Research

I’m catching up after all of last week’s travel and saw a good post by Dave over at Matasano on Safety vs. Security. Dave basically states that although one operating system might have better security than another, it doesn’t really matter if it’s more of a target. Vista might be more inherently secure than OS X, but it doesn’t matter if you are less likely to be attacked on your Mac. At least until someone decides it’s time to change targets. But what’s really interesting is that Dave’s post got me thinking on the whole concepts of safety and security. I realized that in the IT security world we tend to always correlate the two, but in the physical security world we know that safety and security are two totally separate issues, often at odds. It’s an easy mistake to make; especially when the New Oxford American Dictionary defines security as: the state of being free from danger or threat. To be honest, that’s not the definition I expected. A significant part of my job as a security professional has absolutely nothing to do with safety or “threats” in the sense most of you are probably thinking. Unless you consider protecting liquor revenue “safety”. For example: At some venues our searches were to reduce the overall volume of alcohol in the event. In other cases, it was to stop booze from coming in so people had to buy it inside. Stopping cameras and recording devices from coming in to a concert has nothing to do with safety. DRM reduces the security of your computer while failing to prevent piracy. It’s a tool to restrict how you use content, not to stop copying. Checking boarding passes at airport security reduces lines, but doesn’t improve security. While URL filtering does provide a little security against certain web-based attacks, it’s more typically deployed to keep employees from wasting time on corporate resources. A productivity issue, not a security one. I can think of countless times in the physical security world where safety played second fiddle to some other security goal. I suppose we could sometimes make some loose correlation between the threat of reduced alcohol sales and gate searches, but really we’re talking about using security as a tool for a goal other than safety. I remember doing a facility walk-through with a facilities management inspector and a rep from the concert promoter before a Beastie Boys show. The promoter was willing to pay for ticket takers and gate searchers, but seemed confused when the inspector and myself told him we’d have to hire security guards for all the emergency exits and couldn’t just chain them to keep people out. On another occasion I was supervising at a Guns and Roses/Metallica show back when G&R was inciting riots to support their drug habits. Axl decided to go for a drive after the opening song, and Slash was up to about 15 minutes on his guitar solo while we (and the Denver police) tracked down the limo. Quiet word was spread to us supervisor types that if we got the word, we were to pull all our people back stage to protect the gear. There’d already been one nasty riot on this tour. Now I’ll admit that there was a personal safety aspect, but the decision was to let the house go and just protect the gear and people back stage. Rather than set up some safe zones for the innocent public we were going to let the house tear itself apart. So even when security is about safety, it might not be about your safety. We got Axl back and man-handled (no joke) him back on stage where a few biker/bouncer-types stood just off stage to keep him there at all costs. No riot, but a really crappy show after a great start by Metallica. Maybe that makes a better story than proof of my case, but I think you get the point. Security is a tool to enforce controls. Despite what the dictionary says, this often has little to do with safety as we commonly think about it, or may even sacrifice your safety for someone else’s. Share:

I went to the Broncos vs. Cardinals game yesterday here in Phoenix (Broncos won, in case you were wondering). On the way in we were subject to a pat down of the type I discussed here. What a joke. Basically, it looks like the employees at the gate were given strict, rote guidelines on how to search. Some of it good (no use of the palm of the hand, to limit accusations of groping), but most of it bad. I’m fairly certain that you don’t need to brush the entire length of someone’s arm when they’re wearing a t-shirt. Also, it’s probably kind of important to check someone’s coat pockets. While an untrained observer might look at one of these searches next to one of the ones we used to perform and think they’re the same, a trained observer will pick up on a stark difference. These guys moved their hands by rote on a pre-set pattern. The searchers never adjusted based on the person, and never used their eyes. It’s like they were magnetometers without brains. Our teams, even the untrained temporary help, were instructed to use their eyes and heads. Don’t just follow the same pattern over and over (although we had a minimum pattern to start); use a little judgement. Most of the time it might look the same, but the odds of finding something are significantly higher. Then again, maybe I’m just waxing nostalgic and we weren’t any better. But seriously- if any of you are senior managers in the NFL give me a call- you’re wasting everyone’s time and increasing your risk of lawsuit with what I saw. Share:

…and I haven’t already contacted you about RSA, please email me at rmogull at securosis.com. Share:

I wasn’t planning on writing about this, but with the release of a third unpatched MS Word vulnerability it’s time to be extra careful. I’m assuming this will be patched soon, but for now I’d limit yourself to only documents you are darn sure are safe. I’d tell you to stop using Word, but that’s just silly and unrealistic. Just be safe, okay? Share:

I’m on yet another airplane, this time up to Seattle for another client meeting. I felt really bad for the non-English-speaker being berated by security at the airport for daring to bring 4.2 full ounces of liquid in his bag, as opposed to the 3 ounce limit. Anyway, every now and then I see a convergence of different tidbits hitting from multiple directions that points to a single issue. This time it’s about controlling content after you make it public. I’m consistently amused by the utter shock and dismay of various individuals and corporations when… gasp.. someone takes something they made public and does something… and you won’t believe this… unexpected and unapproved with it! How dare they share that file, deep link that news article, satirize that press release, re-work the data, or, worst of all, republish sale prices posted on a web site! Here’s the thing- if you make something public, you can’t assume it won’t be used in unintended ways. From friends sharing that new song just discovered, to a website pre-posting sales prices before Black Friday. I’m not saying it’s always legal, sometimes it is and sometimes it isn’t, but what I can say is that you’re foolish if you don’t prepare and plan for unintended use. People are people. They do unexpected things during every moment of consciousness and unconsciousness. Security is fallible, and we can’t prevent everything. If you make something public; heck, sometimes if you even share it privately, the only assumption you can make is that you can’t completely control what you release. What’s the old saying? If two people know a secret it’s only really secret if one of them is dead. Personally, I say knock them both off just to be safe. Share:

I’m out in Colorado with the wife to catch up with friends (I used to live here) and test the snow for proper friction (snowboarding up at Copper, where I used to patrol). And, uh… what was it… oh yeah. Work with a client. While I’m sure I could invent all sorts of crappy metaphors on how security is like snowboarding (keep your knees bent and your weight forward or the firewall crashes?), I think I’ll just sign off for a few days and enjoy the snow. Remember- there are no friends, or blogging, on a powder day. Share:

Adam at Emergent Chaos has a quick post on the lawsuit against the Seattle Seahawks over physical searches at the stadium. My response? Get over it. I performed more pat downs than I care to admit. Sometimes thousands on a given day. It ain’t fun, and I never enjoyed touching all you smelly, drunk, think-you’re-hotter-than-you-are types out there. It was, however, a great workout for your quads after the first few hundred squats to check the ankles. The main reason for searches at football games isn’t weapons (except at Raider’s games), it’s booze. The biggest safety concern during most sporting events is drunks. More specifically, it’s testostahol. When selling beer in a stadium there is a minimum level of control and patrons can be cut off when obviously drunk. No, it isn’t perfect, but it’s more effective than most of you realize. When patrons bring in hard alcohol things can get very ugly. Aside from fights, there are a lot of associated medical concerns (drunks like to fall down, pass out, and do other stupid stuff). Based on personal experience, the more you can screen up front (including denying entry for obvious intoxication), the less you have to deal with inside. Some items, particularly cans and bottles, are also very hazardous in a stadium environment. I’ve seen people nearly killed by an errant beer can thrown from the crowd at the crappy ref. As for the legality, go look at the back of your ticket. Even if built using public money, a stadium during an event is a private facility. Otherwise, technically, anyone could go for free. On all your tickets to any concert or game is the provision that you can be denied entry for any reason. Refusing to subject yourself to a search is a good reason. Besides, court houses, legislatures, military bases, and all sorts of other facilities are bought with public money and subject to security rules for public or private safety. What makes a stadium any different? Get over it. No one wants to pat down your ugly ass anyway, so it’s not like they enjoy it. Share:

I travel a lot, and on occasion I’ll run Nmap or some other scanner from my hotel room to get an idea of what’s out there, and how dangerous these hotel networks really are. To be honest it’s not something I do all that much anymore since even scanning an open network is running the risk of being considered over the line. But I just discovered a new security tool. It’s free. And it even plays music! Yes, the ever venerable and recently updated iTunes turns out to be an honest to goodness, if limited, security scanner. How? Well, I arrived in my hotel room last night, connected to the network, and launched iTunes for some background working music. Very quickly I saw four shared iTunes libraries on the network (without even looking actively, if you have iTunes set to find shared libraries they pop up all on their own after that). Some of my fellow traveler’s musical tastes are fairly interesting. In three of the four libraries the users conveniently included their personal name in their shared library name. One user even had the word “Limewire” in his (judging by his real name) library name. Huh. I wonder if he acquired all the music legally? Thus iTunes is now my new network security tool- I can instantly tell if I’m connected to a switched or segregated network, and even pick up the names and listening habits of other hotel guests. Anyone know if the RIAA offers a bounty? I mean they sue grandmothers and children, I don’t see why they wouldn’t start a confidential informant project. (Update 9/16 : DM and Chris Pepper remind me this feature isn’t anything new. Actually, I’ve used it for years on my home network, but this is the first time I’ve noticed random users on a hotel network and I found it amusing.) Share:

Electronic voting seems to be popping up again thanks to our favorite digital ostrich, Diebold. Martin Mckeay’s also writing on this a bit, and it’s well worth reading. This isn’t the first time I’ve mentioned this, and I didn’t come up with the idea, but with the most recent Diebold gossip I think it bears repeating. Gambling systems, electronic or physical, undergo extensive testing, validation, and auditing. We’re not just talking hacking, they shock the darn things with cattle prods and attack them using such phenomenally creative techniques that I’m awestruck the few times they show it on Discovery channel specials. And it’s the complete system that’s tested and audited constantly- even the odds distributions among video poker clusters in casinos (which are audited externally by various gambling commissions in the sin city of your choice). What does this have to do with voting? Gambling systems are somewhat unique in that pretty much everyone involved has an incentive to cheat everyone else. Were talking about a system where no one can really trust anyone. Sure, casinos (at least in Vegas) are on the up and up, but do any of you really trust them? They sure can’t afford to trust us, and pretty much no one trusts the government. The result? Some fracking good security. So here we have a highly secure system of numerous specialized electronic devices operating in a networked (or non-networked) environment with near-perfect auditability. Hmm, where else might we want a similar system? Heck- they even already have testing labs and audit standards. Funny how closely related gambling and politics are. I wonder if cattle prods are illegal in voting booths? I wonder how long Diebold would survive in Vegas? (I’ll be the first to admit us security types have a habit of blabbing on any topic we can possibly stuff into the security bucket, but electronic voting happens to be one of the areas where our experience is directly applicable. I don’t know too many (any) security types that try to justify Diebold’s positions. They’re either criminal or mentally incompetent.) ((And speaking of casinos- one of my favorite memories of Defcon was how none of the stores in the casino would take credit cards during the event.)) Share:

Reported over at Internetnews.com. The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct record electronic (DRE) machines Not verified yet, but this could be a very major development, if true. I don’t completely agree with ba ing all DRE- they play a valuable role for disabled voters and a few other demographics. During the last election I watched one older gentleman leave to go get a magnifying glass, since he couldn’t read the optical scan ballots. Requiring a stronger voter verified paper record for a recount, rather than ba ing all DRE, seems more reasonable. Share: