3.29.2008

Security Under Siege at the Airport

Reprinted from CSO

Security dangers aren't always so clandestine. One of the most serious threats to your firm's security could be sitting next to you... in the airport departure lounge.

By David Michaux

October 18, 2006, CSO

Engineers from my company, a global security consultancy, have found documents and e-mails on public access terminals in airport departure lounges that could bring some global companies to their knees.

What began as a mixture of curiosity and boredom led consultants from our Dubai-based network security outfit to uncover a plethora of secrets left by globe-trotting executives logging on in between flights. While such senior figures possess high-level knowledge of their companies' affairs, many aren't equipped with knowledge of IT security precautions to match.

The average executive lounge offered to business and first-class flyers is equipped with a number of PCs that allow visitors open access to the Web. Each PC is installed with a standard Windows package that includes Microsoft Explorer, Outlook Express and sometimes Office.

As weary executives pull up to terminals, a sense of familiarity encourages them to behave as they would at home or in the office, and send an e-mail the same way. Why not use Outlook, just as they would at their desk?

But this could be a costly mistake.

Outlook Express is probably not configured to allow e-mails to be sent from such machines, so the correspondence simply moves to the system's outbox, where it remains indefinitely after the user clicks send. And if the system is configured to send messages, the e-mail that goes out is automatically saved to the machine's sent items folder. In either case, the message is ready for anyone to access at their leisure.

While traveling to meet clients, our engineers have found everything from intimate missives to mistresses (perfect for blackmail) to desktop-saved documents outlining multimillion-dollar deals, complete with profit margins and lowest bid values.

They also stumbled on something more sinister. Many machines, they found, are infected by Trojans, or backdoor programs, that can monitor, record and relay information entered by the execs to someone watching their activities externally.

I remember a discovery I personally made while waiting for a delayed flight. As I was playing solitaire, I noticed heavy network traffic on the lounge machine's taskbar even though I wasn't using any network applications. After some delving, I was amazed to find Back Orifice 2000 (BO2K) as the culprit. It had been invisibly collecting my keystrokes and sending a record of them to a Hotmail account every 15 minutes!

I reported my findings to the lounge receptionist, who responded by explaining she couldn't take responsibility for the security of the machines.

BO2K is a well-known Trojan capable of taking full control of the machine it has infected. The perpetrator is able to view the machine's webcam, listen in on its microphone and watch a streaming video of its display, all in real-time.

Another lounge security lapse my colleagues found, this time at a London airport, allowed users to log on to machines as Administrator, meaning they could download and install any software. Again, engineers found keyloggers had been installed on systems there, configured to send information to an external e-mail account at regular intervals.

The danger is that the CEO types who travel on behalf of their companies and use these lounges are privy to unusually sensitive data. This makes computers there a veritable gold mine, whether it's executives downloading attachments from their Web mail and leaving them on the desktop, or even deleting them afterward but not emptying the recycle bin before they get up to catch their plane.

What's more, execs who do take precautions are likely to be let down by the lounge's security itself, especially if a hacker has turned its machines into listening posts.

As airport lounges increasingly offer passengers wireless Internet access, existing Trojan problems are being eliminated. But as so often happens in the world of IT security, this new era will usher in a whole new family of network malignancies.

Until then, I've got a plane to catch...

David Michaux is the CEO of Scanit, a home and corporate security systems company with operations in Belgium, Dubai and Iran.

3.28.2008

Technologists vs. Terrorists

Reprinted from CSO

Technology is not a magic bullet that will render impotent all threats. But the nascent security tech revolution will make us safer, and soon.

By Mark P. Mills

October 10, 2006 — CSO —

So, where are the high-tech solutions in this conflict with terrorists, plotters and evildoers? Surely a nation that can produce iPods, cell phones, gigabit data streams, server farms and laser-guided bombs can sniff out some bad stuff without banning every water bottle and toothpaste tube from air travelers. Our soldiers are struggling mightily with a similar problem, trying to detect improvised explosive devices. Putting policy implications and opportunities for political mischief aside, why don't we have high-tech sensors and sniffers, electronic moats and virtual walls to protect citizens and soldiers from bad guys and bad stuff?

That we're on the half-decade anniversary of 9/11 with so little apparent progress is as much a technology challenge as a budget or policy one. In the initial paroxysm to do anything post-9/11, we added protection using what we already knew how to do: mostly more guards, guns and gates. Obvious to all: We need much better and much more, and in far more places. Less obvious is the near-revolutionary technology progress that has occurred and is about to be deployed. There is a remarkable new generation of solutions coming.

Over the past five years I've visited and talked with hundreds of scientists, engineers and entrepreneurs in the new multibillion-dollar high-tech security enterprise, from Boston to Austin, and San Diego to St Louis. And Silicon Valley too, though in this tech revolution, there is yet to emerge a "Valley" epicenter. While the venerable defense giants dominate big deployments like airports, ports and borders, the lion's share of revolutionary intellectual property and new technologies is emerging from universities, laboratories and small startups. Indeed, the archetype for high-tech security, the X-ray machines offered by GE and L3 for explosives detection in airplane check-baggage, originated in small entrepreneurial companies.

Before 9/11 there were only several dozen security tech companies, and no serious focus from the military-industrial giants. Today, every big player from Honeywell and Boeing to Northrop and Lockheed has a security tech operation. More importantly, there are more than 30,000 small companies in this new 21st-century security enterprise.

As with earlier conflicts, the forces of American capitalism have spooled up. The legion of scientists and engineers that I've met talk passionately about solving the difficult technical problems that detecting so many threats presents. And they do so not just with entrepreneurial enthusiasm, but with genuine patriotism and concern to mitigate threats to fellow citizens.

But there are daunting technological barriers to seeing and sniffing out physical threats, challenges well beyond those faced in creating the hardware and software of the digital information economy. Information bits are just electrons, and their quantum cousins, photons: tiny, orderly, simple by comparison to the monstrously larger, more complex and disordered world of atoms and molecules that make up all the bad stuff we want to find and identify. And unlike well-organized electrons in info systems, the atoms and molecules of TNT, acetone or anthrax are not only inconveniently randomly distributed, but also masked by other atoms and molecules and hidden by the complexities of the physical world, not to mention malicious schemes.

So, some of the first-to-emerge new security tools are purely information-based, from communications intercepts and watch-list matching, to biometric identification and smart software in video cameras. But to see, sense and identify materials and objects, we need new classes of detectors using exotic regions of the electromagnetic spectrum, nano-class chemistries, customized semiconductors and micro-fabricated instruments.

Such next-generation sniffers are now possible precisely because of the tech revolution. Riding the coattails of the trillion-dollar-plus digital infrastructure's material, tool and device revolution, engineers have designed, and can soon cost-effectively produce, classes of sensors the likes of which previously were found only in laboratories, or were simply inconceivable. It just took a little time.

The nascent products now emerging, or on the commercialization ramp, can meet the hurdles of low-cost, accurate and exquisite sensitivity to build unobtrusive virtual barriers across and within our society to detect bad, or potentially bad things, in all manner of places and conveyances, unobtrusively, quickly and accurately. Big laboratory-class detection will move to the front lines, shrunken down in size, cost and complexity: a reprise of the mainframe-to-the-desktop, then palmtop, trajectory.

There remain deployment hurdles, not the least of which is customers' ability, whether government or private, to even know new tools exist. Then there's the near-opaque challenge of performance validation: Does reality follow performances claimed? This is one of the most important roles for government: tests, standards, endorsements and seals of approval. Finally there are practicalities in using new tools effectively, often requiring facility redesign, operational and training considerations. All this creates frustrating delays. But these collateral issues are manageable and, importantly, amenable to acceleration now that a security tech revolution is at hand.

No, technology is not a magic bullet that will render impotent all threats. Electronic walls and moats will not obviate the need to take the offense and hunt down enemies. Nor will they diminish the role of strategic diplomacy and effective intelligence to foil dastardly plots and plans. But the nascent security tech revolution will make us safer, and soon.

Mark Mills, co-author of The Bottomless Well, is a cofounding partner in a tech venture fund, and serves as chairman and chief technology officer of ICx Technologies.

The New Trend in Identity Verification

From Privaris...

Biometrics has yet to achieve widespread adoption, or offer the panacea for CSO’s physical and logical access challenges that was predicted. Part of the reason is cost, though more often it’s the installation and usability hassles that stand in the way.

A new trend in identity verification, called “personal biometrics," is dramatically changing the landscape of the biometrics industry – offering any size organization the peace of mind of heightened security – without the cost and complexity.

Top 5 Misconceptions about Biometric Security

1. Biometric security is disruptive, complex and costly to implement.

Implementing biometric security no longer requires the installation of specialized biometric readers at every access point. The advanced technology of personal biometric solutions can be deployed overnight because they work with existing systems, including standard door readers for access cards and the Microsoft Operating Systems found on most PCs, eliminating the need to rip and replace hardware or install software.

2. Biometric security is inconvenient.

Biometrics doesn’t have to involve frustrating user experiences at access points and inconsistent, slow results. The new trend of personal biometrics eliminates the need for shared biometric readers and replaces users’ access cards and passwords with a single token for fast, convenient access everywhere identity verification is required.

3. Biometric security is inherently invasive to personal privacy.

Biometric implementations don’t have to entail employers collecting users’ sensitive biometric data and assuming the liability for protecting it from hackers. With personal biometrics, central repositories of biometric data are no longer necessary.

4. Biometrics is inefficient.

Long lines during periods of high traffic, delays due to a single individual having trouble matching – these historic characteristics of biometric systems have been overcome. New advances in personal, wireless biometric fobs are enabling “on-the-go” mobile biometrics that eliminates traffic back-ups and converges an organization’s physical and IT security functions with a single and simple protocol.

5. Biometrics is considered overkill for the task at hand.

Biometrics can simplify users’ lives while significantly enhancing security. The new generation of personal biometric technology offers tangible benefits to both end users and organizations, including reducing costs, converging physical and IT security and eliminating the management of access cards and passwords – while providing proof-positive identity verification.

This video showcases firsthand Privaris' new approach to identity verification (.wmv).

3.14.2008

DHS Conducts Cyber Storm II To Examine Preparedness, Response Capabilities

From the Security Products website

March 11, 2008

The Department of Homeland Security (DHS) is conducting the largest cyber security exercise ever organized. Cyber Storm II is being held from March 10-14 in Washington, D.C. and brings together participants from federal, state and local governments, the private sector and the international community.

Cyber Storm II is the second in a series of congressionally mandated exercises that will examine the nation’s cyber security preparedness and response capabilities. The exercise will simulate a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets.

“Securing cyberspace is vital to maintaining America’s strategic interests, public safety, and economic prosperity,” said Greg Garcia, Homeland Security Assistant Secretary for Cyber Security and Communications. “Exercises like Cyber Storm II help to ensure that the public and private sectors are prepared for an effective response to attacks against our critical systems and networks.”

Cyber Storm II will include 18 federal departments and agencies, nine states (Calif., Colo., Del., Ill., Mich., N.C., Pa., Texas and Va.), five countries (United States, Australia, Canada, New Zealand and the United Kingdom), and more than 40 private sector companies. They include ABB, Inc., Air Products, Cisco, Dow Chemical Company Inc., Harris Corporation, Juniper Networks, McAfee, Microsoft, NeuStar, PPG Industries, and Wachovia.

Cyber Storm II objectives include:

  • Examining the capabilities of participating organizations to prepare for, protect against, and respond to the potential effects of cyber attacks.
  • Exercising strategic decision making and interagency coordination of incident response in accordance with national level policy and procedures.
  • Validating information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response and recovery information.
  • Examining means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.

For more information on Cyber Storm II, visit http://www.dhs.gov/xprepresp/training/gc_1204738275985.shtm.

Tips: Protect Your Computer From The ‘Zombie Army’

From the Security Products website

March 3, 2008

Hackers and spammers may be using your computer right now. They invade secretly and hide software to get access to the information on your computer, including your e-mail program.

Once on your computer, they can spy on your Internet surfing, steal your personal information and use your computer to send spam to other computers without your knowledge.

Computers taken over this way often become part of a robot network, known as a “botnet” for short. A botnet, also known as a “zombie army,” is made up of tens or hundreds of thousands of home computers sending e-mails by the millions. Fortunately, botnets are not inevitable.

To help you reduce your chances of becoming part of a bot, the Federal Trade Commission encourages you to secure your computer by:

  • Using anti-virus and antispyware software and keeping it up to date.
  • Being cautious about opening attachments or downloading files from e-mails you receive.
  • Using a firewall to protect your computer from hacking attacks while it is connected to the Internet.
  • Disconnecting from the Internet when you are away from your computer.
  • Checking your “sent items” file or “outgoing” mailbox for messages you did not intend to send.

To learn more, visit OnGuardOnline.gov/botnet.html.

3.11.2008

RFID Installation Speeds and Secures School Library Processing

From T.H.E. Journal

Red Mountain Middle School in Deming, NM has implemented a radio frequency identification technology in its library for self-service checkout. The school chose RFID technology from Integrated Technology Group, which specializes in library automation technologies. The school, which opened in 2007 and currently has about 900 students, has a library collection of 9,000 volumes. That is expected to grow to 20,000 by the next school year.

"I think we are really trendsetting for public schools," said Teresa Ortiz, library media specialist at the school. "Before ITG installed RFID, I did not have quality time to spend collaborating with teachers to build new learning programs for students. Now I am able to devote much more energy toward collaboration and do what library media specialists are supposed to do--teach!"

The new RFID system includes Apex XpressCheck patron self-service kiosks, an Apex PowerReader wand for inventory purposes, Apex RFID DirectReader software and Apex RFID security pedestals installed at exits for loss protection.

The DirectReader software enables the library to integrate RFID technology into existing library applications. The application replaces bar code scanning with the action of placing a stack of materials on an RFID pad. The user can check in a stack of items or use the "one-at-a-time" method. The security is set on or off at the same time. The staff can turn a tag's security bit on or off independently of any other process.

The school estimates that the new set-up reduces inventory processes to half a day instead of two and a half weeks. Ortiz said she is using the extra time to develop curriculum for an Internet research course that teaches the students how to use the Internet effectively.


About the author: Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at dian@dischaffhauser.com.

Chicago Schools, Police To Share School Security Camera Video

From T.H.E. Journal

Chicago Public Schools and city administrators have agreed on a partnership that will give the Chicago Police Department and the city's Office of Emergency Management and Communications a remote connection to the cameras installed inside and outside Chicago schools.

The move was announced by Chicago's mayor, Richard M. Daley, against the backdrop of violence during which four public school students were killed and another five wounded in separate gun incidents.

"When this program is fully implemented over the next few months, we will have a comprehensive school security system that will make it far easier for us to respond more quickly and effectively to any emergency at a school building," Daley said. "The step we're announcing ... will help us keep our young people safer when they are in and around school buildings throughout the city."

Until now, the real-time video provided by more than 4,500 cameras inside and outside about 200 public elementary and high schools and administrative sites has been accessible only to school officials. Under the new agreement, the police department and the Office of Emergency Management and Communications will have a remote connection to the safety cameras.

According to reporting by the Chicago Sun-Times, Chicago's existing surveillance network includes more than 10,000 public and private cameras. The cost of the school-focused upgrade, $418,000, will be financed by Department of Homeland Security funds.

The cameras will not be monitored, according to the Sun-Times report. They'll be accessed when emergency personnel are alerted.

The system will be implemented over the next few months. It will allow first responders to an emergency situation at a school to be able to see real-time video from inside and outside the building on portable data terminals.

Beginning March 22, the city will also be putting into effect new curfew hours. Starting that night for young people under 17, the curfew will start at 10 p.m. Sunday through Thursday and 11 p.m. Friday and Saturday.


About the author: Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at dian@dischaffhauser.com.