Showing posts with label interesting.

6.22.2010

Looking for Vulnerabilities in All the Right Places? Experts Think you Might be Missing a Few...

Source: DarkReading. By Keith Ferrell, Contributing Writer.
The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren't computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.

"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."

Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker, Brown observes. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits.

"An automated vulnerability scan may not reveal which printers and other hard copy devices have hard drives," Brown observes. "As a result, the business isn't aware that digital copies of sensitive information may remain in the printer."

A thorough vulnerability assessment should include examining all hard copy devices for internal storage capability -- this could require contacting the manufacturer or even opening the machine, Brown says.

Enterprises also should take steps to ensure that digital files are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer.

Other network-attached devices could also be vulnerable, Brown observes. "Any device connected to the network needs to have its security validated," he says.

He offers security cameras as an example. "For cost-saving and other reasons, companies have shifted security cameras from dedicated coaxial cable connections to TCP/IP connections, which run the risk of being vulnerable to cross-site scripting attacks and remote control takeover."

Even backup power devices might be at risk, Brown warns. "UPS devices connected to the network could enable an attacker to take control," he says.

Brown offers three bits of advice for all network-attached devices. "The biggest risk is leaving the default password in place," he says. No matter the device and its purpose, he advises, users should change its password before connecting it to the network.

"Second," Brown continues, "review all of the features that the device offers. Web printing capability may not be useful as a business function at your company, but it could be very useful to an attacker."

Finally, he points out that maintaining security readiness on peripheral devices is an ongoing process.

"Incorporate all devices into your patch cycle," he says. "We're all familiar with Microsoft and Cisco patches -- but when was the last time you upgraded the firmware on your printer? Seek out patch information on every device connected to your network, and incorporate them into your patching cycle."

Many of these office devices produce a lot of paper -- paper which, as security consultant Steve Stasiukonis of Secure Network Technologies points out, can be a vulnerability itself.

"Take a look at your copier station," Stasiukonis says, noting that many companies overlook sensitive material that might be found in unsecured places. Recycling bins or preshredder collection stations holding unshredded materials can be rich sites for information-miners, he notes.

Documents that aren't shredded could be the cause of a data breach, as a recent New Jersey incident revealed when papers containing Social Security numbers and other personal information were found in a public dumpster.

"And don't forget the amount of paper and other sensitive information on employees' desks," Stasiukonis advises.

A workplace walk-through -- even in a "clean desk" environment -- can often reveal security badges and swipe-cards lying in plain sight, ripe for the taking, Stasiukonis explains. In his physical penetration tests, Stasiukonis frequently also finds passwords and log-ins on sticky notes and keyrings hanging from thumbtacks in cubicles.

Even if you don't see anything at first glance, Stasiukonis suggests, look a little closer. "Have your employees turn over their keyboards for inspection," he suggests, noting that many users stick their passwords there for easy recall.

Stasiukonis also recommends checking devices, such as copiers, for default service tech passwords, which might remain in place even if the business has changed its own access and log-in codes.

"Check to be sure that security cameras haven't been repositioned," he adds. "Scan for infrared devices. Examine the security not only of IT administration notebooks, but also physical plant management and control notebooks. Beyond that, an examination of the contents of employees' desks can reveal treasure chests of vulnerabilities.

"But," he cautions, "before going into employees' desks, you should review your plans with your human resources department." Whatever your company's legal rights, many employees resent having their desks checked, so be sure to educate them before conducting a search, he explains.

Another vulnerability vector -- and in many ways the most common one -- is human nature.

Security professional Scott Wright's Honey Stick Project put human nature to the test by leaving specially prepared USB drives in plain sight. When one of the drives was inserted in a business device, the information was logged, revealing what the user had done.

Such behavior is typical, according to Wright. As he notes on his Streetwise Security Zone site: "Out of 54 devices dropped with specially configured -- but safe -- files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened."

Vulnerability-scanning tools are a good place to start, but they can't see the whole enterprise, the experts warn. To find all of your vulnerabilities, you'll need to look at the things your users see every day -- in a new way.

6.09.2010

Piezoelectricity and You.

Sustainability got sexier last week at the opening of Surya in London. The Club4Climate project is London’s first taste of eco-friendly clubbing, making clubbers happy in the knowledge that their organic beverage-induced booty shaking can generate 60% of the energy needed to run the club. The venue’s most exciting innovation is the piezoelectric dancefloor, which uses quartz crystals and ceramics to turn clubbers’ movement into electricity!

Previously seen in the Sustainable Dance Club in Rotterdam, this is Britain’s first exposure to such technology. The rest of the power needed will come from a wind turbine and solar energy system, with any surplus used to power private homes in the area. The club will also be installing the latest air flush, waterless urinals, low flush toilets and automatic taps to ensure maximum water saving plus less greedy air conditioning units.

The project is clearly trying to affect behavior on a much wider scale, too, requiring patrons to sign a 10-point manifesto on entry, giving free entry to anyone who can prove that they walked or cycled to the venue, and encouraging as many other clubs as possible to adopt the same philosophy.

Property developer Andrew Charalambous is behind Club4Climate, appearing in character as ‘Dr Earth’ to be more down with the kids. He says the club aims to ‘stop preaching to people and use an inclusive philosophy to create the revolution [needed] to combat climate change.’ A Club4Climate island is also planned for 2010, although how clubbers will transport themselves to the island hasn’t been mentioned.

In another shining example of using what you have for power generation, a Netherlands train station is using a revolving door to produce electricity. The Natuurcafe La Port in the train station expects the coming and going of patrons to provide 4,600 kWh a year. So, while the coffee powers the customers, the customers are powering the coffee shop.

The door uses a generator that harvests the kinetic energy produced when the door spins and a supercapacitor to store the energy. The energy is used to power the cafe's LED lights. When the lights use up the stored energy from the door, the station's main energy supply takes over. For the curious, the station has a display that shows the amount of energy generated as customers walk in and out.

While 4,600 kWh is a small amount compared to a train station's total energy needs, it's great to see a large building harvesting renewable energy from as many sources as possible. These types of kinetic energy generators could go a long way if they're consistently implemented in both new buildings and renovation projects.

Piezoelectricity is the ability of some materials (notably crystals, certain ceramics, and biological matter such as bone, DNA and various proteins) to generate an electric field or electric potential in response to applied mechanical strain. The effect is closely related to a change of polarization density within the material's volume. If the material is not short-circuited, the applied stress/strain induces a voltage across the material. However, if the circuit is closed the energy will be quickly released. So in order to run an electric load (such as a light bulb) on a piezoelectric device, the applied mechanical stress must oscillate back and forth. For example, if you had such a device in your shoes you could charge your cell phone while walking but not while standing. The word is derived from the Greek piezo or piezein (πιέζειν), which means to squeeze or press.

The piezoelectric effect is reversible in that materials exhibiting the direct piezoelectric effect (the production of an electric potential when stress is applied) also exhibit the reverse piezoelectric effect (the production of stress and/or strain when an electric field is applied). For example, lead zirconate titanate crystals will exhibit a maximum shape change of about 0.1% of the original dimension.

The effect finds useful applications such as the production and detection of sound, generation of high voltages, electronic frequency generation, microbalances, and ultra fine focusing of optical assemblies. It is also the basis of a number of scientific instrumental techniques with atomic resolution, the scanning probe microscopies such as STM, AFM, MTA, SNOM, etc., and everyday uses such as acting as the ignition source for cigarette lighters and push-start propane barbecues.

5.03.2010

No, DNSSEC Upgrades Won't Break the Internet Next Week


"Internet users face the risk of losing their internet connections on May 5th when the domain name system switches over to a new, more secure protocol," proclaims the Register, which informs its readers that DNSSEC upgrades could "kill your internet." The article goes on to insist that "from May 5th all the DNS root servers will only respond with signed DNSSEC answers," then goes on to infer this could terminate connectivity for users completely. That certainly sounds scary. Would it make you feel any better to learn that most of that isn't true?

DNSSEC stands for Domain Name System Security Extensions, and it's the new flavor of security that allows both sites and providers to validate domain names to make sure they're correct and not tampered with, and is supposed to help combat things like DNS cache "poisoning" and phishing scams. As we mentioned recently, Comcast hopes to have the upgrade installed by the end of 2011 ("if not sooner"), while OpenDNS has stated they'll be using an alternative to DNSSEC dubbed DNSCurve, which they claim is simpler and easier to deploy.

Upgrading to DNSSEC is a slow and measured affair that's only just really getting off the ground, and despite The Register's claims that the Internet may grind to a halt next Wednesday -- all 13 root servers upgraded with DNSSEC next week will behave normally to end users whether your ISP is fully prepared or not (and most certainly aren't). However, there is a small problem that could slow the Internet down slightly for a very small portion of users, as "El Reg" explores:

Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes. Because of this, some pieces of network gear are configured out of the box to reject any UDP packet of 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from May 5th all the DNS root servers will respond with signed DNSSEC answers.

Kind of -- except for the fact that, as we understand it, root servers will only return signed DNSSEC answers to queries that have explicitly asked for them. In other words? The vast majority of Internet users won't notice a damned thing next week.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, takes issue with the very Register article he's quoted in. "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that," he says. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names,"  says Mitchell of the May 5th upgrade.
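The mechanics behind the two points above (a classic query fits in a 512-byte UDP packet, a resolver only receives signed answers when its query carries an EDNS0 OPT record with the DO bit set, and a client whose reply is truncated has to retry over TCP, which is the "alternative path" Mitchell refers to) in an added example that is not part of the original post. The packet builder, the OPT parser and the two sample replies below are constructed for illustration; the 4096-byte advertised UDP payload size is an assumed value, not something the article states.

```python
import struct

TYPE_NS = 2
TYPE_OPT = 41          # EDNS0 pseudo-record type (RFC 6891)
FLAG_QR = 0x8000       # header flags: response
FLAG_TC = 0x0200       # header flags: truncated, client should retry over TCP
EDNS_DO = 0x8000       # "DNSSEC OK" bit in the low half of the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name as wire-format labels; the root '.' is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns=False, dnssec_ok=False, udp_size=4096):
    """Build a DNS query packet.

    Without EDNS0 this is the classic small form (a root NS query is 17 bytes).
    With EDNS0 an OPT record in the additional section announces the UDP payload
    size the client can accept and, when dnssec_ok is set, asks for signed answers.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    packet = header + question
    if edns:
        ttl = EDNS_DO if dnssec_ok else 0
        # OPT: root name, type 41, class = UDP payload size, TTL = ext-RCODE/version/DO/Z, empty RDATA
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return packet


def skip_name(packet, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def edns_info(packet):
    """Find the OPT record; return (advertised UDP size, DO bit set) or None when absent."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO)
        offset += 10 + rdlen
    return None


def fits_classic_udp(packet):
    """True when the packet stays within the pre-EDNS 512-byte UDP limit."""
    return len(packet) <= 512


def needs_tcp_retry(response):
    """A resolver retries over TCP when the server answers with TC set, i.e. the
    (signed) answer did not fit in the UDP size the client was allowed to use."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


# Constructed sample replies (not real root-server output): one truncated, one normal.
_question = encode_name(".") + struct.pack("!HH", TYPE_NS, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | 0x0100, 1, 0, 0, 0) + _question
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | 0x0100, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    plain = build_query(".", TYPE_NS)
    signed = build_query(".", TYPE_NS, edns=True, dnssec_ok=True)
    print(len(plain), edns_info(plain))      # 17 None
    print(len(signed), edns_info(signed))    # 28 (4096, True)
    print(needs_tcp_retry(TRUNCATED_REPLY), needs_tcp_retry(NORMAL_REPLY))  # True False
```

The point for an operator is visible in the two query forms: the OPT record is the only thing that turns a 17-byte root query into a request for signed data, so a stub resolver that never sends it never receives the large answers the article worries about; when a middlebox does drop the larger UDP reply, the truncated-reply path above is the slower TCP fallback, not a loss of service.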

Apparently, "Highly Technical Upgrade May Cause Very Small Problem" wasn't as hit-generating as claiming the world might end. Users interested in learning more about DNSSEC can head to our security forum where users are discussing the upgrade and how to test your ISP for DNSSEC preparedness and possible problems next week.

Internet users are not without choice, however, as OpenDNS provides a free service to anyone looking for alternatives.

4.05.2010

Introducing Plexidor Electronic Access Control for your Dog!

Access control is evolving all the time, and the situations it can be applied to are limited only by one's imagination. That said, did you know that there’s an access control option for your pets?

Yes, gone are the days where one worries about the unwanted entry of stray dogs, neighborhood cats, raccoons, or any such pesky varmint. Pet owners can find relief knowing that RFID tags are available for pet collars giving access to enter or exit the house when the pet door is equipped with electronic access control. You are able to control which pet(s) can go outside and which cannot.

Love your pet? Can you hold it for 9 hours? The next time you have to “go” in the middle of the night, think about your pet – and the Plexidor® Performance Pet Doors. Sure, pets are different from people. People have flush toilets, pets don’t. Pets just have to wait until morning.

But if you forget, or make your pet wait too long, you know what comes next: Yup, the clean-up.

So, for the last 22 years, Plexidor® has been crusading for pets’ rights to come and go as they please. It’s actually a 2-in-1 crusade because pet owners have rights too…such as the right NOT to be a 24-hour-a-day doorman, the right NOT to live with spotted carpeting, and the right NOT to have to refinish scratched doors, to name just a few.

Because of this crusade Plexidor® has been designing and manufacturing the Performance Pet Door line. The Plexidors® come in sizes ranging from cat to great dane. They work in any kind of door or wall. All Plexidors® have heavy durable aluminum frames that can be secured and locked. White and bronze frames are baked on for strength and durability. And the door panels are made of insulated high impact acrylic to help keep your home warm in the winter and cool in the summer.

Call us or visit our website and join the crusade. Order a Plexidor® pet door today. You and your pet will be happier.

  • High impact acrylic panels, also used in small aircraft windshields.
  • These colors do not run. Plexidor® pet doors are not painted, they use a baked on finish.
  • Dogs chew through plastic and bend thin aluminum frames. These are thick, heavy aluminum.
  • Magnets are not effective “keys” and are not used with Plexidor® pet doors.
  • The electronic door has 1000s of key codes.

Plexidor® Electronic Doors

Secure – Interior stainless steel locking bar, thousands of key codes. Opens only for your pets. Tough shatter resistant panel. Heavy, thick aluminum frames that won’t bend. Won’t interfere with home security system.

Energy Efficient – No gaps for air filtration, saves you money.

Pet/Child Safe – Panel won’t close when obstructed. Total control up and down. No pinched tails. No pinched fingers.

Dependable – Runs on household current. Collar key is waterproof and does not need batteries. Key fastens securely to collar and won’t fall off. Interior mounted motor won’t freeze up in cold.

Durable – Steel and hardened aluminum frame with thick acrylic closing panel. Wall units include aluminum tunnel pieces and stainless steel mounting hardware for years of service. No unsightly rust streaks on your home.

Easy to Use – One button programming to add or change collar codes quickly and simply. Collar key snaps on easily and stays on. Comes complete with pet door, exterior trim, stainless steel hardware, 2 collar keys, power supply and 15ft cord.


The key is a micro RFID chip weighing only 0.4 oz.

Plexidor® collar keys are:
  • Waterproof
  • Rugged
  • Battery free
  • Shock proof
  • Won’t fall off
  • Works with underground fencing
  • Have 1000s of key codes

How it works: Plexidor® Electronic “reads” the key code and opens only for your pet. Panel unlocks and slides up like a mini garage door. The main frame has a low profile of just 1 5/8” in thickness. Door plugs into household outlet or can be hardwired.

Order a Plexidor® today and say goodbye to…
  • Messy litter trays
  • Scratched doors
  • Wasted energy
  • Awkward, noisy, chewed flaps
  • Ruined carpets and drapes

Plexidor® Pet Doors Provide
  • Peace and quiet
  • Undisturbed sleep & TV
  • Freedom from worry about letting your pet out

Plexidors® are
  • A carpet saver
  • A money saver
  • An energy saver

2.11.2010

ISONAS' Crystal Matrix at a glance.

Easily Support Seasonal Schedules with ISONAS Access Control System
source: ISONAS

Are some of your clients affected by seasonal changes to their facility's schedules?

Seasonal variations are common for organizations such as:

  • Schools and Libraries
  • Park Districts
  • Amusement Parks
  • Sports Facilities
  • Churches
  • Recreation or Tourism Business

Many of these organizations will want to pre-plan and pre-program the upcoming schedules into their access control system, so that the schedule's transition times are seamless and worry-free. The Crystal Matrix application supports these types of requirements with the Permission Groups feature.

Crystal Matrix Permission Groups for Schools

A high school might use the Permission Groups feature of Crystal Matrix to schedule the full summer activity sessions before the end of the school year. Prepare the system for band camp, 2-a-days football practice, teacher development workshops, and adult education seminars. All pre-planned and pre-programmed before the school's staff begins its summer break. As the summer calendar progresses, the access control system automatically adjusts the system's business rules to allow the proper people into the school, at the proper times.


Understanding how to use Crystal Matrix Permissions

To effectively use the Crystal Matrix Permission Groups feature, you should have a solid understanding of how Permissions are defined within the system. Below are links to short training videos that explain the process of setting up Permissions within the ISONAS system.


There's a "People Element" to security we seem to be forgetting...

Social Engineering, the USB Way 

Those thumb drives can turn external threats into internal ones.

The folks at DarkReading recently got hired by a credit union to assess the security of its network. The client asked that they really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging their effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue drive plugging into their network. So the DarkReading guys wanted to see if they could tempt someone into plugging one into their employer's network.

In the past they had used a variety of social engineering tactics to compromise a network. Typically they would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time, they knew they'd have to do something different. Employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

So DarkReading tried something different by baiting the same employees that were on high alert. They gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with their own special piece of software. One of their guys wrote a Trojan that, when run, would collect passwords, log-ins and machine-specific information from the user's computer, and then email the findings back.

The next hurdle was getting the USB drives in the hands of the credit union's internal users. Simply enough, they made their way to the credit union at about 6am to make sure no employees saw them. They then proceeded to scatter the drives in the parking lot, smoking areas and other areas employees frequented.

Once the drives were seeded, it was time to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desk.

Upon calling the guy who wrote the Trojan and asking if anything was received at his end, it was revealed that slowly but surely info was being mailed back to him. It would have been lovely to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running the piece of software cleverly hidden away by DarkReading.

After about three days, they figured they'd collected enough data. Upon review of their findings, they were amazed at the results. Of the 20 USB drives planted, 15 were found by employees and all had been plugged into company computers. The data obtained helped to compromise additional systems, and the best part of the whole scheme was the convenience. Everything that needed to happen did, and in a way it was completely transparent to the users, the network and credit union management.

This little "giveaway" takes security loopholes a step further, working off humans' innate curiosity. Email virus writers exploit this same vulnerability, as do phishers and their clever faux websites. The credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

1.19.2010

Tough Snail Shell Could Inspire Better Body Armor

source: LiveScience

By Rachael Rettner, LiveScience Staff Writer

A snail's shell that protects it from attacks underwater could provide clues for designing improved body armor to guard human soldiers, a new study suggests.

The research involved an unusual sea snail, the so-called "scaly-foot" snail, which was first reported in 2003 and makes its home in the harsh environment of a deep-sea hydrothermal vent in the Indian Ocean. Past studies of the snail, a type of sea mollusk, revealed its foot was covered in plates of iron-sulfide minerals, and it is the only animal known today to employ iron sulfides as a structural material.
  
Like other snails, this one also sports a shell covering its body. Although hard, a typical snail's shell will fracture if persistently squeezed by a predatory crab. Hoping to learn exactly how the scaly-foot snail's shell is designed to resist such crushing, the authors took a close look at the shell's structure, examining it on the nanoscale.
 
They saw that the shell is composed of three layers: a hard outer layer that contains iron sulfides, similar to the ones identified in its foot scales; a more supple middle layer made of organic material; and a stiff inner layer with a large amount of calcium minerals. This arrangement of "rigid-compliant-rigid" layers creates a trilayer, sandwich structure unique to this snail, the researchers say.


Snail protection
After figuring out the shell's structure, the team used a computer model to simulate how the shell fared when subjected to a penetrating force, similar in strength to the pinching of a crab's claws.

"Each layer does something differently," said lead researcher Christine Ortiz, a materials science and engineering professor at MIT.

The hard outer layer contains small, grain-like particles. When under attack, these granules help to dispel the energy of the blow, spreading it out across the outer region. Any fractures that occur will disperse along jagged lines guided by the granules, forming fissures in the top layer.

"Cracks that form travel extensively throughout the outer layers, thereby protecting the inner layers and mitigating catastrophic fracture," Ortiz said.

The softer middle layer helps protect the brittle inner layer from cracking, Ortiz explained. And the inner layer itself protects the snail's body from injury. Since this inner layer is rigid, it doesn't displace into the animal's body during an assault, which could cause blunt trauma, Ortiz said.

Put together, the three layers work to help prevent penetration of the shell and also withstand bending.

The outer and middle layers also help the snail to survive in the extreme environment characteristic of hydrothermal vents, since these layers are resistant to dissolving in the highly acidic waters. And the middle layer protects the snail from temperature changes at the vents.

Snail-like armor and sporting gear
The shell's structure may one day inspire new and better designs for human protective equipment, from body armor to sporting gear. The three-layer arrangement and curved surface give the shell stability and penetration resistance, highly valued characteristics of materials used for armor, Ortiz said.

Automobiles painted with an iron-based, granular coating similar to the one found in the shell's outer layer could dissipate energy in the same way the shell does when undergoing a predator attack.

However, any bio-inspired design would likely not use the exact same materials found in the snail's shell, which has flaws of its own. Scientists would simply use it as a guide, and improve upon the shell's shortcomings.

"Nature only uses what's available to it," said Ortiz. Engineers might use a similar design, but replace some of the components with high performance structural, or ballistic materials, she said.

The results were published online Jan. 18 in the journal Proceedings of the National Academy of Sciences.

1.18.2010

7 Famous Security Breaches

source: NJ.com


When Rutgers doctoral student Haisong Jiang slipped under a security rope to give his girlfriend a kiss before she left on a flight out of Newark Liberty airport Jan. 3, the resulting security breach threw the airport into a lockdown, and inspired everyone from politicians to ordinary business travelers to talk about airport security. While this incident grabbed headlines worldwide, it's only the latest in a long line of high-profile breaches to hit airports, computer networks and even the White House. Take a look at our list of seven famous breaches.


7. Presidential Dinner Crashers: Washington D.C., November 24, 2009
Tareq and Michaela Salahi, a Virginia couple, slipped past security and were uninvited guests at a White House state dinner. The event was to honor Indian Prime Minister Manmohan Singh, but the well-dressed Salahis got all the headlines, mingling with guests and even getting a photograph with President Barack Obama.


Result: White House security systems are under review, two wannabes got 15 minutes of fame and may face criminal charges.


6. Man of Many Talents: Worldwide, Arrested, 1969
New York native Frank Abagnale was at different times an airline pilot, an attorney, a doctor. Actually, he was fooling security officials at airports, hospitals and other institutions. Abagnale was also famous for forging millions of dollars in checks and playing havoc with security systems long before computers.

Result:
Abagnale was arrested in 1969 in France, served jail time and later became a security expert. His life story became the inspiration for "Catch Me if You Can," a movie starring Leonardo DiCaprio and Tom Hanks.



5. Grammy Gatecrasher: New York, Feb. 25, 1998
Picture it: Rock and roll legend Bob Dylan is jamming on stage during the Grammy Awards. Suddenly, a pasty man with no shirt is on stage next to Dylan. How did this guy get past show security? How come he's got SOY BOMB written on his chest? The man gyrates for about a minute on TV before being escorted off by security. The best part? Dylan never missed a beat.

Result:
Artist Michael "Soy Bomb" Portnoy had been hired as one of dozens of show extras to dance in the background as Dylan performed, but he clearly went over the line. He never faced charges, but never got paid for his appearance.


4. This is Only a Drill: Slovakia, Jan. 2, 2010
Airport security workers in Bratislava, Slovakia put a bomb in an unsuspecting passenger's luggage as part of a drill. Problem was, none of the airport staff being drilled removed the explosive and it was loaded onto a plane bound for Dublin. Fortunately, the bomb didn't explode, no one was hurt and the plane landed without incident. The bomb was recovered after the plane landed, when the passenger was arrested for carrying a bomb aboard a plane.


Result: The passenger was released, but European Union officials are demanding changes in Slovakia's airport security procedures.


3. Security breach in the CIA: Arlington, Va., arrests made Feb. 24, 1994
Some spies spill secrets for ideological reasons. Central Intelligence Agency USSR expert Aldrich Ames was in it for the money. Beginning in 1985, the FBI says Ames shuttled the Soviets classified documents and was paid nearly $2 million over several years. Because he was schooled by the CIA, Ames was able to cloak his misdeeds for years.


Result: Ames and his wife Rosario were arrested, pleaded guilty and were sentenced to jail.


2. Retail Hacker: Miami, Arrested August 17, 2009
If you shopped at T.J. Maxx, ate at Dave & Buster's or bought books at Barnes & Noble, computer hacker Albert Gonzalez may have had access to your credit card number. The feds say Gonzalez led a group of hackers who breached computer security systems and stole 170 million payment card numbers from ordinary people just like you. Gonzalez may have been emboldened by his experiences as a one-time government informant.


Result: Gonzalez's sentencing has been delayed. He's lobbying for a lenient sentence because he has Asperger syndrome.


1. Deadly Painkillers: Chicago, 1982
A string of deaths in and around Chicago in 1982 were blamed on Extra-Strength Tylenol spiked with cyanide. At first it was feared the poison had been introduced during the production of the painkillers, but authorities later said the pills were most likely tainted after they were stocked on supermarket shelves.


Result: The incident led to changes in the way medications are packaged, but the killer or killers remain at large.


© 2010 NJ.com. All rights reserved.


1.12.2010

Mind-reading systems could change air security

source: msnbc

Technological developments can blur the line between security and civil liberties.

A would-be terrorist tries to board a plane, bent on mass murder. As he walks through a security checkpoint, fidgeting and glancing around, a network of high-tech machines analyzes his body  language and reads his mind.

Screeners pull him aside.

Tragedy is averted.

As far-fetched as that sounds, systems that aim to get inside an evildoer's head are among the proposals floated by security experts thinking beyond the X-ray machines and metal detectors used on millions of passengers and bags each year.

On Thursday, in the wake of the Christmas Day bombing attempt over Detroit, President Barack Obama called on Homeland Security and the Energy Department to develop better screening technology, warning: "In the never-ending race to protect our country, we have to stay one step ahead of a nimble adversary."

The ideas that have been offered by security experts for staying one step ahead include highly sophisticated sensors, more intensive interrogations of travelers by screeners trained in human behavior, and a lifting of the U.S. prohibitions against profiling.

Some of the more unusual ideas are already being tested. Some aren't being given any serious consideration. Many raise troubling questions about civil liberties. All are costly.

"Regulators need to accept that the current approach is outdated," said Philip Baum, editor of the London-based magazine Aviation Security International. "It may have responded to the threats of the 1960s, but it doesn't respond to the threats of the 21st century."

Here's a look at some of the ideas that could shape the future of airline security:

Mind readers
The aim of one company that blends high technology and behavioral psychology is hinted at in its name, WeCU, as in "We see you."

The system that Israel-based WeCU Technologies has devised and is testing in Israel projects images onto airport screens, such as symbols associated with a certain terrorist group or some other image only a would-be terrorist would recognize, said company CEO Ehud Givon.

The logic is that people can't help reacting, even if only subtly, to familiar images that suddenly appear in unfamiliar places. If you strolled through an airport and saw a picture of your mother, Givon explained, you couldn't help but respond.

The reaction could be a darting of the eyes, an increased heartbeat, a nervous twitch or faster breathing, he said.

The WeCU system would use humans to do some of the observing but would rely mostly on hidden cameras or sensors that can detect a slight rise in body temperature and heart rate. Far more sensitive devices under development that can take such measurements from a distance would be incorporated later.

If the sensors picked up a suspicious reaction, the traveler could be pulled out of line for further screening.

"One by one, you can screen out from the flow of people those with specific malicious intent," Givon said.

Some critics have expressed horror at the approach, calling it Orwellian and akin to "brain fingerprinting."

For civil libertarians, attempting to read a person's thoughts comes uncomfortably close to the future world depicted in the movie "Minority Report," where a policeman played by Tom Cruise targets people for "pre-crimes," or merely thinking about breaking the law.

Lie Detectors
One system being studied by Homeland Security is called the Future Attribute Screening Technology, or FAST, and works like a souped-up polygraph.

It would subject people pulled aside for additional screening to a battery of tests, including scans of facial movements and pupil dilation, for signs of deception. Small platforms similar to the balancing boards used with the Nintendo Wii would help detect fidgeting.

At a public demonstration of the system in Boston last year, project manager Robert Burns explained that people who harbor ill will display involuntary physiological reactions that others - such as those who are stressed out for ordinary reasons, such as being late for a plane - don't.

The system could be made to work passively, scanning people as they walk through a security line, according to Burns.

Field testing of the system, which will cost around $20 million to develop, could begin in 2011, The Boston Globe said in a story about the demonstration. Addressing one concern of civil libertarians, Burns said the technology would delete data after each screening.

The Israeli Model
Some say the U.S. should take a page from Israel's book on security.

At Israeli airports, widely considered the most secure in the world, travelers are subjected to probing personal questions as screeners look them straight in the eye for signs of deception. Searches are meticulous, with screeners often scrutinizing every item in a bag, unfolding socks, squeezing toothpaste and flipping through books.

"All must look to Israel and learn from them. This is not a post-9/11 thing for them. They've been doing this since 1956," said Michael Goldberg, president of New York-based IDO Security Inc., which developed a device that can scan shoes while they are still on people's feet.

Israel also employs profiling: At Ben-Gurion Airport, Jewish Israelis typically pass through smoothly, while others may be taken aside for closer interrogation or even strip searches. Another distinguishing feature of Israeli airports is that they rely on concentric security rings that start miles from terminal buildings.

Rafi Ron, the former security director at Israel's famously tight Ben-Gurion International Airport who now is a consultant for Boston's Logan International Airport, says U.S. airports also need to be careful not to overcommit to securing passenger entry points while forgetting about the rest of the field.

"Don't invest all your efforts on the front door and leave the back door open," said Ron.

While many experts agree the United States could adopt some Israeli methods, few believe the overall model would work here, in part because of the sheer number of U.S. airports - more than 400, versus half a dozen in Israel.

Also, the painstaking searches and interrogations would create delays that could bring U.S. air traffic to a standstill. And many Americans would find the often intrusive and intimidating Israeli approach repugnant.

Profiling
Some argue that policies against profiling undermine security.

Baum, who is also managing director of Green Light Limited, a London-based aviation security company, agrees profiling based on race and religion is counterproductive and should be avoided. But he argues that a reluctance to distinguish travelers on other grounds - such as their general appearance or their mannerisms - is not only foolhardy but dangerous.

"When you see a typical family - dressed like a family, acts like a family, interacts with each other like a family ... when their passport details match - then let's get them through," he said. "Stop wasting time that would be much better spent screening the people that we've got more concerns about."

U.S. authorities prohibit profiling of passengers based on ethnicity, religion or national origin. Current procedures call for travelers to be randomly pulled out of line for further screening.

Scrutinizing 80-year-old grandmothers or students because they might be carrying school scissors can defy common sense, Baum said.

"We need to use the human brain - which is the best technology of them all," he said.

But any move to relax prohibitions against profiling in the U.S. would surely trigger fierce resistance including legal challenges by privacy advocates.

Privatization
What if security were left to somebody other than the federal government?

Jim Harper, director of information policy studies at the Washington-based Cato Institute, a free-market-oriented think tank, says airlines should be allowed to take charge of security at airports.

Especially since 9/11, the trend has been toward standardizing security procedures to ensure all airports follow the best practices. But Harper argues that decentralizing the responsibility would result in a mix of approaches - thereby making it harder for terrorists to use a single template in planning attacks.

"Passengers, too, prefer a uniform experience," he said. "But that's not necessarily the best security. It's better if sometimes we take your laptop out, sometimes we'll pat you down. Those are things that will really drive a terrorist batty - as if they're not batty already."

Harper concedes that privatizing airport security is probably wishful thinking, and the idea has not gotten any traction. He acknowledges it would be difficult to allay fears of gaping security holes if it were left to each airline or airport owner to decide its own approach.

12.03.2009

Access Control - Then and Now


Access control systems have changed and grown exponentially since they were first introduced. In 2009, amazingly, the majority of access control systems on the market continue to use the same basic technologies that were introduced in the late ‘60s: a combination of simplistic card readers lacking electronic intelligence, linked by multiple wires to a centralized power supply and a central control panel. The panel makes the “allow entry” decision for the card or other credential presented at the door. These systems are energy hogs, they’re difficult to install and, more simply put, they’re a relic of past technology.

Then – A look back in access control history

The original access control system was a simple lock and key. Still in use today, keyed locks are easy to install and affordable, yet easy to break into. The first generation of automated door access systems used what would today be called primitive readers with no intelligence, which passed credential information (from a magnetic or RFID-enabled card) to a central control panel, which made the “allow entry” decision. The next generation of readers made slight improvements: the reader could be connected to the control panel over an RS-485 bus and had enough intelligence to open the lock. These second-generation “semi-intelligent” readers, however, still passed the credential codes to the control panel, so there was no improvement in either installation cost or energy consumption.

Although the advent of “intelligent” readers improved memory to allow access decisions to be made at the reader, independent of the control panel, the panel was still necessary since updates to the system and event histories were uploaded to it. Though some current panels have added the ability to connect to a network, they still offer no new advances in installation time, costs or energy consumption.

As shown below, the installation of even the most modern panel-based system remains a labor- and cost-intensive exercise. The panel also has the disadvantage of a limit on the number of doors supported per panel – typically 4, 8 or 16 doors depending on the brand and model. This means that adding just one more door to a full panel system requires another panel, increasing the cost on both a total-system and a per-door basis. The ongoing operational costs of any panel-based system are also higher than the state-of-the-art ISONAS alternative for two reasons:

Panel-based systems must be maintained by specially trained personnel, since they do not employ widely available computer standards of operation.

They consume significantly more energy.


Now – Intelligent IP reader-controllers

Alternatives exist today that take advantage of modern computing and networking technologies to provide a number of significant improvements over panel-based systems: they improve the basic functionality of access control, improve the overall security of these systems, lower the cost of installation, lower the energy used in the system’s operation, and integrate easily with other security and building management systems.

The ISONAS PowerNet Access Control System uses a customer’s existing Ethernet-based Internet Protocol (IP) network to link intelligent reader-controllers over CAT5 or CAT6 cable. The same cable that powers the ISONAS reader carries data to any inexpensive standard Windows computer running the system’s access control software, the ISONAS Crystal Matrix Software System.

“Allow entry” decisions are made at the door by the intelligent PowerNet IP reader-controller with historical event data passed, on a periodic basis, to the host software. The PowerNet reader contains a list of individuals that are allowed entry to the door (cabinet, gate, etc.) along with the times or shifts that they are allowed entry. Management of the system is easily accomplished via web-based pages from any computer with access to the internet. Individual reader-controllers can be set to stay open for specified periods or to remain locked until an authorized user’s credential is presented. Requirements such as anti-pass back, holidays and other special actions are easily accomplished through the Windows-based management software. Should the network go down, the PowerNet reader-controller continues to function in “standalone mode” and automatically updates the Crystal Matrix software when the network comes back online.
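The at-the-door decision model described above, as an added example that is not ISONAS code: each reader keeps its own allow list with shift windows, enforces anti-passback locally, and buffers its event history while the host is unreachable, uploading it when the network returns. The badge ids, schedules, event format and host interface are all constructed assumptions.

```python
# Added example, not ISONAS code: a minimal model of the reader-controller design above.
# The "allow entry" decision is made at the door from a local allow list with shift
# windows and anti-passback; events are buffered while the host is unreachable.
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class ShiftWindow:
    """Days of week (0=Monday) and a clock interval during which entry is allowed."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass
class ReaderController:
    door: str
    allow: dict                                   # credential id -> [ShiftWindow, ...]
    anti_passback: bool = True
    online: bool = True
    inside: set = field(default_factory=set)      # credentials currently inside the door
    pending: list = field(default_factory=list)   # events not yet uploaded to the host
    uploaded: list = field(default_factory=list)  # events the host has received

    def decide(self, credential: str, when: datetime, direction: str = "in") -> tuple:
        """Local allow/deny decision, made without the host. Returns (granted, reason)."""
        windows = self.allow.get(credential)
        if windows is None:
            granted, reason = False, "unknown credential"
        elif direction == "in" and not any(w.contains(when) for w in windows):
            granted, reason = False, "outside schedule"   # exits are never time-restricted
        elif self.anti_passback and direction == "in" and credential in self.inside:
            granted, reason = False, "anti-passback: already inside"
        elif self.anti_passback and direction == "out" and credential not in self.inside:
            granted, reason = False, "anti-passback: never entered"
        else:
            granted, reason = True, "granted"
            if direction == "in":
                self.inside.add(credential)
            else:
                self.inside.discard(credential)
        # Every decision, granted or denied, is recorded in the event history.
        self.pending.append((when.isoformat(), self.door, credential, direction, granted, reason))
        self.flush()
        return granted, reason

    def flush(self) -> int:
        """Upload buffered events to the host; returns how many were sent (0 while offline)."""
        if not self.online:
            return 0
        sent = len(self.pending)
        self.uploaded.extend(self.pending)
        self.pending.clear()
        return sent

    def set_online(self, online: bool) -> int:   # coming back online triggers a catch-up upload
        self.online = online
        return self.flush()

def demo() -> dict:
    """Constructed scenario: a day-shift badge and a Tuesdays-only contractor badge."""
    door = ReaderController("server-room", {
        "badge-1001": [ShiftWindow(frozenset(range(5)), time(8), time(18))],
        "badge-2002": [ShiftWindow(frozenset({1}), time(9), time(12))],
    })
    mon_0900 = datetime(2009, 12, 7, 9, 0)                           # a Monday
    results = {
        "in_hours": door.decide("badge-1001", mon_0900),
        "badge_reuse": door.decide("badge-1001", mon_0900),          # same badge, never exited
        "contractor_wrong_day": door.decide("badge-2002", mon_0900),
        "unknown": door.decide("badge-9999", mon_0900),
    }
    door.set_online(False)                                           # host unreachable
    results["offline_exit"] = door.decide("badge-1001", datetime(2009, 12, 7, 17, 30), "out")
    results["buffered"] = len(door.pending)
    results["resynced"] = door.set_online(True)
    results["uploaded"] = len(door.uploaded)
    return results
```

The single denied exit path shows why anti-passback must be tracked at the door: with the host offline, a panel-based design would have no state to check, while the reader here still has it.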

With Power over Ethernet (PoE) made possible by using the customer’s existing Ethernet network and industry-standard CAT5 or CAT6 cabling, the additional power sources and wires needed for a standard panel-based system are simply unnecessary. The PowerNet reader-controller, the magnetic lock or strike and all the typical accessories, such as request-to-exit (REX) devices and door sensors, are powered by low-voltage PoE through the PowerNet reader-controller. The ongoing power usage of the system as a whole is therefore significantly more efficient than with any panel system, and installation is accomplished much faster, and more cost effectively, than is possible with a panel-based system.

The PowerNet is designed for both indoor and outdoor use and since it is not encumbered by a control panel, it can be installed in virtually any location with no limitation on the number of doors or access points. Adding new doors is as simple as adding a single CAT5 cable to the existing network facilities, attaching the PowerNet, the appropriate lock and accessories to the entry point and programming the reader-controller via the reader’s web-based pages from any computer with access to the internet.

Since the PowerNet system is managed by a software system (the ISONAS Crystal Matrix Access Control Software System) that runs on a standard Windows-based server, and is accessible through the normal IP network, integrating the PowerNet reader-controller with a web-based video system, building management system or other electronic security system is quite easily accomplished. The combination of access control and IP video into a single platform not only optimizes security and efficiency during operations but it also minimizes the costs of hardware, maintenance, and training of security personnel.

With this platform in place, it can easily be expanded to create a complete IP-based security and process monitoring system. Perimeter security devices, motion detectors, and/or additional cameras for monitoring key operations can be quickly added to the infrastructure. As illustrated below, the installation of a combination of IP-based access control and video surveillance is more efficient and cost effective than the installation of panel-based system.

Summary
Utilizing the capabilities of PoE allows access control devices to break free from the limitations of a control panel. Today one of the major advantages brought by PoE to the security marketplace is the freedom to install reader-controllers virtually anywhere. In a traditional panel-based system if the control panel fails the functionality of all the doors in the system is lost, severely impacting facility security. With an ISONAS system if the reader-controller fails it is isolated to one door.

The reason for the reduced installation costs of the ISONAS system is simple: Since the IT infrastructure already has PoE built in, no additional power infrastructure needs to be added to support the access control system. The number of wiring terminations required for an ISONAS system versus a panel based system is significantly reduced since an electrician installing a panel-based system terminates the wire at a junction box near the door and runs proprietary wiring back to the control panel where it has to be terminated again. With the CAT5 wire installation of the ISONAS system, “termination” is a single wire per reader-controller, pulled by less expensive installation personnel (no electrician required since CAT5 is low voltage) and uses the same simple plug familiar to anyone who has ever plugged a laptop into a network.

The installation labor of an ISONAS system is typically at least 30% less than a comparably sized panel-based system.

With a lower manufacturing carbon footprint and the lower voltage required from the PoE ISONAS devices, access control can now legitimately claim to have gone “green” since the power usage of an ISONAS system is significantly lower over its lifetime than with any panel system.

And since the actual hardware cost of a panel system with all its pieces and parts is more expensive than the simpler but more powerful ISONAS IP-at-the-door reader-controller, the whole system is more cost effective than any alternative available. Better security combined with more cost effectiveness – the difference between THEN and NOW.

11.13.2009

What Is Lock Bumping & Should I Care?

Bumping, also referred to as "rapping", is not new. In fact, it's been around for at least half a century! When this method is used correctly it is extremely effective on over 90% of cylinder-type locks. As with any other lock picking technique, it requires some time and patience to master. A bump key is a key in which all the cuts are at the maximum depth. Bump keys can be cut for standard pin tumbler locks as well as "dimple" locks.

In the 1970s, locksmiths in Denmark shared a technique for knocking on a lock cylinder while applying slight pressure to the back of the lock plug. When the pins would jump inside of the cylinder, the plug would be able to slide out freely, thus enabling the locksmith to disassemble the lock quickly. The use of a bump key was not introduced until some time later and was first recognized as a potential security problem around 2002–2003 by Klaus Noch who brought it to the attention of the German media. After further examination of the procedure, a white paper was drafted in 2005 by Barry Wels & Rop Gonggrijp of The Open Organization of Lockpickers (TOOOL) detailing the method and its applicability.


A patent exists for a lock device following the same principle as the bump key from 1926–1928. The technique then attracted more popular attention in 2005 when a Dutch television show, Nova, broadcast a story about the method. After the method received further publicity from TOOOL presentations at security conference talks, members of TOOOL and a Dutch consumer group, Dutch Consumentenbond, analyzed the capability of the method on 70 different lock models and with trained and untrained users in a 2006 study.

At the same time, Marc Tobias, an American security expert, began to talk publicly in the United States about the technique and its potential security threats. In 2006, he released two further white papers regarding the technique and its potential legal ramifications.


High-quality locks may be more vulnerable to bumping unless they employ specific countermeasures. More precise manufacturing tolerances within the cylinder make bumping easier because the mechanical tolerances of the lock are smaller, which means there is less loss of force in other directions and pins move more freely and smoothly. Locks made of hardened steel are more vulnerable because they are less prone to damage during the bumping process that might cause a cheaper lock to jam.


Locks having security pins (spool or mushroom pins, etc.)—even when combined with a regular tumbler mechanism—generally make bumping somewhat more difficult but not impossible. Electronic locks, magnetic locks, and locks using rotating disks are not vulnerable to this attack.


Because a bump key must have the same blank profile as the lock it is made to open, restricted or registered key profiles are not any safer from bumping. While the correct key blanks cannot be obtained legally without permission or registration with relevant locksmith associations, regular keys can be filed down to act as bump keys.


Locks that have trap pins, which engage when a pin does not support them, will jam the lock's cylinder. Another countermeasure is shallow drilling, in which one or more of the pin stacks is drilled slightly shallower than the others. If an attempt is made on a lock that has shallow-drilled pin stacks, the bump key is unable to bump the shallow-drilled pins because they are too high for the bump key to engage. Many bump-resistant locks are available which cannot be easily opened through the lock bumping method.

Of course, you can also prevent such worries with an access solution such as ISONAS' PoE PowerNet IP or SimonsVoss' Digital Locking & Access Control System.



If you have any questions, please do not hesitate to contact us here.


11.11.2009

Company responsible for 1/3 of the world's junk email shut down.


A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to the M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

With Ozdok's head chopped off, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control, an indication of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with ISPs to identify the owners of the orphaned bots so those owners can clean up the mess.

FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn't have a chance to counteract. "As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable," they wrote.