Friday, April 16, 2010

Webcam home security system

A burglar who stole stuff from an NZ home was snapped by the owner's webcam that had been set to monitor the scene for movement. When triggered, the camera sent still images to the owner by email, alerting him to the burglary in progress. Unfortunately the police arrived just too late to nab the intruder but his face is quite clearly recorded for posterity ...

The news cutting says the owner used software called "Motion", possibly this package which is promoted on the strength of its use for home security monitoring - CCTV on the cheap.

Wednesday, March 31, 2010

Inside GCHQ

Fascinating BBC report on GCHQ, the UK Government Communications HQ - "GCHQ: Cracking the Code".

There's a nod to Bletchley Park's work cracking Enigma in WWII.

Clifford Cocks talks about inventing PKI "overnight".

GCHQ employees talk enthusiastically about the buzz their work gives them and the 'culture of security' which extends to home life, avoiding any specifics of course.

The reporter and guides describe the 10,000 square metres of computer halls in the centre of the donut, and their dependence on cooling water ...

They mention monitoring Web 2.0, VOIP and other Internet comms globally, and the need to adapt quickly to agile targets exploiting new security technologies and constantly watching for new exploits.

The ethics of snooping/spying and the inevitable privacy compromises that entails get a good mention: the very fact that the program was produced at all is surely a positive sign of GCHQ management and indeed the British government's intent to be more open.

GCHQ people are now 'embedded' with military units deployed around the world, sharing intelligence (no doubt in both directions).

Bonus marks for picking out all the other physical security controls mentioned throughout the programme, and the social engineering potential of a program like this, no matter how carefully produced and edited.

Saturday, February 27, 2010

Awareness value of a US data center incident

Consonus, a US data-center/co-location facility provider that prides itself on its "highly secure and reliable data centers", suffered a rather embarrassing physical security incident at one of its data centers on Saturday February 20th. An email from the Consonus data center manager to his customers indicates that an Inergen automated fire suppression system was accidentally triggered during a routine 6-monthly inspection of the fire system. This incident somehow damaged a large number of disks in the facility - I understand from other less reliable sources that as many as five hundred disks may have bitten the dust. Oops.

The point of this blog posting is not to poke fun at Consonus, who have clearly invested heavily in state-of-the-art controls and appear to have a comprehensive approach to information security, but rather to indicate that control failure remains a risk that we should all consider, no matter how strong we believe our controls may be.

In this incident, disk damage was evidently not the anticipated result of triggering the fire suppression system. It was an unforeseen risk, exactly the kind of thing that contingency planning is designed to mitigate. I wonder how many of Consonus' customers either buy its optional disaster recovery and data protection (evidently meaning backup and archival) services, or have their own contingency controls in place, or didn't but now wish they did ...

At the same time, this incident is probably not generating the kind of publicity that Consonus would welcome (although there's truth in the saying that there's no such thing as bad publicity!). I wonder if their customer services team has its own contingency plan for this kind of event?

This unfortunate incident would form the basis of an excellent case study for security awareness purposes, but it's far from isolated. The truth is that unpredictable and costly information security incidents happen more often than most people realize [and here I'm talking in general terms, explicitly not referring to Consonus!]. In the course of my career, I have seen many and, I'm ashamed to admit, been personally involved in a few.

Investing in high availability technologies and strong security measures still cannot guarantee that essential IT services will be 100% available under all circumstances. Testing the fire system 'outside normal office hours' reduces but does not eliminate the risks. Siting IT facilities above the anticipated '100-year flood level' is merely gazing into some weather man's crystal balls. 'Uninterruptible power supply' is an oxymoron.

Even if information security is truly taken to heart by an enlightened senior management, as IT technologies and services get ever more complex, some types of coincident or catastrophic failure (including those caused by the very security controls we are implementing) become more not less likely.

Contingency planning depends on contingency thinking, which starts with someone posing the inevitable "What if ...?". There's a fine art to getting managers to suspend their rather charming but somewhat dubious trust in technology just long enough to consider what might happen if things don't in fact work perfectly, while at the same time not going so far as to be accused of just spreading FUD or constantly crying wolf (which is where classic "worst case scenarios" can easily lead). This is exactly the area where security awareness really helps in that it aligns information security and business thinking, focusing everyone on the risks and controls with the benefit of knowledge of what can, and indeed does, go wrong in similar situations elsewhere.

And that's why case studies make such good awareness tools. Better to learn from other people's misfortunes than to suffer them yourself.

Sunday, January 31, 2010

Cracking encrypted VOIP?

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio? Plaingab?) en route to/from the encryption software at the client end, using a Trojan. The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.

Thursday, August 06, 2009

Tax passwords are valuable!

The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or retrieving ones carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, hacking their lovely online and/or back-end IT systems.

It's hard to imagine that taxpayers would deliberately discard letters with login credentials that might let them reclaim overpaid tax, but it's possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.

Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing. Rogue postal workers sometimes get the blame. Fraudulent redirection of post and theft from mailboxes also occur from time to time.

It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson. Perhaps it's just too horrific to countenance?

Office and email security awareness


We've released a thoroughly refreshed and updated awareness module on office security, covering physical and IT security in the workplace. It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.

Friday, December 19, 2008

HMG loses two gizmos a week

In the past year, the British Government admits to having lost:
  • 53 computers
  • 36 BlackBerrys
  • 30 mobile phones
  • 4 memory sticks; and
  • 4 disc drives.
If we assume that the devices had just 1 Gb of data storage each (a low estimate for some I'm sure), that's 127 Gb of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 Gb of unencrypted data. By my calculation, that's equivalent to a pile of printed papers more than 50 feet high.

The reported number of lost devices is certainly an underestimate, since (a) it's self reported by government officials; (b) it excludes the Ministry of Defence and Home Office who did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats e.g. lost CD/DVD ROMs and actual papers.

As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.

Wednesday, October 08, 2008

The ethics of entrapment

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!).

But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.

UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or credit card companies, banks and retailers concerned, in the same way that undercover drugs cops let and in fact help drug deals proceed until they have the opportunity to spring the trap.

Monday, March 10, 2008

Tamper resistant =/= Tamper proof

Ross Anderson's team at Cambridge University has demonstrated physical security vulnerabilities in two of the devices commonly used to validate chip-and-PIN cards in the UK. The vulnerabilities would enable an attacker with sufficient physical access to the devices and some manual dexterity with a needle or bent paper clip to hack them, exposing PIN codes. With PIN codes plus data from the magnetic stripes, card hackers could create fake cloned cards that work in non chip-and-PIN validators (which are becoming uncommon in the UK now, but less so abroad), or in chip-and-PIN validators that fall back to the magstripes if card chips don't work.

This ably demonstrates the difference between "tamper resistance" and "tamper proofing". The chip-and-PIN security mechanism, like many others, was designed to resist certain attacks not to prevent them. Compromises inevitably had to be made during the chip-n-PIN design specification process for the sake of cost, usability etc., including the decision to retain magstripes on chipped-cards (as the team puts it, "Essentially, the vulnerabilities we exploit are not just a matter of hardware design, but also of the options many banks chose as they implemented EMV"). Hackers, as a breed, feed on such security compromises. There is no shortage of fodder. We've already seen miniature CCTV cameras plus magstripe readers used in the wild to capture PINs and card data on ATM skimmers, and chip-n-PIN device tampering in frauds at Shell service stations in the UK in 2006.

The team draws out some general lessons in the paper, aspects such as:
- the complexity of the EMV specifications (leading to local interpretations and the introduction of further unintended flaws)
- obvious conflicts of interest that result from equipment vendors selecting and paying security labs to assess their products against Common Criteria - something economists call "moral hazard" apparently - plus the commercial pressure on labs to issue pass slips like confetti (same with ISO/IEC 27001 certifications!)
- further issues that arise when product assessments and certifications are clouded in secrecy, thanks to the whole banking industry closing ranks and lax controls by the UK's Common Criteria certification body (apparently, anyone can claim to have had their product Common Criteria Evaluated, whereas they must have actually passed the tests to claim Common Criteria Certified ...)
- the potential applicability of this kind of hack to other tamper-resistant mechanisms such as on electronic voting terminals. The same class of attack would probably succeed against devices using biometric mechanisms (fingerprints, iris scans, whatever) for user validation: if the codes sent by a biometric reader can be captured in the clear en route to the encryption/validation guts, they can probably be replayed or used for other attacks. Blog-reading designers of dual-interlock atomic missile launch fire biometric authorization mechanisms please take note. Tamper resistance has its limits.

The paper is well written and thought provoking for hackers and security professionals alike, even those with only fleeting interest in chip-n-PIN while paying for stuff.

Friday, February 22, 2008

Does your DCP cover frozen hydrazine tanks crash-landing?

A US spy satellite "the size of a bus" (the SI unit of satellite size) that went out of control shortly after being launched a year ago, has been blasted by a US missile over the Pacific Ocean. They aimed (literally) to blow the satellite to smithereens (the SI unit of satellite size following missile impact), ostensibly to prevent the frozen hydrazine fuel tank smashing to Earth and giving someone a nasty surprise. Any secret weaponry allegedly on board would also, presumably, have been destroyed.

What if the missile had missed its target or they had not been able to fire the missile for fear of creating an international security incident amid fears of the Star Wars initiative? And what if the spy satellite had landed, intact, on your data center? What if the missile landed on your data center? What if ...?

Now I don't expect your contingency plans to mention falling spy satellites, frozen hydrazine or missiles explicitly, but that's really not the point. The point is that your plans perhaps ought to mention and should definitely cover commonplace and credible disaster scenarios, but should also cover the more extreme, outlandish and incredible incidents too, the nature of which is presently unknown and, in fact, unknowable. That is the essence of true contingency planning: "We don't know exactly what might happen but we are as ready as we can ever be to cope with any disaster that comes our way."

The US military's contingency plan for the spy satellite going out of control presumably reads:
- Have large missiles available in strategic locations worldwide
- Launch large missile at satellite
- Handle PR nightmare as well as can be expected given circumstances
- Reassure Chinese and Russians that WW3 is not declared
- Fire designers and builders of out of control spy satellite

For you and me, a specific contingency plan to cover the spy satellite scenario might read something like:
- See flaming ball of fire approaching at 22,000 mph
- Take cover under large immovable object, quickly
- Hear flaming ball of fire explode, releasing no-longer-frozen hydrazine gas
- Hold breath
- Crawl out from under large hot immovable object
- Staunch bleeding, dampen fires
- Seek fresh air
- Call insurer to make incredible claim

A more general plan might read:
- Have large immovable object or similar, under which to take cover
- Have first aid kit with all essentials
- Have disaster survival kit with all essentials
- Have insurance policy
- Watch for news of imminent disasters, Google "hydrazine" and refine/enact plan accordingly

Sunday, February 17, 2008

Don't forget to lock the office ...

... especially if you are a banker.

A 5 year old boy who discovered that his local bank branch was closed but unlocked was awarded a paltry £10 (US$20) by HSBC, one of the world's largest banks that makes obscenely large annual profits, for letting them know. HSBC say the electronic door lock system failed. I presume bank staff neglected to check the lock, in other words the bank's security procedures also failed.

Tuesday, February 12, 2008

Do your contingency plans cover mice and snakes?

Physical security incidents are one class of incident that virtually all contingency plans cover, but are your plans broad enough to cater for the full range of potential physical security incidents? Here are some classic photographs of actual incidents that might make you re-think your approach:
- Mice nesting inside a system, using a handy computer manual as nesting material
- A snake living inside a nice warm system box
- Lightning/storm damage to electronics
- Inept maintenance and repairs
- Equipment overheating

There are more photos of this nature at the Microwave Mortuary if you need something to spice up your awareness program.

Thursday, January 24, 2008

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I note, minimum 6 alphanumeric+punctuation character passwords with a lifetime of up to one year (!);
- Incident reporting and response planning (CIP-008) - an annually-reviewed incident response plan; and
- Recovery plans for critical cyber assets (CIP-009) - DR plans with at least annual exercises.

For completeness, CIP-001 covers sabotage reporting, the critical infrastructure equivalent of SB-1386 and similar requirements to report unauthorized credit card or personal data disclosures.

FERC's IT security standards are stronger than mere recommendations and will probably become fully mandatory when get-out clauses relating to business judgement are removed. In-scope companies should all have started work on this by now and have to be fully compliant by mid-2008 or mid-2009 depending on the type of company and the specific standards.

FERC did not go as far as to mandate NIST's SP800-series security standards, however, excellent though they are, nor indeed international standards such as ISO/IEC 27002. The stated reason was not to delay implementation. While I applaud their haste to beef up infrastructure security, it's a shame to ignore the large existing body of work on information security from the likes of NIST, ANSI, BSI, ISO, IEC and others. Arguably there is a need for specific security standards covering SCADA (Supervisory Control And Data Acquisition) systems, but the electricity industry is not pure SCADA by a long shot: there are conventional systems, many running Microsoft Windows and various UNIX/Linux variants, and TCP/IP networks all over the place, and security architecture, operations and management issues are basically the same as for any other industry. [I guess adopting existing standards would put a posse of electricity industry security consultants out of jobs but IMHO they are better deployed implementing security standards than creating new ones.]

Looking over the list of bullets above, it is not hard to align FERC's advice with ISO/IEC 27002 ... whereupon gaps such as compliance stand out. FERC evidently intends to assess or audit the utilities' security against the standards but there's more to compliance than formal assessments/audits. Electricity companies should have suitable governance structures and processes in place to ensure compliance with their internal security requirements (policies, standards, guidelines and procedures) and with legal obligations unrelated to FERC (e.g. software license compliance plus other intellectual property issues, SOX and protection of Personally Identifiable Information) along with compliance by their suppliers and business partners. There are solid commercial drivers for information security in the electricity industry, quite separate from the critical infrastructure protection angle. Surely FERC could leverage this to their advantage?

The standard on DR is also notable for the absence of any advice on contingency planning and business continuity. I would have thought that 'keeping the lights on' is absolutely number 1 top priority for the electricity industry, therefore resilience is more important than recovery. Perhaps this is so ingrained that it is taken as read but I'm surprised by the omission.

By the way, I also couldn't help but notice that "Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission" are explicitly excluded from the scope of the standards. I trust the nukes have their own, strong, rigorous, comprehensive cyber security standards ... they do, don't they?

Sunday, January 06, 2008

When losing the office key codes makes headline news

When a vehicle maintenance contractor's car was stolen, thieves removed a clipboard with a sheet of paper listing access codes for pushbutton locks on 73 Police station yards in West London. The contractor disclosed the loss and all the numbers were changed within 11 hours, but this was yet another embarrassing security blunder for HM Government. Questions have been posed about why a civilian had access to such sensitive information and why he failed adequately to secure it. The relatively poor security afforded by mechanical pushbutton locks would be another concern although thankfully Police stations have multiple overlapping layers of physical security.

Monday, December 31, 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest:
"A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said.

The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid vulnerable to shortages, Matthew St. Amant, a California Highway Patrol officer assigned to an FBI task force, wrote in an affidavit. No blackout occurred because the incident - which cost $14,000 for 20 computer specialists to repair - happened on a Sunday, investigators said. Denison was identified by surveillance-tape footage and his security-access code, the affidavit said. He pleaded guilty to attempted damage of an energy facility, a felony. He is to be sentenced Feb. 29 by U.S. District Judge Garland Burrell."

If you don't already subscribe to RISKS, it's highly recommended.

Monday, December 10, 2007

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as Policemen with a convincing story:
"The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt."

This was clearly a social engineering incident.

Tuesday, November 06, 2007

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.

Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tasered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).

Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?

Saturday, October 27, 2007

Iron Mountain security failures continue

Iron Mountain Inc. is back in the headlines again - this time a customer's storage media went missing from an Iron Mountain truck when the driver "did not follow established company procedures when loading the container onto his vehicle".

The backup device belonging to the Louisiana Office of Student Financial Assistance (LOSFA) contained thousands of names, birth dates and Social Security numbers. It was unencrypted - evidently LOSFA is "working on a plan to encrypt all backup data stored off site". It was also "in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan".

Tuesday, October 23, 2007

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs.

Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible.

Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé.

The take home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering the original data. There's a lot to be said for the 'print out -> obliterate with marker pen -> scan -> load' method.

UPDATE: a man has been arrested in Bangkok following release of the unredacted photo.
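
To illustrate the lesson above, here is an added example (not from the original post, and not the filter or the method in the news story): a toy Python model in which a "swirl" rotates the square rings of a small grid. The 6x6 sample grids, the function names and the ring-rotation model are all assumptions made for the illustration. It shows why manipulating pixels keeps the original data in the file while removing them does not.

```python
# Added example: a toy model of "redaction by distortion" versus removal.
# The 6x6 grids, function names and ring-rotation "swirl" are constructed
# for illustration; this is not the filter or the method from the news story.


def ring_coords(n, r):
    """Cells of the r-th square ring of an n x n grid, clockwise from top-left."""
    lo, hi = r, n - 1 - r
    if lo > hi:
        return []
    if lo == hi:
        return [(lo, lo)]  # single centre cell of an odd-sized grid
    top = [(lo, x) for x in range(lo, hi)]
    right = [(y, hi) for y in range(lo, hi)]
    bottom = [(hi, x) for x in range(hi, lo, -1)]
    left = [(y, lo) for y in range(hi, lo, -1)]
    return top + right + bottom + left


def swirl(img, strength=1, inverse=False):
    """Rotate ring r by strength*(r+1) cells: pixels move, none are destroyed."""
    n = len(img)
    out = [row[:] for row in img]
    for r in range((n + 1) // 2):
        coords = ring_coords(n, r)
        shift = strength * (r + 1)
        if inverse:
            shift = -shift
        for i, (y, x) in enumerate(coords):
            ty, tx = coords[(i + shift) % len(coords)]
            out[ty][tx] = img[y][x]
    return out


def blank(img, fill=0):
    """Redaction by removal: every pixel is overwritten with a constant."""
    return [[fill] * len(row) for row in img]


def leaks_information(redact, samples):
    """True if distinct inputs still give distinct outputs, i.e. the
    'redacted' result still encodes which original it came from."""
    outputs = {tuple(map(tuple, redact(s))) for s in samples}
    return len(outputs) == len(samples)


# Constructed sample "images": two different 6x6 grids of pixel values.
IMG_A = [[y * 6 + x for x in range(6)] for y in range(6)]
IMG_B = [[35 - v for v in row] for row in IMG_A]


if __name__ == "__main__":
    distorted = swirl(IMG_A)
    print("distorted differs from original:", distorted != IMG_A)
    print("inverse restores original:", swirl(distorted, inverse=True) == IMG_A)
    print("swirl leaks information:", leaks_information(swirl, [IMG_A, IMG_B]))
    print("blank leaks information:", leaks_information(blank, [IMG_A, IMG_B]))
```

The same injectivity check is a quick sanity test for any redaction routine: if two different originals produce two different redacted outputs, the original data has not been removed.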

Saturday, October 20, 2007

Automated field gun kills 9

This tragic story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun during a live-firing military exercise, the gun turned to the left and fired a rapid burst of ½kg cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all.

According to news reports, "Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an inquiry.

Don't the procurers of such automated weaponry specify mechanical safety interlocks capable of physically preventing the turret from turning beyond set azimuth (and perhaps elevation) limits?

Friday, October 19, 2007

Tips for physically securing your IT equipment

A page from the University of Bristol's new security awareness site, aimed at students, offers some worthwhile advice on avoiding physical damage or loss to your IT equipment, things like:
- Don't cover the PC or monitor with anything (fire risk)
- Don't drink near the system (water damage risk)
- Don't be in a rush (a common explanation for why laptops etc. get left on public transport is that the owner was in a hurry ... I suspect asking students to get out of bed 5 minutes earlier is a bit of a tall order).

The rest of the site is straightforward enough - basic advice on antivirus, firewalls, patching, backups and so on. Not a bad start.

Who owns what you throw away?

An interesting angle on the dumpster-diving craze comes from Singapore. A judge has previously ruled that confidential information discovered in the trash cannot be used against someone, but the issue is to go to appeal.

It seems to me the burden is and should be on the person discarding information to take care to make it unreadable, for example by cross-cut shredding and burning. It seems fair to me that it's their fault if they fail to take sufficient physical security measures to protect the information.

Friday, October 12, 2007

Tips for your next black bag run

Rebecca Herold lists some 18 common security breaches to look out for when undertaking an office physical security review out of hours (also known as a black bag run when the reviewer/auditor collects up and quarantines sensitive/valuable materials left on desks).

We'll be looking at office information security specifically in January's NoticeBored Classic awareness module but Rebecca's list is an excellent starting point. It's hard to think of other breaches.

Wednesday, October 10, 2007

Secure disk erasure how-to

Anyone who sells a used hard drive, or a system containing one, should follow the step-by-step guide to using DBAN (Darik's Boot And Nuke), a great free program to securely erase everything, BEFORE packaging and sending the goods to an anonymous eBay or car boot sale buyer.

DBAN does a good job but overwriting the entire disk surface several times with random data is not a quick five-minute-or-less job - it may literally take hours to do thoroughly. Don't leave it to the last minute and don't cut it short if there is anything vaguely incriminating on the disk.

Oh and don't try this on any disk drive whose contents you actually still might need (doh!).

Physical security podcasts

Podcasts at SecurityInfoWatch cover topics such as voice recognition biometrics, CCTV camera technologies, terrorist threats and more. They are mostly interviews with representatives of companies selling associated products and services (i.e. advertorials or infomercials) but still the information content may be just what you need.

Sunday, October 07, 2007

Top secret NSA data lost on thumb drive

It's not A Good Idea to lose a USB memory stick containing top secret data from the NSA, even if you are a foreign citizen working at the Hague in Holland.

Similarly, it's not A Good Idea to shred your top secret papers with a plain cut shredder and hand the shreddings to an untrustworthy Taiwanese courier.

Security camera security

If your CCTV security camera system uses IP transport to cut costs, don't forget to factor the cost of network and device security into the mix. It has long been known that many IP-enabled CCTV cameras are pumping live video onto the Web with no encryption or access control. It now appears that exploiting security vulnerabilities in the camera controllers may allow hackers (or bank robbers) to manipulate the video stream, for example replacing it with a 'blank scene' while they crack the vault.

Password protected =/= Hacker proof?

Gosh: another stolen laptop contains personal data. But it's OK, we're told, because the laptop is "password protected".

"Password protected" could mean a BIOS boot password, a hard drive access password, a Windows/UNIX user login password, or a data encryption key. Using hacker or forensics techniques, all but the last of these controls can be broken, and even encryption can often be brute-forced given enough time and a weak pass phrase. If the laptop's data or entire hard drive had been strongly encrypted, we'd presumably have been told so and the people whose personal data are on the stolen laptop could sleep easier.

Call me paranoid but "password protected" sounds very much like "insecure" to me.

At least the Gap company 'fessed up that their stolen laptop was unencrypted.

UPDATE Dec 9th 2007: after a laptop was stolen from a Citizens' Advice Bureau employee's car, the CAB confirmed that it was protected with "a high level of encryption". Presumably 'high level' means strong encryption using a current encryption algorithm (such as AES) with a long key length (at least 128 bits, ideally 256 or more) and a strong password/passphrase policy, ruthlessly enforced (long non-dictionary phrases). Anyway, if it were my personal data on the laptop, the fact that the PR people specifically state that the laptop was encrypted would give me a lot more confidence than the usual mention of "password protection".

This is doubly important if you are, say, a government that regularly loses hundreds of laptops and desktops per year.

Data recovery from 'erased' CD-RWs

Picking up on a technique used to retrieve MP3s from an 'erased' CD-RW disk, a forensic investigator has succeeded in retrieving incriminating data from 'erased' CD-RWs, sufficient to secure the defendant's prosecution in a child abuse case.

The news article barely outlines the method: it appears to involve writing a new file to the 'erased' CD-RW but interrupting the write process. I presume the first part of the write creates the 'lead-in' file system synchronization and identification data. If interrupted soon after, the PC can presumably be fooled into reading the rest of the disk.

Presumably, also, if 'erasing' a CD-RW only involves wiping the disk sync and ID part leaving all the data intact just waiting to be overwritten by the next write operation (rather like deleting the directory on a hard drive), then surely it ought to be possible to manufacture forensic CD/DVD software or drives that sync directly to the data tracks to make their bitwise copies, all without having to overwrite the lead-in part of the (evidential) disk? Indeed, a very quick Google query reveals that one can buy data recovery software for damaged CDs. I wonder if the 'clever officer' in the news story tried such an approach?

Anyway, the take-home-message is not to discard even 'erased' CD-RWs that might contain valuable or sensitive data. Shredding/grinding/physical disintegration and burning remains the safest option.

Thursday, October 04, 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."


The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information such as
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."


The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.

Physical & information security convergence

A security page at the ISACA website links to three resources on convergence between physical and information security:

1. A survey by Deloitte & Touche addresses the value of security as part of enterprise risk management and the benefit of a converged view of security in managing enterprise risk. Security executives provided insight into the general state of security convergence, integration of converged security as part of ERM, the role of risk councils and the benefit that a strategy for converged risk management plays in breaking down communications barriers.

2. Convergent Security Risks in Physical Security Systems and IT Infrastructures describes how enterprises are facing the risks that arise when physical and IT security risks collide.

3. Convergence of Enterprise Security Organizations is a Booz-Allen-Hamilton study examining how enterprises are addressing the converged issues surrounding their security.

Suspected chemical attack on London

Since this month's awareness topic is physical security, I guess a story about a suspected chemical attack in London is not too far off-topic.

The subtext is that London remains on high alert for terrorist attacks.

Tuesday, October 02, 2007

Physical security awareness module

Lock up your assets
October's NoticeBored security awareness module covers the physical aspects of information security e.g.:
- Physical access controls such as fences, walls, doors, locks, security cables etc.
- CCTV, security guards, staff passes, visitor procedures, intruder alarms
- Environmental controls and supplies for the computer equipment e.g. UPS, air-conditioning, fire/smoke & flood alarms.

Since first writing and delivering this module in 2004, we've added a stack of new materials so the whole module now contains over 80Mb of rich content.

Do let us know if there are any physical security links to add to our links collection.

Thursday, August 09, 2007

Five nines = a stretch target

In a shining example of integrity, transparency and customer service, 365 Main, a data center company that promises extremely high levels of availability, has published details of a serious power failure that took out service to over 40% of its San Francisco colocation clients for as much as 45 minutes. The diary of events describes the frantic investigative engineering work required to analyze and resolve a problem in the backup power systems, finally traced to a timing issue (one of the nastiest forms of software bug!) in a PLC (Programmable Logic Controller - a type of Supervisory Control and Data Acquisition [SCADA]) subsystem that failed to clear the memory reliably when the diesel generator control units reset. Although I'm not a SCADA security expert, the fact that the failure occurred after a number of set/reset events sounds like a memory leakage and buffer overflow problem to me, but then I'm reading another textbook about software security testing at the moment so it's on my mind.

In the course of explaining the failure, the company outlines the design of its "N+2" standby power system using ten 2.1MW diesel generators, two of which are backups in case of maintenance or failure of the remaining eight. This level of power system investment is evidently sufficient to deliver 99.99% availability ("four nines") in an area subject to "dozens of surges and utility failures" during the last five years, although it is patently insufficient to reach five nines. Close but no cigar.

Describing the rapid sequence of five power surges as a "unique event" implies that they had not previously tested the power systems under the specific conditions that led to the failure. This is known as Sod's Law or Murphy's Law, I'm not sure which. The preventive maintenance and testing regime looks reasonable by most standards i.e. "preventative maintenance logs on the Hitec generators are currently available for customer review. All generators in San Francisco pass weekly start tests and monthly load tests where diesels are started and run at full load for 2 hours. Both of these tests simulate a loss of utility and the auto start function is accurately tested." That said, however, if I were advising them [which I am not!], I would probably suggest running occasional on-load tests for much longer - perhaps 24 to 48 hours or more - to ensure that the diesel tanks, pumps/valves and pipes are clear, to confirm their capacity for exceptional long-term outages, and to refresh the diesel in the tanks. One of our clients experienced a backup generator on-load failure due to a blockage between the diesel header tank and the main diesel tank: the header capacity was sufficient for short on-load tests but not for a multi-hour power failure.

Reading between the lines of the diary a little, it looks as if the company had 'full and frank exchanges' with senior management at Hitec, the supplier of the no-break diesel generators and controls. The fact that they name the supplier is perhaps indicative of a frosty chill in the business relationship, but equally could imply their confidence in the way the supplier responded to the incident.

Anyway, this is all fascinating and will probably form the basis of a case study in our forthcoming awareness module on physical security and environmental services for IT, due for release in October, or perhaps a later as-yet-unplanned module on application security. As with this month's case study based on the ongoing Ferrari-McLaren spying incident, real world cases often make more convincing classroom assignments. The trick is to summarize and crystallize the key factors into a format suitable for discussion.

Tuesday, July 10, 2007

Guide to critical power

A 66-page guide to critical power from BITS, although intended for US-based financial institutions, is broadly applicable. It outlines the electric grid system and points out that much of the critical infrastructure is exposed to adverse weather and even terrorist attacks. It goes on to provide a 225-question checklist but without model answers (though it's not exactly hard to figure them out).

On page 15, the guide points out a hidden drawback in over-engineering power systems:
"For modern critical facilities, the benchmark availability is in the range of 99.999% (“five nines”) to 99.9999% (“six nines”). To achieve six nines availability, the engineered systems will have to incorporate designs that include system+system [2(N+1)] redundancy. It is worth noting that engineered systems in a critical facility are often over-designed to include too much redundancy. That is, systems become more complex than they need to be, which leads to decreased reliability."
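The guide's point about redundancy and complexity, and the "N+2" design in the 365 Main post above (eight generators needed out of ten), can be put into numbers. This is an added example, not taken from the guide or from 365 Main: the per-generator availability, the per-unit control risk and the model in which shared control logic becomes less reliable as units are added are all assumptions chosen for illustration.

```python
"""Availability arithmetic for redundant standby power (illustrative model)."""
from math import comb

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes_per_year(availability):
    """Convert an availability fraction (e.g. 0.9999) to minutes down per year."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def k_of_n_availability(n, k, unit_availability):
    """Probability that at least k of n units are up, assuming independent failures."""
    p = unit_availability
    return sum(
        comb(n, up) * p**up * (1 - p) ** (n - up)
        for up in range(k, n + 1)
    )


def system_availability(n, k, unit_availability, per_unit_control_risk):
    """k-of-n units AND the shared control logic must both work.

    Assumed model: every unit added makes the common control/switching
    layer slightly more likely to be down, so its availability is
    (1 - per_unit_control_risk) ** n. This is the common-mode term that a
    pure k-of-n calculation leaves out.
    """
    control = (1.0 - per_unit_control_risk) ** n
    return control * k_of_n_availability(n, k, unit_availability)


def best_unit_count(k, unit_availability, per_unit_control_risk, max_units):
    """Number of installed units (k..max_units) giving the highest availability."""
    return max(
        range(k, max_units + 1),
        key=lambda n: system_availability(
            n, k, unit_availability, per_unit_control_risk
        ),
    )


# Constructed figures, not measurements from any real site.
REQUIRED_UNITS = 8          # generators needed to carry the load
UNIT_AVAILABILITY = 0.99    # assumed availability of one generator on demand
CONTROL_RISK = 1e-5         # assumed control-layer unavailability added per unit


if __name__ == "__main__":
    print("units  availability  downtime (min/yr)")
    for n in range(REQUIRED_UNITS, 15):
        a = system_availability(
            n, REQUIRED_UNITS, UNIT_AVAILABILITY, CONTROL_RISK
        )
        print(f"{n:5d}  {a:.6f}      {downtime_minutes_per_year(a):10.1f}")
    best = best_unit_count(REQUIRED_UNITS, UNIT_AVAILABILITY, CONTROL_RISK, 16)
    print(f"best unit count under these assumptions: {best}")
```

Under these assumed figures the first spares buy a great deal, but past a certain point each extra unit costs more in shared-control risk than it returns in redundancy.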

Wednesday, June 20, 2007

Tears in the data center

Have you heard people talking about "tier three data centers" etc. and wondered what planet they were from? Well The Uptime Institute has the answer - a short white paper explaining the characteristics of each of the four tiers, handily numbered I (basic) through IV (fault tolerant) for the Romans amongst us.

It's interesting that the top-of-the-range fault tolerant/highly resistant tier IV data center listed in one of the tables achieved 99.995% availability (down for just under half an hour per year!), still short of the "five nines" availability that people with very deep pockets sometimes insist they need.

Thursday, May 31, 2007

Physically securing sensitive facilities

The US Government specifies physical security requirements prior to the construction of facilities to house especially sensitive and valuable information assets - national secrets. Sensitive Compartmented Information Facilities (SCIFs) need physically strong walls and doors with multiple layers of protection. A SCIF reference guide provides further details of the requirements, including aspects such as sound proofing and white noise generators (to mask sensitive conversations). The requirements may seem excessive outside the government and military/defense sectors but in fact many large commercial organizations face similar risks.

Tuesday, May 08, 2007

Coin bugs tell a story

Having just issued a security awareness module on 'insider threats', I'm currently researching for a future topic on 'competitive intelligence' so this story caught my imagination. The mystery about US defense contractors working in Canada being bugged by coins containing miniature transmitters has been solved: the coins were a commemorative 'poppy' issue with a special protective coating that looked suspicious to alert defense people.

Regardless of the eventual outcome in this case, the way that the suspicious coins were identified and reported up the line demonstrates good security awareness. The contractors were evidently well aware of the possibility of being bugged, enough to spot and report the suspicious coins. Their managers and clients, in turn, quickly raised the alarm and so the story spread. The authorities now admit that they did not fully validate the reports but it appears they chose to err on the side of caution. We call that 'fail-safe'.

If a similar situation occurred in a regular commercial setting, how many of you and your colleagues would have identified the possible threat, or reported it? Would any of your managers have given such a report even a second thought, let alone circulated a warning? Would someone have investigated and resolved the issue? That's called 'fail-open'. Or 'fail' for short.

Thursday, February 08, 2007

Physically securing the wires

An unusual article in CSO Magazine concerns the theft of copper wires (and sometimes fiber optics!) due to a peak in the global price of copper. Thieves are literally risking their lives to steal power cables.

More physical security links

Friday, December 22, 2006

Physical security control myths busted

An unusual source of security information has come to light: the entertaining Mythbusters TV series has explored a variety of physical security controls including fingerprint readers (defeated by a latex copy of a fingerprint ... and even by a photocopy of a fingerprint), intruder detectors that detect body heat (defeated by a pane of glass), and a safe-breaking technique involving water and a depth charge (! That one works.). Another episode busted the myth about being able to cross a criss-cross laser-beamed room by visualizing the beams, and showed how to defeat a pressure switch with duct tape.

More physical security resources

Wednesday, October 11, 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organization. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occur elsewhere outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links

Computer room environmental controls

Seems I'm not alone in having trouble locating good information online about computer room environmental requirements (power, air-con, physical access controls, raised floor design etc.). A fellow infosec professional searching specifically for air-con parameters published some useful links on the CISSPforum today i.e. IBM, HP and more HP, Sun and the University of Texas. I recommended a book from the Sun Blueprints series by Rob Sneveley: Data Center Design and Methodology (~$62 from Amazon). I'm still looking for relevant standards.
More physical security links

Monday, September 25, 2006

iPod slurping

Slurp is a program to download MS Office files from the C:\Documents and settings area onto the hard drive of an iPod through a PC’s USB connector. The risk is that someone with physical access to the PCs in your office (such as a hacker in the guise of an unescorted visitor, maintenance worker or cleaner) may have much more than ripped MP3s on their iPod.
More portable IT security links

Monday, August 21, 2006

Zoomable CCTV on Florida trains

When passengers on new Metrorail Tri-Rail trains in Southern Florida press buttons to alert guards to incidents, the new on-board CCTV system automatically zooms-in on the area. Additional cameras monitor the outside of the train plus fore and aft. Taking this idea a step further, the technology exists potentially to zoom-in on users who cause security alerts on our network systems, get their passwords wrong or make typing errors ... George Orwell would be proud of us.
More physical security links

Monday, July 24, 2006

Security awareness for flight schools

Two online presentations from the US Transportation Security Agency aim to raise awareness of [physical] security amongst employees at flight schools and flight simulators. The introduction mentions that the courses were made available "in accordance with 49 CFR 1552" as a "pro-active response from TSA".
Both presentations recommend reporting suspicious behaviors or incidents, including "unusual adjustments to strengthen the wheel wells" on aircraft amongst other things. We find out later on that strengthened wheel wells are considered a threat as they may indicate the intention to carry heavy loads - evidently that is Bad. Advice to interview suspicious characters such as people "loitering for extended periods" (as opposed to those who loiter briefly), students who "continually want to fly over sensitive locations or critical infrastructures - nuclear facilities, power plants, dams, etc." or students "who perspire excessively or have excessing nervous energy", though well meaning, could prove life-threatening if the people under suspicion are indeed worth interviewing, and seems rather pointless otherwise.
It's so easy to poke fun at the training materials that I wonder whether this is some sort of elaborate joke or hoax, maybe even a honeypot. If so, it's very convincing, delivered without the vaguest hint of irony or humor. If it is genuine, though, I have to ask why the TSA considered it A Good Idea to post this advice on a public website if they are genuinely expecting to catch suspicious characters loitering, sweating or whatever near aircraft ... The "Reference PDF" is not available as I write this blog entry so maybe the presentation was uploaded for testing or by accident, or maybe it's just broken. The 'interactive learning' elements make good use of the technology although the stodgy, repetitive language soon gets tedious. Judging by the number of times the courses recommend 'inform your supervisor', for instance, US flight schools seem to have a plentiful supply of highly-knowledgeable supervisors. They have presumably been trained into an elite defense force, experts at body language and psychology as well as (possibly) flight training.
More security awareness links

Tuesday, January 24, 2006

Wired News: The Backhoe: A Real Cyberthreat

Diggers (backhoes) are evidently one of the most serious threats to comms networks, including otherwise well-designed resilient networks with redundant links.
More physical security links

Wednesday, September 14, 2005

I hear you made spelling mistake ...

It is evidently possible to determine what someone is typing on a keyboard purely by painstaking analysis of tiny differences in the sounds made by the keys. A research team used the standard letter distribution in English to reconstruct what had been typed by a typist using a computer keyboard, using just a 15-minute audio recording. [This is a creative application of a standard cryptanalysis technique.] Perhaps quiet keyboards and background noise should be considered information security measures?
More physical security resources

Thursday, July 21, 2005

Sazo GPS/GSM location

Sazo is an interesting low-cost product line from a UK company that uses GPS or GSM signals to locate Sazo devices. They are being marketed for concerned parents to track and communicate with their children, and for similar personal-location applications. The technology may also prove useful for tracking stolen vehicles or PCs or other valuables (although it would of course need to be modified slightly so as not to need the thief to acknowledge the location request message!).
More physical security links

Wednesday, July 13, 2005

The human factor in information security

The British Computer Society has published a paper by Zach Anuka highlighting the importance of human factors in information security, alongside physical and logical/technical factors. "... the human piece of the puzzle, the soft factor, receives the least attention and investment. How often in an IT project do you hear about human vulnerabilities requirements? Not often. It is not usual for systems integration projects to include the aspect of user training that could enable users to manage their own inherent vulnerabilities." Well said Zach!
Click for more security awareness resources and our own white papers on why we need awareness and human factors.

Iron Mountain Loses More Tapes

Perhaps as a result of the Californian law requiring disclosure of security breaches involving personal data on Californian residents, several incidents involving the loss of backup tapes in transit between the primary and backup sites have come to light since 2004. Given the sensitivity and volume of data on the tapes, and the fact that they are being handed to (albeit trusted) third parties for transportation, it is perplexing to discover how few organizations apply encryption ['encoding' and 'proprietary formats' don't count - these are just weasel words], even in financial services. The latest example of this kind of incident involves Iron Mountain Inc., a backup specialist that hit the news over another similar incident a few months before. Why is it that the possibility has escaped otherwise quite comprehensive risk analyses? Presumably it is not explicitly covered by SAS70 or the auditing standards and has simply slipped under management’s radar, until now.
More physical security resources

Wednesday, June 15, 2005

Information retention and destruction

With some analysis of the Enron case, The Register's piece Shred It! says you should "establish a clear and reasoned and workable [document retention] policy ... [and ideally] automate the process of document destruction ... Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents." However, things change if your organization is under investigation. "Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended." In other words, you must not artificially use the policy to destroy evidence.
More physical security and confidentiality links

Friday, June 03, 2005

The insider threat

In Looking at the insider threat!, Doug Schweitzer picks up on the need for organizations to protect themselves against attacks by insiders - employees and others working within the physical and logical perimeter. "Security starts from the inside out" neatly encapsulates it. We'll have more to say on hackers, both insider and outsider versions, in next month's NoticeBored security awareness materials.

Thursday, May 05, 2005

More backup tapes missing

There seems to have been a rash of security incidents involving the loss of backup tapes lately. Computerworld is now reporting that Time Warner lost an entire shipment of data backups en route to its off-site storage. The Register outlined a handful of similar incidents, pointing out that identity thieves would love to get their hands on backup tapes containing credit card numbers and other personal details, especially as so few are encrypted.
More risk management, physical security, privacy and confidentiality links

Wednesday, May 04, 2005

CCTV effect on crime

A report by the UK Home Office reveals that only one of 13 CCTV systems studied directly produced a statistically significant reduction in crime relative to comparable control areas without CCTV. This runs counter to the general perception, and the implication of previous Home Office and Police statements, that CCTV deters city-center crime. The report has implications for the cost-benefit and risk analysis of CCTV in private/commercial settings.
More risk management and physical security links

Monday, April 25, 2005

Microsoft Redmond

Curious to see the extensive Microsoft Redmond campus? One of their employees, presumably, has kindly posted this detailed aerial photograph of the site (warning: it's 4Mb!). Why did he/she post it on the web? I've no idea.
More physical security links here

Sunday, April 24, 2005

Fake hospital inspectors

The Washington Post is reporting that imposters falsely claiming to be unannounced inspectors working for a US government hospital inspection body have been detected and ejected from at least three hospitals. Their motives are unclear at present. Until two weeks ago, the inspection body used to post the names of its inspectors on its website (‘nuff said).
More social engineering and physical security links

Saturday, April 23, 2005

Disk erasure

Dirty disks clogged up with musty old data? Desperate to throw them away but worried about where they'll end up? You need DBAN! DBAN is a bootable system and disk eraser. Boot and nuke your old hard drives with DBAN! Kills 99.9% of data, DEAD!
More physical security resources

Saturday, April 16, 2005

Draining FAQ

"Draining" is the 'sport' of infiltrating places by means of underground sewers, cable ducts etc. Caving skills, a cyclops hat and a strong stomach are advisable. The implications for critical infrastructure facilities are glaringly obvious.
Other physical security resources here

Tuesday, March 22, 2005

Disposal of disks embedded in equipment

Modern dedicated or multifunction printer/scanner/photocopier devices typically contain embedded hard drives used to cache and re-sequence document images. A piece in Canadian cNews (no longer online) points out the risk of accidentally disclosing images of ‘everything you’ve ever printed’ [a bit of journalistic license there, we think] when machines are sold or returned to the leasing companies [or, for that matter, are ‘serviced’ by unethical engineers or hackers].
More physical security links here

Monday, March 21, 2005

DTI security advice

The UK Department of Trade and Industry publishes a range of basic good advice for businesses, including a set of awareness materials on information security topics. The link above takes you to an index page with access to all sorts of goodies on malware, internet security, physical security etc. plus a new overview publication Information Security: Hard Facts.
More malware links here

Friday, March 11, 2005

Physical access = Game over

If a skilled adversary can gain physical access to a PC, it's game over as far as information security is concerned. Without appropriate controls in place, he/she can potentially install a hardware keyboard logger, download data and programs to/from a USB memory device, reboot from a powerful operating system on a CD/DVD or USB memory device, steal the hard drive or other components, destroy the system ... Do you search visitors to your site for USB pens for example?

Other physical security links here
