Physical security Archives

Cyber Defender Richard Clarke Advises Weapons Protection Tech Firm

 

Former White House counterterrorism adviser and cybersecurity doomsayer Richard A. Clarke is now advocating a new technology federal agencies are using to trace a different kind of threat -- weapons and other objects of destruction.

Visible Assets, Inc., manufacturer of RuBee wireless-tracking networks, announced on Tuesday that the author of "Cyber War: The Next Threat To National Security And What To Do About It" has joined its board of directors. The firm currently helps several agencies in the Defense and Energy departments manage inventories of weapons and hazardous materials, and it has aspirations to deploy the technology in federal agency computer server rooms.

Similar to radio frequency identification, RuBee -- typically embedded in tags on objects -- sends data to an antenna, except RuBee's signals travel through magnetic waves, not radio waves. Magnetic waves allow the information to pass through people, mud, water, steel and other environments that disable RFID.

"It's like an RFID tag only better," Clarke told Nextgov in an interview. "The RF in RFID is not involved." He added that the apparatus has applications beyond the military, perhaps for border protection.

John K. Stevens, chairman and chief executive officer of Visible, who also was interviewed, said the firm has had "serious discussions" about attaching RuBee tags to radiation suits for DOE laboratory personnel. The company's Energy customers include the Lawrence Livermore National Laboratory, Y-12 National Security Complex and Los Alamos National Laboratory, all of which conduct nuclear research.

"Most of the nuclear items that DOE has stored are in secure rooms and they have doors on them and [the tags] are also radiation proof," he said. Stevens added that RuBee-based networks could be helpful for heightening the physical security of computer assets.

House Committee Tries to Define Cyberwar

 

A Defense authorization bill expected to move out of committee Wednesday night attempts to explicate the ill-defined area of cyberwarfare, spelling out the Pentagon's power to engage in covert military activities over the Internet.

The legislation, H.R. 1540, clarifies that "the secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations . . . outside of the United States or to defend against a cyber attack on an asset of the department."

Al Qaeda and the Taliban increasingly have wielded the Web for command and control operations, as well as for distributing technical information to support attacks on U.S. and coalition forces in areas of ongoing hostilities.

"The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace," the measure states.

While the provision is not meant to stipulate every permissible online activity, the committee's bill summary says it is intended to at least empower the Pentagon to use the Web for secret military efforts "pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset."

Agencies Look to the Cloud for Help with Digital ID Requirement

 

Some agencies are turning to cloud computing providers to fulfill a requirement that they install smart card readers on all federal facilities by October.

The Obama administration recently clamped down on enforcement of the 2004 Homeland Security Presidential Directive 12, which requires federal employees and contractors to possess IDs embedded with digital fingerprints and photos to access government buildings and networks.

Many agencies only ask that staff show the badges, rather than taking the time and money to activate the electronic features of the cards. February regulations imposed an Oct. 1 deadline for mounting digital readers -- with a financial penalty for failing to comply.

ADT Security Services and Brivo Systems, a web-based software provider, announced this week that they have jointly outfitted five buildings in Detroit and Chicago with an access control system that officials can monitor through the Internet, or the "cloud." About 8,000 employees from roughly 50 federal agencies work in the facilities, according to the two companies.

Agencies are under pressure to outsource hardware and software services to the cloud, as the administration has set a goal of phasing out about 40 percent of the federal government's 2,100 cost-consuming in-house data centers by 2015.

ADT and Brivo began the initiative in downtown Detroit with the McNamara Federal Building, which houses offices for the Internal Revenue Service and the Social Security Administration, among other agencies.

The Detroit facility and four other buildings in the Chicago area, which are operated by the General Services Administration, now have card readers at 55 access points.

"This platform allows the GSA to take full advantage of an infinitely scalable cloud solution in the future," John Szczygiel, Brivo's executive vice president, said in a statement.

House FY 2011 Bill Would Slash Cyber by $60 Million

 

The House Appropriations Committee intends to cut cybersecurity funding by $60 million for the last remaining seven months of the fiscal year.

The committee on Friday introduced H.R. 1, the largest discretionary funding reduction in congressional history, which would take money away from the Homeland Security program that coordinates nationwide efforts to safeguard critical infrastructure and communications.

Under the Republican-led committee's plan, the infrastructure protection and information security program would get $806 million rather than the $866 million that DHS requested.

Part of the rollback would rescind $6 million in unobligated balances from so-called next generation networks for providing national security and emergency preparedness communications, in the event someone or something cuts off connectivity.

Meanwhile, House Homeland Security Ranking Democrat Bennie Thompson, D-Miss., estimates that another Republican-backed measure, H.R. 408, aimed at scaling back federal spending in fiscal 2012 to fiscal 2006 levels, would slash the cyber and infrastructure protection program by $275 million.

On Friday, Thompson released a report that said the reduction would mean "ground would be lost on efforts to identify, address and mitigate cybersecurity and physical vulnerabilities to federal and private sector networks."

Christian Slater, Hacker

 

Fox is out with a trailer for its upcoming comedy series, "Breaking In," starring Christian Slater, about a team of brainiacs that makes its money by testing office security systems for weaknesses. The TV twist is that the cyber sleuths also are hackers.

The network describes the show as "a half-hour workplace comedy about a high-tech security firm that takes extreme -- and often questionable -- measures to sell their protection services." The fictional firm, Contra Security, "gives clients a sense of security by first ripping it away."

Slater, who last appeared on the canceled show "The Forgotten," plays the enterprise's leader, Oz. The series debuts April 6.

The episodes may unintentionally assist the government's ongoing effort to raise public awareness about online threats -- if the show lasts.

WikiLeaks Sought, Ignored Editorial Advice

 

In early 2007, the organizers of a new website called WikiLeaks invited Steven Aftergood, a Federation of American Scientists researcher who publishes a government secrecy e-newsletter, to serve on their advisory board.

At the time, the site's founders described themselves as Chinese dissidents, mathematicians and startup company technologists in the United States, Australia, Europe, South Africa and Taiwan.

National Journal's now-defunct Technology Daily reported that Aftergood had not decided whether to get involved: "I still want to see how they launch, what the focus is and if they're putting out good material ... and if the positive outweighs the negative," Aftergood explained.

Flash forward to 2010. In June, Aftergood posted a commentary saying that "WikiLeaks must be counted among the enemies of open society because it does not respect the rule of law nor does it honor the rights of individuals. . . . WikiLeaks routinely tramples on the privacy of non-governmental, non-corporate groups for no valid public policy reason."

After the most recent leak of diplomatic cables containing embarrassing and damaging details about U.S. allies, Aftergood wrote, "WikiLeaks has been inattentive to the unintended consequences of its actions, careless about putting individuals in harm's way, particularly in the case of the Afghan war records, and ethically deficient in its invasions of personal privacy."

Aftergood tells Nextgov that -- shocker -- he never became an adviser to WikiLeaks. "We had some friendly communications in late 2006 and early 2007. But basically I concluded that I didn't support their basic approach to publication of confidential records, and that was the end of it," he said.

During his brief correspondence with the group, Aftergood did offer one piece of advice that WikiLeaks apparently ignored: "As I recall, I told them it was a mistake to publish anything without some kind of editorial filter to screen out false, libelous or dangerous information."

A DNI Legal Leak

 

The Office of the Director of National Intelligence disclosed 2007 guidelines used to investigate and respond to leaks of classified information, in response to a Freedom of Information request filed by government secrecy expert Steven Aftergood. The WikiLeaks website published a 2002 version of the handbook a couple of years ago.

The 4-page policy on unauthorized disclosures that Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, legally obtained last week was signed by then-Director Mike McConnell to replace the earlier directive issued by former Director George Tenet.

The document outlines requirements for reporting alleged unauthorized releases of intelligence that are likely to jeopardize national security interests. It covers media leaks, as well as compromised storage equipment and other data losses.

"The 2007 directive, signed by then-DNI J. Michael McConnell, seems measured and matter of fact by comparison with the 2002 directive (pdf) that it replaced, which was issued by then-DCI George J. Tenet. The Tenet directive had a lot more adjectives ('strong', 'aggressive') connoting forceful opposition to leaks, as well as a bit of chest-thumping (leaks 'shall not be tolerated or condoned'). For whatever reason, most of that colorful language was removed in the 2007 directive," Aftergood noted on the project's blog.


Have Gun, Will Cut in Line

 

The following item was written by Jill R. Aitoro.

You think metal detectors, you think enhanced security. If someone's got a gun, it will set off the alarm and he or she won't be able to enter.

Not in Texas.

According to an AP story posted by countless media outlets, including Washingtonpost.com, a loophole in a new security procedure allows those with a gun permit to bypass the lines for metal detectors at the entrance of the Texas Capitol building.

The metal detectors were installed earlier this year after a man fired his gun outside the doors of the main entrance. Soon after, a separate lane was created so those carrying guns could enter without having to show their weapons. (This complies with Texas law that allows people to carry a gun if they have a permit and keep it concealed.) Holders of gun permits simply have their licenses scanned and place their bags -- sans gun -- through an X-ray scanner. An actual gun is not required to get to the front of the line, only a permit stating that you have the right to carry one, should you so choose.

The result?

"Everyone from lobbyists to lawyers and journalists is rushing to get permits to carry guns inside the Texas Capitol," the article reports.


Security and Russian Spies

 

The FBI this week arrested 10 people accused of being Russian spies, an investigation that stretches back to the Clinton White House. According to the FBI, the operation was aimed at placing spies in nongovernmental jobs where they could get insider information without being easily identified. Interestingly enough, the FBI's arrest was aided by its ability to infiltrate the group's computers. Turns out these alleged spies weren't as careful about their cybersecurity as they should have been. So what did they do wrong?

Word is the spies used Wi-Fi networks to communicate, but instead of connecting to an access point, they established ad hoc networks. Ad hoc networks make remote surveillance of the connection a bit harder, and the FBI would have needed a listening post close by in order to intercept the connection. Johannes Ullrich, chief research officer for SANS, writes today that the spies should have changed their MAC addresses to avoid tracking.

The other security hiccup to emerge is a good lesson for us all. Apparently the FBI secretly searched the homes of some of the spies and copied their hard disks. Problem was, they were encrypted. However, an FBI agent noticed a piece of paper during the search with a long letter and number combination, which turned out to be the encryption password. This allowed the agents to decrypt the hard disk, where they found steganography software, other encryption tools and lists of websites used to exchange steganographic messages.

"Typically, if you want to do steganography right, first encrypt the message, then encode it in an image," Ullrich writes. "In particular if you use standard software to perform your steganography."

One other lesson to heed if you're a spy is never to use an old password to encrypt a new password. Once an attacker figures out the password, they will be able to decrypt all the others. The spies made this mistake as well. But for once it's nice to see the U.S. government finding the vulnerabilities and exploiting them against the perpetrators, not the other way around. The reports still are developing, but it does appear that cybersecurity principles played a big role in this investigation. This will remain an important lesson, not only for spies, but also especially for those employees who communicate away from work and bring home important information. Don't make the same mistakes, or your company's/agency's data could be compromised in a similar fashion.
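Ullrich's point seen from the examiner's side, as an added example that is not part of the original post: running a standard least-significant-bit extraction over a carrier returns readable text when the payload was embedded as-is, and only noise when it was encrypted first. The LSB layout, the `toy_encrypt` stand-in cipher and all sample data are assumptions constructed for illustration.

```python
import hashlib

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload bits (MSB first) in the lowest bit of successive cover bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, length: int) -> bytes:
    """What an examiner running the same standard tool recovers: `length` bytes."""
    out = bytearray()
    for i in range(length):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream, XOR); the same call decrypts.
    Illustration only; a real tool would use a vetted authenticated cipher."""
    blocks = (hashlib.sha256(key + n.to_bytes(4, "big")).digest()
              for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; near 1.0 means readable text."""
    return sum(32 <= b < 127 for b in data) / len(data)

# Constructed sample data: a fake 4 KiB "pixel" buffer and a made-up message.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
MESSAGE = b"constructed sample message: the quarterly figures are attached. " * 2
KEY = b"constructed-demo-key"

def examiner_view(encrypt_first: bool) -> bytes:
    """Bytes recovered from the carrier by plain LSB extraction, without the key."""
    payload = toy_encrypt(KEY, MESSAGE) if encrypt_first else MESSAGE
    return extract_lsb(embed_lsb(COVER, payload), len(payload))

if __name__ == "__main__":
    for mode in (False, True):
        seen = examiner_view(mode)
        print(f"encrypt_first={mode}: printable={printable_ratio(seen):.2f} {seen[:24]!r}")
```
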

TSA's Database of Jerks

 

For nearly three years, the Transportation Security Administration has been assembling a database of airline passengers who are overly rude or threaten a screener. USA Today published an article on the database Monday, reporting:

Incidents in the database include threats, bullying or verbal abuse, remarks about death or violence, brandishing a real or fake weapon, intentionally scaring workers or excessive displays of anger such as punching a wall or kicking equipment, [a TSA] report says.

The American Civil Liberties Union doesn't think much of the database, saying it has the potential for misuse. What if a screener just doesn't like your attitude and decides to include you in the database? Or the information, which could include "names, birth dates, Social Security numbers, home addresses and phone numbers of people involved in airport incidents, including aggressors, victims and witnesses" is misused by other agencies or accessed by hackers?

TSA officials say the database was created to protect workers, who are harassed and at times accosted. Besides, after about three years in use, 240 incidents have been submitted to the database, TSA says. Now, an incident can include more than one name. But still, just how many names can be in the database, exactly? Two times that? Maybe three times? Even if it is, say, 1,000, is that a lot? And do you have a good chance to be included?

Let's see, the Bureau of Transportation Statistics at the Transportation Department reported in March that 770 million passengers moved through all U.S. airports in 2009; that was on top of 812 million in 2008. With those numbers, 240 is put a bit in perspective.