[SecurityRatty] tag: front-end

Lessons from Mumbai

Mon, 01 Dec 2008 05:03:41 +0000

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:

Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.
At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.
Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.
Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Evenmetal detectors and threat warnings didn't do any good:

"If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."
He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

"They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories and not analysis. I don't mean to be sympathetic; this tendency is human and these deaths are really tragic. But eighteen armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

Stampede Death at Wal-Mart

Mon, 01 Dec 2008 01:12:00 +0000

The death of a Wal-Mart employee on Black Friday in New York should never have been allowed to happen.

The Police are said to be reviewing tapes to see if they can identify who was responsible for trampling the poor man to death. What will that achieve? Obviously it was not done on purpose. The findings are bound to result in an "accidental death" determination.

Getting back to; who is responsible? I think that is quite clear. Wal-Mart has to accept responsibility. UNLESS...they really did hire an outside security company and the employees of that company did such a poor job organizing that mob of "door busters", that they lost control of the situation.

One thing is a given. The family of the employee who lost his life is bound to bring a civil law suit against Wal-Mart. If I were them, the first thing I would look to find out would be who(if anyone)was providing security on Thanksgiving night outside of the front door?

Unfortunately, many clients do not take the function of security very seriously and they delegate the responsibility to those with no security training or experience. We have consulted for clients at arenas and found that ordinary ushers will be given a fluorescent vest or jacket with "SECURITY" written on the back and asked to provide security. This is a libility claim waiting to be filed.

If Wal-Mart did in fact outsource their security to an outside company, was the company allowed to provide an adequate number of officers to ensure that shoppers lined up in an orderly fashion? One security officer to a couple of hundred people is another liability suit waiting to be filed.

Next, they should be looking at the training that the security officers (Wal-Mart better hope that shelve stockers were not given the task)receieved. Because it was Thanksgiving night, there is the possibility that the company couldn't get anybody else to work and used untrained and inexperienced personnel. If that turns out to be the case, hopefully the company was legal and had adequate insurance coverage.

Whatever happens regarding a civil law suit, one thing will remain unchanged. A man lost his life in an incident that should have been prevented. It is obvious that not everything was done to ensure the safety of the shoppers who traditonally lined up to get the best bargains when the store opened on "Black Friday".

Whether it was Wal-Mart or the security company who may have been hired to prevent this very incident from happening - somebody failed to do their job. Whichever one it was, they should step up to the plate and apologize to the grieving family for letting them down.

Chairman Tata Surprised by Tricky Terrorists

Sun, 30 Nov 2008 22:29:00 +0000

Chairman Rata Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the moment trying to do as much damage control as possible.

The sad part of this unfolding story is the feeling one gets that the terrible loss of life at the hotel may have been prevented or at least mitigated had proper security measures been implemented and if the security that had been in place prior to the attack had not been removed.

One eye witness who stayed at the hotel a week before the terrorist assault spoke about metal detectors and baggage being checked. The same witness then went on to say that those security measures had been removed within the last week, allowing people to enter without being checked.

The most surprising news to surface must be the Chairman's comments regarding the terrible event. Unbelievably, he actually said; "They knew what they were doing and they did not go through the front. All of our arrangements were on the front entrance".

Who is Tata's security advisor, a kitchen worker? Actually, he might have been better off if that were the case since the terrorists entered the hotel through the rear kitchen door. ANNOUNCEMENT TO ALL CHAIRMEN AND CEO's; Terrorists are Tricky. That is their job. They are watching your businesses and will do the opposite to what you expect.

In the case of the TAJ HOTEL, you made it easy for them. Did nobody in Mumbai ever stop to think that a bad person can go through the back door? It is one thing for a cafe in a pedestrian area to be attacked as anyone can walk right by or walk through the front and open fire, but how can a major landmark that attracts Western vistors drop their security measures AFTER they have received terrorist alert warnings that the hotel may be the target of terrorsit attacks?

I don't know if it was the case with the Taj Hotel, but cutting corners where security is concerned is common place in corporate culture. Security is often seen as a necessary evil and usually the first department to experience budgetary cutbacks. It is very difficult to convince some clients that nothing happening is really a good thing and that by cutting out security may open the door to evil.

This appears to have been the case with the Taj. There is no doubt that the terrorists had conducted hundreds of hours of surveillance in and around Mumbai. Was it a coincidence that the attack occurred the week after security measures had been removed? What might have been the result if security had remained tight (if you could call watching the front entrance and disregarding the back as "tight security")? Maybe the terrorists would have held back another month or two...maybe in that time they would have been detected...

One thing is for certain, places like the Taj Hotel have to get serious about security. Mr. Tata's claim that; "If I look at what we had...it could not have stopped what took place", must be replaced by more progressive, proactive thinking. If the Tata Group had spent an adequate amount of funding on ensuring that a strict security policy was in force - if only for the period in question - then they might not now be facing a 5 Billion Rupee reconstruction bill. Who knows how high the civil suits against the Taj will run when compensation and punitive costs are calculated.

Kudos though to Chairman Tata for at least recognizing that the Indian authorities may not be able to handle the situation on their own. "These attacks underscore the need for Law Enforcement to seek outside expertise for training, equipment and strategic operations", he said.

We agree Mr. Tata. We also hope that you will recognize the need for the Tata Group to seek similar outside expertise to assist you with your security planning and training.

RIAA Lawsuits May Be Unconstitutional

Wed, 19 Nov 2008 10:33:11 +0000

Harvard law professor Charles Nesson is arguing, in court, that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is unconstitutional:

He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill) show that the bill is effectively a criminal statute, yet for a civil crime. That's because it really focuses on punitive damages, rather than making private parties whole again. Even worse, it puts the act of enforcing the criminal statute in the hands of a private body (the RIAA) who uses it for profit motive in being able to get hefty fines.
Imagine a statute which, in the name of deterrence, provides for a $750 fine for each mile-per-hour that a driver exceeds the speed limit, with the fine escalating to $150,000 per mile over the limit if the driver knew he or she was speeding. Imagine that the fines are not publicized, and most drivers do not know they exist. Imagine that enforcement of the fines is put in the hands of a private, self-interested police force, that has no political accountability, that can pursue any defendant it chooses at its own whim, that can accept or reject payoffs in exchange for not prosecuting the tickets, and that pockets for itself all payoffs and fines. Imagine that a significant percentage of these fines were never contested, regardless of whether they had merit, because the individuals being fined have limited financial resources and little idea of whether they can prevail in front of an objective judicial body.

Another news story.

Security Manager's Journal: Progress at last on the patching front, and a new priority

Mon, 17 Nov 2008 02:00:00 +0000

A corporate policy on patching is about to become a reality, so it's time to put that project on the back burner and look at the budget.

How to set up a cross-platform network

Thu, 30 Oct 2008 01:00:00 +0000

Your business--and the computers that power it--may have started with an idea that popped into your head while you sat in front of your laptop, freeloading off of the local coffee shop's wireless network. But you can't work out of the Java Hut forever.

Tech tricks and treats of 2008

Tue, 28 Oct 2008 21:00:00 +0000

Growing up, you probably loved Halloween: Dressing up as your favorite superhero or princess, telling ghost stories, eating so much candy that your mom warned you your teeth were going to fall out. Of course, there was the trick side of the equation--the eggs you'd see slimed across some streets the morning after or the paper in someone's front-yard tree. Aahh, those were the days.

Sniffers class for the ISSA Kentuckiana

Mon, 27 Oct 2008 20:20:21 +0000

I'm teaching another free class for the ISSA, hope some of my readers can make it. Here are the details:
Who: Presented by Adrian Crenshaw of IronGeek.com
What: "Using Sniffers Effectively" - hands-on workshop with network analyzers such as Wireshark and Cain.
When: Sat, November 8, 2008 9:00 AM - 12:30 PM
Where: Louisville Technical Institute - Room 364, 3901 Atkinson Square Drive, Louisville KY 402018 (502) 456-6509
Directions: From 264 East get off on 1st Newburg Rd exit, Turn RIGHT at Bishop Lane, Turn RIGHT at Atkinson Dr./Atkinson Square Dr., Go .2 miles, Turn right at LOUISVILLE TECHNICAL/INTERIOR DESIGN INSTITUTE. Park in front parking lot. Go in Main Lobby to sign in.
Why: ISSA Kentuckiana's mission is to be the Louisville Leader in Information Security and Awareness. We want to provide relevant educational opportunities to members that enable learning, career growth, and should enable certification and technical advancement.
Cost: FREE! - Bring your own laptop or use one of the classroom PC's
How to sign up: send email to education (at) issa-kentuckiana (dot) org

Sniffers class for the ISSA Kentuckiana

Mon, 27 Oct 2008 20:20:21 +0000

Piracy Hurts Open Source Also!

Mon, 27 Oct 2008 19:10:01 +0000

I’m willing to bet a good few of those reading are using pirated software, and, until I switched to Linux last year, I was one of those few. Who’s going to keep tabs on you closely enough to send the police kicking down your front door over Microsoft Office 2007? Still, your actions do more damage than you realize.