Most Amusing Security Breach Of The Week

Oops, over in England an HSBC branch forgot to lock the doors and turn on the alarm. A 5 year old accidentally wandered in while his dad was using the ATM.

Reading the article, the bank is trying to cover their asses with outright lies.

My favorite line from the article?

The Pettigrews stood guard at the bank until police officers arrived.

I suspect someone might be in some remedial door-closing training right now.


14 Year Old Boy Hacks, And Derails, Trains

(Thanks to Marcin)

Thanks to some good old hardware hacking, a Polish teen built an infrared device that let him switch around the tracks.

Twelve people were injured in one derailment, and the boy is suspected of having been involved in several similar incidents.

Miroslaw Micor, a spokesman for Lodz police, said: “He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks.

“He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.

Wow.

I guess I don’t get to rant about SCADA security today.

When Software Bugs Kill: Robotic Cannon Kills 9

No, this isn’t science fiction. According to Wired’s Danger Room, an automatic defense system went out of control in South Africa during a live fire exercise. Nine soldiers lost their lives, and fourteen were injured.

I’m not going to make any jokes about this one, since we’ve crossed from the theoretical to the real, with a tragic loss of life.

There’s not much else to say.

Yes, Hackers Can Take Down The Power Grid. Maybe.

I didn’t plan on writing about the DHS blowing up a power generator on CNN, but I’m in my hotel room in Vegas waiting for a conference call and it’s all over the darn TV. Martin and Amrit also talked about it, and I hate to be late to a party.

That little video has started an uproar. Based on the press coverage you’ve got raving paranoids on one side, and those in absolute denial on the other. We’re already seeing accusations that it was all just staged to get some funding.

I’ve written about SCADA (the systems used to control power grids and other real-world infrastructure like manufacturing systems) for a while now. I’ve written about it here on the blog, and authored two research notes with my past employer that didn’t make me too popular in certain circles. I’ve talked with a ton of people on these issues, researched the standards and technologies, and my conclusion is that some of our networks are definitely vulnerable. The problem isn’t so bad we should panic, but we definitely need to increase the resources used to defend the power grid and other critical infrastructure.

SCADA stands for Supervisory Control And Data Acquisition. These are the systems used to supervise physical things, like power switches or those fascinating mechanical doohickies you always see on the Discovery Channel making other doohickies (or beer bottles). They’ve been around for a very long time and run on technologies that have nothing to do with the Internet. At least they used to.

Over the last decade or so, especially the past five years, we’ve seen some changes in these process control networks. The first shift was starting to use commodity hardware and software, the same technology you use at work and home, instead of the proprietary SCADA stuff. Some of these things were O-L-D old, inefficient, and took special skill to maintain. It’s a lot more efficient for a vendor to just build on the technology we all use every day; running special software on regular hardware and operating systems.

Sounds great, except as anyone reading this blog knows there are plenty of vulnerabilities in all that regular hardware and software. Sure, there were probably vulnerabilities in SCADA stuff (we know for a fact there were), but it’s not like every pimply faced teenage hacker in the world knew about them. A lot of new SCADA controllers and servers run on Microsoft Windows. Nothing against Microsoft, but Windows isn’t exactly known as a vulnerability free platform. Worse yet, some of these systems are so specialized that you’re not allowed to patch them- the vendor has to handle any software updates themselves, and they’re not always the most timely of folks. Thus we are now running our power plants and beer bottling facilities on stuff that’s on the same software all the little script kiddies can slice through, and we can’t even patch the darn things. I can probably live without power, but definitely not the beer. I brew at home, but that takes weeks to months before you can drink it, and our stash definitely won’t last that long. Especially without any TV.

Back to SCADA. Most of these networks were historically isolated- they were around long before the Internet and didn’t connect to it. At least before trend number two, called “convergence”. As utilities and manufacturing moved onto commodity hardware and software, they also started using more and more IT to run the business side of things. And the engineers running the electric lifeblood of our nation want to check email just as often as the rest of us. And they have a computer sitting in front of them all day. Is anyone surprised they started combining the business side of the network with the process control side? Aside from keeping engineers happy with chain letters and bad jokes, the power companies could start pulling billing and performance information right from the process control side to the business side.

They merged the networks. Not everyone, but far more companies than you probably think.

I know what you’re all thinking right now, because this *is* Securosis, and we’re all somewhat paranoid and cynical. We’re now running everything on standard platforms, on standard networks, with bored engineers surfing porn and reading junk email on the overnight shift.

Yeah, that’s what I thought, and it’s why I wrote the research.

This isn’t fantasy; we have a number of real world cases where this broke real world things. During the Slammer virus a safety system at a nuclear power plant went down. Trains in Sydney stopped running due to the Sasser virus. Blaster was a contributing factor to the big Northeast power outage a few years ago because it bogged down the systems the engineers used to communicate with each other and monitor systems (rumor has it). I once had a private meeting in a foreign country that admitted hackers had gained access to the train control system on multiple occasions and could control the trains.

Thus our infrastructure is vulnerable in three ways:

  1. A worm, virus, or other flaw saturating network traffic and breaking the communications between the SCADA systems.
  2. A worm, virus, or other attack that takes down SCADA systems by crashing or exploiting common, non-SCADA, parts of the system.
  3. Direct attack on the SCADA systems, using the Internet as a vector.

Some of these networks are now so messed up that you can’t even run a vulnerability scan on them without crashing things.

Bad stuff, but all hope isn’t lost. Not everyone connects their systems together like this. Some organizations use air gaps (totally separate, isolated networks), virtual air gaps (connected, but an isolated one-way connection), or air-locks (a term I created to describe two separate networks with a very controlled, secure system in the middle to exchange information both ways, not network traffic). NERC, the industry body for the power networks, created a pretty good standard (CIP, Critical Infrastructure Protection) for securing these networks that went into effect last year. When I talk to power guys these days about network separation, I don’t get nearly the strange looks I did five years ago.
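As an added illustration (not the post’s own code), here is the “air-lock” idea sketched in Python: a broker between the process control side and the business side that passes only well-formed performance records, the billing and performance data mentioned earlier, and drops anything else, so structured information crosses but network traffic does not. The record format, field ranges and sample messages are assumptions made up for the example.

```python
"""Sketch of the 'air-lock' pattern: a broker that sits between the process
control network and the business network and forwards only validated
records, never raw traffic. Added example; format and ranges are assumed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample messages as they might arrive from the process side.
PROCESS_SIDE_MESSAGES = [
    '{"meter": "GEN-07", "mwh": 412.5, "ts": "2007-09-27T03:00:00Z"}',
    '{"meter": "GEN-07", "mwh": -3.0, "ts": "2007-09-27T04:00:00Z"}',  # value out of range
    '{"meter": "GEN-07", "mwh": 410.0, "ts": "2007-09-27T05:00:00Z", "cmd": "open_breaker"}',  # extra field
    'GET /setpoint?value=0 HTTP/1.0',  # raw network traffic, not a record
]

METER_RE = re.compile(r"^[A-Z]{3}-\d{2}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
ALLOWED_FIELDS = {"meter", "mwh", "ts"}  # assumed schema for the example

@dataclass(frozen=True)
class PerformanceRecord:
    meter: str
    mwh: float
    ts: str

def parse_record(raw: str) -> Optional[PerformanceRecord]:
    """Accept a message only if it is exactly a well-formed performance record.
    Extra keys, bad ranges and non-JSON input are all rejected, so nothing but
    structured data ever crosses the air-lock."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(obj, dict) or set(obj) != ALLOWED_FIELDS:
        return None
    meter, mwh, ts = obj["meter"], obj["mwh"], obj["ts"]
    if not (isinstance(meter, str) and METER_RE.match(meter)):
        return None
    if isinstance(mwh, bool) or not isinstance(mwh, (int, float)) or not 0 <= mwh <= 1000:
        return None
    if not (isinstance(ts, str) and TS_RE.match(ts)):
        return None
    return PerformanceRecord(meter, float(mwh), ts)

def airlock_export(messages: List[str]) -> Tuple[List[PerformanceRecord], List[str]]:
    """Split process-side messages into records for the business side and
    rejected raw messages that an operator should review."""
    accepted, rejected = [], []
    for raw in messages:
        rec = parse_record(raw)
        if rec is None:
            rejected.append(raw)
        else:
            accepted.append(rec)
    return accepted, rejected
```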

Another thing in our favor is that to cause serious damage like we saw in the video, you really need to know what you’re doing. You have to gain access to the network, disable safeties, and know exactly what to do.

Well, more bad news. I’m not worried about Joe Hacker at Starbucks or whatever they use for Internet cafes in Russia (Starbucks?) taking down the North American power grid. But it’s very clear that foreign nations have the expertise to do this, especially over in China where they seem to be having all sorts of fun on our networks. Terrorists? They’re better off just blowing up a few major transformers. That will take out major parts of the grid, might blow up some generators (years ago the one at the University of Colorado blew up during a big blackout), and those transformers are both costly and may take years to replace. Besides, terrorists are blood-obsessed psychotics, despite their threats to attack our economy and infrastructure.

In summary we are definitely vulnerable to just the right kind of attack, but it’s a problem we can get our arms around and solve with a little investment and common sense. Not everything is vulnerable yet, and we’re early enough on the convergence trend that we can still stop and put the right security precautions in place.

I’m glad that video hit the news; maybe we’ll get the right amount of dollars in the right places so we can take this one off the table.

Unless the bad guys just get jobs at the power plants and flip switches during the midnight shift.

Not that I’m paranoid or anything.

My Home Office Security Defense System

It sweeps across a defined field of fire and launches its (un)deadly projectile at anything that invades its defined perimeter (3 feet).


Bender is just there for moral support. When he’s sober.

(Yeah, I’m a geek. But I have a black belt, so it’s okay.)

It’s Magically Terroristic!

(From Slashdot)

So a student creates a map of his school for a video game mod, and gets arrested and kicked out of school.

Aside from discouraging freedom of thought, something I doubt the Founding Fathers ever thought needed protection, how is the youth of today supposed to prepare for the coming alien invasion? This is a serious issue and we can no longer let these gutless liberals undermine the defense of this country by preventing our future warriors from learning the latest frag techniques for radioactive mutants, alien invaders, or Mo from the Simpsons (love that mod).

The quote of the year:

“They decided he was a terroristic threat,” said one source close to the district’s investigation.

“Terroristic”. That’s just awesome. Nice to see sniglets returning to the common vernacular related to national defense.

Can we make dumb people wear hats or something? Please?

Everything You Need To Know About Security Is In This Film

(Physical security, that is)


Road House

“Be Nice.”
“Until when?”
“Until it’s time to not be nice.”

Don’t forget the rest of the quotes.

Seriously- even you non-physical security types need to watch this. The ultimate expression of the security mindset.

(This post inspired by this link)

AZ Declares 14 Year Old Boy as Dangerous as Bin Laden

This is so stupid.

Terrorism is a tactic, which is also defined as a particularly nasty crime. There are a lot of definitions, but I tend to use various versions of the U.S. Code of Federal Regulations:

“…the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives” (28 C.F.R. Section 0.85).

So tell me, how does the following meet the definition of terrorism?

A 14-year-old boy who allegedly kidnapped a classmate at knifepoint and was later found with a backpack full of restraining devices and weapons will be charged with terrorism, Maricopa County Attorney Andrew Thomas said.

The Mesa boy, who attended Powell Junior High School, also faces charges of aggravated assault with a deadly weapon, kidnapping and carrying weapons on a school campus.

A very bad crime? Yep. Terrorism? Nope. Only in the heads of over-zealous prosecutors who don’t understand terrorism, or the risks of abusing the laws against it.

This kid needs to be dealt with, but how can you possibly compare this to real terrorist acts?

This is a sick kid. Not a terrorist.

Worthless Security Theater at the Empire State Building

Last week was one of those crazy travel ones. I headed to NYC for some client work, and since my wife had never done the tourist route there she came along and I took some time off to show her around. I’m not from NYC, but I’m from the part of Jersey that likes to think we are (technically, I lived closer to Manhattan than some of the other boroughs). After a few days in the city we headed down to Richmond, VA to catch up with my family.

It was a ton of fun- we caught up with a bunch of friends and spent a couple nights staying with Chris Pepper and his wife Amy- who it turns out are pretty exceptional hosts, even when their daughter’s a little sick.

It’s weird going back to post-9/11 New York. Aside from the skyline of my childhood being forever altered, there’s a different vibe in parts of the city. (And why the f* don’t we have any real progress on a new WTC?!? Are politics so bad in this country we can’t get anything done anymore?).

One of those vibes is security- I hadn’t been in the Empire State Building for about 10 years, but the day was clear so we decided to give it a shot. Aside from the dramatically inflated prices and lines (carefully hidden so you can’t see them where you buy your ticket) there was the ever-present x-rays and magnetometers.

Magnetometers de-tuned to such a level that I walked through with my jacket, belt, and watch on- and cellphone and camera in my pocket.

Maybe that thing would have stopped a rifle, but I had more than enough metal for all sorts of badness on me.

Then again, I suppose if it’s all just for show, there’s no reason to actually inconvenience people. No wonder ticket prices are up.

Stupid. Stupid. Stupid.

Alarm Ads That Lie- Is a False Sense of Security Dangerous?

I was catching up on some old TiVo and saw an ADT commercial that really tweaked me. You know the one, it has a woman alone in the kitchen when the bad guy smashes the window to pop the door and do all sorts of nastiness. Her alarm starts blaring, scares off the bad guy, and it’s ADT to the rescue.

There are two things that bother me about this:

  1. The average default alarm installation doesn’t include glass break detection. Those free-with-service ADT (or anyone) systems just include contact sensors for someone opening doors or windows, and usually one motion detector. Glass breaks can cost over $100 more each, only cover about a 30′ radius, and are prone to false alarms. Sure, maybe the alarm would go off when the bad guy opened the door, but only if…
  2. How many of you set your alarm when you’re home during the day? Nope, maybe only those of you in a real nasty part of town. Definitely not in the nice suburbs like our luckless victim.

I really don’t like deceptive advertising- especially when it imparts a false sense of security. I wonder how many people think those sensors on their windows will go off if someone smashes them? How about all those people that lose bikes out of their garages every year because garage doors aren’t normally sensored?

I realize I’m exaggerating a bit to make a point. Just having an alarm can really reduce your risk of any kind of break-in, and if you’re in a higher risk area I recommend alarms (and have one myself in Phoenix). But if advertising is going to play on FUD, it’s irresponsible to create a false sense of security. Having dealt with multiple alarm installers over the years, very few of the sales guys (as opposed to the installers) educate customers on the gaps in the system, or on the additional high-cost options.*

*which is a little surprising, although I suspect they worry about sticker shock to the average consumer.