Archive for the 'Security' Category


AccountKiller

From Activision to NuddistConnect.com to Zattoo, the AccountKiller database of more than 500 sites has links to each one’s deletion page. It offers instructions to remove your account or public profile on most popular social media sites. If you want to create an account it has a Blacklist of sites that don’t let you remove your profile.

You can also use this site to find sites to search for information on your subject. Start with the blacklisted sites, as the subject will have had a very hard time deleting his profile on them.

If you are trying to erase yourself or a client from the Internet, then you will need more than this site to accomplish your goal. Beware, it may be better to edit the profile and leave it in place — this is particularly important with some sites like Twitter.

Nine Meals From Anarchy

A few months later and another practice disaster is under way. These practice sessions are supposed to take the emergency out of emergency management.

The building’s automated locking system is working properly now. The new security guard provider is more responsive and the guards are performing their jobs in a more professional manner this time around. The performance of the maintenance staff has improved and the ground floor windows are completely boarded-up. Ten hours into the exercise and the generators are running flawlessly. Everything inside the building is working properly, people included. After breakfast, I decided to look for something that is screwed-up.

A Vapour on the Wind

It’s a nice Sunday morning — cool but slightly overcast as the sun rose. I decide to take a walk around the neighbourhood. Not much is moving about this early.

The additional soundproofing surrounding the generators eliminates their sound entirely when standing at street level, even at dawn on a Sunday.

I start to crave another coffee but nothing is open this early so I take another walk around the building. Somebody is up early, that bacon smells better than the oatmeal I had for breakfast.

Now I realise how I screwed-up this time.

Nine Meals From Anarchy

Nine meals from anarchy is an expression coined by Lord Cameron of Dillington who headed the Countryside Agency to describe the precarious nature of Britain’s food supply. If some catastrophe occurs and the supermarket shelves are not restocked, he estimated that they had three full days without food on supermarket shelves before law and order started to break down and British streets descended into chaos. This isn’t far-fetched – it happened in New Orleans in the aftermath of Hurricane Katrina.

The smell of cooking bacon would be very enticing to somebody who hasn’t eaten for three days. If this occurred during a protracted cataclysm, then it would add some emergency back into emergency management. Hungry people, especially normally over-fed but now hungry people, will do almost anything to get food.

Practice Doesn’t Make Perfect

Practice doesn’t make perfect – it shows you how many ways you can screw-up. I’m a big believer in practice.

I was working on a project to improve a company’s emergency preparedness that began with a risk assessment which then led to many interesting adventures. One adventure was a little bit of practice to test how they could operate during an extended power outage.

The extra guards didn’t show-up on time. The maintenance staff didn’t want to play the game unless they got time and a half. Someone had pilfered about half of the plywood with an intumescent coating intended for window coverings. The fancy locking system left all the doors open on one side of the building. So far, so good!

Wandering around outside, I was marvelling at how quiet the generators were – those mufflers were really good. Things were going just fine and I was enjoying the nice spring day and then the generators started to make strange sounds, then they belched black smoke. Then they died an ignoble death. Oh well, we got through four and one half hours and the imaginary blackout became permanent.

Now it was time to earn my keep. I had to quantify the screw-ups. The worst were the generator failures. All the generators died as if on cue. We traced this to a single diesel fuel source for all the generators. A single point of failure is never good.

I learned that the new low sulfur diesel creates a storage problem. While the reduced sulfur is good for the environment, it eventually mixes with water that condenses in the fuel tank to form black sediment or emulsified water that can damage the engines. No system was in place to deal with this problem. Some research revealed the type of filtering system needed to maintain the usability of the fuel.

No good deed goes unpunished. I became the point man for the efforts to correct this situation. Product sourcing, procurement, and construction – who knew I could do all that stuff?

Getting Out of Google

Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?

Getting out of Street View

Google Street View provides a great deal of data that can be used to plan an attack on a facility or a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.

At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.

Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some descriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) thing that takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.

Brains Versus Brawn

Far too often, security relies on brawn alone — uniformed guards, guns, alarms, locks, armoured vehicles, blast and ballistic resistant engineering. Unfortunately, force can be defeated by guile and superior force.

An example of brawn’s failure is that of Alfred Herrhausen, the Deutsche Bank Chief who was murdered by the Red Army Faction in 1989.

He knew that he was a target. He had a thirty-man security detail and armoured vehicles. His murderers had work clothes, a city works vehicle, and explosives. Posing as city workers, his murderers engaged in their own construction project to mine the road that their victim frequently used.

Brawn thrice failed. The first failure was to notice the initial surveillance that led to the terrorists identifying the attack site. Second, brawn failed to recognize and regularly inspect an obvious attack location. Finally, the terrorists were engaged in their construction project for about one month and the security detail didn’t call the city to confirm that the construction activity was legitimate.

The brain would have had a surveillance detection detail. The brain would conduct a route survey to identify likely attack locations. The brain would assign the surveillance detection detail to observe possible attack locations to look for unusual activity. The brain would have called the city about the construction activity.

The brain’s greatest enemy is the budget wala. Brawn is tangible, surveillance detection isn’t. Surveillance detection is like insurance — an expense for something you probably won’t use. Budget walas want proof that surveillance detection is worth the cost because when they spend money on brawn they get something tangible.

ICANN Wants to Close Whois

A working group for Internet regulators at ICANN wants to close all Whois databases. They want to force anybody needing this data to grovel before them before granting access. They are trying to centralize global control over a key component of the Internet. WHOIS allows you to find out who owns a domain name. Without this data, fraud and other crimes will become easier to commit and harder to solve.

Contingency Planning

Recently, I wrote about the dangers of government action when preparing for adverse conditions. While conducting some research on this topic for a planning document I came across a couple of interesting examples.

In the old Soviet Union during the Chernobyl reactor catastrophe, it became illegal for an ordinary citizen to possess any type of radiation meter. I came across reports that Japanese police confiscated radiation meters from citizens who were taking their own measurements after the Fukushima disaster.

Perhaps I should have recommended that the client read Fuller’s The Day We Bombed Utah.

Threat Spirals

Security professionals undertake planning in relation to threat spirals. As a threat escalates, it inspires new defensive countermeasures. The security professional endeavors to get inside an opponent’s threat spiral. This means anticipating the next escalation and instituting countermeasures that insulate his principal from the future threat. Getting inside an opponent’s threat spiral requires tools, technology, and manpower.

Some form of surveillance usually precedes attacks against people and facilities. This hostile effort will include research using open sources, social engineering, and both technical and physical surveillance.

Surveillance Detection

One powerful tool to get inside the threat spiral is surveillance detection. Hostile surveillance is a precursor to attack – recognising the surveillance activity gets you inside the opponent’s threat spiral.

OPSEC and Business Continuity

Operational Security (OPSEC) is the first consideration when preparing for adverse conditions.

In Canada, I always advise clients to read the Emergencies Act (R.S.C., 1985, c. 22 (4th Supp.)), Section 8 carefully before they take any action or commit to any preparations. The same applies to any individual preparations. Section 8 (1)(c) allows public officials carte blanche to loot your storehouse of supplies during a declared emergency. The provinces have similar legislation, for example, in Ontario it is the Emergency Management and Civil Protection Act, R.S.O. 1990, c.E.9. Politicians wrote all of these acts so that the government can always find a ‘legal’ way to do whatever it wants to do. This problem isn’t unique to Canada. During Hurricane Sandy, so-called ‘first responders’ broke into Shore Army-Navy in Seaside Heights and looted it for supplies. During Hurricane Katrina, officials in New Orleans went further, and according to many accounts, committed armed robbery. In the face of armed troops or police, you will be helpless to prevent such looting. Of course, when government is the looter, they get a free pass from government lawyers and politicians.

Undertaking business continuity planning requires a very high degree of OPSEC given the propensity of governments, rioters, and criminals to take what they want. This leads to the question, what are the OPSEC requirements of business continuity planning?

I always advise that all business continuity (BC) assets be separated geographically, and in other ways, from the business they serve. Transfer ownership of BC assets to obscure sole-purpose subsidiaries. For example, one entity owns the BC site while another buys the supplies and equipment. Yet another entity takes delivery of the supplies at an unrelated location. Execute all the BC planning and implementation on a strict need-to-know basis. The quick dissemination of the BC plan during an emergency must occur on a need-to-know basis. The employees only get the information they need to accomplish their part of the plan. Large-scale rehearsals should not reveal the actual location of the real BC site. To reveal the location of the BC site to all those involved in the rehearsal invites the looting of the site long before it is needed. Experience dictates the use of a rented property in the general area of the real BC site for rehearsals.

These considerations are not irrational paranoia for any business located in an area subject to catastrophic disruptions such as riots, protests, natural disasters, or terrorist attack. Discontinuing business activity during such an upheaval is surrendering to these adverse forces.

Risk Assessment Adventure: When Havoc Strikes

Business Continuity

A while back I wrote about one of my adventures in risk assessment. This involved identifying the risks to a Business Continuity site located in a rural area outside a large metropolitan area.

When Havoc Strikes

What happens to Spot when havoc strikes?

The U.S. Humane Society says that 46% of U.S. households own at least one dog and there are 78.2 million dogs owned. In the Canadian Census of 2006 there were 6,070,783 dogs in Canada.

Feral Dogs

After a prolonged catastrophic event, feral dogs will form packs and begin to hunt. They have all the tools they need — fangs, claws, and a fur coat to keep warm. Feral dogs will interbreed with other canids. Over time, you will encounter dog-wolf and dog-coyote hybrids. The domestic dog ancestry will ensure that they are not afraid of man, and their offspring will inherit this trait.

Feral dogs have better noses, better ears, and sharper teeth than humans. Their reflexes are faster, they possess better protection from the elements, and they move through the environment in near silence. They will attack as a pack and they will do so silently. Their arsenal includes stealth and surprise. When they don’t fear us, we are at a disadvantage.

Solutions

The dog pack will be hunting you. You’re not the hunter, you’re prey. How good is your gun-handling? Can you hit a 2 foot tall predator charging at you? How about several of them at once?

Security in such a situation will entail modified small unit tactics, marksmanship, and muzzle control. This client took our advice on training and on-site rehearsals. Twelve-bore shotguns and 30-30 lever-action rifles won’t get a doomsday prepper’s heart racing, but they get the job done safely when combined with proper training, rehearsals, and forethought.

Note: This article about an attack by a pack of feral dogs appeared in one of my news feeds:
Houston woman in critical condition after pack of 15 dogs attack

This clearly illustrates how dangerous a pack of feral dogs can be. Even feral cats can inflict dangerous wounds as illustrated by this article:

Warning to tourists in France after attack by feral cats


Hazardous Material

The Emergency Response Guidebook published jointly by the Canadian Department of Transportation, Mexican Transportation agencies, and the USDOT lets you identify the hazardous contents of pipelines, trucks, or trains from the placards on the side of the tanker, rail car, or pipeline. The guide lists specific hazards and evacuation distances for spills or fires. However, it doesn’t provide any spill/fire/explosion protocols.

If you are around hazardous materials and their transport conveyances then you need this guidebook.

Tim Horton’s & Investigative Internet Research

An article titled, Tim Hortons apologizes for blocking gay and lesbian news website by The Canadian Press on Friday, July 19, 2013 caught my attention. Tim Hortons is a popular Canadian coffee shop chain.

The online site of a popular paper that caters to the gay community was blocked by the coffee shop chain as “not appropriate for all ages viewing in a public environment.” Once the outrage got going, Tim Hortons relented and changed its WiFi network policy.

What has all this got to do with Investigative Internet Research (IIR), you ask? Well, think about it. We often work while on the road and that means doing some aspects of IIR in places like coffee shops.

When you do IIR outside your normal work environment, different rules apply. How do you know what the WiFi network allows and what it doesn’t? How do you know if some things are censored and others are not? How do you know that your results are complete?

Now do you understand the dangers that doing this presents? I haven’t even mentioned the security issues.

Secured URL

Secured URL allows you to encrypt a URL with a password. It works like TinyURL.

Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email. It’s best to send passwords to one email address and the encrypted content to another email address.
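To make the two-channel idea concrete, here is an added example (my own code, not Secured URL’s, whose actual scheme is not public on this page) that seals a URL under a password with an expiry of up to 90 days and refuses to open it when the password is wrong, the token has been altered, or the date has passed. The module name, the PBKDF2/AES-GCM construction and the iteration count are my assumptions.

```ruby
require 'openssl'
require 'json'

# Added example (not Secured URL's own code): password-protect a URL with an
# expiry so the token and the password can travel by separate channels.
module SecuredUrl
  MAX_DAYS = 90              # the service caps expiry at 90 days
  ITERATIONS = 200_000       # PBKDF2 work factor (assumed; tune for your hardware)

  # Returns an opaque base64 token. The expiry is bound to the ciphertext as
  # AEAD associated data, so an altered expiry fails authentication.
  def self.seal(url, password, days:, now: Time.now)
    raise ArgumentError, "expiry must be 1..#{MAX_DAYS} days" unless (1..MAX_DAYS).cover?(days)
    expires_at = (now + days * 86_400).to_i
    salt = OpenSSL::Random.random_bytes(16)
    iv   = OpenSSL::Random.random_bytes(12)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = derive_key(password, salt)
    cipher.iv = iv
    cipher.auth_data = expires_at.to_s
    ct = cipher.update(url) + cipher.final
    payload = { v: 1, exp: expires_at, salt: b64(salt), iv: b64(iv),
                ct: b64(ct), tag: b64(cipher.auth_tag) }
    b64(JSON.generate(payload))
  end

  # Returns the URL, or nil when the password is wrong, the token was
  # altered, or the link has expired.
  def self.unseal(token, password, now: Time.now)
    payload = JSON.parse(token.unpack1('m0'))
    return nil if now.to_i > payload['exp']
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = derive_key(password, payload['salt'].unpack1('m0'))
    cipher.iv = payload['iv'].unpack1('m0')
    cipher.auth_tag = payload['tag'].unpack1('m0')
    cipher.auth_data = payload['exp'].to_s
    cipher.update(payload['ct'].unpack1('m0')) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError, TypeError
    nil
  end

  def self.derive_key(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end

  def self.b64(bytes)
    [bytes].pack('m0')
  end
end
```

The token carries no key material, so a recipient who receives only the link learns nothing but its expiry date.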

I can think of many uses for Secured URL where confidentiality is required.

What’s in an Employee Number

I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveillance photographs any more, just muddy images taken from video.

This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 MP full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.

The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the de facto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information flood gates opened.

Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing an authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked through the front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.

Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.

File Erasure

File erasure is something every Investigator needs to consider. Investigators collect a lot of data that never makes it into a report. Sometimes that data is irrelevant or something that cannot be reported. That stuff should not be left hanging around to be recovered later and then misused. Some form of file erasure software should be used to make it unrecoverable.
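As an added illustration of what such software does (my own code, not any vendor’s product), the routine below overwrites a file’s contents with several passes, scrubs its name from the directory, and unlinks it; the module name and pass pattern are my assumptions. The comment at the top records the practitioner’s caveat: overwriting only helps on media that rewrite blocks in place.

```ruby
require 'securerandom'
require 'tmpdir'

# Added example (not any vendor's erasure tool): overwrite a file in place,
# scrub its name from the directory, then unlink it. This only helps on media
# that rewrite blocks in place; SSDs with wear levelling, copy-on-write and
# journaling filesystems, backups and cloud sync may all retain old copies.
module FileErasure
  CHUNK = 1 << 20
  PASSES = [:random, "\x00".b, "\xFF".b, :random].freeze   # assumed pattern set

  # Overwrites every byte of the file once per pass and returns the original size.
  def self.overwrite(path, passes: PASSES)
    size = File.size(path)
    File.open(path, 'r+b') do |f|
      passes.each do |pattern|
        f.rewind
        remaining = size
        while remaining > 0
          n = [remaining, CHUNK].min
          f.write(pattern == :random ? SecureRandom.random_bytes(n) : pattern * n)
          remaining -= n
        end
        f.flush
        f.fsync            # force each pass to the device before the next one
      end
      f.truncate(0)        # the original length is metadata worth hiding too
    end
    size
  end

  # Returns true when neither the original nor the renamed file remains.
  def self.erase(path, passes: PASSES)
    overwrite(path, passes: passes)
    dir = File.dirname(path)
    anon = File.join(dir, SecureRandom.hex(8))   # random name replaces the telling one
    File.rename(path, anon)
    File.unlink(anon)
    begin
      File.open(dir) { |d| d.fsync }             # commit the directory change where supported
    rescue SystemCallError
    end
    !File.exist?(path) && !File.exist?(anon)
  end
end
```

On flash or copy-on-write storage, full-disk encryption with key destruction is the reliable alternative to overwriting.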

Some examples of file erasure software: