Check your freq, - Wireless interference with security components

C-Net and other sites ran stories on how the medical technology community is urging the wireless communications industry to be careful using white-space.

About a decade ago, wireless heart monitors hooked to patients at Baylor University Medical Center in Dallas went on the fritz, causing much scrambling among the building's engineering team.

Although I'm confident the white-space problem here will be addressed through FCC and the key players, there is a similar issue we all need to be thinking of.

As the barriers of possibility are pushed farther and farther away for systems integrators, the use of wireless technology is at the forefront. We can throw just about anything on a wireless network, or shoot a wireless signal across rooms, floors, wards or property lines to connect devices with the rest of the system.

As we do, we'd better be talking to the clinical technology folks if we are doing it anywhere near a medical facility. And we'd better be familiar with possible interference issues to avoid in all applications as well. I've found that clinical technology folks are more than happy to help make sure there are no problems.

That being said, signal interference has always been something to consider, even in wired applications. I've seen numerous "ghost problems" in systems where communication lines are run next to high voltage factory equipment or similar scenarios. So it's critical to make sure you're not going to interfere with any lifesaving devices, but it's also important to make sure wireless interference is not going to be causing trouble for the end users or service techs in the future.

A new kind of "Cat" burglar

With metal prices going up, thieves are getting down on the ground, crawling under vehicles and cutting catalytic converters right off of the exhaust system.

Just a couple minutes and a cordless power saw, and you've got yourself some rhodium, platinum and palladium to sell. Get enough of it - and it's a fairly good payday. Last week metal exchanges were trading rhodium for $9,050 a troy ounce; platinum for $2,025 a troy ounce; and palladium for $446 a troy ounce. Even though there is just a small amount of these substances in your average catalytic converter - it's worth it to thieves because they hit multiple vehicles whenever possible.





So, what can be done?

If you've got a couple hundred dollars to spend, you can always contact American Welding Inc. to get a "CatClamp". $250.

Seems a little extreme doesn't it? Maybe if you've got a fleet of vehicles that need to be customized anyway (work trucks, etc) you can have your customization shop add the CatClamps as part of your package.

And that's not the only trend when it comes to precious metals. You may have noticed thefts of copper wire, tubing and plumbing products on the rise. Copper is trading at about $4 a pound, that doesn't seem like much - but when you've got a roll of wire from a construction site, you're set. I've even seen copper drainpipes stolen off of old buildings recently. In fact, locally we've got the thieves recruiting addicts to go get the copper, and bring it back to the thief to reduce his risk. I've seen trails marked with engineer tape through the woods leading to power substations where copper is stored.
It was just a few months ago that a whole section of copper wire was stolen OFF OF THE POLES in Durham. I think it was a cable company's line and service was out for a while when they got new wire in to fix it.

We're always telling people to park in areas with plenty of lighting and natural surveillance, and that advice is prudent for this as well. I think it may be worth considering making sure the natural surveillance you plan when designing parking areas includes a clear view under the vehicles too.

But basically, we need to adjust our reference to what we consider valuable targets - and include precious and semi-precious metals.

The virtual fence that was - but wasn't - but should be

Back in February, I sat in my car and listened to a NPR (All Things Considered) piece on Boeing's Project 22.
Ironically, I was sitting across the street from the location I was in the process of designing a virtual fence for myself.
Granted, what I had in mind was nothing nearly as sophisticated as Boeing's 21 million dollar design.

It was announced today that the plan is scrapped - and Boeing has been instructed to replace the towers with new equipment. As of now, there is no word about the details.

In the NPR story, I was struck by a statement made by one of the project's engineers. He talked about how they were using off the shelf products that in theory - would work together to meet a desired result. However, they were finding that wasn't the case. That made me think of all the times I've watched vendors trip over themselves to get a project based on loosely developed information that "should" work. There's a fine line between being confident in your technical staff and engineers to find a solution (within the budget your using) and just blindly making commitments based on surface information.

I've been tempted to say "with that kind of money - I'm sure we can figure it out" on more than one occasion. But I'm always reminded of colossal screw ups like this one and tend to error on the side of caution.

With something like three miles of land to cover for each tower there is a lot that can go wrong. They are saying that a key problem is the time lag with transmission of camera images to officers in the field (from the time of movement).

And what about my own project? Well since it is dependent on video analytics and live monitoring - it's on hold for the time being.

Is it just me - or does that camera tower unit look like "johnny 5" from Short Circuit?




Story in Engadget
Story in Wired

Honda's got'cha covered - with crime stats as you drive

Via Engadget - Via Physorg

Honda Motor Co. will start a new system this week warning motorists when they are driving close to crime hotspots. - Based on crime info from local Police Departments.

Looks like it's just in Japan now - but I like the integration of technology / data.

Facebook Police Application

Wow - it's been a busy day in terms of digital media used for security.
First, I came across some Google Maps crime mapping sites - very slick. Then, looking closer at the Garner NC Police Department site - I found out they even have Podcasts - even slicker.

But, for the slickest of the day - check this out:

I found (via NowSourcing post by Mark O'Neill)
That the Greater Manchester Police (GMP) in Great Britain is using a custom Facebook Application to fight crime.


If you're not familiar with Facebook, it's the huge social networking site used worldwide by students, corporations and other organizations. Often times, folks keep their facebook page up on one of their active tabs (when browsing) so they can see what their friends are up to. There are thousands of applications written for Facebook that run inside their service. Most of them are for fun and games, but a few of them are pretty beneficial.

The GMP application can give you streaming crime updates for the area. But - you can also report crime or suspicious incidents through the application.
Now before you blow this off - think about it. I do a lot of work on a university campus and health system - and one thing's for sure; young people today are more comfortable sending text messages, twitter messages and instant messages than making an actual phone call. Notice I didn't even mention email? Yeah - it's still used - but for day to day conversations back and forth it's done quickly and effectively via some type of messaging platform.

There are lots of reasons for this, but one thing you have to remember is that younger folks have grown up in a time where digital communication is the preferred method. If you think about it, all the "thinking on the fly" you do on a telephone call or in person is gone if you're using a messaging platform. You've got time to edit yourself - and say what you truly want to convey. It's not a weakness or being lazy - in fact it's pretty industrious how a generation has transformed communication to fit around themselves. If you were totally comfortable and proficient using that technology to communicate than I bet you'd find yourself using it more and more because it just makes sense.

There's a pretty big gap between most law enforcement/security departments and a large percentage of the population. In my mind, it would make perfect sense to run a workstation in the departments dispatch center that's running IM clients - email - and now a Facebook application as well as receiving SMS messages. But - how many dispatch centers do you know of that would be comfortable with this? Not many at first.

Of course there are legalities that have to be worked out, but I'm sure if you take your Risk Assessment guy out to lunch you can find out what steps should be taken to make sure everything is covered.

Crime Mapping, Google Maps Style (Rock on Garner NC PD!)

Crime and incident mapping is probably one of the most valuable tools you can have. It doesn't matter if you are trying to secure a city or an office park it's helpful to know what kind of problems happen by location and time. Most institutions track this in one form or another, and some even spend thousands of dollars on crime mapping software, or even expensive add-ons to their records management software. That's not necessary - and although it could be the right fit for some organizations, I hate to see others spend money on it when they don't have to.

No secret I'm a huge Google supporter, and I've been using Google Maps pretty much exclusively for some time now. Even their mobile version works smoothly, I've got it loaded on my PalmTreo and get satellite images, traffic status and great search features. What makes Google apps great is how open they make the programming. They figure that if they release a core product to the world the talent out there can apply it in ways their internal staff would never think of. Even with the standard Google Maps you can create your own personal maps and mark them up as desired. You can plot locations, mark routes, area and all sorts of things. To take it one step further, you can share your map with either invited guests only or anyone.

So, it's been possible for some time to use Google's mapping service to map crime data. Some institutions have been doing it by using Google's design on their internally hosted LAN sites or even internet. But in recent months the Google Maps design team has been adding all sorts of features that make it much easier to do, so now we're seeing some great uses.

Check out the Google Maps Blog, they have a post about a Brazilian site that's using Google Maps to produce their WikiCrimes feature.

And what's this? At the bottom of the post I see that The Garner North Carolina Police Department is featured as well. There's a link to their website to check out their mapping feature.

Yep, as you can see the data is limited to the Garner NC area only - but still pretty cool. They let you search by proximity to an address and select what crime data you want to display.

They even have a cool table on the side that lists the results by crime type, date and address. They also feed their data into a Google Earth overlay - sweet.

If you're interested, take your IT guy out to lunch and ask him to check out the Google Maps API and see what they can work out.

Now, the secret to good crime mapping or even crime tracking / analysis is having accurate and consistent data. How effective is it, if each time an incident happens at the "Bradford Building" the officer recording the incident calls it "The B-Building" or "Bradford" or even "Badford Bld"? If you're using a standard database that doesn't use smart word association - than you're going to get a separate location entry for each possible variation of the name or address. For mapping functions you may just get a lot of errors. The best way to do it is to have drop down menus that officers or records staff can choose the name or address of a location rather than enter the text themselves.

One of the largest drawbacks to traditional crime mapping through address-based systems is if you are on a college campus, medical center / park or corporate campus than your street names may be private, and not on most mapping reference sources. If that's the case I've seen it done by using the organization's existing GIS platform. With GIS you are referencing grid data and plotting more than addresses, and a lot of institutions already use GIS for engineering functions. The better systems I've seen for this also incorporate GPS readers so that when the officer is on site, they can grab the grid coordinates and enter them into the report.

Of course another consideration is the security of information you're broadcasting. If you're already releasing crime reports to the general public than I'd just use that data so it's already been cleared for release. If not, I'd put some thought into what you're releasing and why. If it's just for your own internal use, than I'd suggest keeping it behind your firewall. If you have people not connected to your network but still need to see it, you could set up a VPN connection.

And - just another note - the Garner PD has an RSS feed available.

I'm glad to see this catching on, with more an more law enforcement and security sites using RSS to get information out quickly.

If you're not familiar with RSS let me know, I'd be more than happy to point you to some good apps and techniques. With RSS feeds I can cover over 75 news and media sources a day specifically, and key words and phrases in news stories/blogs globally.

Fear, Photographers and False Alarms

I came across an interesting article in BBC News today written by Tom Geoghegan.
(found via Mark O'Neill )

The article focuses on photographers being approached, questioned, searched and sometimes detained by authorities just for taking pictures. It's a prickly subject to be sure. The overall issue here is that as we transition into a more security conscious society, we're more tuned-in to possible intelligence gathering methods that could be used for terrorist agendas. Of course there are problems galore recently on this topic, civil liberties and balancing the proper security posture with true risk - and with public freedoms.

Proper security posture: government, military, law enforcement and security institutions define proper security postures very differently at times. They each have their own core objectives which can be similar , but can also differ greatly. To complicate things, each of the classifications are part of their own little world, are subject to their own rules, standards and expectations that shape their perspective. It's no wonder that countries that have been dealing with terrorism longer have much more integrated government, military, law enforcement and security institutions.

True Risk: True risk vs. perceived risk is a hot topic. And just like enforcement agencies have different perspectives on the application of measures (see above) they have different interpretations of risk (for a lot of the same reasons). Determining risk is a very difficult thing. Just the idea of applying a tangible metric to the factors that make up the possibility of trouble can seem totally unreasonable - not to mention imposable. But nonetheless, once you have to spend money, or change established behavior, you've got to show tangible reasons. Add the concept of ROI to the mix and you've got even more "assessment tools" to wrangle. It's easy to error on the side of caution when it comes to human life, but when freedoms and finances are at stake you've got internal conflict brewing.

Public Freedoms: Once again, we (America) are infants in terms of living with the threat of terrorism. It sounds terrible, but the more we lose as a result of terrorism the more the general public accepts that you just can't do the same things you used to do. None of us like it - but as security practitioners we have gazed much deeper into the abyss - and we are more understanding. Public opinion on implied and protected freedoms is subject to many things. It's not easy to consider it when providing security, but a clear understanding of it helps everyone.

On the specific topic of photographers, I've seen some shifts in the way public spaces fit into security planning. Critical areas and assets should be, and are starting to bedesigned out of public view more often. I'm a big supporter of keeping critical assets totally separate from public space. It's not always possible, but it's a method that helps to preserve public freedoms and increases security at the same time. If your critical asset IS the public space, it's much more difficult. We're getting better at including CPTED and force protection in the initial design of these spaces but it's essential that we try harder. The problem here is, there is no money to be made in it. If the solutions were cameras, sensors or guards than you'd have plenty of folks knocking down the door to be part of the design. But the solution has more to do with the physical layout of space, angles of view,vulnerability to explosives, standoff distances and lighting. Architecture firms should be focusing on getting security design training to their architects as part of an enhanced service offering. City Managers and similar roles should be making room for security consulting services in their budget.

The funny thing is, if a terrorist were taking pictures of a target now-a-days, it probably wouldn't be that obvious.

Eco-Terrorism, Activism and Corporate Espionage (oh my)

Since World Week for Animals in Laboratories (WWAIL) is right around the corner, there have been a lot of animal research / eco-terrorism themed stories in the news and other media. This topic can be a sensitive one for many people, but in my mind - facts are facts. Terrorism is broadly defined, but it's basically a psychological strategy for gaining political ends or ends or further a cause by deliberately creating a climate of fear.


It's shocking how far some of these eco-terrorists go in their efforts against research, which is one of the largest areas of concern for physical security practitioners. Attacks and harassment are carried out against not only researchers, but the institutions that host them, support agencies and even companies that do business with researchers. I hear a lot of activists say that they are being lumped into the terrorism label - especially after 9-11 to demonize their work. They say that the "greedy - soul-less researchers and corporations "are trying to paint them as hijackers, or suicide bombers when they are really just animal lovers who want to fight for creatures who can't fight for themselves. Some activists even try to say that they are being treated like the government treated actors, artists, musicians and other folks during the red scare of the 1940's-50's (I've seen them even spin it like it's a war against the "green" movement).

This topic in itself is the topic of books - large books - and many people much smarter than me have tackled it in numerous formats. I'm not trying to get into anything like that - just draw some attention to how careful we need to be protecting research, researchers, facilities and equipment. Also - to get people thinking about how many people consider this a war. And in any war - aside from the fighting and psychological maneuvers - there is usually a large, dark and ambiguous intelligence gathering component going on behind the scenes.

That's right - Wherever there's information that can be considered valuable (of monetary, logistical or strategic value) there are folks that will try to get that information. And believe me - there is no shortage of skilled operators out there who used to deal in that kind of information gathering for the government. In fact, our most productive breading ground for intelligence gatherers is from our good old Uncle Sam. And although they were trained to get information, protect information and deal in information that holds a life-and-death value - they can apply the same tactics to information that could be sold - or used by activists, or by groups trying to protect against activists. There is a large scale world power intelligence war out there carried out by nations, affiliated religious groups an political parties but there is also a parallel intelligence war going on in the corporate and educational world.

A recent article published in Mother Jones details the exploits of the failed security firm BBI (Beckett Brown International ). Yes - Mother Jones is a very liberal source but it's a very interesting article nonetheless. There are some pretty good details listed - but basically this firm made up of ex-government, and ex-law enforcement agents launched operations to gather information on "Green Groups". The client list for BBI is very robust and includes some of the heaviest hitting corporations in America. All of them - concerned about the activity and actions of activist groups, plus the harm they can cause to people, property and business. I'm not stupid - I know that the harm to business is sometimes the largest motivator - but from a security professional's point of view they are all the same. Now there is a lot of talk about BBI's dumpster diving tactics and intelligence gathering methods - but the fact is - the same tactics are used by everyone looking to get that kind of information. We all know it - employees are not careful about what they throw away, what they write on notepads, what they say to people out in public, what they have on their laptop/smart-phone -etc.. etc.. I've seen cases where the activists engage in much more brazen acts of intelligence gathering - and they are also known to insert their own undercover operatives to gain information.

So - my points:

• Eco-terrorism is real, it's a threat, and it needs to be considered and planed for accordingly - same goes for home grown terrorists.
• These "home grown" activists/terrorists are sometimes even more dangerous because they have no criminal history, no overt affiliations, and can be wildly unpredictable.
• Industrial and corporate espionage is also real, and you should ensure your information security policies/practices protect against it.
• You have to find a good way to address these topics with your administration or clients. It's hard to believe that the information on that new network engineer's laptop is worth a ton of money to the company down the street - but it may be - and someone may want it.
  
• You don't want to be an alarmist but you do want to educate the decision makers about real risks.
  
• Most companies have information security policies, but they center around personal private information - not sensitive information. It's a good idea to launch a sensitive information protection program to identify, and develop methods to protect it.
  
• And at least consider what kind of damage or harm an activist could do when you're performing assessments. Make sure that activism and corporate espionage is a part of your standard assessment process.

Pelco 8100 Series - no notice drive failure

Worth a note - if you're running Pelco DVRs. I had one loose a drive last week, and just stop recording.

This kind of thing happens all the time right? Well, this time there was no error message, or hung reboot, no -- anything. All looked as if it were recording fine. In fact - the only way to know that there was a problem was to go back and try to play archived video.

Not many organizations can stay on top of all their video systems, checking every aspect continually. That's why it's important for a system to actually be recording if it says it is. Granted, recordings should be checked regularly along with many other checks - but unless you've got an error message or other systems failure, you can usually assume you're recording correctly if your system is indicating as much.

This is not a trend that I know of - and both the tech and myself (loads of Pelco experience between the two of us) have never seen anything like this before. However - it's the kind of rare problem that can have serious consequences so I wanted to put a note out. If it does turn out to be a trend I'll post more.

If anything - this can serve as a good reminder to keep checking on video recording, no matter what the system says.

RFID readers see position, velocity

Via CNET

I'm just waiting for the day that logistics RFID folks sit down the security RFID folks. With all the convergence going on now-a-days I have been expecting advancements any day now - but than I wasn't at ISC West so I may be missing a few things.

RFID folks Alien Technology are releasing software to use with their units that can sense distance and velocity from reader ranges of millimeters to one hundred feet. One hundred feet is not a lot of distance for the kind of security applications I have in mind - but it's a start. The technology here and the article are focused heavily on the airline industry and applications with baggage - shipping. But to me this kind of thing has multiple security industry applications as well.

I've got this one in the "keep and eye on" file.

Inmate bolts from Chicago hospital, recaptured

via: Chicago Sun-Times

handcuffed to a crutch, he overpowered a correctional officer at Stroger Hospital and hopped into a waiting sport-utility vehicle.

When authorities caught up to Kirk Davis (27) a few hours later, in a South-side apartment he had shaved of his distinctive corn-rows changed his cloths and removed his shackles.

It's never easy to provide medical care to inmates. Even clinical care inside the correctional facilities is both logistically challenging and hard to keep secure. Many hospitals receive inmates not only for routine care (like in this case) but emergency care as well. It doesn't matter if you frequently provide care to inmates or not, you have to be prepared to receive high risk patients (security risk). Another tricky part of this is that you have to be ready to protect high risk patients from outside aggressors - and you have to protect other patients from the danger the high risk patient brings to the facility.

Some of the key points to this kind of planning are:

• Great communication between law enforcement, corrections on-site security and clinical staff.
• Carefully planned out routes and specific treatment areas.
• Physical preparation and maintainance of the routes and treatment areas.
• Strong procedures, developed with the help of stakeholders and "people on the ground".
• Specific consideration of protection from outside aggressors as well as the inmates themselves.
  

Using your LAN to broadcast panic alarms

This is a novel approach, I don't think I'd trust it as the only method to communicate during an emergency but I can see some value here.
This reminds me of when everyone was hooked into a central server and had workstations - the administrator would broadcast messages to everyone and the messages would come on top of whatever they were working on. The method has been around for awhile, just not used much.

Users have the software running on their machine - and I suspect this kind of window is always open:
















Once you click the type of alert - the system broadcasts to everyone else.











There are some obvious shortcomings with the system (what if I'm not at my desk?) - and they are the kind of shortcomings that a lot of initial solutions have so many critical areas are already going with more far-reaching options (PA system - chime sequence).

All and all I would consider this a useful piece of an overall system. But - you wouldn't need to buy this system to achieve the same effect. Just take your systems admin out to lunch and ask them to set up message broadcasting. You'll probably have more options at your disposal if your system admin does it anyway --- plus they know the subtle details of your situation. You're systems admin could also help integrate other features like SMS, email etc. which may be difficult in a pre-packaged product. Either way you've got to have some very solid procedure in place that's tested - practiced and works. That's way more important than anything like this.

The product here is LANalarm
If you need a pre-packaged system like this, that's what they offer. I don't know much about them.


I'm recommending that every new construction project has PA systems built in to the TELECOM package - that gives you more options, is more reliable and probably more cost effective than anything else. You don't have to say "everyone get out and avoid the dude in the trench-coat" over the PA system, just a series of chimes. And in a pinch you do have the option to just talk over the system as well. When you're in the department store and you hear the chimes come over the PA - you have no idea what they mean but the staff sure does.

FCC - "we'll txt u L8tr" (FCC outlines use of private networks for emergency SMS alerts)

I have to admit, I never believed it would happen anytime soon.
The FCC released a statement yesterday outlining what they are calling the Commercial Mobile Alert System (CMAS - you knew there'd be an acronym in here somewhere). As the name implies, it's basically using commercial providers to send SMS alerts on large scale. I believe this can be a very good resource - and a great use of technology - if it's done right.
"During emergencies, Americans increasingly rely on wireless telecommunications services and devices to receive critical, time-sensitive information anywhere, anytime. Once fully implemented, the Commercial Mobile Alert System (CMAS) will help ensure that Americans who
subscribe to participating wireless services receive emergency alerts when there is a disaster or emergency that may impact their lives or well-being.
Wireless carriers that choose to participate in the CMAS will transmit text-based alerts to their subscribers. As technology evolves, the CMAS may eventually include audio and video services to transmit emergency alerts to the public. To ensure that people with disabilities who subscribe to wireless services receive these emergency alerts, the FCC adopted rules that will require wireless carriers who participate in the CMAS to transmit messages with both vibration cadence and audio attention signals." - FCC Press Release

I'm sorry, this is a significant step and one I'm glad to see - but one part of that statement really bothers me " transmit messages with both vibration cadence and audio attention signals".
I may not be a wireless technology guru - but I'm pretty sure the decision for alerts to be vibrate or audio rests in the device itself and not in the signal sent from the provider. If I'm wrong - I'm wrong.. But if I'm right - than I just lost a lot of respect for this program. How can you tie mass alerts over multiple providers for national emergencies if your press release talks about providers having to send signals in both audible and vibrate.

/rant... back to the topic:

"Consumers can expect to receive three types of messages via their cell phones and other mobile devices from participating wireless carriers, including:
· Presidential Alerts - national emergency-related alerts delivered to the American public that would preempt any other pending alerts;
· Imminent Threat Alerts - alerts with information on emergencies that may pose an imminent risk to people’s lives or well-being; and
· Child Abduction Emergency/AMBER Alerts - alerts related to missing or endangered children due to an abduction or runaway situation." -FCC Press Release

There are a lot of details and logistical considerations when developing a region based alert system - but I applaud this effort. There's still a long way to go but I'm hoping for the best.

Maybe they'll adopt txt language to save space --- how about "PUSA- My felo Amarkns - duk 'n cvr"

Postacrime.com - initial thoughts

I have not looked too closely yet, but initially this looks like a pretty good idea. Basically, anyone can upload video or stills of criminal activity in hopes of someone recognizing the suspects. They are listing over 100,000 items so far!

There is some pretty slick integration with google maps as well. You can plug in your zip code and go to a map of the area. If there are posts for that area, you can even filter out what you don't care about with a little "filter bar". I'm sure there are some legal considerations as well as tactical ones for each specific case that should be considered - but all in all this could be useful.

Visit Postacrime.com

Emergency Feed + SMS = DIY emergency notification

The effectiveness of mass alerts in the event of violent situations on a campus can be debated all day long. But, we all know how effective things like Twitter, Instant Messaging and SMS messages can be in our daily lives.
The big question marks are: "If you have an emergency alert system, how will sending hundreds of thousands of messages over provider networks at once effect all the systems?" and "Who sends out the messages and under what criteria? plus - what specific information is sent out and how helpful is it?"

All that being said, if your organization has an emergency information RSS feed (like Duke does ) you can at least know when something's posted to it. Although I suggest subscribing to that feed in your favorite RSS processing method - you can also use a service like Yahoo Alerts to filter new posts right to your phone.




This is a pretty bare bones way to do it. I'm playing around with Yahoo Pipes, Twitter and some other webapps to find more robust methods.

Local Alert: NCSU Student reports assault

From WRAL.com

Raleigh, N.C. — "A North Carolina State University student reported being grabbed from behind on campus late Thursday, the university said.

In a crime alert e-mail distributed to students, campus police said an unknown assailant grabbed the female student and pushed her into a fence near the coliseum tunnel at the field house.

The student sprayed the assailant with pepper spray which contains a red dye, police said, and ran away through the tunnel toward the coliseum deck toward Dunn Avenue."

* If you're thinking about using a defensive weapon, remember that the statistics show they are most often turned on their owner. People buy them, stick them in their purse/pocket and feel more safe and protected. I recommend that if you carry a defensive weapon to familiarize yourself with it so that you're comfortable using it in a stressful situation. If you get pepper spray - buy two of them, one to practice and know how it sprays and the other to carry. Check the expiration dates as well.

New Article: The fingerprint-grabbing keylogger

I'm a huge supporter of using smartcards to go around this type of threat, but most biometric applications are not so this can be important information. It has to do with systems that have some kind of exposure to the data between the reader itself and the processing unit.

Keep in mind - the hacker would need access to the data transmission to the database used to authenticate and control. If that's part of the reader - than I'm fairly confident that this does not apply unless the reader's easy to pop open. Even then it's a different process than what's outlined here.

This focuses on systems where the reader is connected - via lan/wan to a control server or backup server. I want to highlight the back-up server angle. This is a historically loosley secured method that always deserves a second look. You may only be connecting to the back-up server once a day or even longer but when you do - look at how that's done specifically.

Information Risk Management PLC is the company who released this.
The Register published the article
packet storm hosts the paper

(image from IQBio)

New Article: The War Against Animal Research

Just got word of a new, timely article released in The Scientist.

It's part of a new book "The Animal Research War" by Michal Conn and James V. Parker. So far, looks like a great perspective into this hot topic.


Check out the new book here and pre-order it through Amazon.


The Animal Research War

Just put it on my card - Using smart cards to expand access control to the edge

Access control systems have come a long way in the last ten years. The improvement of random access memory has allowed control panels to keep tons of information on board (so active or dial up connections to control servers are not necessary for every check). The convergence of digital video systems, ID management, personnel databases, and other features has greatly expanded your options. Smart Cards and biometric access integration has made it much more secure and access control companies have finally realized how important a smooth graphic user interface (GUI) is.

In fact, as I was working on security for a concept and research "smart house" recently I actually suggested that they use a security access control system as their central automation and control nerve center. There are other "building automation" packages out there, but with a little creativity you can kill 10 birds with one stone using access control systems.

But - some-thing's been missing. And I'm sure once everyone gets back from ISC West it will be all the rage.

How about, configuring standard roles and privilege information - writing them into the locking devices - and using smart cards with the information stored on board to authenticate? Yeah - that's right - you wouldn't even have to wire the door to a control panel. That means you can easily add that one or two door location to your system without putting an expensive control panel on site. That means you can retrofit dorms with hundreds of doors without running new wire through historic buildings. That means - we've got a breakthrough ladies and gentleman.
I just wish it was my idea!