Security – Page 45 – A Geek With Guns

Multi-Layer Security

Bruce Schneier has an excellent essay posted on his blog. It deals with a security mechanism we are all familiar with, physical locks. It’s no secret physical locks can be bypassed via lock picks, bump keys, and random everyday objects. Few people realize though how insecure the lock on their front door is. On top of that most physical locks require a key, which many people find inconvenient.

Lock companies have been trying to solve both of these problems through more secure locking mechanisms and keyless entry methods. Of course as with any security related items these new methods are introducing new ways of exploiting physical locks. I don’t think there will ever be a secure lock, there will always be methods of bypass. But locks are important because they add another layer of security.

Having one layer of security is never a good idea since an exploit in that layer will leave everything behind it vulnerable. Case in point if somebody picks your lock they are through the front door. If you have no other security layer everything in your home is fair game. Now let’s add a large guard dog to the mix. Once the criminal bypasses the lock they will have to deal with the dog. This can be accomplished by simply killing the thing but if you are in the house and you hear the dog bark that gives you a few seconds to prepare. That would imply a third layer, you. Hopefully that third layer has a gun to add another layer between you and the criminal.

Security can only be properly done in layers, and each layer should complement another. No layer should be exploitable via another layer. In other words using our example bypassing the front door lock won’t affect the dog. Bypassing the dog won’t affect you and your gun. Meanwhile as mentioned in the link Schlage are introducing Internet enabled locks. This ties your physical security to the security of your computer. Should somebody exploit your security layers on your computer they also exploit one layer of your physical security. This should never be the case.

When planning a home defense strategy make sure you have multiple layers. Even seemingly unimportant things will require time on the criminal’s behalf. The more time the criminal wastes the more time you have to properly respond and prepare. Sure having two locks on your font door (always ensure one is a good dead bolt) may seem like a meaningless idea since it only prolongs the criminal’s entry it does prolong it. Those few additional seconds could buy you enough time to round your family up in a secure room with only one entrance that can be covered with a shotgun.

Trust No One, Especially if They Produce Your Cell Phone

It’s no secret I’m a geek. I work at a technology company, pay attention to technology news, get excited over new releases of Mac OS, Linux, and Windows and I have a smart phone. My smart phone is an old Palm Treo 755p running Palm OS (I still refuse to call it Garnet OS). By today’s standards, and even by the standards of the day I purchased it, it’s an outdated phone.

I’ve been looking at new phones but haven’t found one that suites me. The iPhone would be nice if it wasn’t on AT&T, and didn’t have draconian policies in place for it’s App Store. Android would be nice but it’s on T-Mobile which doesn’t get coverage in may places I travel to. Then there is the Palm Pre which I’ve had a slight love affair with due to the fact it’s from Palm and it’s on Sprint (I’m out of contract so I’m in no hurry to get into a contract with another carrier). I’ve been waiting for Palm to open the flood gates and allow third party applications to be installed on the Pre without using the special developer mode. Well I think the Pre may be off of my list.

Apparently the Palm Pre periodically reports you GPS coordinates back to Palm. I know what you’re thinking, since the cell phone providers can triangulate your position from your cell phone what does it matter if GPS coordinates are being transmitted? Well triangulating my position via my phone is simply a side effect of the technology and can be done with any radio based device. Also Palm is receiving these coordinates, and frankly they have no business having them. They have no need to know where I am when using their product, and they never mention that they are doing this. It’s slight of hand acts like this that really piss me off.

The link does have instructions on disabling this problem but it’s unknown if these changes will hold after a software update. But this is a good lesson on why you should trust no one with your security. This goes doubly so for closed source software vendors where you can’t know for certain that they aren’t doing something malicious under the hood. This goes triple for a company that produces a product that you carry around with you everywhere that has the ability to track you. Paranoia when it comes to personal security is a good thing.

Further Research

Palm’s terms and conditions that legally allow them to get away with this. (PDF)

Senator Wicker Introduces Bill to End Gun Restriction on Train Travel

Another pro-second amendment bill is being introduced, this time by Senator Roger Wicker of Mississippi. The Bill, titled the Amtrak Secure Transportation of Firearms Act, would require Amtrak to enact regulations akin to those held by airlines for transportation of firearms.

As it stands right now Amtrak has a zero gun policy. Unlike the airlines that have regulations in place that allow you to transport you gun, Amtrak won’t even allow you to bring a gun that is unloaded and locked in a secure case. From the article:

The legislation states that if an Amtrak station accepts luggage for a specific route, passengers would be able to lawfully transport firearms and ammunition in secure baggage based on the following guidelines:

· Before checking the bag or boarding the train, the passenger must declare that the firearm or pistol is in his or her bag and is unloaded

· The firearm or pistol must be carried in a hard-sided container

· The hard-sided container must be locked and only the passenger has the combination or key for the container

Of course this won’t allow you to carry a gun even if your legally capable but it’s far better then the anti-gun zero ability policy currently in place. Apparently a similar amendment to a budge resolution was made earlier this year but was removed by the House.

Secure Password Tips

Bruce Schneier has a good post with some dos and don’ts related to password security. It’s a good list that everybody should take a gander at since everybody reading this is using a computer.

Those Zany Russians are at it Again

You have to hand it to those Russians they don’t quite. Right now as you read this they apparently have two Akula class submarines patrolling our waters. Needless to say this has our people at the Pentagon a little concerned.

For note though the Akula class submarines are not nuclear missile launching platforms (although they can launch cruise missiles). Instead these subs work as anti-vessel ships searching out our navel assets and sinking them should war break out.

According to the article this is the first time the Russians have put submarines off of our coasts in roughly 15 years. You have to hand it to them you can knock the Russians down (at least their government) but you can keep them down.

Further Research

Information on the Akula class submarine.

Outrage and Lies

I saw a video posted on John C. Dvorak’s site entitled “Log into Cars.gov and Turn Your Computer Over to Obama” yesterday. I didn’t think much of it but I see it’s making the rounds now so I thought I’d comment.

In the video Glenn Beck says when you visit the cars.gov web site provides a disclaimer stating that once on the site your computer becomes federal property. Once I saw this I headed over to the site to check it out and couldn’t find the said disclaimer. I figured the site owners probably removed it once this aired due to public outcry but I’ve since discovered it only applies to the dealer’s site. Here is the text of the disclaimer:

his application provides access to the DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion CARS or the DoT personnel.

That is a pretty severe disclaimer. In essence it states that certain people have unrestricted access to your system and its files. I agree that this in itself is outrageous but further in the video is where the lies come in.

Mr. Beck goes on a tirade about the government having all sorts of evil software that can infect your system and turn it over to government control. Further he implies that if you go to that website the government will probably upload this software onto your system (at least that’s how I understood what he was saying). This of course if after a series of hysteric disclaimers saying people shouldn’t go to the website on their computer.

This is pure lies and hysteria. Let me sum it up in three words computer aren’t magic. A properly secured computer system will not allow remote entities to place software on the said system. The only way to place software on a system remotely is either through administrator tools which restrict access to system administrators (if properly setup) or through security holes. Many malicious software engineers use the later to upload things like worms, which are self replicating software packages that use vulnerabilities found in operating systems to install itself on un-patched systems. The key world there is un-patched. Once a security hole is discovered the operating system manufacturers are usually very quick to get out a patch which fixes the vulnerability. This is what Windows Update does and why Microsoft is so insistent that people either run it or set it to run and install patches automatically.

Furthermore most worms doesn’t come out until the patch has been released. This is because of two reasons. First most people don’t know about the vulnerabilities as security advisors who find them usually keep quiet until the patch is released. The second reason is most malicious hackers (there are good hackers to hence I’m designating the bad ones as malicious) take the patch and reverse engineer it to understand the exploit and then write their worm based off of that newly learned understanding.

But we’re dealing with the government which plays by different rules. Some people believe the government has backdoors in every operating system on the planet or at least in corporate backed operating systems such as Microsoft Windows and Apple Mac OS. Here again we have two points. the first is if they already have these back doors why the Hell would they tell you that your computer is federal property when visiting their dealer site as that would potentially tip people off that they have access to the machines files? But the second point is why would any corporation be willing to place those back doors in their systems?

First off people will say money. Their understanding is the companies will put in back doors for the government because the government is willing to pay them for it. This argument doesn’t hold water because no operating system is totally autonomous. There are security experts combing through modern operating systems, especially Microsoft Windows, looking for previously unknown means of compromising the system’s security. We are not talking about a couple experts but thousands. These people are paid by finding these vulnerabilities and reporting them to the operating system manufacturers and generally will release the details of the discovered exploit after a patch is released to increase their portfolio.

See a security expert whom hasn’t discovered anything isn’t much of an expert while one who has published exploits has some clout and hence is more likely to get a job. Now here is where money for the operating system producers comes in. With each security hole likely being published and certainly being eventually patched people get a feel for the number of security exploits that have been found in each operating system. People don’t want to trust a system they don’t feel is secure, which is why Microsoft has had such an issue getting more people to adopt or at least not dump Windows for secure systems. To this effect operating system producers have been putting tons of time and money into making their systems more secure and have done quite a good job of it.

Now with how little people trust Windows to be secure just imagine if people found out they placed a back door for the federal government in their system? This applies to all operating system producers but since Microsoft is the largest I’m using them as an example. I can guarantee that within minutes of this being discovered and announced (which it would be either via discovery or through a whistle blower at Microsoft) major companies would be hauling in their entire IT staff for an emergency meeting on how to deal with this security threat. The only conceivable outcome of that meeting would be to dump Windows for something more security and probably not corporately controlled such as Linux of FreeBSD. Microsoft would in essence lose thousands if not millions of Windows licensees within the period of time required to move critical systems over to another operating system. Hence it’s not in Microsoft’s, or any other company who produces an operating system’s, best interest to create a back door for anybody in their system.

I’m sorry for the extent of this post but people need to realize that computers aren’t magic. They are designed systems created for human use by mostly paranoid developers.

Now this doesn’t mean don’t be paranoid when using a computer and visiting a web site. There are plenty of exploits out there that can take control of systems, although fully patched systems are generally pretty safe. But don’t let people like Mr. Beck make you believe that your systems is going to be fully exploited and taken over by the federal government because you visiting a website. Honestly the government wouldn’t gain enough to justify the risk of it being revealed that they are breaking into citizens’ computers without any warrant or due process.

Further Research

A good write up about the disclaimer only applying to dealers and the ramifications of that.

Trust No One Especially Baggage Checkers at Airports

I just say this post on Says Uncle. As we all know if you fly with guns you have to put them in checked luggage. This in essence is meant to prevent somebody from coming aboard with a gun and either hijacking the plan or shooting it up. The checked baggage is checked by humans whom are supposed to be airport employees whom you can trust.

Well once again live shows a wrench in the best laid plans as three baggage handlers have been arrested for theft. They were busted as a result of a string operation which was set in place when a retired police officer’s gun was stolen after being checked in at the airport.

This should present a couple major ideas. First and foremost never use those TSA approved locks. These locks for those who do not know are ones which can be opened by any TSA officer should they need to look at an item contained in the locked case. These locks are flimsy and not secure to begin with but knowing anybody with a specific key can open your luggage should worry you. If you don’t have a TSA approved key you will be called to the desk to open the locked container should they need to look at it. This is ideal since you’ll be there to open the case and stand there while they look at it. This means you see everything from the case being opened to the case being closed again so nothing should go missing.

The second thing to note is you should have a plan should your container be stolen. If you have a good case with a good lock it will take the thief some time to open it, in fact they probably won’t get to it before the end of the day when they can get the case home. This means you should be able to put a tracking device inside of the case and it probably won’t be taken out until the thief gets the case back home. The linked tracking device has an option to send SMS texts to you based on outlined criteria. This means you could setup criteria that once the case leaves the airport you get an SMS with it’s location and get periodic updates from then on. This would allow you to track the case and you will know if it’s heading in the right direction. Further should the case be stolen you can tell the police where it went and where is potentially is. Of course the device I linked to is pricey but if you have one or two custom guns in there isn’t not really that expensive considering the cost of losing the guns.

If You’re Going to Scam Try Doing it Somewhere Not Overrun by Security Experts

This is a rather funny but also scary story. An unknown criminal entity setup a fake ATM at a hotel. The fake ATM was meant to steal credit card numbers and provide them to the controlling entity. Well the people who set it up probably didn’t realize that Defcon, an event focusing on security, was going to be in town.

Needless to say a place flooded with security experts meant somebody took note that the ATM didn’t look quite right. After a short investigation they discovered the machine was in fact fraudulent and contacted the police whom took it away.

The scary part here is realizing how sophisticated criminals are becoming. Who would suspect a fake ATM machine? But all that is needed is to create a casing that looks like an ATM and slap a computer with a card scanner in it and you have an instant way of harvesting credit card numbers. For bonus points you can put in a cellular data card tied to a stolen account and have the computer inside the machine transfer the credit card numbers to a compromised computer which in turn will transmit them to the controlling entity.

Of course creating a fully functional fake ATM isn’t necessary. A simple card reading device can be overlaid on an authentic ATM. When you insert your card the overlay will read the card number and then feed it into the ATM. At that point you have no idea your credit card number was recorded by an entity besides the ATM. After a period of time the thief can retrieve the overlay and obtain the recorded credit card numbers. Furthermore to prevent having to physically retrieve the overlay the thief could setup some kind of wireless transmitter inside the overlay which would allow the numbers to be retrieved from a distance.

People trust ATMs because they don’t realize people can make fake imitations which look real. This seems like a job that would be too expensive and sophisticated for a generic criminal and hence nobody worries about it. This story should remind everybody that being paranoid isn’t necessarily a bad thing.

Further Research

A Diebold white paper on ATM fraud and security. (PDF)

A Case Against a Gold Backed Economy

I was reading Bruce Schneier’s block and came across an interesting story…

http://www.commodityonline.com/news/Swiss-banks-have-no-space-left-for-gold!-19698-3-1.html

Swiss banks are running out of space to put their gold. This is a larger issue than many would give it credit for since gold does take a lot of space and if you have a large quantity of it in one area you need to really secure it. I’m not talking just putting more guards around it but you need to fully secure it since criminals will be trying to steal that treasure trove of precious metals.

It’s an interesting thing to consider especially for those who want us to return to a gold based economy. I’ll be the first to admit that I don’t know enough about economics to determine if backing our money with gold is a good idea. I will say it seems smart to back your money with something of value though. And if you set each denomination of money to be valued a specific denomination of gold it would prevent stupidity like a government printing up $1 trillion to give away to people who helped cause a major economic recession. I’m just saying.

Source: http://www.schneier.com/blog/archives/2009/07/swiss_security.html

Using Waste Water to Determine Drug Use

This is an interesting study…

http://eastoregonian.com/main.asp?SectionID=13&SubSectionID=48&ArticleID=95522&TM=41256.42

Researchers are testing untreated sewage for chemicals that are found in drugs. From the article…

Scientists from Oregon State University, the University of Washington and McGill University partnered with city workers in 96 communities, including Pendleton, Hermiston and Umatilla, to gather samples on one day, March 4, 2008. The scientists then tested the samples for evidence of methamphetamine, cocaine and ecstasy, or MDMA.

Just wait until all waste water leaving your home gets tested. If they find traces of anything illegal it will give the Drug Enforcement Agency probably cause to storm your home. Ah yes, progress.

Source: http://www.schneier.com/blog/archives/2009/07/mapping_drug_us.html