Sunday, October 2, 2011
Good, but no cigar....
Monday, September 26, 2011
Really, really excited....
Sorry, it's been so long folks but I've been a bit busy this week. For starters, my request to test and evaluate products sold by Victory Defense was granted and we'll be taking a look at a few gadgets with security applications. One such gadget is a tactical flashlight with video and audio recording capability! Now, do you see why I'm so excited? Secondly, we'll have articles about behavioral video analytics versus rules-based analytics. If you've been following my Twitter feed, you probably noticed I was quite curious about the difference between the two and what failures behavioral analysis has. I'm going to attempt to get a hold of someone at BRS Labs, the company on the forefront of behavioral analytics, to discuss this more. We'll also have a commentary on what I perceive to be the most prevalent source of failure in any security program. I conducted a poll on LinkedIn about a month ago regarding this very issue and the responses I got were quite surprising and enlightening in many respects. Finally, I also hope to have an interview with an Executive Protection agent to discuss their journey into the field, the types of projects they've done, and where they see this subsection of our industry going. As an added bonus, I'll be publishing a video on last week's topic on proper ways to search/inspect bags in a security environment. As you can see, I've been a bit busy getting content. It is my goal to move towards more original content. So stay tuned and welcome back to The Security Dialogue.
Saturday, September 17, 2011
The nominee for worst bag check is....
If you're like me, you can't help but to check out the security wherever you go. Perhaps, another person wouldn't have noticed or cared about a recent encounter I had during a visit to an amusement park. I won't name any names but let's just say I was "less-than-impressed" by what I saw as an egregious breach in standard security searching protocol.
While entering the park, every visitor is subjected to a bag search. The searcher in this instance was very consumed by a conversation he was having with another patron. As a matter of fact, he never took his eyes off that patron while he frisked my bag. He placed a small wooden rod commonly used to probe bags for contents behind my bag while he frisked it. In my professional career, I have never seen such a cursory search of a bag.
The bag in question... Notice the large pocket towards the rear...
Here are the problems I noted with the search:
- He never looked at the bag he was searching. Hopefully, had he seen the bag, he would have "clued on" the bag has multiple pockets with a large one in the rear. This particular bag is a Maxpedition Versapack Fatboy. It was designed to carry a small amount of gear during the day and to look as "civilian" as possible. The most important pocket for any searcher of this bag is the rear pocket because it holds an internal holster for a small handgun for concealed carry (I wasn't packing this day). The searcher completely missed this pocket.
- He never looked inside the bag. The major interior pocket has enough room for a digital camera, an iPod, a camcorder, two or three grenades...You get the picture. Had he looked in the bag, he would have noted his stick wouldn't have told him much.
- He was so engrossed in conversation he never noticed any visual cues such as the look on my face when he began frisking my bag. As you can imagine, it was not a happy look. Most professional security searchers will tell you the search and the level of searching you conduct on an individual item often depends on visual cues you get from a subject. Nervous glances, jittery hands, profuse sweating, shifty eye movement, etc. are all what we in law enforcement call a "clue".
- There was a failure to acknowledge me and start a small but necessary conversation. These "conversations" provide a searcher his first clues what your intentions are. This is customary to an entry control situation and you almost expect it whether it be at Customs or with TSA. The gate guard at the ballpark even does it.
I have several issues with this, though. It lulls security and park personnel (management) into believing there is an additional layer of security which in effect never existed because the search isn't geared towards a security threat. It also fails to address the likelihood of an attack on park property and guests. A slightly more thorough search could detect such threats. Finally, cursory searches for contraband only allow your searchers to focus on one thing only - line congestion. What happens if you miss a gun and there is an attack? You gave an impression you had security and yet you failed to detect a gun and admitted the attacker in the park. Two words depict the place you find yourself in: LITIGATION HELL!!!
So what are my recommendations?
- Post the items you consider contraband (please include guns, knives, grenades, etc.) and showcase "found" items in a display case. This puts potentially disruptive guests on notice that you will be looking for those items and escorting them off the park should you find them. There may be some resistance and you may detect your fair share of "bad" stuff so have a local deputy there just in case. This is also a great psychological deterrent.
- Get rid of the probe. You're not finding anything using this method. Just because you jab a rod in my bag once or twice doesn't mean the bag is "good-to-go". Open the bag and see what you're probing.
- Conduct random full searches of bags. This puts the "bad guys" on notice you're taking security seriously. This works great against terrorists as they can never tell if they're going to be the random number. It also allows you to clear up lines and avoids charges of profiling. The military has phenomenal success with this method.
- Address training and quality control AS SOON AS POSSIBLE!!! Training has to be conducted semi-annually on searching techniques and behavioral cues. A great source to reach out to for this is Homeland Security. Often times, they can provide the training without significant costs. Plus, it looks impressive to management and your investors (the real bosses).
Friday, September 9, 2011
Survey says.....
Unfortunately, the Boogey Man still lives under our beds
Sunday, March 15, 2009
Red Alert!! Don't buy Sentex locks!!
Bruce Schneier, much hyped security-guru, writes in his blog to be wary of Sentex locks:
It has a master key:
Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code: ***00000099#*
The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)
Wow! This is why it is extremely important to properly vet ALL security appliances before installation. I used my "Google-fu" on a different device and got this little gem. You should check the vendor's web site to see if they have product manuals online. If they do, guess who also has the manual in their files. You get 1,000 points if you said "The Bad Guys".
Thursday, May 22, 2008
Now, You Know Why I Have Issues With Doctors
The man was stopped because he smelled of alcohol and proceeded to leave once he realized his cover was about to be blown.
The following is a bit disturbing:
Later that day, an employee found the black computer bag the man was seen carrying. The bag was under a car in the parking garage and contained everything the man was seen wearing in the surveillance video, including a badge from Shands-Jacksonville Medical Center with a picture of a young child that was cut out and taped on the badge.
“That in and of itself shows you that this person possibly was up to something but maybe his attempt was foiled,” Jacksonville Sheriff’s Office spokesman Ken Jefferson said.
The last comment by the spokesman was a bit disturbing because usually people don't impersonate professionals like doctors if they're not up to something. So how did he get access? He used the usual items like a medical coat, a badge, a stethoscope and a clipboard. I swear if you need to get into any building in the world all you need is a clipboard and an ID badge.
Saturday, May 10, 2008
DEFCON 15 Presentation on Physical Security
Border Security via RoboCop
They can suppress suspicious elements close to the perimeter, and hold them back until manned security forces arrive, or use various forceful means to eliminate the threat, if applicable.
The M-Guard autonomous vehicle uses the TomCar chassis. The vehicle is equipped with an automated tactical positioning system and can operate autonomously on and off road, at speeds up to 80 km/h. The vehicle can carry a payload of up to 300 kg, including light armor shield to protect vital systems. The USV can carry a wide variety of sensors, including video and thermal cameras, with auto-target acquisition and capture, sensitive microphone, powerful loudspeakers and two way radio.
The vehicle can also be equipped with lethal or less than lethal weapons which can be directed and operated from the Main Control Center (MCC). A fleet of USV sentries is controlled from the MCC, from where they are launched on routine patrols, ambushes or operating in response to events received from an early warning or perimeter defense system.
The MCC is also provided with automatic tactical area definition, by terrain, doctrine and intelligence, which assist in preparation of the operational planning and programming for USVs. Each USV can also be manually controlled by remote control.
Virtual Fence Prototype...going...going..gone
The virtual fence project is an $8 billion Secure Border Initiative, called SBInet, which aims to harden the nation's border by networking traditional barriers, vehicles, sensors and agents.
Although controversial, DHS is still proclaiming this was just a prototype and heralded its assistance in over 3,000 captures.
Sunday, March 16, 2008
Book Review - The Art Of Deception
Well....I finally did it. I finally finished Kevin Mitnick's book, The Art Of Deception. This was perhaps one of the most compelling books I've read in a very long time. It covers ways in which many of our corporations and government agencies are vulnerable. It details what were once thought of as "old-school" techniques in which information thieves gain insight into the very workings of these organizations such as dumpster diving and pretexting.
The book is 352 pages of real-life examples of Mitnick's former operation and those of his former comrades. I particularly liked his ideas about how we can protect from these attacks. Some would think this would be an opportunity for Mitnick to brag and thumb his nose at his former adversary, the US government. But it isn't. It is certainly a guide into some very low-tech means in which these guys operate and exploit.
This book is a must-read for anybody who cares about security. I would suggest this for any reader who wants to protect themselves or their organizations. If you think you're not vulnerable, hire an outside firm to do a penetration test on your people, not your systems, and see where your vulnerabilities are. I can tell you from my experience, the best way to defend yourself is to protect your people. Your systems need people to operate and maintain them. If your folks fail to perform the basic due diligence when dealing with anyone seeking information or access (either physical or virtual) into your organization, then you better get them doing it ASAP. If you're in charge of security for any corporation, I HIGHLY suggest this book.
Thursday, March 13, 2008
Another Incident at Heathrow
SkyNews is reporting a man was arrested after jumping a perimeter fence at Heathrow International Airport shortly after 2pm and was tackled by armed officers on the northern runway. The entire northern runway was shut down while police handled the situation.
Integrating Physical and IT Security
According to their release:
Most respondents indicated increased interaction between their security and IT functions:
* 63 percent said their security and IT organizations “had a formal coordination mechanism”
* 10 percent stated the two functions are run as one entity within their organizations
* 52 percent noted their security functions had a formal working relationship with their audit and compliance functions, while 11 percent said those functions are combined
Why the integration? Some might say the better question is why has it taken so long. Well, it turns out many of the respondents feel a vulnerability in either field could bring about a breach in another. Take a look at this data:
* 91 percent of the responding companies showed an increase in security investment
* 75 percent of which said those investments increased by more than eight percent
* 31 percent suggested a greater than 12 percent rise
“This study reinforces that companies are increasingly concerned with protecting their information assets as well as their physical assets, and they recognize that integrating once-disparate systems can be effective in addressing threats,” said Jim Ebzery, senior vice president of Identity and Security Management at Novell, which recently collaborated with Honeywell to develop a converged physical-IT security system. “How they choose to implement convergence varies on a number of factors including internal roles and overall attitudes about its effectiveness.”
With all this talk of integration, the question which must be asked is "Who's in charge in regard to a coordinated attack on both systems?".
* 34 percent said there isn’t a single internal contact
* 27 percent said the Director of Security is responsible
* 14 percent said a single CSO deals with the threats
* 14 percent said the Crisis Management Group is ultimately responsible
The study’s margin of error is plus/minus 2 percent.
If you're considering this as a career, it behooves you to get "smart" on both sides. What sense does it make to build a multi-tiered surveillance system using network infrastructures if you're not knowledgeable on the risks you face? I would hate to be you if an incident occurs on the IT side and it affects your cameras or alarms. I'm sure your boss is going to ask what measures we had in place and how they were defeated. He/she will be looking at you to communicate with IT to find out.
Tuesday, March 4, 2008
Update on DHS Fencing Project from DHS
The Wall Street Journal Inaccurately Asserts That First 28 Miles of the Virtual Fence Will Be the Last: "But the problems that have plagued the high-tech barrier mean that the fence's first 28 miles will also likely be its last. The Department of Homeland Security now says it doesn't plan to replicate the Boeing Co. initiative anywhere else." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)
But, P28 was a proof of concept and a building block. It was never intended to be replicated across the entire border: “Let me remind everybody, of course, the border is not just a uniform place. It is a very complicated mix of different kinds of environments -- ranging from urban areas, where the distance between the border and a major transportation hub is measured in maybe less than a mile, to very remote and desolate rural areas or wilderness areas, where there's really, frankly, quite a bit more distance to be covered and therefore a lot more flexibility in how and when you interdict those crossing the border. That's why SBI Net, as a critical element, has been designed to be a flexible tool. It is not a cookie cutter approach. What applies in one stretch of the border is not going to be what applies in another stretch. What will be common, however, is that all of the stretches and all of the tools will be integrated and bound together.” (Transcript of Press Briefing by Secretary Chertoff on the Awarding of the SBInet Contract, 9/21/06)
It's an out-of-the box concept: "I would say it is a partial model for the future. I think that it was a concept. We wanted to make sure that, A, there's the basic concept functionality work and, B, the thought was to give the contractor an opportunity to present something that essentially thought out of the box, that wasn't just a follow-on to the traditional way of doing business." (Senate Homeland Security and Governmental Affairs Committee Hearing on the Fiscal 2009 Budget for the Department of Homeland Security, 2/14/08)
And, we'll use more technologies at the border: "…by the end of this calendar year, we will be a 670 miles of barriers. Plus, we will have deployed 40 what we call mobile surveillance systems. That is ground-based radar. We will have our P-28 system, and begin to employ other camera-based and sensor-based systems…we will have substantially put either real or virtual fencing or barriers across the entire border." (Secretary Chertoff at a House Homeland Security Committee hearing on the Fiscal 2009 Budget for the Department of Homeland Security, 2/13/08)
The Wall Street Journal Claims That DHS Will Be Mothballing the Concept Behind the Virtual Fence: "The effective mothballing of the concept is a setback for the government's border-protection efforts, an embarrassment for politicians backing the idea of an electronic fence and a blow to Boeing, the project's designer." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)
But, that's wrong: Technology used for P28 will continue to be deployed along the border. In fact, the FY09 budget requests $775 million for SBI to continue the development and deployment of technology and tactical infrastructure on the border.
The Wall Street Journal Erroneously Reports That DHS Issued Boeing a New Contract to Fix the P28 Common Operating System: "In early December, the government said it was closing in on taking delivery. But that same month, the government gave Boeing another $64 million contract to fix the "common operating picture," which lets agents in vehicles see imagery from the towers' surveillance systems." ("US Curbs Big Plans for Border Tech Fence," The Wall Street Journal, February 23, 2008)
But, this contract was to develop the new Common Operational Picture and to enhance systems capabilities for future deployments as initially planned. ("DHS Moves Forward on Border Fencing and Technology Improvements", December 7, 2007)
All I have to say is, "Wow!" I understand this was supposed to be just a "proof-of-concept" to see if this would work across the board. And I don't think this was supposed to be our only lines of "defense". But I do think DHS has to step-up the deployment a notch. If it's working like Secretary Chertoff says, then let's get this thing rolling.
According to most immigration watchdogs and other concerned parties, every day wasted testing or delaying is another day wasted keeping bad guys out. If I live in a really bad neighborhood and all I have is a big mean guard dog and pistol to protect my home, this may work to some extent. It does not keep intruders from gaining entry in the first place and may not achieve the results I had intended, as well as opening me up to substantial liabilities.
As I welcome the idea of a "virtual fence", I believe we have to have other means to secure our borders. In addition to new technologies, we need new tactics and methodologies when dealing with our current immigration debacle. That's the end of me being political but I hope you get the picture.
Friday, February 29, 2008
And you thought you had fencing issues...
Ladies and gents, it appears the United States' "virtual fence" has run into some snags, according to Security Management. I won't even go into how a CCTV system is only as good as its operators and software/hardware platforms. Nor will I mention the same goes for IDS as well. I won't even go into how with all CCTV and IDS systems your biggest weakness lies in the money you're willing to spend to fix your problem (porous borders). I will, however, talk a bit about the virtual fence and what it means for us as a citizenry and as professionals in this field.
The Washington Post broke the story with its report that despite the Bush Administration's approval of the fence this past Friday, the construction and implementation of the fence will have to be delayed by at least three years.
It appears there were technical problems from a prototype system as well as a test system located along a stretch of the border in Arizona. According to the report, the problems included:
1. According to the Washington Post, "Boeing's use of inappropriate commercial software, designed for use by police dispatchers, to integrate data related to illicit border-crossings. Boeing has already been paid $20.6 million for the pilot project, and in December, the DHS gave the firm another $65 million to replace the software with military-style, battle management software."
2. According to the Washington Post, "Technology originally central to the project, such as mobile radar/sensor towers, has been dropped, the article reports, in favor of "[m]ore traditional ground-based radar and airborne surveillance drones," according to Business Week."
This past Tuesday, Homeland Security Secretary Michael Chertoff asserted in his blog, "I’ve seen this system work with my own eyes, and I’ve talked with the Border Patrol Agents who are using it. They assure me that it adds value. That’s what matters to me, and it’s a fact that cannot be denied."
While the virtual fence is better than what we currently have, I'm having trepidations about a system that has so many setbacks and issues which are core to its very success. For more information click here for the Post's article on the virtual fence or here for the full article from Security Management.
Wednesday, February 27, 2008
A Little Bit About Being Plane Stupid
Sorry, I couldn't resist the title. Earlier, I wrote a bit about the events that took place this week in the UK. Let's look at the group responsible for the Parliament actions - Plane Stupid.
According to The Guardian, "Plane Stupid was created three years ago after a group of anti-Iraq War protesters found common cause in the government's expansionist aviation policy."
The group conducts what are known as "direct action" operations. These require no overhead support and require no upper leadership approval when a target of opportunity has been discovered. Some of their ops have included the storming of the BAA's appearance at the transport select committee last November and chaining themselves to the gates of Farnborough airport – the main UK hub for private jets. 27-year-old Richard George is said to have co-founded the group with 34-year-old Greenpeace employee Graham Thompson in 2005.
The Guardian report also notes the group is made up of five members who are educated, middle class, and young. It operates on anarchist principles and describes itself as a "devolved network of autonomous groups" numbering around 150 dedicated activists. It has no designated leader and reaches all decisions by consensus.
Does this sound familiar? I'm beginning to see a lot of duplication when it comes to cellular structures of nonconformist organizations like this and others. What makes their statements about how they carried out the Westminster op so realistic is their age and education level. They are all very smart and young enough. I bet at one point they even used student IDs to get past security. When protecting government institutions, we must look at all areas of vulnerabilities. This includes but does not exclude students and young people. If you're too lackadaisical and think they're just kids, remember most of the 9/11 hijackers were all in this profile except they weren't white.
Big Ben, Heathrow, and Climate-Change Terrorists
Yesterday, five protesters from a group calling themselves "Plane Stupid" climbed atop the roof of the Houses of Parliament. They displayed two banners reading "No third runway" and "BAA HQ". Okay, I know there's a ton of speculation as to how this could have happened. Well, the police speculate they had an insider who provided them with access and who offered to store the signs. How else could they have gotten past security especially at Parliament? The protesters, of course, claim they brought the signs in past security and merely told the guards they were there to hear a debate on the floor. Either way it goes, somebody is in a lot of you-know-what.
According to SkyNews, Greenpeace protesters gained access to the roof of a Boeing 777 outside of Terminal 1 on Monday. For what? They were protesting Heathrow's planned expansion. For those who have traveled through Heathrow, you might agree climate change aside it could use the expansion. And maybe some maps and arrows that made sense. I digress. To say the least this was a major breach of security for an airport that has repeatedly been targeted by terrorists of all types to include Al-Qaeda and the IRA. Police and security units were able to respond and remove the protesters who posed no significant threat except to Heathrow's PR image. The protesters did carry signs which denounced the change. It should be noted Virgin Airlines flew out of this same airport on the same day flying a bio-diesel jet which is supposed to reduce greenhouse gases from commuter jets.