Archive for the ‘Global Security’ Category

How Geeky Should a CISO Be?

August 26, 2014 2 comments

Michael Daniel, the current White House cybersecurity coordinator, recently admitted to lacking technical know-how; i.e. he can’t code and doesn’t feel the need to learn to do so. Those who have the technical expertise and think it’s important have lit up the Internet with their cries, making it clear that they do not approve.

Does it matter that Michael Daniel can’t code?


Hiking the mountain to security enlightenment (video)

July 21, 2009 3 comments

Freeform ramblings while hiking to the top of Multnomah Falls in Oregon.

Approaches to enterprise information protection changing – as Axelrod, Bayuk, Hunt and others show

March 18, 2009 1 comment

A book I contributed to is available on Amazon. Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.
I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends are changing how security needs to be done.  My chapter was on security as it relates to the Transportation industry.  I took a logical and physical view of the problem.

Now he’s hacked US Passports using a $250 RFID reader!

February 3, 2009 1 comment

Is he evil? Ask some manufacturers and they'll say yes, emphatically. Ask privacy advocates, and they'll praise him for exposing the seeds of Big Brother. Chris Paget didn't stop at cloning your HID prox card while standing next to you in line at the 7-Eleven.* Now he has begun war-driving through San Francisco, gleaning RFID tags from US Passports. This is another assault on the Western Hemisphere Travel Initiative. Read about it here.

White hats like Chris find the holes in our tech infrastructure that the bad guys also find. I'd rather know about it than keep my head in the sand. Besides, these problems are usually fixable, so let's fix the problems and not ignore them.

*not sure if he ever did that, but the cloning device he showed me sure could have been used that way.

Steelbox and Netversant go under

November 22, 2008 3 comments

Steelbox was foreclosed on by its bank, and Netversant sought Chapter 11 protection.  Netversant's demise must have been due to poor management decisions, because the concept was timely.  Steelbox's main problem was that the product was too damn good.  Customers who bought one or two would never need another box.

Anybody want to pitch in to help me buy the assets?  Could be fun. 

New York Department of Transportation clears the way for better collaboration between government and motorists

November 14, 2008 2 comments

Commissioners from both the New York State and New York City Departments of Transportation were on hand to bring the Joint Traffic Management Center (JTMC) online today.  New York City DOT Commissioner Janette Sadik-Khan was eloquent in her vision of technology.  She believes that aggregating and analyzing data from the 590 state and city cameras deployed around the city, road sensors, traffic signaling systems, and intelligence from the TransCom transportation communications infrastructure can lead to faster, safer transit through the city and better commuting decisions by New York City residents and visitors.  Hear what she had to say in this video.

James Chung, founder and CTO of VidSys, was the architect of many of the systems in the center and was publicly recognized along with VidSys CEO Chuck Teubner at the power-up ceremony. It was obvious that the Commissioners and the NYPD Chief of Transportation, Michael Scagnelli, saw the value of the data integration the VidSys system provided. Inspector Patrick McCarthy of the NYPD put it succinctly when he said that the integrated information management in the new center allowed a higher level of collaboration between NYPD, the State DOT, the City DOT and the Federal Highway Administration. “We are all here, under one roof.”

The JTMC is an example of the best principles of PSIM, physical security information management, creating real value for people, businesses and governments in New York City.

Images from traffic cameras and data from road and signaling sensors appear on monitors around the JTMC. The monitoring personnel can spot incidents or verify incidents that have been called in by the public. From there the operators forward real-time information to the media and relevant agencies electronically. Operators can also change messages on the 100 variable message signs along roads around the city to warn travelers of the conditions ahead. Click here to see real-time traffic coming off the Queensboro Bridge at 2nd Ave.

Sensors along the roadway also produce a graphical display of problem areas around the city. This color-coded map and many views from DOT cameras are available for public viewing on the DOT website.

Today, about 75 cameras are feeding video to the JTMC, but over the coming year, all of the 218 City DOT cameras along bridges, local streets and FDR Drive as well as the 278 State DOT cameras along highways around the city will be connected to the center.

In addition to DOT cameras, the JTMC integrates:

  • the graphical sensor maps mentioned above
  • data and video from NYPD squad cars
  • traffic detectors located every half mile on the highways indicating speed and flow
  • E-ZPass transponder data indicating traffic density and vehicle classification
  • traffic signal sensors in the streets near intersections
  • and TransCom data about tunnel and bridge status and other intelligence shared by State and City agencies

Not all that comes from China will be Gold!

Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP.  His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh

What happens in Vegas stays in Vegas right?

What happens in China won’t necessarily stay in China.

What do I mean by that? In the Navy there was a sea story. It went something like this…

We pulled into <name your favorite port>.  When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women- always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up.  The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.

So here’s the deal….

Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’ –send your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web.  You will be infected. Be ready for it.

The problem? Antivirus vendors don’t have the syringes to fix you.  It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats –those that infect everybody. When a specific group of users are targeted –Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries, the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle –the BIG piece of information.

You should expect this. It shouldn’t come as a surprise.

A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.

Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games.  Don’t be a victim. Don’t allow your home/work networks to be victimized.

Here’s what you can do:

Think like a spy…

  • Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
  • Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill, or abandon those accounts after you return.
  • Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
  • Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email –those pieces of software that will later be used to send data back to China once you return home.
  • Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
  • When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.
  • Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
  • When you return home, do not, under any circumstances, plug these computers into ANY network without first having it professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.

Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!