Choke Points to Checkpoints

This is some promising biometric technology from AOptix. Enrolling in the system is the first step and means just seconds of standing in the capture field of the slender tower, while the device scans both the iris and the face of the person. The scanning captures images within seconds and the software converts the images into binary code. It then scans and matches the person’s biometrics against the database for positive identification. The beauty of this system is that it is simple and fast and can be used for passenger screening, immigration, or any other access control for entry/egress to a building, location, or even to a computer system and its information. According to Bloomberg Businessweek, the Insight Duo Towers sell for $40,000 each.

Eighty of these are currently in use at all air, land, and sea borders in Qatar.  Further, Dubai International Airport has been piloting this at a terminal that handles 40 million people per year, and it has cut immigration waiting times from 49 minutes to 22 seconds.

This technology has obvious important applications for military, law enforcement, and homeland security, as well as even more generalized security use in the private sector.

And while very impressive, here are some concerns about it that should be addressed:

1) Enrollment of Biometrics and Personal Identification–registering for the system may only take a few seconds for the actual scan, but then verifying who you are (i.e. who those biometrics really belong to) is another step in the process not shown. How do we know that those iris and face prints belong to Joe Schmo the average citizen who should be allowed through the eGate and not to a known terrorist on the watch list? The biometrics need to be associated with a name, address, Social Security number, date of birth and other personal information.

2) Rights versus Recognitions–rights to access and recognition are two different things. Just because there is iris and facial recognition, doesn’t mean that this is someone who should be given access rights to a place, system or organization.  So the devil is in the details of implementation in specifying who should have access and who should not.

3) Faking Out The System–no system is perfect, and when something is advertised as accurate, the question to me is how accurate and where are the system vulnerabilities. For example, can the system be hacked and false biometrics inserted or personal identification information changed? Can a terrorist cell, criminal syndicate, or nation state create really good fake iris and facial masks for impersonating an enrollee and fooling the system into thinking that a bad guy is really a good guy?

4) Privacy of Personally Identifiable Information (PII)–not specific to AOptix, but to biometric solutions overall–how do we ensure the privacy of the data, so it is not stolen or misused, such as for identity theft? I understand that AOptix has PKI encryption, but how strong is the encryption, how long does it take to break, and what are the policies and procedures within organizations to safeguard this privacy data?

5) Big Brother Society–biometric recognition may provide opportunities for safe and secure access and transit, but what are the larger implications of this becoming a “big brother” society where people are identified and tracked wherever they go and whatever they do? Where are the safeguards for democracy and human rights?

Even with all that said, I believe that this is the wave of the future for access control–as AOptix says, for changing choke points to checkpoints–we need a simple, fast, secure, and cost-effective way to identify friend and foe, and this is it, for the masses, in the near term.

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google’s new security feature called 2-Step Verification (a.k.a. Two-Factor Authentication).

This new extra layer of security–adding “something you have” to “something you know” in your sign-in credentials–helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While it is a little extra work to log in to Google–you have to type in a verification code that Google sends to your phone or reads to you over a call (this is the something you have)–it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your smartphone, Google provides “Application-specific passwords” that you generate from the 2-Step Verification screen and then enter into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add “something you are,” to the authentication process and make this even sleeker and more secure yet.

Stay safe out there!  😉

Visualizing IT Security

I thought this infographic on the “8 Levels of IT Security” was worth sharing.

While I don’t see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management – With limited resources, we’ve got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy – The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting – These are the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter – This provides for the remote authentication of users into the organization’s IT domain.

5) Environment and Physical – This addresses the physical protection of IT assets.

6) Platform Security – This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance – This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management – This prevents unauthorized users from getting to information they are not supposed to see.

Overall, this IT security infographic is interesting to me, because it’s an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the “defense-in-depth” visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do’s and don’ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?


Supercookies Are Super Invasive


You’re alone sitting at the computer surfing the web, you’re looking up health, financial, entertainment, shopping, and other personal things. 

You feel comfortable doing your thing…you have your privacy and can be yourself without someone looking over your shoulder.

But is the sense of safety real or an illusion?

For the most part, when we are online, we are not safe or in private.

Like at work, where you get the warning that you are being monitored, when you are browsing the Internet your actions are being tracked site by site (but this is done without warning)–by cookies, the small data packets exchanged between web servers and users’ browsers.

On the plus side, cookies are used for identification, authentication, preferences, and maintaining shopping cart contents; but on the negative side, they are installed on users’ computers to track their activities online.

The Wall Street Journal (18 August 2011) reports that now there are Supercookies! and “history stealing.”

Supercookies are not cookies that can fly or lift locomotives, but rather they are more difficult to locate and get rid of from your computer, so they keep tracking your activities while hidden in different places, such as in the web browser’s cache.

“History stealing” is done when you visit certain websites, and they use software to mine your web browser history to determine where you’ve visited and then use that, for example, to target advertising at you. Imagine, though, what other profiling can be compiled by categorizing and analyzing your browsing history in aggregate.

Currently, the online ad industry has established self-imposed guidelines to supposedly protect privacy, but they seem wholly inadequate, such as “collecting health and financial data about individuals is permissible as long as the data don’t contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records.” But knowing people’s household finances, credit histories, and personal medical histories is okay–by whose standard?

According to the WSJ, web tracking is not only alive and well, but flourishing, with “80% of online display ads are based on tracking data.”

Why should anyone have the ability to track our personal web surfing?

We don’t need ads targeted at us–we are not targets! We are very capable of searching online for what we are interested in and when we are interested in it–thank you!

Session cookies that expire at the end of one’s web browsing, used for session management, are one thing; but persistent cookies that collect and mine your personal data–those should be a definite no-no.

Like the advertisements that come unwanted in the traditional mailbox and get routinely and speedily placed in the garbage, online advertisements that are based on intrusive website tracking are not only a nuisance, but a violation of our privacy–and should be trashed as a concept and a practice.
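The session-versus-persistent distinction drawn above can be checked mechanically from the Set-Cookie headers a site sends back. The following is an added example, not code from the original post; the sample headers, cookie names, domains and the fixed clock date are constructed, and the 30-day threshold for "long-lived" is an assumed policy value.

```python
# Added example, not from the original post; all sample data below is constructed.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed clock so the audit is reproducible (the date of the WSJ article cited above).
NOW = datetime(2011, 8, 18, tzinfo=timezone.utc)

# Constructed sample Set-Cookie headers; names, values and domains are made up.
SAMPLE_HEADERS = [
    "JSESSIONID=a1b2c3; Path=/; Secure; HttpOnly",
    "cart=item42; Max-Age=3600; Path=/",
    "trk_uid=9f8e7d; Expires=Wed, 18 Aug 2021 00:00:00 GMT; Domain=.ads.example; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta, or None for a session cookie (no expiry at all).
    Per RFC 6265, Max-Age takes precedence when both Max-Age and Expires are set."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def classify(header, now=NOW, long_lived=timedelta(days=30)):
    """Return (name, kind); kind is 'session', 'persistent' or 'long-lived persistent'."""
    name, _, attrs = parse_set_cookie(header)
    life = cookie_lifetime(attrs, now)
    if life is None:
        return name, "session"
    if life > long_lived:
        return name, "long-lived persistent"
    return name, "persistent"

def audit(headers=SAMPLE_HEADERS, now=NOW):
    """Map cookie name -> kind for every Set-Cookie header in one response."""
    return dict(classify(h, now) for h in headers)

if __name__ == "__main__":
    for name, kind in audit().items():
        print(f"{name:12s} {kind}")
```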