From Malware To Malevolent People

So in virus protection on the computer, there are 2 common ways antivirus software works:


1) Signature Detection – There are known patterns of viruses and the antivirus software looks for a match against one of these. 


2) Behavior Detection – There are known patterns of normal behavior on the computer, and the antivirus software looks for deviations from this. 


Each has certain weaknesses:


– With signature detection, if there is a zero-day exploit (i.e. a virus that is new and therefore has no known signature), then it will not be caught by a blacklist of known viruses.


– While with behavior detection, some viruses that are designed to look like normal network or application behavior will not be caught by heuristic/algorithm-based detection methods. 


For defense-in-depth then, we can see why employing a combination of both methods would work best to protect from malware. 
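To make the two weaknesses concrete, here is an added example (not code from the original post) that runs both methods over constructed samples. It assumes a SHA-256 hash blacklist as the signature store and a z-score over outbound connections per minute as the behavior model; all sample names, contents, and numbers are made up for illustration.

```python
import hashlib
from statistics import mean, stdev

# Constructed byte strings standing in for files; none is real malware.
KNOWN_BAD = b"constructed sample: catalogued malicious file"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # the "blacklist"

# Constructed baseline: outbound connections per minute during normal use.
BASELINE = [3, 5, 4, 6, 5, 4, 5, 3, 6, 4]


def signature_hit(content: bytes) -> bool:
    """Signature detection: exact match against known-bad hashes."""
    return hashlib.sha256(content).hexdigest() in SIGNATURES


def behavior_hit(conn_per_min: float, threshold: float = 3.0) -> bool:
    """Behavior detection: flag activity far outside the normal baseline."""
    mu, sigma = mean(BASELINE), stdev(BASELINE)
    return abs(conn_per_min - mu) / sigma > threshold


def verdict(content: bytes, conn_per_min: float) -> list:
    """Defense in depth: report every method that flags the sample."""
    hits = []
    if signature_hit(content):
        hits.append("signature")
    if behavior_hit(conn_per_min):
        hits.append("behavior")
    return hits


# (file content, observed connections per minute), all constructed.
SAMPLES = {
    "known_noisy": (KNOWN_BAD, 90),
    # New file, so no signature exists yet; only its behavior gives it away.
    "new_noisy": (b"constructed sample: never seen before", 90),
    # Known file that stays inside normal behavior; only the signature fires.
    "known_quiet": (KNOWN_BAD, 5),
    # New and well-behaved: the gap that remains even with both methods.
    "new_quiet": (b"constructed sample: new and quiet", 5),
    "benign": (b"constructed sample: ordinary document", 4),
}


def scan_all() -> dict:
    return {name: verdict(c, rate) for name, (c, rate) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12} -> {hits or 'not detected'}")
```

The `new_quiet` row shows that combining the two methods narrows the gap without closing it.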


It’s interesting that these same techniques for recognizing bad computer actors can be used for identifying bad or dangerous people. 


We can look for known signatures/patterns of evil, abusive, and violent behaviors and identify those people according to their bad actions.


Similarly, we generally know what “normal” looks like (within a range of standard deviations, of course) and people who behave outside those bounds could be considered as potentially dangerous to themselves or others. 


Yes, we can’t jump to conclusions with people — we don’t want to misjudge anyone or be overly harsh with them, but at the same time, we are human beings and we have a survival instinct. 


So whether we’re dealing with malware or malevolent individuals, looking at patterns of bad actors and significant deviations from the normal are helpful in protecting your data and your person. 😉


(Source Photo: Andy Blumenthal)

Cybersecurity Lost In Unknowns


Unveiled today is a new Cybersecurity National Action Plan.


This comes in the wake of another Federal data breach on Sunday at the Department of Justice, where hackers stole and published online the contact information for 9,000 DHS and 20,000 FBI personnel.


And this coming on the heels of the breach at OPM that stole sensitive personnel and security files for 21 million employees as well as 5.6 million fingerprints.


While it is nice that cybersecurity is getting attention with more money, expertise, public/private partnerships, and centers of excellence, what is so scary is that despite our utter reliance on everything cyber and digital, we still have virtually no security!


See the #1 definition for security–“the state of being free from danger or threat.”


This is nowhere near where we are now, facing threats every moment of every day as hackers, cybercriminals, cyber spies, and hostile nation states rapidly cycle to new ways to steal our secrets and intellectual property, commit identity theft, and disable or destroy our nation’s critical infrastructure for everything from communications, transportation, energy, finance, commerce, defense, and more. 


Unlike with kinetic national security issues–where we regularly innovate and build more stealthy, speedy, and deadly planes, ships, tanks, surveillance and weapons systems–in cyber, we are still scratching our heads lost in unknowns and still searching for the cybersecurity grail:


– Let’s share more information


– Let’s throw more money and people at the problem.


– Let’s seek out “answers to these complex challenges”


These have come up over and over again in plans, reviews, initiatives, and laws for cybersecurity.


The bottom line is that today it’s cyber insecurity that is prevailing, since we cannot reliably protect cyber assets and lives as we desperately race against the clock searching for real world solutions to cyber threats. 


Three priorities here…


1) Build an incredibly effective intrusion protection system

2) Be able to positively tag and identify the cyber attackers 

3) Wield a powerful and credible offensive deterrent to any threats 😉


(Source Photo: Andy Blumenthal)

Choke Points to Checkpoints

This is some promising biometric technology from AOptix. Enrolling in the system is the first step and means just seconds of standing in the capture field of the slender tower, and the device scans both iris and face of the person. The scanning captures images within seconds and the software converts the images into binary code. It then subsequently scans and matches the person’s biometrics against the database for positive identification. The beauty of this system is that it is simple and fast and can be used for passenger screening, immigration, or any other access control for entry/egress for a building, location, or even to a computer system and its information. According to Bloomberg Businessweek, the Insight Duo Towers sells for $40,000 each.

Eighty of these are currently in use at all air, land, and sea borders in Qatar.  Further, Dubai International Airport has been piloting this at a terminal that handles 40 million people per year, and it has cut immigration waiting times from 49 minutes to 22 seconds.

This technology has obvious important applications for military, law enforcement, and homeland security, as well as even more generalized security use in the private sector.

And while very impressive, here are some concerns about it that should be addressed:

1) Enrollment of Biometrics and Personal Identification–registering for the system may only take a few seconds for the actual scan, but then verifying who you are (i.e. who those biometrics really belong to) is another step in the process not shown.  How do we know that those iris and face prints belong to Joe Schmo the average citizen who should be allowed through the eGate and not to a known terrorist on the watch list?  The biometrics need to be associated with a name, address, social security, date of birth and other personal information.

2) Rights versus Recognitions–rights to access and recognition are two different things. Just because there is iris and facial recognition, doesn’t mean that this is someone who should be given access rights to a place, system or organization.  So the devil is in the details of implementation in specifying who should have access and who should not.

3) Faking Out The System–no system is perfect and when something is advertised as accurate, the question to me is how accurate and where are the system vulnerabilities. For example, can the system be hacked and false biometrics or personal identification information changed?  Can a terrorist cell, criminal syndicate, or nation state create really good fake iris and facial masks for impersonating an enrollee and fooling the system into thinking that a bad guy is really a good guy?

4) Privacy of Personally Identifiable Information (PII)–not specific to AOptix, but to biometric solutions overall–how do we ensure privacy of the data, so it is not stolen or misused such as for identity theft?  I understand that AOptix has PKI encryption, but how strong is the encryption, how long does it take to break, and what are the policies and procedures within organizations to safeguard this privacy data?

5) Big Brother Society–biometrics recognition may provide for opportunities for safe and secure access and transit, but what are the larger implications for this to become a “big brother” society where people are identified and tracked wherever they go and whatever they do? Where are the safeguards for democracy and human rights?

Even with these said, I believe that this is the wave of the future for access control–as AOptix says, for changing choke points to checkpoints–we need a simple, fast, secure, and cost-effective way to identify friends and foe and this is it, for the masses, in the near-term.

Are You Thing 1 or 2?


The old Dr Seuss story of The Cat In The Hat had the crazy part when “Thing 1” and “Thing 2” jump out from under The Cat’s hat and proceed to make a messy house disaster even worse.

Recently, I saw some people wearing the matching type shirts–you know the ones that generate attention–bright red, with one shirt saying “Thing 1” and the other person’s shirt saying “Thing 2.”
It was cute the way the family members were connected through the shirts, and I smiled to myself thinking, like in the children’s story, which one is the bigger “trouble-maker” in this family–Thing 1 or 2?
Today, I saw this picture online of these twins, again with these matching type t-shirts, but this time, one said “Ctrl + C” and the other one had written on it “Ctrl + V” — these are the well-known Microsoft commands for copy and paste.
I guess with twins, the copy-paste imagery makes a lot of sense–copy kid 1, paste, and there you have it, kid 2.
Generally, t-shirts have messages about peace, rock and roll bands, corporate branding, or satire of some sort–I wouldn’t say it’s exactly a fashion statement, but more of an identity thing–how we choose to brand ourselves in a world of 7 billion people. It’s not necessarily about who we are, but more like how we choose to identify ourselves–a meaningful one for example, is for breast cancer awareness.
I remember as a kid, my sister, who was a budding biomedical scientist, bought me t-shirts from a scientific catalogue–so that I was wearing the Periodic Table and Einstein on my chest from very early on in life.  While I always did like science too, it was not what I ended up pursuing, but I would still wear these shirts today, because in some ways, I still identify with science and psychology and learning and so on.
These days, if I had to choose some t-shirt themes, I am pretty sure technology and futurism would be in the mix. Then again, my current t-shirts include a hefty mix of Rocky and Everlast–you see identity is a complex subject. Also, a whole bunch came 4 for 10–who can say no to a sale? 😉
A simple t-shirt, and the messaging can take you from Dr. Seuss to Microsoft, the Periodic Table and to the future (or even to the bargain bin).
What are you wearing–who are you?
(Source Photo: here)

Supercookies Are Super Invasive

You’re alone sitting at the computer surfing the web, you’re looking up health, financial, entertainment, shopping, and other personal things. 

You feel comfortable doing your thing…you have your privacy and can be yourself without someone looking over your shoulder.
But is the sense of safety real or an illusion?
For the most part, when we are online, we are not safe or in private. 
Like at work, where you get the warning that you are being monitored, when you are browsing the Internet, your actions are being tracked site by site (but this is done without warning)–by cookies–or data packets exchanged between web servers and users’ browsers.
On the plus side, cookies are used for identification, authentication, preferences, and maintaining shopping cart contents; but on the negative side, they are installed on users’ computers to track your activities online.
The Wall Street Journal (18 August 2011) reports that now there are Supercookies! and “history stealing.”
Supercookies are not cookies that can fly or lift locomotives, but rather they are more difficult to locate and get rid of from your computer, so they track your activities, but are hidden in different places such as in the web browser’s cache.
“History stealing” is done when you visit certain websites, and they use software to mine your web browser history to determine where you’ve visited and then use that to, for example, target advertising at you. Imagine though what other profiling can be compiled by categorizing and analyzing your browsing history in aggregate.
Currently, the online ad industry has established self-imposed guidelines to supposedly protect privacy, but they seem wholly inadequate such as “collecting health and financial data about individuals is permissible as long as the data don’t contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records.” But knowing people’s household finances, credit histories, and personal medical histories is okay–by whose standard?
According to the WSJ, web tracking is not only alive and well, but flourishing with “80% of online display ads are based on tracking data.”
Why should anyone have the ability to track our personal web surfing?
We don’t need ads targeted at us–we are not targets!  We are very capable of searching online for what we are interested in and when we are interested in it–thank you!
Session cookies that expire at the end of one’s web browsing for session management are one thing; but persistent cookies that collect and mine your personal data–that should be a definite no-no.
Like with the advertisements that come unwanted in the traditional mailbox and get routinely and speedily placed in the garbage, online advertisements that are based on intrusive website tracking are not only a nuisance, but a violation of our privacy–and should be trashed as a concept and a practice.
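The session-versus-persistent distinction above can be read straight off a site's `Set-Cookie` response headers. The following is an added example, not part of the original post: it classifies constructed headers by lifetime only, and the 30-day cutoff, the fixed clock, and all cookie names and domains are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed "current time" so the results are reproducible (assumption).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie header values, not captured from any real site.
HEADERS = [
    "sid=abc123; Path=/; HttpOnly; Secure",
    "cart=42; Max-Age=3600; Path=/",
    "uid=u-7f3a; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.example",
    "old=x; Max-Age=0",
]


def cookie_lifetime(set_cookie: str, now: datetime):
    """Return (name, lifetime); lifetime is None for a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return name, parsedate_to_datetime(attrs["expires"]) - now
    return name, None  # neither attribute: dropped when the browser session ends


def classify(set_cookie: str, now: datetime = NOW,
             limit: timedelta = timedelta(days=30)):
    """Label a cookie as session, expired, or persistent (short or long)."""
    name, life = cookie_lifetime(set_cookie, now)
    if life is None:
        return name, "session"
    if life <= timedelta(0):
        return name, "expired"  # the server is deleting the cookie
    return name, "persistent-long" if life > limit else "persistent-short"


def audit(headers=HEADERS):
    return dict(classify(h) for h in headers)


if __name__ == "__main__":
    for name, label in audit().items():
        print(f"{name:5} {label}")
```

Lifetime says nothing about what a cookie is used for, and it does not see identifiers stored outside the cookie jar, such as the cached supercookies described above.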

Advanced Biometrics for Law Enforcement

Homeland Security Today Magazine (March 2010) has an interesting article called “Biometrics on the Battlefield” about how the American military has had significant success in Afghanistan taking biometrics and in using it for “vetting, tracking, and identification.”

Here’s how it’s done:

The biometrics system uses HIIDE (Handheld Interagency Identity Detection System) devices, each of which is “similar in size to a large camera, [that] connects directly to the BATS [Biometrics Automated Tool Set] database and matches inputs against a biometrics watch list of 10,000 individuals.”

The database “BATS uses a combination of fingerprints, photographs and iris scans, in addition to an in-depth background examination” to “screen potential local employees, identify detainees, and differentiate friendly individuals from insurgents and terrorists.”

How successful has the use of biometrics been?

“The use of biometrics has clearly thwarted security breaches and helped prevent unwanted activities by the enemy. Additionally, in 2008 alone, hundreds of HVTs (high value targets) were identified through the use of this biometrics technology.”

The article suggests the application of this biometric system for domestic law enforcement use.

Currently, fingerprint cards or stationary scanners are common, but with the proposed military biometrics system, there is the technology potential to use mobile scanning devices quickly and easily in the field.

The article gives the example: “if an officer came into contact with an individual under suspect conditions, a simple scan of the iris would ascertain that person’s status as a convicted felon, convicted violent felon, convicted sex offender or someone on whom an alert has been placed.”

In this scenario, quicker and more accurate identification of suspects could not only aid in dealing with dangerous offenders and benefit the officers in terms of their personal safety, but also contribute to ensuring community safety and security through enhanced enforcement capabilities.

Of course, using such a system for law enforcement would have to pass legal muster including applicable privacy concerns, but as the author, Godfrey Garner, a retired special forces officer, states “hopefully, this valuable technology will be recognized and properly utilized to protect law enforcement officer in the United States. I know that I’ve seen it protect our sons and daughters on the battlefields of Afghanistan.”

We are living in an amazing time of technology advances, and the potential to save lives and increase public safety and security through lawful use of biometrics is a hopeful advancement for all.

Biometrics and Enterprise Architecture

Biometrics is “the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.” (Wikipedia)

Biometrics is crucial for identifying and taking out of play enemy combatants, terrorists, and criminals or for providing access to trusted employees or partners in public or private sector organizations, like the intelligence community, defense, security, and various sensitive industries like financial, telecommunications, transportation, energy, and so forth.

National Defense Magazine, November 2007 has an article on the significant advances being made in biometric technologies and their applications to our organizations.

According to “’The National Biometrics Challenge,’ a report produced by the Office of the President’s National Science and Technology Council…’a tipping point in the maturation of the technology has been reached.’”

Both the FBI’s Information Services Division and The Department of Defense Biometric Fusion Center are leading the way in this field.

Currently, identity is established based on the trinity: “something you know (such as a password), something you have (like an identity card), or something you are, which is where biometrics comes in.”

Biometrics includes technologies for recognizing fingerprints, facial features, irises, veins, voices, and ears, and even gait.

But these identification means are not fool-proof: remembering multiple complex passwords can be dizzying and identity cards can be lost, stolen, or forged. So biometrics becomes the cornerstone for identity management.

However, even biometrics can be spoofed. For example, fake rubber fingers have been used in lieu of a real fingerprint (although now there are ways with living flesh sensors to protect against this). So therefore, biometrics is evolving toward “multi-modal” collection and authentication. This could involve using 10 fingerprints versus one or combining fingerprints, iris scans, and digital mugshots (called the “13 biometrics template” and used to gain access in U.S. managed detention centers in Iraq) or some other combination thereof.

Biometrics has advanced so much so that an Iris scan system from Sarnoff Corp. of Princeton NJ “can scan and process 20 people per minute from distances of about 10 feet away, even those who are wearing glasses.”

The keys to further application of these technologies in our enterprises are the following:

  1. Lowering the cost (especially to make it available to local law enforcement agencies)
  2. Making it rugged enough for extreme environments for the military
  3. Making it portable so that it can be used for a variety of law enforcement and defense operations
  4. Reengineering business processes so that measurements are captured, stored, accessible, and readily available for making a match and generating a decision on someone’s identity in real-time
  5. Developing policies that “effectively govern the proper use of the data” and ensure adequate protection for civil liberties and privacy.

Overall, biometrics has moved from emerging technology to applied technology and needs to be planned into your identity management architectures.