Monday, September 26, 2011

Really, really excited....


Sorry, it's been so long folks but I've been a bit busy this week.  For starters, my request to test and evaluate products sold by Victory Defense was granted and we'll be taking a look at a few gadgets with security applications.  One such gadget is a tactical flashlight with video and audio recording capability!  Now, do you see why I'm so excited?  Secondly, we'll have articles about behavioral video analytics versus rules-based analytics.  If you've been following my Twitter feed, you probably noticed I was quite curious about the difference between the two and what failures behavioral analysis has.  I'm going to attempt to get a hold of someone at BRS Labs, the company on the forefront of behavioral analytics, to discuss this more.  We'll also have a commentary on what I perceive to be the most prevalent source of failure in any security program.  I conducted a poll on LinkedIn about a month ago regarding this very issue and the responses I got were quite surprising and enlightening in many respects.  Finally, I also hope to have an interview with an Executive Protection agent to discuss their journey into the field, the types of projects they've done, and where they see this subsection of our industry going.  As an added bonus, I'll be publishing a video on last week's topic on proper ways to search/inspect bags in a security environment.  As you can see, I've been a bit busy getting content.  It is my goal to move towards more original content.  So stay tuned and welcome back to The Security Dialogue.

Tuesday, September 20, 2011

100th Blog Post and Book Review: Ghost in the Wires



For our first book review, we'll be looking at Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.  This is the first autobiographical work of a hacker-turned-security consultant I've ever read.  I could hardly put it down.  The book takes us through Mitnick's journey from being a ham operator to some of his most famous and infamous hacks.  What was startling to learn was the absurd nature of the comments levied against him.  One law enforcement official declared he could "launch ICBM's (inter-continental ballistic missiles) by whistling into the phone".  Seriously?

Mitnick was candid about his first marriage and how he naively trusted his hacking partners not to "rat" him out when in fact they did.  He also had no qualms about letting the reader know he has since established relationships with some of his pursuers.  Most interesting was how much information he had gathered in his own defense.

The revelations of what they perceived he was capable of and what he actually did were often very different.  I found it illuminating that Mitnick would mention hacking had become an "addiction", as he never sought profit or fame for his hacks.  I recall seeing the "Free Kevin" bumper stickers once he was captured and wondering in astonishment how people could be demanding the release of such a dangerous person.  I regarded Mitnick as a person who sought to damage information systems or steal data outright.  What I didn't know was Mitnick did neither.  Hacking was a puzzle with dangerous consequences he became addicted to.  I realize not all hackers are like Mitnick; some are in it for nefarious reasons and should be treated as a threat by any security entity.

Perhaps the most telling part of his book is learning he was great at phone system hacking, otherwise known as "phreaking", but his specialty lies in "social engineering".  "Social engineering" is the use of pretexts and verbal manipulation to gain access to systems through human interaction.  Basically, he "conned" people into believing he was someone he wasn't to get access to all sorts of information which aided his hacking pursuits.

Overall, if you're looking for a real "page-turner" with interesting characters and an honest portrayal of Mr. Mitnick and his journey, I HIGHLY recommend this book.  In celebrating this book review and our 100th post, I'm offering a $25.00 Amazon.com gift certificate to the person who can solve this message:

Lfd ran cqn ydtxl jveena ofa 6bc sffx anivnj ofa Pqfbc ve cqn Jvan.   

To claim your prize, email [email protected] your answer.

Saturday, September 17, 2011

The nominee for worst bag check is....


If you're like me, you can't help but to check out the security wherever you go.  Perhaps, another person wouldn't have noticed or cared about a recent encounter I had during a visit to an amusement park.  I won't name any names but let's just say I was "less-than-impressed" by what I saw as an egregious breach in standard security searching protocol.

While entering the park, every visitor is subjected to a bag search.  The searcher in this instance was very consumed by a conversation he was having with another patron.  As a matter of fact, he never took his eyes off that patron while he frisked my bag.  He placed a small wooden rod commonly used to probe bags for contents behind my bag while he frisked it.  In my professional career, I have never seen such a cursory search of a bag.

The bag in question...Notice the large pocket towards the rear...

Here are the problems I noted with the search:
  1. He never looked at the bag he was searching.  Hopefully, had he seen the bag, he would have "clued on" that the bag has multiple pockets with a large one in the rear.  This particular bag is a Maxpedition Versapack Fatboy.  It was designed to carry a small amount of gear during the day and to look as "civilian" as possible.  The most important pocket for any searcher of this bag is the rear pocket because it holds an internal holster for a small handgun for concealed carry (I wasn't packing this day).  The searcher completely missed this pocket.
  2. He never looked inside the bag.  The major interior pocket has enough room for a digital camera, an iPod, a camcorder, two or three grenades...You get the picture.  Had he looked in the bag, he would have noted his stick wouldn't have told him much.
  3. He was so engrossed in conversation he never noticed any visual cues such as the look on my face when he began frisking my bag.  As you can imagine, it was not a happy look.  Most professional security searchers will tell you the search and the level of searching you conduct on an individual item often depends on visual cues you get from a subject.  Nervous glances, jittery hands, profuse sweating, shifty eye movement, etc. are all what we in law enforcement call a "clue".
  4. There was a failure to acknowledge me and start a small but necessary conversation.  These "conversations" provide a searcher his first clues as to what your intentions are.  This is customary to an entry control situation and you almost expect it whether it be at Customs or with TSA.  The gate guard at the ballpark even does it.

I understand and can appreciate why parks conduct such cursory searches.  It frees up the lines, gives the perception they're being aggressive about security, and it gives them an opportunity to detect potential profit-stealing items such as "outside" commercial beverages and alcohol.  I get it and support it wholeheartedly - when it's done correctly.

I have several issues with this, though.  It lulls security and park personnel (management) into believing there is an additional layer of security which in effect never existed because the search isn't geared towards a security threat.  It also fails to address the likelihood of an attack on park property and guests.  A slightly more thorough search could detect such threats.  Finally, cursory searches for contraband only allow your searchers to focus on one thing only - line congestion.  What happens if you miss a gun and there is an attack?  You gave an impression you had security and yet you failed to detect a gun and admitted the attacker into the park.  Two words depict the place you find yourself in: LITIGATION HELL!!!



So what are my recommendations?
  1. Post the items you consider contraband (please include guns, knives, grenades, etc.) and showcase "found" items in a display case.  This puts potentially disruptive guests on notice that you will be looking for those items and escorting them off the park should you find them.  There may be some resistance and you may detect your fair share of "bad" stuff so have a local deputy there just in case.  This is also a great psychological deterrent.
  2. Get rid of the probe.  You're not finding anything using this method.  Just because you jab a rod in my bag once or twice doesn't mean the bag is "good-to-go".  Open the bag and see what you're probing.
  3. Conduct random full searches of bags.  This puts the "bad guys" on notice you're taking security seriously.  This works great against terrorists as they can never tell if they're going to be the random number.  It also allows you to clear up lines and avoids charges of profiling.  The military has phenomenal success with this method.
  4. Address training and quality control AS SOON AS POSSIBLE!!!  Training has to be conducted semi-annually on searching techniques and behavioral cues.  A great source to reach out to for this is Homeland Security.  Oftentimes, they can provide the training without significant costs.  Plus, it looks impressive to management and your investors (the real bosses).

I didn't want to name the park because I know this is a systemic problem with other mass gathering locations throughout America.  We often engage in "security theater" and assume our methods are keeping "bad" people away.  It isn't until our guys miss one bag and allow someone in who shouldn't have gotten through that we realize our methodologies are flawed.  If you're in the business of protecting these parks, please ensure your park never wins the award for "Worst Preventable Tragedy In The History of Amusement Parks".  Your guests, the public, security personnel, management, and investors are counting on you to never miss anything.

Monday, September 12, 2011

Commentary: Have we "evolved" beyond incarceration as a punishment?




Have we gotten to a point as a civilization where we have "evolved" past incarceration as an effective means of crime deterrence and punishment? During a course I'm taking on corrections, I posed this question to my classmates. I am beginning to be of the opinion that we are getting close to seeing incarceration as being neither punitive nor rehabilitative enough for certain offenders. How can it be when our culture glamorizes abhorrent behavior and has created an outside "culture" where our norms and morals are seen as inconsequential? We tend to think of punishments in terms of these values. Most law-abiding citizens enjoy freedom. Criminals place little value on freedom or the rewards of a compliant and peaceful lifestyle. So why do we structure our punishment towards them with this value? As my favorite Vulcan says, "It's illogical."

I'm not opposing incarceration for certain violent offenders. However, I firmly believe "jail time" for crimes against property and certain misdemeanors has become extremely costly and offers very little restitution for its victims and the community. In other words, "the punishment doesn't fit the crime".

So what do I propose? The time has come for our society to reexamine our criminal justice system and assess whether our expectations are realistic enough. I would surmise we would conclude those expectations are too high given the diminishing resources dedicated to eliminating crime. With budgetary cuts in rehabilitation programs and correctional facilities, we have attempted to solve our "crime problem" with a minimalist attitude. In other words, "there is money in the treatment and not in the cure".

Our national conversation needs to move beyond the "lock 'em up and throw away the key" paradigm and into one where we contemplate alternative punishment/rehabilitative environments. What are your thoughts?

Sunday, September 11, 2011

Ummm...I think it's safe to say someone might get fired for this one....

Boys and girls, this is something you should NEVER EVER EVER EVER do.....During tonight's Redskins' post-game interviews, this little gem was revealed by one of Fox News' cameras....And blasted all over Twitter.....Safe to say, someone probably got fired....


Friday, September 9, 2011

Survey says.....

Please, take a few minutes to answer my survey and provide whatever commentary you want below.



Unfortunately, the Boogey Man still lives under our beds

This, ladies and gentlemen, is courtesy of Al Jazeera. It's a part of a series of articles and commentary on the 9/11 anniversary. What I find most poignant is that, with all our efforts to successfully target and eliminate their principal leadership, AQ is still a very viable threat to security, particularly if you're in the business of mass gatherings. Their appetite for "soft targets" is almost perpetual and is core to their preferred modus operandi - the improvised explosive device. I digress. This map is a great visual tool for any security professional.


   
View Major al-Qaeda attacks worldwide in a larger map

Small Hiatus

Folks, it has been a very long time since I've written anything and for that I sincerely apologize. As you can imagine, I've been extremely busy. Fret no more, I will earn back your readership by posting once again. Over the next week or so, I will post reviews of Ghost in the Wires by Kevin Mitnick and Social Engineering: The Art of Human Hacking by Christopher Hadnagy as well as original content articles on topics covering my theories on return on investment (ROI) for security practitioners, the upcoming ASIS 2011 convention, and various commentaries on successful (and some not so successful) threat/risk management methodologies I've come across this week. Stay tuned. I have my plate full with getting you guys back but I'm up for it......
