By analysing the movements of human shadows in aerial and satellite footage, JPL engineer Adrian Stoica says it should be possible to identify people from the way they walk -- a technique called gait analysis, whose power lies in the fact that a person's walking style is very hard to disguise.

Video taken from above shows only people's heads and shoulders, which makes measuring the characteristic length and rhythm of a person's stride impossible. That's not true of shadows, though, Stoica told a security conference in Edinburgh, UK, last month. Shadows, he says, provide enough gait data to deduce a positive ID. To prove it, he has written software that recognises human movement in aerial and satellite video footage. It isolates moving shadows and uses data on the time of day and the camera angle to correct shadows if they are elongated or foreshortened. Regular gait analysis is then applied to identify people. In tests on footage shot from the sixth floor of a building, Stoica says his software was indeed able to extract useful gait data.

The article goes on to say that using satellite images would be harder, but that the basic idea is the same.

Of course, this is less useful for finding individuals and more useful for tracking a population as it moves about its day. But some individuals will have more distinctive gaits than others, and will be easier to track. Soon we may all need to walk with rocks in our shoes.

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren’t theoretical academic exercises. Cold boot attacks are real. And they’re serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost “Cold Boot” attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I’ll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here’s a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a “virtual secure enclave” for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

News from Portfolio.com

Also on Portfolio

Time for Tech to Throw Everything Into Energy

Hollywood Frets Over Corruption Crackdown

McCaw's Back to Remake the Wireless Landscape

Subscribe to Portfolio magazine

Apollo Robbins won't say whether he's ever stolen anything in his life, but it's clear he could if he wanted to. Having grown up in Missouri with three half-brothers who were all involved in various criminal activities (one of them is in the witness protection program after testifying against former colleagues of his), the 34-year-old Robbins was indoctrinated at an early age into the finer aspects of pickpocketing and con games.

He eventually developed those skills into a successful career as a sleight-of-hand artist and performer in Las Vegas. His latest act, though, has him starring as a corporate security consultant. In this role, it is less his dexterous hands that appeals to his clients than his mastery of all aspects of criminal cons, grifts, and social-engineering ploys.

"When you're trying to steal something, you find the weakest link and work that," Robbins says. "Nowadays, as technology gets better and security systems get harder to break through, the weakest link in any system is the human running it."

Robbins founded his consulting operation, Whizmob Inc. (the name comes from the street term for a team of pickpockets working together), two years ago while still performing full-time.

After doing a show a few years back in which he pickpocketed Secret Service agents accompanying former president Jimmy Carter, the resulting publicity led several law-enforcement agencies and other groups to contact him about his techniques.

"At first, I'd refer them to security people I knew," says Robbins. "Then I realized that instead of being a referral service, I could capitalize on this."

It was a good time to get in on the act. Information security consulting, which barely existed in the mid '90s, has become an estimated $10 billion to $12 billion business as the need to protect sensitive information stored on computers and servers has become a more central concern.

Today, Robbins counts the N.F.L., TNT, and several Fortune 500 companies among his customers. He recently advised the N.F.L. on information security protection at this year's Super Bowl in Phoenix to combat the expected flow of thieves and con artists lured by all the deep-pocketed spectators coming to town.

His work included getting a major hotel to upgrade its WiFi security so that fake access programs known as Trojans couldn't extract valuable data and password information from unsuspecting guests' computers. And at the stadium where the game was held, Robbins and his team identified areas where pickpockets would most likely operate—specifically, places with lots of traffic where bumping into people would be customary, and easy access to exits for escape purposes.

Besides the shadier elements of Robbins' childhood, his father, a blind minister, instilled in him a strong sense of morality. "It was like living in two worlds," Robbins says.

In many ways, he still is living in two worlds, since he keeps in regular contact with some professional thieves he knows in order to stay abreast of the latest cons. (While he doesn't pay them, Robbins says that "a lot of these guys are really good at what they do but they can't exactly discuss it with a lot of people.") But increasingly, Robbins is spending time in the more staid settings of the corporations that hire him to vet their security systems.

"It's a good time to be in the business," he says.

So, Anton Security Tip of the Day #15: Fear and Loathing in Event 567

This tip digs into a seemingly simple, but really VERY esoteric subject: monitoring file access and modification via a Windows event log. Now, some people - who never studied this subject - tend to have a very simplistic view of this: just enable Object Access auditing, then right-click on a file or directory, click Security->Advanced->Auditing and then pick what types of events will be logged and by what accessing entities (i.e. users or computers). OK, so this will produce some logs, that is for sure. But are they useful?

First, why are we doing this? We typically need to know the following when we audit file access in Windows (or any other OS for that matter) for security (monitoring and investigation) or compliance:

• Time/date
• Computer where it happened
• User who touched the file
• Application he used to access the file
• File name + location (directory, share, etc)
• Type of access (read, write, create, delete, etc)
• Status (i.e. success or failure)

Can we get this from the above logs? No.

What? No!?! Really?

Yes, really. We can get some of the above, some of the time, not all of the above, all of the time. Here is an example, we are looking at event ID 560 (picture) and then at an extract from its description field.

Event:

Description (selected field):

Object Server: Security

Object Type: File

Object Name: C:\0\TestBed\simple_text_file.txt

Image File Name: C:\WINDOWS\system32\notepad.exe

Primary User Name: Anton

Primary Domain: XXXXXX

Accesses: READ_CONTROL

SYNCHRONIZE

ReadData (or ListDirectory)

WriteData (or AddFile)

AppendData (or AddSubdirectory or CreatePipeInstance)

ReadEA

WriteEA

ReadAttributes

WriteAttributes

WTH is that? Well, we know that the user  'Anton' has successfully read? wrote? changed attributes? did something? with a file named "C:\0\TestBed\simple_text_file.txt" using a program named "C:\WINDOWS\system32\notepad.exe." That's the best we can get, in this case! We may try to look at event IDs 562 and 567, but this missing information (i.e. the exact action performed) will not be added.

BTW, there will be  a few more dozen (sometime hundreds!) of the 560s, 562s and 567s  produced - all from just opening the text file in a notepad. The above event is notable for having BOTH "notepad" and "simple_text_file.txt" in the same event; others will have either of the two.

Anything else gets in the way? Yes, lots! MS Office will write to all files, even just opened for reading (with no user modifications to the content whatsoever), which will screw up your log monitoring efforts. If the file is on a share, more information will be missing (e.g. username might be).

So, how to use Windows event logs for file access tracking?

1. Enable logging (as described above)
2. Pick events 560 (most useful) and 562, 567 (useful too)
3. Look for fun filenames that might be touched by the users (have a list of files and users handy)
4. Figure out what programs were used to access them (this is called "Image File Name" in "WinLogSpeak")
5. Ponder the 'Accesses' section of each event until your brain turns blue :-) or until you decide whether such access is authorized or not...

Overall, this is still very useful for file access monitoring, but the process is paaaaaainful.

BTW, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.

- Take a risk based approach - Focus on business needs - Talk the language of the business - Don’t make wild statement about cost savings and ROI - Work to reduce costs - Put risk assessments into context - Present a decent set of meaningful security metrics