[SecurityRatty] tag: death

Lessons from Mumbai

Mon, 01 Dec 2008 05:03:41 +0000

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:

Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.
At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.
Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.
Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Evenmetal detectors and threat warnings didn't do any good:

"If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."
He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

"They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories and not analysis. I don't mean to be sympathetic; this tendency is human and these deaths are really tragic. But eighteen armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

Stampede Death at Wal-Mart

Mon, 01 Dec 2008 01:12:00 +0000

The death of a Wal-Mart employee on Black Friday in New York should never have been allowed to happen.

The Police are said to be reviewing tapes to see if they can identify who was responsible for trampling the poor man to death. What will that achieve? Obviously it was not done on purpose. The findings are bound to result in an "accidental death" determination.

Getting back to; who is responsible? I think that is quite clear. Wal-Mart has to accept responsibility. UNLESS...they really did hire an outside security company and the employees of that company did such a poor job organizing that mob of "door busters", that they lost control of the situation.

One thing is a given. The family of the employee who lost his life is bound to bring a civil law suit against Wal-Mart. If I were them, the first thing I would look to find out would be who(if anyone)was providing security on Thanksgiving night outside of the front door?

Unfortunately, many clients do not take the function of security very seriously and they delegate the responsibility to those with no security training or experience. We have consulted for clients at arenas and found that ordinary ushers will be given a fluorescent vest or jacket with "SECURITY" written on the back and asked to provide security. This is a libility claim waiting to be filed.

If Wal-Mart did in fact outsource their security to an outside company, was the company allowed to provide an adequate number of officers to ensure that shoppers lined up in an orderly fashion? One security officer to a couple of hundred people is another liability suit waiting to be filed.

Next, they should be looking at the training that the security officers (Wal-Mart better hope that shelve stockers were not given the task)receieved. Because it was Thanksgiving night, there is the possibility that the company couldn't get anybody else to work and used untrained and inexperienced personnel. If that turns out to be the case, hopefully the company was legal and had adequate insurance coverage.

Whatever happens regarding a civil law suit, one thing will remain unchanged. A man lost his life in an incident that should have been prevented. It is obvious that not everything was done to ensure the safety of the shoppers who traditonally lined up to get the best bargains when the store opened on "Black Friday".

Whether it was Wal-Mart or the security company who may have been hired to prevent this very incident from happening - somebody failed to do their job. Whichever one it was, they should step up to the plate and apologize to the grieving family for letting them down.

A Less Tasteful Internet

Fri, 14 Nov 2008 04:59:47 +0000

It may take awhile, but ICANN can change things for the good. The public comment period is still open on the formal policy on AGP DELETEs, but the stopgap budget measure in place seems to be very effective. ICANN announced that AGP DELETEs declined "... from approximately 17.6M in June 2008 to 2.8M in July 2008." 2.6M of the 2.8M were subject to the fee, so it would seem that even those would continue to decline as the people paying them realize they're wasting their money. AGP DELETEs are the mechanism used by "domain tasters" who register a domain, throw PPC ads up on it and DELETE the registration before five days are up for a full refund of all fees. Under the new budget policy, registrars who exceed a certain threshold of DELETEs as a percentage of total registrations can no longer refund the 20 cent ICANN fee. This alone has led to the massive decline in DELETEs, showing how little margin is involved in each domain. Let's hope that ICANN keeps the policy at least as restrictive as this. Domain tasting may no longer be a problem. ICANN has placed the EstDomains registrar back on death row. Read about it here.

There is a fix for the AVG update

Tue, 11 Nov 2008 15:04:36 +0000

Read the post for info on how to recover from this.
In my opinion, AVG is still a great product.

clipped from www.ghacks.net

AVG 8 Update Marked User32.dll As Virus Infected

Users who followed the advice of the AVG software program were greeted with a Blue Screen of Death as soon as they clicked on the Heal button to remove the virus. Any attempts to boot the system afterwards failed because of the missing file. AVG was quick to react and released another update that corrected the issue.

Pakistan Declares Death Penalty for 'Cyber Terror'

Sat, 08 Nov 2008 15:20:01 +0000

American officials can have some pretty over-the-top reactions to hackers and so-called cyber terrorists. Once, I saw a briefing comparing our own Kevin Poulsen to Osama bin Laden and Pablo

Keeping Contraband Out of Prisons

Tue, 28 Oct 2008 04:09:21 +0000

Chilling story of a death-row inmate with a contraband cell phone.

If we can't keep contraband out of prisons, how can we possibly hope to keep it out of airports?

Do you have poorly trained security guards working for you? If you do, al-Qa'ida may be watching

Sun, 19 Oct 2008 15:37:00 +0000

It seems strange that the Department of Homeland Security would be mentioning a recording by deceased al-Qa'ida operative Yousef Al-Ayeeri made before his death in 2003.

Eventhough DHS said there was no credible or specific information, they still deemed it necessary to release the note because it is "important for local authorities, building owners and operators to be aware of potential attack tactics".

Apparently, Al-Ayeeri made the recording to encourage other al-Qa'ida operatives to take over a publicly accessible building(s) in the U.S. and destroy it by using a series of strategically placed explosives.

What makes the plan especially interesting to a security consultant is the way Al-Ayeeri describes the ease with which operatives would be able to take over public buildings. His recording advises that it will be quite easy due to "poorly trained and lightly armed or unarmed security guards".

What does this tell us? It tells us that terrorists are carrying out surveillance right under our noses and taking notes when they observe a breach of security or "poorly trained security".

Hopefully none of you reading this have "poorly trained security" working for you. If you did, how would you know? Perhaps it is time to have a security review and or/survey of your premises conducted.

They say "dead men can't talk", but it nearly seems like this one is sending out a warning.

Outsourcing Infrastructure Management

Fri, 17 Oct 2008 12:30:15 +0000

Have you experienced this? You call [fill in the blank] tech support and reach “Bob Smith” whose accent doesn’t quite match the name. If you’re like me, you wonder two things: is his name really Bob Smith? And if it’s not, why is he lying?

Is it supposed to make me feel better about getting my problem fixed if I’m talking to someone in the Midwest versus someone in Bangalore? (Please no hate mail – I’m from the Midwest.) Honestly, I just want my computer to stop showing me a blue screen of death.

But apparently, I might be in the minority. According to the Black Book of Outsourcing (yes, outsourcing has a black book), reverse outsourcing is on the rise with “India’s leading service providers opening offices on Main Street, USA” to be closer to customers (mainly North American) and draw from the “local talent pools”.

The one area of outsourcing bucking this trend – infrastructure management. Co-writer Scott Wilson says that infrastructure management is largely automated, low touch and does not involve a lot of interaction.

Speaking as a vendor of infrastructure management tools, that’s a bunch of malarkey. Perhaps at a very low level this is true (i.e., is the device responding), but that’s just the tip of the iceberg when it comes to monitoring performance, availability and SLAs for today’s networks, systems and applications.

Certainly as vendors, we try to put as much automation as possible into our toolsets – helping our customers to simplify IT management wherever possible, enabling them to be proactive by setting up “intelligent” alarms and thresholds that warn of problems before they become showstoppers and reacting at a speed in this increasingly virtual world that simply is not possible for human manual interaction.

But infrastructure management doesn’t happen in a vacuum and you can bet when something goes wrong which affects some mission-critical app state-side, that there is a LOT of communication and interaction. And it takes a lot of work and setup to get to a level of automation where the alerting is proactive and intelligent and customized for each business.

One of the main points of tools like ours is to automate where possible in order to free up the valuable time of the sysadmins, network engineers, IT managers, etc to do the higher order work – which is how they’ll get to the next level of infrastructure management. Beyond “is it up”, infrastructure management should be providing answers to questions like: “is it always up”, “is it doing what I expected it to do” and “will it still be working as expected as my company grows”.

Halloween Came a Little Early...

Wed, 15 Oct 2008 20:00:00 +0000

Halloween came a little early for Rob Enderle. Is he right to be very, very afraid..?

Rob Enderle recently attended an EMC conference where, among the speakers, he heard from Uri Rivner regarding the growing sophistication–and mass-production capabilities—of the online fraud industry. In his excellent piece in Dark Reading on the subject entitled “How RSA/EMC Scared Me Half to Death”, Rob admitted to being more than a little scared by what he heard. And among his fears is that, in these tight economic times, companies will not make the investments needed to ensure that they and their customers are secure against these increasingly robust threats...

Army Orders Pain Ray Trucks; New Report Shows 'Potential for Death'

Fri, 10 Oct 2008 11:17:00 +0000

After years of testing, the Active Denial System -- the pain ray which drives off rioters with a microwave-like beam -- could finally have its day. The Army is buying five of the truck-mounted systems for $25 million. But the energy weapon may face new hurdles, before it's shipped off to the battlefield; a new report details how the supposedly non-lethal blaster could be turned into a flesh-frying killer.