2.27.2008

Flying Through Airport Security


from the Wall Street Journal

By STEPHANIE CHEN
February 27, 2008; Page D1

On a crowded Tuesday morning at Orlando International Airport, Lou Stanislao, a 61-year-old project manager and frequent flier, had his fingerprint scanned at a kiosk designated for "registered travelers." His name popped up on the screen, allowing him to move into another line -- where he doffed his shoes and handed over his bag for scanning. Next, he showed his ID and ticket to a security agent and picked up his belongings. In all, he breezed through airport security in five minutes.

For this, Mr. Stanislao pays $100 a year.

He's among the 100,000 registered members of Verified Identity Pass Inc.'s Clear security system -- one of three companies authorized by the federal Transportation Security Administration that currently offers expedited security lines.

[Go to map]
See a map of airports that participate in registered traveler programs.

Yet, more than seven years after Congress approved the concept of an expedited airport security clearance system, only 16 out of 3,364 airports in the U.S. are operating any form of the system. That's because the program doesn't necessarily make the skies safer: Would-be terrorists with a clean history could, in theory, be approved for a pass, officials say. So the Transportation Security Administration abandoned the effort, deciding to focus resources on other security efforts. The program was then turned over to private companies.

In the private sector, the issue of convenience emerged as a priority. And with total passenger levels at U.S. airports approaching 700 million a year, more airports have signed on. In the past year, three airports have implemented the program. These include Oakland and both major Washington, D.C., airports.

About a dozen other airports have expressed interest trying to start programs this year. The country's busiest airport, Atlanta's Hartsfield-Jackson Airport, recently listened to a presentation about the program from vendors. Chicago's O'Hare International Airport, the second-busiest airport, and Los Angeles International Airport are vying for vendors in those cities as well. As part of the contract, airports each receive between $77,000 and $250,000 a year from Registered Traveler companies.

John Harrington, a photographer in Washington D.C., is convinced the program speeds up his travel. He plans his routes specifically to go through airports that offer the service whenever possible. Last year, he flew into San Francisco International where the program is offered, for instance, rather than Oakland International Airport, which just received the program in January. "It gives me more time to spend on my work instead of waiting at the airport," he says.

The program works like this: Applicants fill out a form that asks basic questions, such as Social Security number and previous addresses. Two forms of identification are submitted, and the applicant's fingerprints and irises are scanned. Then the TSA conducts a background check. The person's information is compared with names on suspected-terrorist lists and checked in databases to determine criminal background and U.S. citizenship. If approved, the applicant receives a credit-card-size pass with an annual fee of anywhere from $100 to $200.

This is all possible because back in 2001, amid the airline gridlock that followed the 9/11 attacks, federal officials -- and eventually Congress -- authorized a program aimed at reducing the hassles of new security regimes for frequent fliers without compromising safety. The Registered Traveler program was intended to move those with clean records to the front of the line, says Kip Hawley, TSA administrator.

Over the next few years, TSA poured federal funds into testing biometric systems for identification. In 2004, it set up a pilot program in five different airports, offering about 2,000 people at each location a free membership. Officials soon realized, however, the flawed logic behind the Registered Traveler program: It might actually increase security risks because a terrorist with a clean record could still get on a plane.

Still, vendors of the Registered Traveler system point to security benefits. Steven Brill, the writer and media entrepreneur who is chief executive officer of Verified, says the program does enhance airport security by letting TSA know who the members are through the enrollment process. On a busy Monday morning in Orlando, Mr. Brill says, about 15% to 30% of the passengers are Clear members. "The airport knows who those people are," he says. "That's a lot of hay out of the hay stack."

So far, Verified's Clear system is the dominant player. The company, which began operating in late 2005 at Orlando International Airport, has kiosks in 14 airports. Unisys Corp. operates at Reno-Tahoe International Airport, and Vigilant Solutions offers services at Jacksonville International Airport in Florida. The memberships work across participating airports, regardless of the company that sold the pass.

Overall, the Registered Traveler companies are going after hard-core business travelers -- the frequent fliers and first-class passengers with "elite" status who may already have access to fast lanes. So the companies are emphasizing additional benefits.

Customers who sign up with Vigilant Solutions, a Jacksonville Beach, Fla., company, get discounts at some golf courses in Florida. Vigilant Solutions has about 3,000 participants since its first operation opened in August and expects membership to grow to 10,000 by the end of 2008, says Julie Venditti, chief technology officer.

FLO Corp., a security company based in Chantilly, Va., has aggressively pursued corporate clientele for its version of the service, but doesn't yet operate at any airports. FLO says it has secured 150,000 participants to join its program nationwide, adding that its members will receive discounted limousine services and other benefits.

Still, some airports have been slow to offer the option. Officials in Atlanta have spent the past five years discussing the possibility of implementing a Registered Traveler program. If a vendor is selected in the next few months, the program could be running this year, officials say. But they don't seem to be in any hurry, instead worrying about the potential for irritating travelers who aren't in the program.

"We have to accommodate all the passengers that come through and make sure we're not causing anything detrimental to people not participating in the project," says Herschel Grangent, spokesman for Hartsfield-Jackson Airport.

Road warriors like Phillip Merdinger, an Atlanta consultant, don't understand why the program is taking so long to catch on.

He pays about $100 each year to avoid security-line snarls at airports such as San Francisco International Airport and LaGuardia International Airport in New York. In addition to shorter waits, he also receives help from company-employed workers with laptop removal and luggage sorting to speed up the line.

"You start to get spoiled when you're moving quickly though the airport," says Mr. Merdinger, who flies several times a week using Clear.

Write to Stephanie Chen at stephanie.chen@wsj.com

2.20.2008

Keeping Watch for Burglars (And Tabs on the Kids)

From the Wall Street Journal...........

Wireless Home Security Lets
You Check In From Afar;
Do-It-Yourself Installation

By CHRISTOPHER LAWTON
February 13, 2008; Page D1

As a police officer in southern Florida, Greg Varley was dispatched to investigate as many as 10 false alarms a day at residents' homes. He was frustrated to discover that most people didn't disarm their security systems properly.

So after retiring and moving to Cookeville, Tenn., Mr. Varley three months ago looked for a home-security system that would give him more control over arming the sensors, helping him avert false alarms. He soon came across a company called InGrid Inc., a security system that he could install himself and control using the Internet.

[Alarm]

Mr. Varley now arms and disarms his security system by logging onto a personalized Web site. And in addition to knowing when something goes wrong at home, he also can monitor when things are going right. "It's easy to go online and check the status of your sensors," he says. "We have a cleaning lady who comes, and I can tell when she comes and when she leaves."

InGrid is just one of a wave of Internet- or cellular-based home security and monitoring products on the market now, joining iControl Networks Inc., NextAlarm.com, Broadband Alarm Co. and Alarm.com Inc. in offering homeowners a do-it-yourself approach. Larger companies, such as AT&T Inc., are also moving into the wireless home-security market.

Just 1.5% of homes in the U.S. now use wireless monitoring systems, but that percentage is expected to reach 5% to 6% by 2012, according to market researcher Parks Associates.

That's far below the estimated 25% of U.S. households today that use traditional security systems, such as ADT Security Services Inc. and Brink's Co. Those systems are linked via the homeowners' phone lines and mainly use wired sensors that are placed on window and doors. Traditional systems also use a central-monitoring center that alerts police or fire departments when alarms are triggered.

Internet-based security, however, allows homeowners to place wireless sensors throughout the home -- beyond just entryways. Many of these systems have central monitoring provided by a third party. AT&T doesn't offer central monitoring at all.

Using a password-protected Web page, homeowners can use their computers to view the status of each sensor, see a history of dates and times sensors were triggered, and tailor settings to send email, text-message updates and alerts to smart phones or other hand-held devices.

Alarm on the Gun Rack

These features have given rise to a new type of monitoring: Homeowners are now able to spy on activities going on in their homes. Sensors can be installed on everything from liquor chests to medicine cabinets; gun racks to garage doors. Some of the systems also come with stand-alone Web cams that can be monitored through the Web site while users are at work or out of town.

Boston resident Martin Cowley recently put a wireless sensor from Alarm.com on his home liquor cabinet because he hires a teenage babysitter to watch his small children when he's away. The 39-year-old says he's already experienced some instances when he's been out to dinner and gotten an email from his system saying the liquor cabinet had been opened for a short time. (After later inspection, he found no liquor was taken.)

Makers of the new wireless alarm systems say their customers don't see the monitoring as intrusive. InGrid Chief Executive Louis Stilp says that people mainly want to know if their children are doing something they aren't supposed to. "The benefits that come from that far outweigh any potential privacy issues," he says.

Mary Knebel, a vice president at Alarm.com, says all of her company's features are "opt in," meaning users can choose what services to implement and who has permission to view the reports.

Installation Savings

Since the wireless systems can be set up by homeowners, there may be savings on installation. For example, InGrid's kit for single-family homes, which includes eight wireless sensors and other hardware, costs $299 with a one-year monitoring commitment. Customers who use traditional security systems typically pay $300 to $1,000 for equipment and professional installation. Prices will vary based on the number or type of sensors used, add-on features and the length of the contract. Central monitoring costs are roughly the same -- about $30 a month -- for both traditional and wireless customers.

To get a larger piece of the $8.8 billion home-security market, some big companies are also entering the wireless monitoring business. In late 2006, AT&T launched a home-monitoring service that includes cameras and wireless door and window sensors. This system, which can be self-installed, costs $10 a month and a one-time $200 equipment fee, with a one-year commitment.

[Alarm]

ADT says it's planning to add Web and mobile interactive features to its traditional security offering in the coming months, but company officials declined to give specifics. Brink's plans to add complementary Internet-based option to its primary service by the end of the year.

Setting up wireless systems yourself can prove challenging. Homeowners must first add the security system's hardware to their wireless router, which is then connected to a broadband modem. Sensors are then individually placed and programmed to trigger an alert when breached. Finally, a Web site interface is personalized to let homeowners determine who gets notified and how. An opened liquor cabinet could send an email alert to the homeowner, for example, but a backdoor entry may be set to trigger an alert to the monitoring center as well.

Getting Signals Straight

In some cases, the signal may not stretch to all the corners of the home, making it necessary to use "extenders," wireless devices that get all the sensors to communicate with the base unit. Most services offer help over the phone, and InGrid plans to launch a partnership with a professional installation company for those who don't want to install their own systems.

Lee Hutchinson, a 29-year-old computer systems administrator in Houston, recently had trouble figuring out where to put the extender device for his InGrid system so that all the sensors would connect without interference and work properly. He eventually had to draw out a map of his home and email it to InGrid's customer-service department. They sent him two free extra extenders and instructed him on where best to put the devices.

Still, customers of the wireless alarm systems say the products have made them feel safe. Marvin Hayes, a 75-year-old retired International Business Machines Corp. employee, found that his home in Tucson, Ariz., was broken into in 2003 when he was traveling. Thieves broke down the door, ransacked his bedroom and stuffed valuables into a pillowcase. The criminals haven't been caught.

In 2006, Mr. Hayes got a home-monitoring system from iControl, and then installed door sensors, as well as motion-activated cameras on the front door and in the living area. The system sends text messages to his cellphone whenever a sensor is triggered.

"It makes me feel very good that I have some control over my house," he says.

Write to Christopher Lawton at christopher.lawton@wsj.com

2.15.2008

A Growing Threat

Reposted from Security Products website article

By John Flaa · January 2008

Critical infrastructures look to ID cards for enhanced protection

In the United States, people encounter a perpetual tradeoff between freedom and security. The nation depends on a complex system of critical infrastructures to maintain a high quality of life and the freedoms enjoyed every day. New threats to security have these organizations taking a second look at their vulnerabilities, however, scrambling to minimize disruption and to maintain the integrity of their operations.

In the past, national security was perceived as the role of government. Today, Department of Homeland Security efforts to protect critical infrastructures from physical attack are a shared responsibility of the public and private sectors, as well as individual citizens.

Prime Targets
Critical infrastructures are generally prepared for natural disasters, which are often predictable days in advance. Terrorist attacks, however, are new and immediate, requiring a different mindset and different levels of preparedness. With proper design, management and operation, organizations can reduce their risks, often without significant investment.

The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets report, published by the Bush administration in 2003, identifies the industry segments and key assets that would disrupt the safety, security or economy of the United States if compromised. They include agriculture and food, water, public health, emergency services, the defense industrial base, telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, postal and shipping, national monuments and icons, nuclear power plants, dams, government facilities and commercial key assets.

These industry segments are being encouraged by the government to adopt security plans. Some already have a base level of security, but others are just beginning. DHS introduced the national infrastructure protection plan in 2006 to provide structure between public sector and private industry initiatives, but because there are no standards for most utilities, each must determine for itself an effective security program.

Broad Security Solutions
In the past, security meant a combination of guards, guns and gates. Today, organizations seek the broadest possible solution to integrate all elements of an operation, from access control to logical security. In many cases, this starts with a simple ID card.

Access control is often the main reason utilities and critical infrastructures introduce ID card systems. The Wisconsin State Laboratory of Hygiene, a public health and environmental laboratory, performs bioterrorism testing of materials such as anthrax. Prior to Sept. 11, 2001, anyone could enter the building, located in the middle of the University of Wisconsin campus. Now, anyone who needs access to the lab must show an authorized ID card. Ensuring that only legitimate cardholders have access to protected areas enables all employees to enjoy greater freedom.

Transportation is another area that plays a vital role in the U.S. infrastructure, and it was designed to be open and accessible. However, an upset here can cause a ripple effect felt nationwide, so after 9/11, it was the first area to receive increased attention. The FAA required every airport in the United States to revalidate identification cards for all employees, ensuring all of the ID cards used at airports were active and up to date. For Los Angeles International Airport, which saw 67 million passengers that year, this meant creating 44,300 new badges, which were produced in-house by two employees with Fargo Professional series card printers.

Today, the focus has shifted to ports. TWIC is being phased in at 12 high-risk ports throughout the country, starting with enrollment in October at the Port of Wilmington, Del. TWIC cards are tamperresistant biometric credentials for as many as 750,000 employees who need unescorted access to ports and vessels.

DHS set aside $400 million to help fund port security initiatives, including money for the ID cards. While a good start, this ID card is basically a photo ID, indicating that a person has passed a background check. What’s missing is any integration with systems at the port facilities themselves, many of which are operated independently. Most ports are vast and sprawling with multiple access points.

Many have railroads running throughout, adding yet another layer of vulnerability. Many transportation companies operate under tight budgets. For example, Metro Transit, a unit of Minneapolis/St. Paul’s Metropolitan Council, considered cost effectiveness when it bought a printer to produce its ID cards. Bringing inside the production of its 20,000 yearly Metropass cards for bus and light rail transit improved the security of the cards and saved the organization money.

Adding Logical Security
Preventing unwanted and unauthorized entry to buildings and grounds is a primary objective of critical infrastructure security systems, but these organizations also need to protect their internal networks. The growth of the Internet and advances in wireless technology have increased the power, and the vulnerability, of computer networks and IT architectures, leaving data and infrastructures at risk. Today, employees and customers have the necessary tools to damage computer systems or steal individual identities around the clock and from virtually any location. Traditional password systems, which can be stolen, copied or forgotten, are being replaced with sophisticated authentication systems, many of which start with an ID card.

While critical infrastructures have yet to adopt ID cards widely for network security, the trend is moving in this direction. ID cards, especially those with smart card technology, can provide single-use access or administrative control, which is especially appealing to critical infrastructures with expansive facilities or complex IT systems.

Security and privacy often go hand in hand, especially in the healthcare marketplace. HIPAA encourages healthcare facilities to implement electronic systems and mandates that these systems guarantee privacy and security of patient information. As a result, more healthcare organizations are using smart cards, proximity cards and biometrics to secure their computer networks.

The Right Technology
Organizations today can choose from a wide range of ID card technology to fit their security needs, from visual ID cards to those with embedded biometrics. Most choose something in the middle.

Magnetic stripes and bar codes are inexpensive methods of encoding text onto a card and collecting critical data. Magnetic stripes contain digital data, such as access privileges, employment history or background information, that is transferred onto the card by special encoders. A reader translates the data for computer processing, and bar codes provide access to more complete information in a secondary database.

Smart cards use internal microprocessors or memory chips with non-programmable logic to manipulate information—much like a miniature computer. This enables organizations to incorporate multiple applications and functions into one smart card, thus justifying the slightly higher cost.

Many critical infrastructures still have a low level of perceived threat and thus have not adopted the robust security offered by smart cards. They could learn a lesson from how schools have maximized the benefits of these cards, often combining multiple functions onto one card. Students at the 3,200- student Everglades High School in Florida, for example, have been using ID cards for school identification for about 12 years. Four years ago, the staff added a smart chip to its cards, enabling debit card privileges in vending machines, the media center and at a number of other student activities. EHS students can even purchase yearbooks and prom tickets with their ID cards. The goal is to become a cashless campus.

At one New York high school, substitute teachers must carry a smart card containing a microprocessor chip embedded with their Social Security number and certain encrypted security codes. The smart card program is tied into the criminal justice system, providing immediate confirmation of criminal violations. Special attention is paid to individuals with a criminal history.

Critical infrastructures that want to take security programs to another level can add holographic solutions to their ID cards to prevent them from being counterfeited. Options range from economical foilstamped holographic seals to custom holographic overlaminates with hidden micro text, sophisticated flip images that appear to be animated or pseudo color that changes when the card is tilted.

Biometrics represents the ultimate in authentication and, as a result, can be the most expensive addition to ID cards. Iris scans and palm prints are powerful security tools. In a few years, this technology will be more commonplace, but for now, it is used primarily by critical infrastructures threatened by the greatest amount of disruption if attacked. For example, the Department of Defense is matching biometric data stored on its 4 million common access cards with a live image from a biometric sensor.

Responding to Disasters
Critical infrastructures are sometimes better at responding to disaster than preparing for it, and ID cards are an important part of a disaster management program. Following Hurricane Katrina, ID cards were used to credential evacuees and provide them with some form of personal identification, which also helped the Salvation Army maintain security in the temporary shelters. Evacuees also were able to receive their Social Security payments and cash checks.

Often during a disaster, first responders from federal, state and local agencies work together in a single command structure to credential people quickly and authorize access to certain areas. The need for a clear and constant tracking system is critical. The first responder authentication cards, compliant with HSPD-12 and FIPS 201, identify first responders at the scene of an incident, enabling them to move in and out of secured areas. The cards allow physical access into buildings, logical access to networks, incident command and control, and property and firearms accountability.

Preparing for the Unthinkable
Applications exist today for in-house production of ID cards that fit almost any budget. Funding also is available to help offset costs. Having a localized system gives organizations the flexibility needed to create an ID system that is relevant to their facility.

People want to know that critical infrastructures are taking every precaution to preserve the safety and continued operation of this nation. Visible ID cards provide small but tangible assurance.

About the author

John Flaa
John Flaa is the customer knowledge manager at Fargo Electronics.

2.13.2008

Alabama School District Initiates a District-Wide IP Alert System

Continuing with the theme of our last post, it appears that other governmental departments in the state of Alabama are picking up on the trend to implement system-wide emergency alert systems. In Dian Schaffhauser's article on T.H.E. Journal, Alabama's Elmore County School District has installed and tested a Cisco/Cistera integrated solution, and they are very pleased.

The solution integrates three components:
  • RapidBroadcast is an network-wide IP phone system involving text, SMS, voice, and pre-recorded messaging. This is a Voice-over-Internet-Protocol engine that ties together all of these services into a single package allowing entities to enlist their own computer networks to host telephony capabilities.
  • LandMobileRadioConnect is a multiple-frequency compatibility medium connecting two-way radios and the IP phones from the RapidBroadcast system. This allows two-way radios to integrate into VoIP networks, and vice-versa.
  • ZoneController is a system that integrates with the first two to provide paging via IP Phone, radio, and loudspeaker emplacements.
The school district encapsulates 15 campuses. One of these, a middle school, ran a test drill successfully using the new system, and the results were satisfactory. Davis Brock, the technology director for the middle school, had this to say: "..the success of the drill reinforced our overall satisfaction and peace-of-mind that we have a reliable communications system in place to share important information if we are faced with an emergency."

As the world gets smaller and communications travel closer to the speed of light, the ability to alert whole systems is becoming commonplace in corporate, federal, and as evidenced by the past two articles, civic installations.

Cited
Dian Schaffhauser, "Alabama School District Implements Emergency Alert as Part of VoIP Rollout," T.H.E. Journal, 2/8/2008, http://www.thejournal.com/articles/21999

2.06.2008

Louisiana courts adopt Emergency Notification System

As per the article posted on the Security Products website, the Louisiana Supreme Court and the 4th Circuit Court of Appeal, both housed in the French Quarter of New Orleans, are now sharing a centralized Emergency Notification System provided by AtHoc. The necessity came about mainly through the lacking emergency response time during the Katrina hurricane disaster.

The highlights of the article are how integrated this system appears. It can be triggered from a web browser, and includes alerts by phone, SMS text messaging, paging, and desktop popups. Tommy Anderson, director of security for the Louisiana Supreme Court, had this to say: “We can now reach all personnel in the courts on their desktops in an average of one minute....When an emergency occurs, triggering an alert from a single console and achieving that type of response time is critical.”

AtHoc has already partnered with many large important commercial, military, and government entities in the U.S., including the Navy, Army, and even Microsoft. Their network-centric alert systems have become critical to many of these entities, and it appears that more and more organizations are turning to network-based security measures.

The original article on AtHoc's site can be found here.