Turn, Press, Pull — Gonna Get Ya

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights…hey. let’s see if we can make those flash on, off, on.

Panel 13, nicely numbered for us–let’s look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don’t even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open “opportunity” and that’s our bad. 😉

(Source Photo: Andy Blumenthal)

18 Million–Change The SSNs

So, maybe one of the most detrimental hysts of information from the Federal government in history. 

Now involving over 18 million current and former federal employees, including military and intelligence personnel. 

No getting around it, but we are major screwed here–this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out–it’s people. 

Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel–generals, spy masters, political kingpins, and other key decision makers–thereby distracting them from their duties of safeguarding our nation. 

This is our new Achilles Heel and overall a security disaster bar none!

Well, we can’t go back and put the genie back in the bottle–although wouldn’t it be nice if such critical information (if not encrypted–already unforgivable) would have a self-destruct mechanism on it that we could at least zap it dead.

But for the people whose personal identities are at risk–whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised what can we do? 

While we can’t very well change people DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling in this information in the black markets. 

If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 

This is not rocket science, and certainly we owe this much to our people to help protect them.

Will our government be there for it’s own employees and patriots? 😉

(Source Photo: here with attribution to Donkey Hotey)

Data Like Clouds

So data is like clouds…

Clouds want to be free roaming the wild blue skies similar to how data wants to be searchable, accessible, useful, and so on. 

But with data, like clouds, when it rains it pours–and when data blows about with the windstorm and is compromised in terms of security or privacy, then we not only come away wet but very uncomfortable and unhappy. 

Then, as we actually end up putting our data in the great computing clouds of the likes of Amazon, iCloud, HP, and more, the data is just within arm’s reach of the nearest smartphone, tablet, or desktop computer. 

But just as we aspire to reach to the clouds–and get to our data–other less scrupled (cyber criminals, terrorists, and nation states)–seek to grab some of those oh so soft, white cloud data too.

While you may want to lock your data cloud in a highly secure double vault, unfortunately, you won’t be able to still get to it quickly and easily…it’s a trade-off between security and accessibility. 

And leaving the doors wide open doesn’t work either, because then no one even needs an (encryption) key to get in. 

So that’s our dilemma–open data, but secured storage–white, soft, beautiful clouds wisping overhead, but not raining data on our organizational and personal parades. 😉

(Source Photo: Andy Blumenthal)

SCADA In Pictures

So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more.

These are part of our nation’s critical infrastructure.

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to:

– Turn on and off lights

– Open/close perimeter gates

– Control water and gas pipelines

– And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world.

This is a major security vulnerability for our nation:

– SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

– SCADA systems should not be available without proper access controls–there must be credentials for user id and passwords, and even two-step authentication required.

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure–otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror.

We owe our nation and families better, much better.

(Source Photos from lab: Andy Blumenthal)

The Privacy Slope

I read with interest Ronald Bailey’s book review of Privacy by Garet Keizer in the Wall Street Journal ( 16 August 2012) .

In a nutshell, privacy is founded in the Constitution’s 4th Amendment: “the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures, shall not be violated.”

I would define privacy as the freedom–to think, to feel, and to act as ourselves (within ethical boundaries) without fear of intrusion, revelation, or reprisal.

In other words, it should only be our business who we love, what we are interested or believe in, who we vote for, what we choose to do with our lives, and more.

I think in grade school, the children generally sum it up well when they playfully chant: “Mind your own BI,” where BI is used for business (or biziness). 🙂

According to Keizer, the danger to privacy come into play from two main sources:- Commerce–who want to sell you something and

– Government–that needs to surveil for security and law enforcement purposes

After 9/11, their was a perceived need for greater surveillance to enhance homeland security, and with advances in technology and communications (smartphones, Internet, social media, etc.), the ability to snoop became far easier.

In 2002, the DoD program for Total Information Awareness (TIA) was an attempt to know everything (i.e. total) about those who would do us harm, but fears about this capability being used against the innocent, quickly required a rethinking or perhaps, just a rebranding.

Some say that the new NSA mega data center in Utah is the fulfillment of the TIA dream–according to the Washington Post, already in 2010 NSA intercepted and stored “1.7 billion emails, phone calls, and other types of communications.” Further, law enforcement demanded records from cellphone carriers on 1.3 million subscribers “including text messages and caller locations” over just the last year’s time.

Keizer cautions that “the ultimate check on government as a whole is its inabilityto know everything about those it governs”–i.e. without the people holding the cards, there is the risk of spiraling into a Big Brother totalitarian society–goodbye democracy!

I think Keizer perhaps oversells the fear of government surveillance and underemphasizes intrusion from business–his thinking is that “If consumers are annoyed with a merchant’s monitoring, they can buy elsewhere.”

But what Keizer misses is that industry as a whole has moved toward the use of technology–from club cards and promotions to use of Internet cookies, RFID, and more–to systematically track consumers and their buying behavior and that information is readily captured, packaged, used, and sold for marketing and sales–as well as to the government!

As a common practice now, where is a consumer to go that will shield them from hungry business looking to capture market share and earn nice profits?

At the same time, while government surveillance can certainly be misused and abused with terrible consequences for individuals society—there are potentially a lot of people looking over the shoulder of those carrying out public programs–and this “sunlight”–where and when it shines–can help to prevent bad things happening. The problem is that the system is not perfect, and there are always those program people who act of out of bounds and those watchers who are ineffective and/or dishonest.

Overall, it’s a zero sum game, where those that hype up security and capitalism, can tramp down on privacy, and vice versa.

In totality, we can never just assume everything will be okay when it comes to privacy and how information is used, but we have to be active citizens helping ensure that right things are done, the right way.

For regular, hardworking, decent citizens, there is a definite need to safeguard privacy–and technology can be helpful here with anonymizers, encryptors, and other shielding tools

For the bad guys, I would imagine, no question, that the government will continue to develop the means to thwart their secrecy and planning to inflict harm on the American people.

For business, it’s okay to capture consumer information and sell, but pour it on to thick and people will think twice about your company’s ethics and brand–and even a lawsuit may be in the making.

Yes, privacy is a slippery slope, and not only can a person’s self be revealed or used inappropriately, but the voyeur can get burned too if they overdo it.

(Source Photo: Andy Blumenthal)

Leadership Cloud or Flood Coming?

I came across two very interesting and concerning studies on cloud computing–one from last year and the other from last month.

Here is a white paper by London-based Context Information Security (March 2011)

Context rented space from various cloud providers and tested their security.

Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases –leaving a pass rate of just 25%!

The major security issue was a failure to securely separate client nodes, resulting in the ability to “view data held on other service users’ disk and to extract data including usernames and passwords, client data, and database contents.”

The study found that “at least some of the unease felt about securing the Cloud is justified.”

Context recommends that clients moving to the cloud should:

1) Encrypt–“Use encryption on hard disks and network traffic between nodes.”

2) Firewall–“All networks that a node has access to…should be treated as hostile and should be protected by host-based firewalls.”

2) Harden–“Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves.”

I found another interesting post on “dirty disks” by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then become vulnerable to others harvesting and exploiting this information.

In response to ongoing fears about the cloud, some are choosing to have separate air-gaped machines, even caged off, at their cloud providers facilities in order to physically separate their infrastructure and data–but if this is their way to currently secure the data, then is this really even cloud or maybe we should more accurately call it a faux cloud?

While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud.

Clouds can lead the way–like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah.

The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field?

(Source Photo: here with attribution to freefotouk)

A Word Indeed

The information in your smartphone and managed by your telecommunications carrier is available and accessible to others with today’s tools and following the right processes.Bloomberg BusinessWeek(29 March 2012) reports on a new tool for law enforcement that captures your data from smartphones.It is called the Cellebrite or Universal Forensic Extraction Device (UFED).

As the video describes it works with almost every mobile device out there–over 1,800 of them.

And when attached to a smartphone, it can extract everything from your call log, emails, texts, contact list, web history, as well as photos and videos.

The forensic tool can even retrieve deleted files from your phone.

Your smartphone is a digital treasure trove of personal information and the privacy protection afforded to it is still under debate.

The article cites varying court opinions on “whether it’s fair game to examine the contents of a mobile phone without a warrant,” since it is in the suspect’s immediate possession.

According to law enforcement sources quoted in the article, “we use it now on a daily basis.”

Aside from the contents on the phone itself, Bloomberg BusinessWeek (29 September 2012) earlier reported that telecommunications companies are also storing your personal data for various lengths of time.

For example, detail call records and text contacts are retained for up to 7 years and phone location information indefinitely, depending on the carrier.

This data is available too under the processes specified in the Electronic Communications Privacy Act.

While the technology is constantly getting better for us to electronically manage our information and communicate with each other, the reach and life cycle of digital information can certainly be far and long.

As we should all by now know, working remotely, digitally, in cyberspace, and encrypting, deleting, or even attempting to destroy data files does not ensure their ultimate privacy.

In that respect, both digital and non-digital information are the same in one very important facet and that is as we all learned early in life that “a word once said cannot be taken back.”