Tuesday, February 25, 2014

Opinion: Your Gun Is An Equalizer

Source: Gunsandammo.com 

Folks, it is no secret I love guns. I love shooting them. I love learning about them. I love talking about them. That being said, I also recognize their limitations in the hands of the untrained and the overzealous. However, I came across this article while perusing my emails this morning and it has me FIRED UP! That's right. I'm pretty upset with this.

I'll address a few points made in the article:
  1. The author attributes a quote a female professional boxer and concealed carry holder, Christy Salter Martin made in an article in The Atlantic. She says, “Just putting a weapon in the woman’s hand is not going to reduce the number of fatalities or gunshot victims that we have. Too many times, their male counterpart or spouse will be able to overpower them and take that gun away.” It is no big secret as well that I was a police officer in the military for a number of years and am now a criminal defense investigator currently. My stepfather successfully defended a woman who used a gun against an abusive husband in 1992(?). She had no trouble leveling the gun at her husband who was facing her and pulling the trigger. I have known several women also engage their husbands and strangers with guns with great efficacy. Women have had guns for quite some time and a many of men who thought they could overpower them and take their guns are now six-feet deep wishing they hadn't tried. 
  2. The author claims to be a lifelong shooter and has since changed her former stance on believing having a gun could help her defend herself because a professional boxer told her and the rest of the world how she got shot with her own gun. Let's get something straight. Being a professional boxer is a difficult occupation and I'm taking nothing away from that. Ms. Martin was stabbed and shot in a brutal attack by her then-husband. The details are pretty gruesome. In no way am I disputing Ms. Martin's claims of her attack and why she feels the way she does. She has earned the right to have such an opinion. However, I would suggest her attack supports my supposition her attacker may have had an advantage over her because he had a knife. Contrary to what you've heard, bringing a knife to a gun fight against an under-trained gunslinger is not a bad idea. Ask any police officer how long they keep their gun out before actually pulling the trigger in any lethal situation and you will be amazed by how staggeringly short the time is. If I recall from training I received as a military law enforcement officer, your reaction time with someone wielding a knife is very short. This article explains it better than I can. However, being a professional boxer and a concealed carry permit holder does not in any way make you an expert on whether all women should have guns in their home. 
  3. The author provides no source for a quote about data she uses to substantiate her point. When I mean she used "no source", I mean she didn't bother to cite a single source of where this report came from. She didn't bother to say the quote came from the article Ms. Martin had written. Read for yourself: "A recent study found that women with access to firearms become homicide victims at significantly higher rates than men, and 84% of all U.S. females account for all the firearm victims in the developed world. Chilling stats, wouldn’t you say?" No, ma'am. What's chilling is your seeming lack of integrity. Since grade school, all writers have had it planted in their brains to cite sources. Yet, you can't name one for your reader to check your facts except Ms. Martin's article? You even quote the President of National Rifle Association without giving us one place where he is seen saying it. At best, this is just laziness. At worst, this is an industry website doing very dangerous fact-checking. Chilling, indeed. 
  4. Both articles fail to acknowledge the impact which proper training could have. Seriously, not one mention from someone who had successfully completed a weapons retention course who used the techniques taught was cited. How about the reluctance of some female victims who may have been afraid to pull the trigger? How about a report on the totality of circumstances? What other tactical advantage did the attacker have? I'm not victim-blaming. I'm just asking for more factual data which provides more context than just numbers. 

Here are my thoughts:
  • Having just a gun as your means to defend yourself is foolhardy. Seriously, if you own a gun, you should also be equipped with knowing how to retain it in any confrontation just like any police officer would. Cops don't lose guns in fights for a few reasons - good holsters, good training, and a proper survival mindset. I have long felt concealed carry holders can be quite irresponsible in this way. Many of us are good people who just want to protect our homes, families, and our neighbors. As I have also said in the past, good guys are terrible for thinking how bad guys think. They believe just drawing the gun will make any person stop the action of attacking them or others. They fail to equate for the determined bad guy who doesn't care. In that situation, good guys often fail to pull the trigger for a variety of bad reasons. I also believe this lack of competence in weapons retention has contributed to many high profile shootings to include the shooting of Trayvon Martin. I firmly believe had George Zimmerman been better trained to hold on to his weapon and knew how to adequately defend himself with other tools than a gun, perhaps (and that's a big "perhaps") Trayvon Martin would still be alive. 
  • If you're the publisher of an industry magazine or newsletter, particularly one in security, you have a duty to ensure you report all of the facts and to properly cite them. Doing so, ensures your readers who are supposed to be professionals in the field can check your references and dig further into the material. I do it here. Am I perfect? No, I get it wrong sometimes. I sure did when I first started this blog. Then again, I'm not being paid to cite facts. You are, though. Doing this lets us readers know if you are a source we can trust. Based on what I have seen thus far in both the article and credentials of its staff, I will no longer trust Security Today.

Monday, February 24, 2014

Jim Stickley Demonstrates How to Bypass Home Alarms [TV] by Jim Stickley

Jim Stickley of TraceSecurity demonstrates the issues with home alarm systems.

Recording Fingerprints for Ten-Print Submission by PublicResourceOrg

The program shows the FBI recommended techniques for collecting fingerprints on the ten-print submission card. Discusses the characteristics of fingerprints, various collection mediums, rolling procedures, medical circumstances, and card preparation requirements.

Physical Security: An Ever Changing Mission by PublicResourceOrg

This video provides an overview of the evolution of physical security measures, due to increased criminal activity, and outlines pro-active strategies and physical security techniques used to augment the traditional reactive responses to crime.

Defcon 18 - Physical Security Your doing it wrong- A.P. Delchi - Part.mov by killab66661

LayerOne 2012 - John Norman - Physical Security: Bridging the Gap With Open Source Hardware by noid23

This talk will be a follow-up to last year's overview of physical access control systems and the vulnerabilities and challenges associated with implementing them. Highlights include new research on DIY access control, fusion of off-the-shelf sensors and other cheap technology to maximize physical security and minimize false alarms, and a new project involving the Raspberry Pi physical computing platform. Additionally, a series of new open-source security monitoring and interoperability protocols under development will be discussed. Sample code using the Arduino IDe will be provided, along with links to a wiki with reference designs and protocol standards.

DEFCON 14: An Analysis of Current and Emerging Threats to Physical Security by Christiaan008

Speakers: Marc Weber Tobias, Investigative Law Offices, Security.org Matt Fiddler, Security Consultant - Security.org 

Although there has been a significant amount of attention paid to the topic of late, there are complexities that must be understood to accurately gauge the impact of "Bumping Locks" on physical security. This talk will explore the vulnerabilities and exposures of virtually all pin-tumbler locks, highlighting the legal issues surrounding the possession and use of bump-keys and bumping implements. Case examples and demonstrations detailing a major security flaw and vulnerability in locks used by the federal government and a private sector corporation that affect millions of users will be presented. For more information visit: http://bit.ly/defcon14_information To download the video visit: http://bit.ly/defcon14_videos

The Duhs of Security by Virginia Government

This security awareness video was developed to promote simple changes in behavior that will strengthen the security of Commonwealth information.

Seaport Security by PublicResourceOrg

DEF CON 16 - Eric Schmiedl: Advanced Physical Attacks by DEFCONConference

Your stack is smash-proof. Your dumpster is fully alarmed. And your firewall is so secure that it has former Soviet officials green with envy. So why are the developers finding their undocumented features in competitors' products, or company executives on a constant hunt for leaks and traitors? There's a whole lot more to doing an end-run around network security than calling up and pretending to be the help desk or hoping someone chucks a service manual in the trash Professional attackers with specific targets have a whole rash of techniques -- from using targeted employees to hiding microphones -- adopted from the world of espionage, and this talk is all about how they do what they do. Eric Schmiedl has spoken on access control systems at BlackHat 2007 and safecracking at DEFCON 14. He is a member of the TOOOL.US Board of Directors, maintains a semblance of an undergraduate career at the Massachusetts Institute of Technology, and has been picking locks all his life. For copies of the slides and additional materials please see the DEF CON 16 Archive here: http://ift.tt/1mDLlZ8

Tactical Walls: Covert Arms Storage

Sunday, February 23, 2014

INFOGRAPHIC: Charateristics of a Burglar

The State of Aviation Security

I have often said our biggest vulnerabilities can be found in places where people congregate. Human targets are often selected by bad guys simply because they are part of a crowd. This goes against our natural instinct to believe bad actors won't pursue us in a crowd and will wait until we're alone. This is true for some attackers. However, terrorists and active shooters pick crowds because our intolerance towards suffering any casualties makes a target-rich environment like a mall an almost irresistible target. The meme above personifies how often we protect against the last known vulnerability and losing sight of the vulnerabilities we create or ignore.

Here's the scene of a major airport's TSA screening area. Notice the crowd aka potential targets.

Thursday, February 20, 2014

VIDEO: Using NFC Tags In My Car

I decided to do this project because I felt I had a few security vulnerabilities with respect to my vehicle. There are plenty of things I can do to perhaps prevent an attack on myself in my vehicle. That is a fool-hearty goal at best. Prevention of any crime is difficult to measure. We assume crime is prevented by the things we do but we have no idea as to whether the threat ever went away. Our best course of action, then, is to think about mitigation. In other words, we seldom plan for WHEN the attack or emergency will occur. In this scenario, I felt I a great mitigator would be the use of a discreet mechanism alerting authorities and other concerned persons if I found myself in an emergency. I felt NFC (near field communication) tags would be best, since my phone is an integral part of my travels in my vehicle. Placement of course was key, so I positioned the tag just below where I keep another tag that commands my phone to turn on my map an increase its brightness. The duress tag alerts the authorities and tweets out a duress message to friends and followers on social media. As you can see from the video it is place in a way where I can't accidentally activate the duress command. Imagine a scenario where the phone is mounted on the phone holder while I'm carjacked. The bad guy asks for the phone and I have an opportunity to grab the phone and place it on the tag for a second to activate my duress. I stall the attacker until the authorities arrive. I set the phone to activate the duress with the screen locked out when activated with no speakers on and only the microphone working.

Here is the pic of where my tags are located inside my vehicle:

A couple of great links to where you can buy some tags.



There are also a number of apps to use. I use Trigger. See the link below to download it from the Google Play Store:


The thing about NFC tags is they are very inexpensive and relatively easy to implement. Almost a perfect security tool when properly used.

To learn more about NFC tags:


Be sure to check out my blog for my DIY security projects and security related topics - http://blog.thesecuritydialogue.org

Wednesday, February 19, 2014

Why Attacking The Grid Became Hip & What We Can Do About it

In April 2013, a group of armed men attacked 17 Bay-area power substations in an effort to presumably disrupt power to neighboring business. The attack was carried out using 7.62 rounds which are commonly used in AK-47s (and its variants) as well as numerous other rifles namely certain sniper rifles such as the M-24 depicted below. The attacks were said to be carried out with military precision as the attackers both shot at the transformers and breached the underground area where various power cables were located.

I've also attached the surveillance video of these attacks so you can get an idea of how they occurred.

Much has been pontificated on exactly who could have carried out such an attack. Former Federal Regulatory Commission Chairman John Wellinghoff stated he believed the attacks were a "terrorist act" even though the FBI has said to various media outlets they don't see any evidence of that now. As an investigator and a former military police officer, I can tell you when law enforcement says they "don't see any evidence supporting that", that does exclude any suspicions they might have. My preliminary guesstimate is the FBI has some idea as to who the perpetrators are especially given the investigation is several months old and we're approaching a year since the attacks occurred.

I have heard from various sources this was the work of animal rights groups or environmentalist, given the target selection and court convictions of members of those groups in attacks against similar targets despite the methodology being completely different from the Bay-area attacks. For the record, I completely disagree with this supposition, as it eliminates several other groups who are just as capable and have just as much stake in pulling off this kind of attack. As a matter of fact, I find it odd those who suspect environmentalist/animal rights connections would ignore the attackers would choose a methodology using firearms which goes against one of the strongest weapons going for them - the lack of human casualties and kinetic attacks which harm human beings. Think about what I'm saying here for a second. Why would you bring a gun to an op where you could be discovered by law enforcement if the weapon isn't going to be useful as a defensive weapon against them? Also, any of these groups would have to account for the damage done to their public image if discovered with sniper rifles. It certainly makes it easy for their opponents to call them "enemies of the state".

What I surmise, rather amateurishly, is the perpetrators brought guns to do the damage and possibly, engage responding law enforcement. Thankfully, the latter never occurred I suspect because the suspects believed they had done enough damage. I am also of the opinion this was a dress rehearsal for a larger scale attack. Many groups do a dry-run before a major attack to test how the target and responders react. We see this all the time with bomb threats called in weeks before an attack. No suspicious device is found at first as the subjects observe reactions. They then rework the plan and decide whether to order another test. I know this because this is how I was taught to plan operations in the military and I suspect whoever is behind these attacks was taught the same lessons.

So why the power plants and why sniper attacks? Quite simply, because the security industry and our government partners have been discussing this since 2002. We've consistently asked that critical infrastructure beef up its security. Additionally, a report was done by the National Academy of Science describing the probability for success of a sniper attack against transformers. One could use the CARVER matrix to determine this is perhaps the more likely of any probable attack against critical infrastructure nodes. This is partially because of the ease of access to the target, lack of security at the target, its criticality (it is vital to the target's mission), and its recoverability.

My summation is the attackers didn't have much experience as a group with kinetic attacks and may have used this attack as a means to demonstrate some proof of concept. Whether there will be more attacks is still unknown. Given the hype surrounding this one, they may try again.

Here's what I propose power companies can do to protect their substations:
  • Add 10 foot fencing around the perimeter of substations, ensure fence is encased in concrete at the bottom to prevent digging under the fence, and configure the barbed wire in a Y configuration.
  • Have a roving armed security unit patrol actively in the area of transformers and substations conducting periodic but random security checks of the area. Have a randomizer pick the days and times of these attacks on a daily basis. Never keep the same schedule.
  • Consider feeding the substation's closed circuit television feed into your state's emergency management agency or fusion cell incident management consoles.
  • Emplace barriers throughout the avenues of approach to disrupt potential vehicle traffic to the substation. 
  • Consider placing armoured steel on the transformers and other critical areas.
  • Consider using seismographic security sensors and magnetic sensors along various vantage points.
  • Conduct a foot patrol in the area as a part of your random checks I mentioned earlier. 
  • Conduct a red team exercise yearly on your facilities to ensure personnel and security operators understand and implement sound practices to secure your assets in an attack.
As a caveat to the recommendation above, I fully realize this is not a fully comprehensive plan. The idea is to demonstrate how the power companies can implement various measures which are relatively less-complicated than might be assumed. If you have other recommendations, please post them below. I'd like to hear from folks from all over the industry.

About Us