on its use and implementation. This should include modified striking techniques that would have to be reviewed by your department. Your department would also have to look at how the restraint functioned in conjunction with existing restraints. Nothing sucks worse than arresting some guy and realizing you're being sued for excessive force for applying too much leverage and breaking their wrists.

I welcome you to check out the video below and let me know what you think.



GREM Reaper who blows stuff up

I know this blog is about security as a profession and when we think of security (at least in the federal government) we think of badging systems, card readers, CCTV, and explosive readers as a short list of "must-have" toys. Well, check out the new breaching tool the US Army has come up with to keep troops safe from the "fatal funnel" and knock down a few doors in the process. Check out the video.



Thursday, March 6, 2008

Are iPods Causing a Crime Wave?


I've read an interesting article by the Associated Press about iPods and whether or not they're responsible for an increase in crimes. The article said a think-tank called "The Urban Institute" raised the issue last September and held a panel to further explore the idea.

The Urban Institute's argument is there was a dramatic decrease in robberies since the 1990s, but we witnessed a sharp increase from 2005 to 2006 when iPods went mainstream. The AP article states:

"FBI statistics show the robbery rate went from 137 per 100,000 people in 2004 to 141 per 100,000 in 2005 and 149 in 2006. That helped boost the overall rate of violent crime in those years, even as rape rates fell and aggravated assault was generally flat. During those years, iPods were going mainstream. In late 2004, Apple had sold about 5 million iPods. By the end of 2005 that had ballooned to 42 million, and in 2006 the number neared 90 million."

The think-tank believes the sudden surge of such a lucrative and portable consumer electronic good as the iPod increased the three factors of crime: a motivated offender, a suitable victim, and no natural observers or other significant deterrents.

Some of this makes sense when you think about it:

"Motivation: The IPod's several-hundred-dollar expense and pop-culture buzz made potential thieves, especially young ones, crave the device for themselves or for a lucrative resale market. Suitable victims: People listening through the iconic white earphones are easy to pick out and often unaware of their surroundings. Easy to get away with: IPods lack a mechanism that would pinpoint a thief's location or a subscription that could be canceled by the rightful owner."

I agree with the article's writer that there are quite a few holes in this way of thinking. For example, the report completely ignores the idea that thieves would have taken something other than an iPod and had been doing so before the iPod. What about a Playstation Portable or Nintendo DS? Some of the more commonly stolen items, in some of the communal settings I'm familiar with (military barracks and college dormitories), are laptops and digital cameras. iPods are there as well, but rarely have I ever questioned a thief who said he tore apart a room looking for an iPod.

The writer also looks at the definition of a robbery versus a larceny. Robbery is the taking of another person's property by force or threat of force. The report only blames the iPod for a surge of violent crime (robberies and murders based on failed attempts to rob iPods).

Here's what I think: iPods take away a sense of situational awareness that people need to be able to use to adequately defend themselves against predators. Have you ever been jogging with your iPod on and lost track of time and space? What this says to any predator is that you're not paying attention to surroundings and an ambush would be easy. While I don't believe the iPod is solely to blame for the increase in violent crimes, I do believe it is a "critical indicator".

It's one of the reasons I'm beginning to like the Taser C2. If a would-be robber sees you with earphones and thinks of you as a target-of-opportunity, then at least the C2 will buy you time to stop the attacker, run somewhere safe, and get the police.

The Urban Institute's paper (in PDF format):

http://tinyurl.com/2euem5

Apple's patent filing for anti-theft locks:

http://tinyurl.com/yv6oa2

FBI crime statistics:

http://tinyurl.com/2ojwvd

Wednesday, March 5, 2008

Off-duty Tasers


Ladies and gents,

As I was perusing Amazon, I wanted to see if they had any of the personal use Tasers. Well, it turns out they do. They're called "TASER C2 - Black Pearl Personal Protector". They're priced around $350.00 and are small enough to fit in a map case or combat purse ("handbags" for the ladies). For those of you who haven't seen one of these in action, I've attached a video clip of their infomercial.



I know when this first came out there were some in our industry who had their trepidations about this. Once law enforcement began to use this, more and more people began to see the "pros" of having one of these in their arsenal. Personally, I believe a Taser should be used in accordance with strict "objective reasonableness" standards. There are several consequences for not following these guidelines, both civil and criminal.

I suspect as more of these "personal use" Tasers are manufactured, we in the security industry are going to see more of them as well. I caution all security managers and project coordinators to consider certain risk assessments before you proceed and buy a few for your agency. If your folks aren't properly trained and selected, you could be faced with some serious problems. We have to caution our people this weapon is a weapon and not a toy. It should also be used as a last resort due to its potential lethality. There have been deaths which some attribute to the Taser, but we won't cover that here as it's a whole other topic.

Now that I've mentioned the "cons", let's talk about the "pros" of owning one of these for both personal and professional use. Imagine your wife or other loved one going on a jog when an attacker approaches them with an edged weapon. This weapon is capable of stopping that attacker and buying your wife or significant other some time to escape. On a professional note, a guy in HR called to report a disgruntled former employee still on the grounds swinging a bat and breaking things. You've tried verbal judo along with a show of force with no results. By the way, there was a school shooting about 10 miles away and the cops are tied up. You have to get this resolved soon. I can tell you once a "bad guy" sees this being pulled out and deployed, their disposition changes. I imagine mine would too.

I'm no fan of the MP3 version, but I do think some people have taken this the wrong way. Taser incorporated that feature for the consumer I mentioned above who follows an active lifestyle. Many women are abducted or raped by strangers while jogging/walking along isolated paths. I do believe the MP3 feature would take away some situational awareness though.

I plan to post a poll to get your impressions of this product. Please, feel free to share your ideas now.

Tuesday, March 4, 2008

Microsoft's Reply To Encryption Weakness

Well, it appears Microsoft says the vulnerability with encryption key programs isn't with software makers. They say it's with us. According to SecurityFocus, "A number of simple changes will make sleeping laptops immune to having their encryption keys filched from memory, a Windows Vista security expert said last week."

The article quotes a Microsoft senior product manager for Windows Vista security, Russ Humphries as saying on a company blog,

"The thing to keep in mind here is the old adage of balancing security, usability and risk. For example BitLocker provides several options that allow for a user -- or more likely Administrator -- to increase their security protections but at the cost of somewhat lowering ease-of-use."

It should be noted it was Mr. Humphries' program, BitLocker, that was mentioned along with others in the report as being vulnerable to this hack.

UK Card Readers Hack

According to SecurityFocus, an e-zine which focuses on electronic security issues, UK merchants have a problem. It sounds like a pretty significant problem with their card readers. SecurityFocus' article says that when credit cards are scanned through the readers the information is not encrypted and thus readable by anyone with access to the data stream from that reader.

The University of Cambridge discovered PIN entry device (PED) vulnerabilities that allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards.

For those of you unfamiliar with the UK's debit and credit setup, I'll explain. Let's say I go to a restaurant and purchase a dinner for two costing a certain amount of money. The waitress brings out a portable card reader with which, instead of scanning, she can take your debit or credit card from a UK bank and place the card, which is embedded with a chip, inside the reader. Then the transaction proceeds like it does everywhere else. The readers then transmit the card information through a wireless connection. Catch where I'm going with this? If not, continue reading and you'll get it eventually.

According to SecurityFocus, the researchers stated the vulnerabilities in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

This is not just a UK-only vulnerability. There are all sorts of vulnerabilities with card readers all over the world. If the card information isn't encrypted on the merchant, purchaser, and bank ends, then there will always be a vulnerability.

Update on DHS Fencing Project from DHS

Well ladies and gents, it appears the Department of Homeland Security got a bit upset at the Wall Street Journal for its article I mentioned earlier. This is the DHS's reply:

The Wall Street Journal Inaccurately Asserts That First 28 Miles of the Virtual Fence Will Be the Last: "But the problems that have plagued the high-tech barrier mean that the fence's first 28 miles will also likely be its last. The Department of Homeland Security now says it doesn't plan to replicate the Boeing Co. initiative anywhere else." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)

But, P28 was a proof of concept and a building block. It was never intended to be replicated across the entire border: “Let me remind everybody, of course, the border is not just a uniform place. It is a very complicated mix of different kinds of environments -- ranging from urban areas, where the distance between the border and a major transportation hub is measured in maybe less than a mile, to very remote and desolate rural areas or wilderness areas, where there's really, frankly, quite a bit more distance to be covered and therefore a lot more flexibility in how and when you interdict those crossing the border. That's why SBI Net, as a critical element, has been designed to be a flexible tool. It is not a cookie cutter approach. What applies in one stretch of the border is not going to be what applies in another stretch. What will be common, however, is that all of the stretches and all of the tools will be integrated and bound together.” (Transcript of Press Briefing by Secretary Chertoff on the Awarding of the SBInet Contract, 9/21/06)

It's an out-of-the box concept: "I would say it is a partial model for the future. I think that it was a concept. We wanted to make sure that, A, there's the basic concept functionality work and, B, the thought was to give the contractor an opportunity to present something that essentially thought out of the box, that wasn't just a follow-on to the traditional way of doing business." (Senate Homeland Security and Governmental Affairs Committee Hearing on the Fiscal 2009 Budget for the Department of Homeland Security, 2/14/08)

And, we'll use more technologies at the border: "…by the end of this calendar year, we will be a 670 miles of barriers. Plus, we will have deployed 40 what we call mobile surveillance systems. That is ground-based radar. We will have our P-28 system, and begin to employ other camera-based and sensor-based systems…we will have substantially put either real or virtual fencing or barriers across the entire border." (Secretary Chertoff at a House Homeland Security Committee hearing on the Fiscal 2009 Budget for the Department of Homeland Security, 2/13/08)

The Wall Street Journal Claims That DHS Will Be Mothballing the Concept Behind the Virtual Fence: "The effective mothballing of the concept is a setback for the government's border-protection efforts, an embarrassment for politicians backing the idea of an electronic fence and a blow to Boeing, the project's designer." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)

But, that's wrong: Technology used for P28 will continue to be deployed along the border. In fact, the FY09 budget requests $775 million for SBI to continue the development and deployment of technology and tactical infrastructure on the border.

The Wall Street Journal Erroneously Reports That DHS Issued Boeing a New Contract to Fix the P28 Common Operating System: "In early December, the government said it was closing in on taking delivery. But that same month, the government gave Boeing another $64 million contract to fix the "common operating picture," which lets agents in vehicles see imagery from the towers' surveillance systems." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)

But, this contract was to develop the new Common Operational Picture and to enhance systems capabilities for future deployments as initially planned. ("DHS Moves Forward on Border Fencing and Technology Improvements", December 7, 2007)


All I have to say is, "Wow!" I understand this was supposed to be just a "proof-of-concept" to see if this would work across the board. And I don't think this was supposed to be our only line of "defense". But I do think DHS has to step up the deployment a notch. If it's working like Secretary Chertoff says, then let's get this thing rolling.

According to most immigration watchdogs and other concerned parties, every day wasted testing or delaying is another day wasted keeping bad guys out. If I live in a really bad neighborhood and all I have is a big mean guard dog and pistol to protect my home, this may work to some extent. It does not keep intruders from gaining entry in the first place, may not achieve the results I had intended, and opens me up to substantial liabilities.

While I welcome the idea of a "virtual fence", I believe we have to have other means to secure our borders. In addition to new technologies, we need new tactics and methodologies when dealing with our current immigration debacle. That's the end of me being political but I hope you get the picture.

Saturday, March 1, 2008

Google Hacking Tool

Now, I'm all for Google. I mean they've given me a blog and all sorts of other cool things like unlimited mail and an awesome task/reminder service. But there are moments when their technology, well, sort of scares the heck out of me. My membership with ASIS has proven invaluable once again. An article written in Security Management talks about another tool hackers have come up with to make finding vulnerabilities that much easier.

According to SM, "The new web auditing tool is known as Goolag Scanner, which uses Google's search engine to scour the Web for passwords and security holes."

The tool comes from a hacking group calling itself Cult of the Dead Cow (cDc). This is the same group who created a little program called "Back Orifice". Sounds a tad bit perverted, but I can assure you the IT departments and users this little software caused grief didn't think it was a laughing matter. "Back Orifice" created a "back door" for hackers to remotely control any computer they gained access to.

Scared yet? Well, don't go calling IT in a panic yet. It turns out that this tool just uses Google to sniff out information you and I could find ourselves through Google. It would just take us a lot longer. Why is this something not to worry about? Because this program can tell you what hackers may already know about your setup and you don't. What is that exactly? How secure your website is.

According to cDc, they realize this threat and it's the reason they created it. "It's no big secret that the Web is the platform," said cDc spokesmodel Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

It turns out DHS was made aware of the vulnerability a few weeks ago according to Ruffin. Security experts are now taking a look at the software to ascertain where they're vulnerable.

For now, let's make sure you're doing the same. Check out the article here. InformationWeek's article can also be found here.

Friends, Neighbors, and Professionals

I'd like to introduce two awesome professionals that I've gotten to meet either in-person or online. The first person is a guy I met at what used to be called the Tactical Entry and Explosive School in Memphis, Tennessee (now called Olive Security). His name is Lance Harris and he is one of a few people I've met who I can say is a true executive protection professional. I've known Lance for over 5 years and I know he's always looking for training and special duties to enhance his professional pedigree (not that he needs it). I'm sure if you asked him he might tell you some ridiculous story about me and some rental car almost careening off a highway exit ramp. He's also one of a few that I can say is "100% bona fide been-there-done-that". He currently operates Spartan Consulting, which is a target hardening, executive protection firm. Lance can be found at either http://www.tacticalforums.com or at http://www.spartanconsultinggroup.com/.

The last guy I'm going to mention is Bryan Cox. Like Lance, I know Bryan through TF. He, like Lance, is "good-to-go" in my book. He's one of the moderators there and manages to keep the "riff-raff" down. He has a blog as well at http://desotosecurity.blogspot.com/. He operates a security consulting firm called Cox Protective Services. Please check him out here.

This is not a complete list of guys who are "good-to-go". These are two who have consistently given me feedback and advice in my journey through the field of security. Should you ever need advice or a good idea or two, I recommend these two (and others).
