Posts Tagged ‘Security’

Airport technology showing people’s ‘private parts’ to get scrutiny

Sunday, November 9th, 2008




Although already in use at some airports in the US, the UK, and Netherlands, full-body scanning — a security technology quite capable of showing people’s unmentionables — might now fade away as a specter facing Americans and other travelers in European airports, due to a lawmakers’ vote.

Some airports in Europe, including London’s Heathrow and Amsterdam’s Schiphol, already make use of full-body scanners, as do some airports in the US. (more…)

Researchers Demonstrate How to Spoof GPS Devices

Tuesday, September 30th, 2008

gps_satellite_nasa_artiif.jpg

With millions of GPS-based navigation devices on the road today, it is time someone considered the question: What if there’s an attack on the GPS network itself?

Researchers at Virginia Tech and Cornell University spent more than a year building equipment that can transmit fake GPS signals capable of fooling receivers.

“GPS is woven into our technology infrastructure, just like the power grid or the water system,” said Paul Kintner, electrical and computer engineering professor and director of the Cornell GPS Laboratory in a statement. “If it were attacked, there would be a serious impact.”

GPS is a U.S. government-built navigation system of more than 30 satellites circling earth twice a day in specific orbits. The satellites transmit signals to receivers on land, sea and in air. Based on the signals received from the satellites, devices are able to triangulate their exact positions on the globe. But if those satellite signals were wrong — or were spoofed — a GPS device might come up with the wrong location based on the signals it was receiving.

The researchers started by programming a briefcase-size GPS receiver used in the research of the uppermost part of the Earth’s atmosphere, known as ionospheric research, to send out fake signals. The phony receiver was placed in the proximity of a navigation device, where it anticipated the signal being transmitted from the GPS satellite. Almost instantly, the reprogrammed receiver sent out a false signal that the GPS-based navigation device took for the real thing.

The experiments to show the vulnerability of GPS receivers to spoofing could help devise methods to guard against such attacks, says Brent Ledvina, an assistant professor of electrical and computer engineering at Virginia Tech, and will be detailed in a research paper to be released Thursday.

“It’s almost like someone nearby is spoofing your favorite radio station by transmitting at the same frequency but higher power fooling your receiver into believing it is getting the right station,” says Ledvina.

The idea of GPS receiver spoofing has already been considered by federal authorities. In a December 2003 report, the Department of Homeland Security detailed seven countermeasures including monitoring the absolute and relative GPS signal strength, monitoring the satellite identification codes and the number of signals received and checking the time intervals between the received signals to guard against spoofs.

Still those fall short and would not have successfully fended off the signals produced by a reprogrammed receiver, said the researchers.

Instead they have suggested a few countermeasures that involve both hardware and software changes. “We have two patent applications which include a software algorithm to help make changes to how receivers react to signals,” says Ledvina.

The other patent is around the spoofer tool used, he says. “The idea is to help government and other companies use it to potentially make better receivers,” says Ledvina.

Photo: NASA

Links: HomeLandSecurity, wired

Alanco to track D.C. inmates

Sunday, June 15th, 2008

prisonAlanco Technologies has announced that its subsidiary Alanco/TSI Prism, a provider of real-time RFID tracking technologies, has won a $3.3 million contract to create an RFID-based inmate tracking system for the Washington D.C. Department of Corrections.

The Alanco/TSI Prism system, which will combine Alanco’s TSI Prism RFID system with Wi-Fi compatible RTLS technology from AeroScout, will be installed at a Washington DC jail complex housing over 2,000 prisoners and staffed by 450 DOC employees. The system is intended to increase safety and improve inmate accountability.

Source: RFID News

RFID privacy and security

Saturday, May 31st, 2008

The issues of privacy and security, although interrelated, are different. With respect to RFID, we define these issues as follows:

Privacy: the ability of the RFID system to keep the meaning of the information transmitted between the tag and the reader secure from non-intended recipients.

Security: the ability of the RFID system to keep the information transmitted between the tag and the reader secure from non-intended recipients.

The issues have very different repercussions and different solutions. In a given environment, an RFID solution may pose security risks without affecting the issue of privacy. An example of this scenario is when a tag broadcasts its unique identification number in a consistent and unencrypted manner. This enables the tag to be detected by any reader that can decode the RF signal. If all that is read is the tag’s unique identifier – and no association can be made to what that identifier means without access to the backend database that maintains the relationship between the tag IDs and the objects that they represent – there is no privacy issue. However, issues of traceability and inventorying may remain.

Traceability and inventorying relate to the ability of an unauthorized entity to read the identifiers sent by RFID tags without necessarily being concerned as to what the tag is affixed to or who/what is carrying it. In other words just by capturing the signals emitted by an RFID tag, a third party could trace where the tag is or has been (traceability) as well as to what tags have been detected (inventorying).

A standard EPC tag conveys information associated with a particular item, its model or product class and its manufacturer. Anyone with a standard EPC reader could get close enough to a shopper leaving a store to determine what products and what quantities were purchased. Furthermore, the unauthorized reader could track the shopper from a distance utilizing a high-powered reader.

The issue of privacy

RFID is an excellent technology for object tracking. In this case, we can define an object as a physical asset that occupies 3-dimensional space. This means that the whereabouts of any physical object (including animals and humans) can potentially be tracked within the scope of the RFID infrastructure. As RFID technology development progresses, this scope can become larger and larger.

This fact has raised many questions and concerns from people because of the potential invasion of privacy that can be attributed to RFID technology. But, before we get deeper into the privacy issues and their repercussions, let’s look at a few examples of what privacy advocates and the concerned public claim can go wrong with the use of RFID technology.

(more…)

No need for cables with GSM door entry system

Thursday, May 29th, 2008

Urmet Domus have introduced a simple solution for when audio communication is required as part of a door entry system but where it is not possible to install cables.

Domus Cell is compatible with all major mobile networks and provides GSM connection to Sinthesi door entry panels. The default programming enables users to have the system up and running within minutes and it can provide communication through analogue PABX systems, providing all the benefits of a standard telephone system, without the cost of installing fixed lines.

Domus Cell is a particularly practical and cost effective solution for installers of automated gates and barriers although it is also ideal for site and mobile office applications as the same contact numbers can be used for each new project. Read more about this

Considering RFID to track children

Friday, May 23rd, 2008

kidThe yet unsolved kidnapping of kids have brought much fear to parents with young kids in the country. Despite the intense police and public search nationwide and on-going media coverage, the six-year-old is still nowhere to be found.

As long as the culprits are still at large, the chances of other kids being kidnapped remain high. For the time being, maybe it’s time the authority starts thinking of the possible unconventional measures that can be taken to prevent this heinous crime.

One thing or rather technology that may sound possible to be implemented is radio frequency identification, or commonly known as RFID.

Although its usage currently is very much concentrated on information tracking functions, including inventory management, movement of shipping containers, library books, credit cards, etc, there is a possibility that this technology can be used for tracking humans.

For those who are not familiar with RFID, it’s a tiny rice-sized chip that has an antenna. When the chip hears a specific radio signal, it responds with information, usually a long identification number to allow it to be tracked.

Over the past couple of years, trials have been done in countries such as the US, UK and Mexico on its potential to prevent kidnapping. These include planting the RFID device in children’s clothing or injecting it beneath the skin. The idea is viable because RFID chip does not use battery, and since it is small enough, it can be attached to practically anything.

The issue today is that people don’t like the idea of having something attached to them for the purpose of tracking. The idea of planting the chip in one’s body is still unacceptable to many as it’s a kind of privacy intrusion. But using it on clothing or school bags does seem to make more sense.

Applying this to school kids aged 12 and below may be acceptable because these kids are still not mature enough to protect themselves.

The whole idea of having a trackable device is to make it possible to track a missing child in the first few critical hours of the kidnapping incident, and with the RFID chip transmitting the much-needed data, it may make the search of the missing child easier and faster.

Initiatives like these would need all parties to be involved, especially the Government with the help of telecommunications companies and the relevant technology vendors.

If this technology can be implemented in the near future, as the technology mature and becomes cheaper, the chances of tracking a kidnapped child are probably higher.

Things You Probably Wish You Don’t Know

Monday, May 19th, 2008

power lines

Historically, “sensitive” networks have traditionally enjoyed a sense of security due to their total, and complete separation from publicly accessible networks.

In fact, most of us old-school “security wonks” have always joked about the fact that the “…only real security is a pair of wire cutters…” to humorously illustrate the fact that nothing is really secure that is exposed to uncertainty, or untrusted access.

This has always been true in my personal background, having worked in U.S. Military COMSEC disciplines over many years. And given the fact that I have also worked in the Internet security arena for almost 20 years, I figure this gives me some unique insight into some of these issues.

The same security postures which can be applied to COMSEC can, and should, be true of SCADA (Supervisory Control And Data Acquisition) systems.

When you think “SCADA”, think power, water, etc. The systems that allow civilization to function.

First and foremost, these systems should never — never — be connected in any way, shape, or form to the public Internet. Not even as VPNs, or overlay networks. This is simply wrong-headed.

Unfortunately, some business decisions over the course of the past 15 years have allowed the “public” and “private” networks to become dangerously close in proximity, due to “cost savings” and “operational efficiency” business decisions — by companies that control the very systems which deliver these life-sustaining services to the world’s population.

It’s one thing to steal passwords, perpetrate fraud, and other financial theft-based cyber crimes — but it is ominously more dangerous to shut down the electricity to a complete region of a power grid.

If there is anyone out there who thinks that this is only the storyline of blockbuster movies, think again.

There are certainly forces “out there” who wish to wreak havoc, cause damage, and claim victory.

And they are using the exact same methods to infiltrate SCADA infrastructure that they are using to steal unwitting victim’s checking account information.

Source

ShotSpotter’s Gunshot Location & Detection System

Saturday, May 17th, 2008

Ahha, no more gang-land activities will taken place since this system installed on your hometown-cities. ShotSpotter is the world leader in gunshot location and detection systems for the public safety and military markets. The company has been delivering patented, state-of-the-art gunshot location and detection solutions for more than a decade.  Every day, officials in more than a dozen cities rely on ShotSpotter systems, with each and every customer a willing reference to our capabilities and results.

A ShotSpotter network includes 12 to 20 sensors per square mile. Roughly the size of a medium pizza, the devices are hidden on rooftops, utility poles, and in other inconspicuous places. Here are the components of a typical unit:

Microphone An internal microphone array gives the sensor 360-degree coverage and makes it possible to determine the direction a sound came from. Microphone
GPS Receiver Global positioning satellites give the location of each sensor. GPS also serves as a central clock, making it possible to triangulate an incident’s location based on the speed of sound. GPS Receiver
Thermometer Air temperature determines the speed of sound — crucial to calculating a shot’s location. The server at the station checks the Net for other atmospheric conditions that affect sound waves. Thermometer
Network Connection Each sensor is in constant contact with the server. Some are connected by a telephone line. Others have a digital link managed by a microprocessor. Network Connection
Memory In sensor units with a processor, if communication is interrupted or bandwidth becomes clogged, the memory stores the sounds until they can be uploaded. Memory

Wired Reviews: Shot Spotter, Ears on the Street, Spotting the Shot

Website: Shotspooter

Tragedy of the Commons

Thursday, May 15th, 2008

electrical_substation.jpg

“The Tragedy of the Commons is a type of social trap, often economic, that involves a conflict over finite resources between individual interests and the common good.”

Wikipedia

In a perfect world, we all understand that certain situations should not exist which put our critical infrastructure at risk — we all like to be able to have electricity, water, and other common utilities which we normally take for granted.

But we do not live in a perfect world, of course.

First, let’s look at the issue of “convergence”, or rather, “premature convergence” which seems to be a better definition:

“…premature convergence means that a population for an optimization problem converged too early, resulting in being suboptimal.”

Wikipedia

This is similar to — what I believe to be — the situation wherein some unknown portion of the SCADA controls & operations community has strategically moved itself into: using the same platforms, operating systems, and software, which are now susceptible to the vulnerabilities that we all know too well. Buffer overflows, remote exploitation, denial of service vulnerabilities, and so forth and so on.

Now, this wouldn’t be a problem if these system were, in no uncertain terms, not connected to the Internet in any way, shape, or form.

But that is increasingly not the case.

Due to operational “optimization” (meaning: it is cheaper to use publicly available connectivity to manage these systems), the SCADA threat landscape now begins to look a lot like the network security landscape that we all know and respect — one of constant vigilance and constant defensive threat posture.

Within the past couple of days, there have been a couple of SCADA systems management platform vulnerabilities announced which could result in some rather serious exploitation. The SANS ISC reported yesterday a situation in which one software suite which “…provides unauthorized access, allows partial confidentiality, integrity, and availability violation, allows unauthorized disclosure of information, allows disruption of service.”

This seems rather serious. And I have been informed that there is at least one more similar vulnerability which has not been publicly disclosed yet.

As utility companies make operational decisions based on economic business savings (using the Internet, or an Internet VPN, to manage their client-control base to save money), the unintended consequences can be severe. When they occur. If they occur.

Throw the dice.

Let’s keep our fingers crossed that the SCADA community quickly comes to grips with the nature of network security.

Source: TrendsLab Malmware Blog

Video Surveillance Preparation

Monday, May 12th, 2008

cctv 1I’ve no ideas of what keep on happening around us. I do feel so insecure nowadays, due to increasing of crime rate. With crime on the rise many people and business are looking for added security. Video surveillance is one the top ways to improve the security of your belongings and loved ones. I get asked alot about what is good or recommended and although each situation is different there are some common things to consider when showing a video surveillance system that will bring the required results.

You have two basic kinds of video surveillance cameras, there are the CCTV cameras, which are what you see most often right now. They are the cameras that are connected to a DVR or VCR, they usually have a coax type cable (rg59) and a power cable to power the camera leading from the dvr to the camera. You have many different styles, but the most common are the dome cameras or the box cameras. They both do the same thing, they are just in different enclosures. You also have the pan, tilt, zoom cameras that are normally in domes but you can control the camera position via a joystick or through software on your computer.

cctv 2The other type of video surveillance camera are the network cameras, or IP cameras as some call them. They are the latest technology to come along in the video surveillance industry. Network cameras are generally what I recommend because of their advanced features, such as email notifications, remote viewing, can use a pc to view and operate, ease of installation, and exceptional picture quality with the megapixel cameras. The ip cameras can be installed using a single cat5 or cat6 network cable, most of the network cameras are poe (power over ethernet) ready, which means that the power and video can be carried over the same line, which is a huge money saver compared to a cctv system, a poe injector or a poe switch is needed on the backend to power the cameras. Another advantage of this type of system is you can have mulitple cameras coming from the switch and you can the switch plugged into a UPS (battery backup) so if you ever have a power outtage, the cameras will keep running and recording.

A network camera has software built into the camera that allows you to change setting such as color setting, motion sensor areas, email settings and so on. One of the biggest selling points of a network camera is that they can be viewed online from any computer that has an internet connection and all you need is your standard browser, like internet explorer. Software is also available, such as Milestone Systems, that allows you to setup multiple cameras from any location and view them all on the same screen. Read the rest of this article