Wednesday, August 20, 2008

Going to ASIS?



It's that time of year again; you can tell by the buyout rumors and new product buzz. ASIS 08 is just around the corner (September 15th - 18th), and I'll be headed down to the ATL for the full event this time.

One of the biggest draws for me is that I have access to the engineers and designers behind the products all in one place. The kinds of questions/issues that can take weeks to resolve get cleared up pretty quickly when you can go right to the source.

And with industry leaders, great seminars and interesting speakers - it's usually a good investment of time.

So, hit me up if you're going to be in town - Email or DM for my number. See you there!


Monday, August 11, 2008

Smartphones, great for workaholics AND criminals


Smartphones are revolutionizing the workplace in more ways than we realize sometimes.

As more and more technology is crammed into these modern wonders, they become more versatile, and that versatility can present more directions for risk.

Take, for instance, the iPhone and similar high-end smartphones. Users love being able to connect to wi-fi networks when they are at home or the office to access secure files and speed up transfers.

But as Robert Graham and David Maynor of the Atlanta-based Errata Security point out, they can be used to find unsecured networks from far outside your corporate campus. (from SecurityInfoWatch)

Basically, they send an iPhone that's rigged with special software and an extended power supply to a non-existent employee and let it sniff out connections while it's in the facility.

No huge risk to most capable IT departments. They have become very skilled at securing internal wi-fi networks from outside hackers. But - how many people do you know that have hooked up their own wireless router to the corporate network? It happens more than we like to admit. And the employees that do it tend to mask the router's IP address to look like a system already registered through security.

This is just one example of how an off-the-shelf unit with minimal rigging can turn into a sophisticated snooping device. Think of all the other cool (but damaging) tricks that are out there.

I love my smartphone, but you can bet I'm keeping an eye on how powerful, mobile tools like this can be used by criminal minds. Smartphones have cameras, microphones, GPS, Bluetooth and other useful resources that can be used in many ways.


There have been reports out there of using them as remote spying tools (the cameras and microphones), but I have not seen any very usable versions of that technique myself. Please let me know if you've seen otherwise.



Wednesday, August 6, 2008

Anthrax Investigation and Basic Lab Security



You're probably tired of hearing about this week's developments in the anthrax investigations (that started in 2001). Don't worry, I'm not about to launch into a time-line analysis or anything - but I would like to take this opportunity to talk about basic laboratory security.

With biological agents such as anthrax, you have some DNA fingerprints to follow when looking for the origin of the substance. In this case, they followed the DNA to a few labs that shared a specific strain of anthrax.
One of the labs was operated by Dr. Bruce E. Ivins, who of course committed suicide yesterday.

As I listened to details through the day, I was constantly reminded how important it is to have solid access control and access tracking when dealing with research substances that can be used as weapons.

This was not gunmen armed to the teeth, raiding labs to supply a terror plot. This was not secret agents rappelling through ventilation ducts - it was a respected but troubled researcher enacting what he thought to be a chance to test his cure, and bring problems he saw with research limitations to light.

It's not difficult to trace many "select agents" back to specific research institutions. But once the substances get into the labs, accountability tends to decrease rapidly. If you're just protecting against outside threats to your research or dangerous substances, you can easily lose sight of what's considered to be the most valid threat of all: your own people.

Most of the time, research labs are comprised of senior researchers, junior worker bees, and administrative staff. Only a limited number of staff members should work with the substances in question. Access to the select agents is restricted (they are locked up) and tracking forms / logs are filled out when they are used. In most settings, anything more advanced than that feels like overkill to everyone involved.

But as we see with Ivins, any internal threat is very difficult to pin down. His colleague, Steven Hatfill, was being looked at first, and was eventually cleared last month (and given 5.8 million for the trouble).
Imagine how different the investigation would have gone if there were solid access control and access tracking in place. I don't know the specifics of how things were set up in the Fort Detrick lab, but it sure doesn't sound like it was easy to track who accessed what substance and when they did it.

When everyone has to play along with strict access policy, it keeps people honest - and protects the staff (as long as they follow the rules). It may seem very restrictive - and "big brother-ish" at first, but the staff soon appreciates how much easier it is to swipe a card to open storage lockers and freezers, and not have to bother with writing out access logs.

Once something comes up missing, or a similar problem occurs - it's easy to see the benefits when you can easily conduct a database search and have a clear picture of who used the substances, who they were working with, and when all the access occurred. Even if you are honest, it's easy to slip up when entering times and dates on a log sheet - or forget altogether. Integrated access systems can't be "pencil whipped" at the end of the month to account for usage, and you can't forget to use your badge to track your use of items or space when it's required to physically access it. They give you an accurate account of events, and do it in a way that makes it easy to find small scraps of information quickly.
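As an added illustration (not part of the original post, and not any vendor's schema), here is the kind of database search described above, run over constructed badge events. The table layout, reader names and badge holders are all hypothetical.

```python
import sqlite3

# Constructed sample data: (badge holder, reader, timestamp, event).
# Reader names and the schema are hypothetical, not from any real product.
EVENTS = [
    ("alice", "lab_door",  "2008-08-01T08:55", "enter"),
    ("bob",   "lab_door",  "2008-08-01T09:05", "enter"),
    ("alice", "freezer_3", "2008-08-01T09:10", "open"),
    ("bob",   "lab_door",  "2008-08-01T09:40", "exit"),
    ("alice", "lab_door",  "2008-08-01T10:15", "exit"),
    ("carol", "lab_door",  "2008-08-01T21:30", "enter"),
    ("carol", "freezer_3", "2008-08-01T21:42", "open"),
    ("carol", "lab_door",  "2008-08-01T22:05", "exit"),
]

def build_db(events=EVENTS):
    """Load badge events into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (holder TEXT, reader TEXT, ts TEXT, event TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    return conn

def present_with(conn, ts, holder):
    """Others whose most recent lab_door event at or before ts was 'enter'."""
    rows = conn.execute(
        """SELECT e.holder FROM events e
           WHERE e.reader = 'lab_door' AND e.event = 'enter' AND e.holder != ?
             AND e.ts = (SELECT MAX(ts) FROM events
                         WHERE holder = e.holder AND reader = 'lab_door' AND ts <= ?)
           ORDER BY e.holder""", (holder, ts))
    return [r[0] for r in rows]

def access_report(conn, reader, start, end):
    """Who opened a storage unit in [start, end), and who was in the lab then."""
    rows = conn.execute(
        "SELECT holder, ts FROM events WHERE reader = ? AND ts >= ? AND ts < ? ORDER BY ts",
        (reader, start, end)).fetchall()
    return [(h, ts, present_with(conn, ts, h)) for h, ts in rows]

def after_hours(conn, reader, opens="07:00", closes="19:00"):
    """Storage accesses outside normal working hours (time-of-day comparison)."""
    rows = conn.execute(
        """SELECT holder, ts FROM events
           WHERE reader = ? AND substr(ts, 12, 5) NOT BETWEEN ? AND ?
           ORDER BY ts""", (reader, opens, closes))
    return [tuple(r) for r in rows]
```

The report pairs every freezer access with whoever else was badged into the lab at that moment, and the after-hours query surfaces the solo evening access that a paper log would depend on the person to record.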

Systems don't come out of the box ready to be configured for this kind of thing. But if you work with a reputable systems integrator - it's not hard to do. The best systems are designed to be integrated, and believe it or not - it's not too expensive either.



Ivins didn't fit the profile of what most people protect against. He was a leader in his field and a recipient of the Decoration for Exceptional Civilian Service for his anthrax vaccine work. He wasn't the guy you'd spend time and money to protect against, yet he killed five people with anthrax-laced letters in his attempt to test his cure, and crippled political, postal and logistical operations across the country.

Fences, gates, cameras and alarms don't protect against that kind of threat; only solid access control and tracking practices can be effective - and sadly - they usually are not in place.

Sunday, August 3, 2008

UC Santa Cruz researchers firebombed



Saturday morning (Aug 2nd), a UC Santa Cruz researcher's home and another researcher's car were firebombed in what the police are calling a case of domestic terrorism by animal rights activists.

"The violence occurred four days after a customer at Caffe Pergolesi, a downtown Santa Cruz coffeehouse, found fliers listing the names, home addresses, home phone numbers and photos of 13 UC-Santa Cruz science researchers and professors. Police believe unidentified animal rights activists created the fliers, which were made to appear as "wanted posters." They warned: "Animal abusers everywhere beware; we know where you live; we know where you work; we will never back down until you end your abuse."" (Mary Ann Ostrom, San Jose Mercury News)

There has not been any direct activity linked to this in the RTP area, but we do have a lot of research involving animals and have been subject to our share of activism.