<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: seas]]></title>
    <link>http://securityratty.com/tag/seas</link>
    <description></description>
    <pubDate>Thu, 10 Jan 2008 21:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Of Planes and Ships]]></title>
      <link>http://securityratty.com/article/47dfbf92b3eaba317f07cfa2064d0a9b</link>
      <guid>http://securityratty.com/article/47dfbf92b3eaba317f07cfa2064d0a9b</guid>
      <description><![CDATA[Tom Barnett is consistently the most interesting writer on the globalization and econo-security seam. This week's piece confronts a problem every security architect can relate to (emphasis added on the...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.thomaspmbarnett.com/weblog/2008/09/column_121.html">Tom Barnett</a> is consistently the most interesting writer on the globalization and econo-security seam. This week's piece confronts a problem every security architect can relate to (emphasis added on the &quot;nail it to the wall&quot; quote at the end):</p><p><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">One of the main problems in counterterrorism today is that there are so many people and vehicles, and so much data and material, moving through globalization&#39;s myriad networks that it seems virtually impossible to track it all effectively. Nowhere has this problem been more acute than on the high seas.</span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">In 2006, Adm. Harry Ulrich, then U.S. commander of NATO Naval Forces Europe, decided to do something about it. 
Despite having virtually no resources, his dream was to transpose the global air-traffic control system onto sea traffic.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">Worldwide, aircraft are transparent, because they&#39;re all required to carry an identification beacon that allows them to be tracked leaving and entering airports, and monitored between airports, by a global network of sensors. Act suspiciously and somebody&#39;s fighter aircraft will soon be on your tail.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">No such pervasive system currently exists globally for maritime traffic. 
While bigger ships carry an ID beacon similar to aircraft, without a shared monitoring network, that&#39;s like tracking only selected commercial jets and giving everyone else a pass.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">So Ulrich, upon taking command, asked a simple question: &quot;If we can do that in the air, why can&#39;t we do it on the sea?&quot; He made a point of pioneering his sea-traffic-control effort first inside the Mediterranean, where NATO&#39;s southern naval forces have historically been concentrated, but his real target was waters off Africa -- the most ungoverned maritime space in the world.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">Ulrich knew the U. S. Navy couldn&#39;t do it alone, much less bring Africa&#39;s meager coast-guard-like navies up to snuff so they could do it on their own. 
So he quickly created a network of assets -- both public and private -- to manage that space, modeling his monitoring system on international air-traffic control.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">Ulrich began stitching together a network of shore-based sensors ringing the Mediterranean. His naval command then began initial monitoring by tapping into the International Maritime Organization&#39;s existing Automated Identification System, transforming NATO&#39;s ability to track ship traffic in the Med.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">Almost overnight, NATO went from tracking dozens of ships on the Mediterranean to thousands, and instead of getting the data sometimes up to 72 hours late, now the contacts were being tracked in one to five minutes -- to an accuracy within 50 feet on the earth&#39;s surface.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span 
style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">When the classic big-firm systems integrators told Ulrich it would be too costly to pull it off, the admiral turned to the Volpe Center in Cambridge, Massachusetts, a U.S. Department of Transportation research center. Instead of hundreds of millions of dollars, Ulrich&#39;s initial network cost $900,000. The shore-based receivers are small, roughly the size of a radar dish you might find on a pleasure craft.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">The strength of the system is a function of its reach: the more countries join, the larger the shared operational picture. By the time Ulrich retired at the end of 2007, he had enlisted 32 countries throughout the Mediterranean, the North Atlantic, along the west coast of Africa, around the Black Sea, and in the Pacific. 
Today, the network continues to spread around the planet.</span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; font-size: 14px; line-height: 20px; "><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">With Ulrich&#39;s system in place, local police, coast guards, and border patrols catch most bad guys, obviating American military responses. As Harry told me for an article I wrote about his work in a fall 2007 issue of Esquire, </span><span style="font-weight: bold; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">&quot;I don&#39;t do defense; I do security. When you talk defense, you talk containment and mutually assured destruction. When you talk security, you talk collaboration and networking. 
This is the future.&quot;</span></span><span style="font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">The admiral&#39;s legacy program, the Maritime Safety and Security Information System, earned the Volpe Center a prestigious &quot;Innovations in American Government&quot; award this month from Harvard University&#39;s Ash Institute for Democratic Governance and Innovation.</span></p></blockquote><p><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></p><div><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">Security Collaboration + Networking &#160;= Federation. This is indeed the future - SAML came along just in the nick of time.</span></div><div><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></div><div><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">When you assume that to do access control you must have &quot;Complete Mediation&quot; in Saltzer and Schroeder&#39;s terms of the subject (users), the objects (data), the session, and the roles, then you are going to have an interesting life trying to deliver anything. 
And if you do, it will be mucho expensive.</span></div><div><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br /></span></div><div><span style="border-collapse: collapse; line-height: 20px; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; ">If you take the federated autonomous nodes approach, agree upon an attribute schema plus a protection model for same, and a basic protocol, you are then free to move about the country. Security doesn&#39;t have to equal centralization or high cost. Get the attributes from point a to point b securely.</span></div>]]></content:encoded>
      <pubDate>Sun, 28 Sep 2008 19:04:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security architect">security architect</category>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/identification system">identification system</category>
      <category domain="http://securityratty.com/tag/initial network cost">initial network cost</category>
      <category domain="http://securityratty.com/tag/initial">initial</category>
      <category domain="http://securityratty.com/tag/cost">cost</category>
      <category domain="http://securityratty.com/tag/ulrich">ulrich</category>
      <category domain="http://securityratty.com/tag/time ulrich">time ulrich</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/09/of-planes-and-ships.html">Of Planes and Ships</source>
    </item>
    <item>
      <title><![CDATA[Apptis and USNS Mercy Monitoring on the High Seas]]></title>
      <link>http://securityratty.com/article/32ab3189b54d8e46b467ebbf87db32e0</link>
      <guid>http://securityratty.com/article/32ab3189b54d8e46b467ebbf87db32e0</guid>
      <description><![CDATA[Meet Mike Lawson, Pre-Sales Engineer at Apptis, a leading system integrator and ScienceLogic partner that has deployed EM7 to meet the network, systems and application management needs of several...]]></description>
      <content:encoded><![CDATA[<p><img style="border-right: 0px; border-top: 0px; margin: 0px 10px 10px 0px; border-left: 0px; border-bottom: 0px" height="244" alt="mike2 (Small)" src="http://blog.sciencelogic.com/wp-content/uploads/2008/08/mike2-small.jpg" width="204" align="left" border="0"> Meet Mike Lawson, Pre-Sales Engineer at Apptis, a leading system integrator and ScienceLogic partner that has deployed EM7 to meet the network, systems and application management needs of several customers. We thought Mike would have an interesting perspective to share on EM7, having recently come from the “customer side” and already with a few deployments under his belt.
<p><b>ScienceLogic: Mike, what’s your background working with network and management system tools?</b>
<p><b>Mike Lawson: </b>Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.
<p>I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.
<p><b>ScienceLogic: Coming from where you did, what’s your take on EM7?</b>
<p><strong>Mike Lawson:</strong> Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?
<p>That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too.)
<p>I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.
<p><b>ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?</b>
<p><strong>Mike Lawson:</strong> The USNS Mercy is a Military Sealift Command hospital ship. <a href="http://www.navy.mil/navydata/fact_display.asp?cid=4400&amp;tid=400&amp;ct=4" target="_blank">Some stats</a>:
<ul>
<li>849 feet long (nearly the size of a football field)
<li>12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
<li>Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff</li>
</ul>
<p>The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.
<p>For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.
<p>Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.
<p><b>ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?</b>
<p><strong>Mike Lawson:</strong> First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.
<p>Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.
<p>And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.
<p>Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in delivering the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.
<p>As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use. </p>
]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 11:59:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/solution">solution</category>
      <category domain="http://securityratty.com/tag/entire em7 solution">entire em7 solution</category>
      <category domain="http://securityratty.com/tag/em7">em7</category>
      <category domain="http://securityratty.com/tag/em7 gospel">em7 gospel</category>
      <category domain="http://securityratty.com/tag/em7 proves">em7 proves</category>
      <category domain="http://securityratty.com/tag/em7 admins">em7 admins</category>
      <category domain="http://securityratty.com/tag/multiple em7 appliances">multiple em7 appliances</category>
      <category domain="http://securityratty.com/tag/em7 solution">em7 solution</category>
      <category domain="http://securityratty.com/tag/explain em7">explain em7</category>
      <source url="http://blog.sciencelogic.com/apptis-and-usns-mercy-monitoring-on-the-high-seas/08/2008">Apptis and USNS Mercy Monitoring on the High Seas</source>
    </item>
    <item>
      <title><![CDATA[Even the Rich and Famous pay the price for being Dishonest and Unethical]]></title>
      <link>http://securityratty.com/article/bddc2473e5205464ce579dd702e7a914</link>
      <guid>http://securityratty.com/article/bddc2473e5205464ce579dd702e7a914</guid>
      <description><![CDATA[All of our courses - in the U.S. and overseas, begin with the same message - ETHICS is the keystone of our profession and our success. It's a shame that famed litigator - Richard &quot;Dickie&quot; Scruggs...]]></description>
      <content:encoded><![CDATA[All of our courses - in the U.S. and overseas, begin with the same message - ETHICS is the keystone of our profession and our success.  It's a shame that famed litigator - Richard "Dickie" Scruggs forgot that lesson.    <br /><span id="fullpost"><br />In yesterday's Washington Post, the headline reads; "<a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/06/27/AR2008062703609_2.html">Famed Litigator </a>Gets 5-Year Term for Conspiracy to bribe Judge".  For those who are not familiar with him, Scruggs became one of the wealthiest and most famous lawyers in the country by taking on tobacco, insurance and asbestos companies.  <br /><br />What did he do? Well, for starters (and what they were able to prove), he attempted to bribe Lafayette County Circuit Court Judge Henry Lackey by offering him $50,000.00.  U.S. District Judge Neal Biggers Jr., called Scruggs' conduct "reprehensible" and told him that he picked the wrong Judge to bribe.  In addition to the 5 year jail term, he was fined $250,000.00 and lost his law license.<br /><br />You really got to love it when Justice is rightfully served.  Unfortunately, it makes me wonder how many more sleazy lawyers around the country and unethical Judges are not getting reported and prosecuted.  It is a little too hard to believe that Scruggs is the only dirt-bag in the legal profession.  We welcome the message it sends out; "nobody is above the law".  <br /><br />Like most, if not all common criminals, Richard Scruggs became greedy.  In 1990, Scruggs became famous for suing tobacco companies and winning lawsuits that resulted in a $206 BILLION dollar settlement.  If his take of that was just 10%, he walked away with a cool $20.6 Billion dollars.  A film was even made about the case - "The Insider" starred Al Pacino and Russell Crowe.<br /><br />A decade later he is trying to bribe a Judge with $50,000?  I would say it was a combination of greed and power going to his head.  
Maybe that is why the "Post" reported that he nearly fainted and swayed from side to side when the Judge scolded him.  He had to sit down before the sentence was read out.  He must have believed that he was untouchable.<br /><br />It's just a shame that he wasn't touched with a heavier sentence.  A twenty year sentence would have sent out an even more powerful message.  Still and all, the idea of wearing a prison jumpsuit and eating bologna sandwiches is probably like a life sentence to someone who believed themselves to be above the law.<br /><br />The article claims that many high profile friends petitioned Judge Biggers for leniency when sentencing Scruggs.  He's lucky I am not the warden at his jail.  I think he would be a perfect candidate for the toilet cleaning squad.          <br /></span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Sun, 29 Jun 2008 12:05:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wrong judge">wrong judge</category>
      <category domain="http://securityratty.com/tag/judge">judge</category>
      <category domain="http://securityratty.com/tag/bribe judge">bribe judge</category>
      <category domain="http://securityratty.com/tag/richerd scruggs">richerd scruggs</category>
      <category domain="http://securityratty.com/tag/scruggs">scruggs</category>
      <category domain="http://securityratty.com/tag/sentence">sentence</category>
      <category domain="http://securityratty.com/tag/famous">famous</category>
      <category domain="http://securityratty.com/tag/heavier sentence">heavier sentence</category>
      <category domain="http://securityratty.com/tag/life sentence">life sentence</category>
      <source url="http://www.thebulletproofblog.com/2008/06/even-rich-and-famous-pay-price-for.html">Even the Rich and Famous pay the price for being Dishonest and Unethical</source>
    </item>
    <item>
      <title><![CDATA[Negotiating rough seas is safer when you are organized and systems are well documented]]></title>
      <link>http://securityratty.com/article/a70e08b3fcc047e548db224d63977214</link>
      <guid>http://securityratty.com/article/a70e08b3fcc047e548db224d63977214</guid>
      <description><![CDATA[One thing sailors usually learn before they become old sailors is the value of keeping things neat. When you are at the mercy of wind and water - and with nobody around - a good sailor makes recovery...]]></description>
      <content:encoded><![CDATA[One thing sailors usually learn before they become &#8220;old sailors&#8221; is the value of keeping things neat. When you are at the mercy of wind and water - and with nobody around - a good sailor makes recovery from incidents look easy. They know exactly where the lines, tools and emergency equipment are stowed. They [...]]]></content:encoded>
      <pubDate>Mon, 02 Jun 2008 16:53:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sailors">sailors</category>
      <category domain="http://securityratty.com/tag/emergency equipment">emergency equipment</category>
      <category domain="http://securityratty.com/tag/mercy">mercy</category>
      <category domain="http://securityratty.com/tag/neat">neat</category>
      <category domain="http://securityratty.com/tag/recovery">recovery</category>
      <category domain="http://securityratty.com/tag/tools">tools</category>
      <category domain="http://securityratty.com/tag/lines">lines</category>
      <category domain="http://securityratty.com/tag/incidents">incidents</category>
      <category domain="http://securityratty.com/tag/water">water</category>
      <source url="http://securityviews.com/blog/2008/06/02/negotiating-rough-seas-is-safer-when-you-are-organized-and-systems-are-well-documented/">Negotiating rough seas is safer when you are organized and systems are well documented</source>
    </item>
    <item>
      <title><![CDATA[Personal Las Cruces Public Schools Special Ed information posted online]]></title>
      <link>http://securityratty.com/article/d416168f47cfa9bd568f0552c9159b9e</link>
      <guid>http://securityratty.com/article/d416168f47cfa9bd568f0552c9159b9e</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/7/08

Organization
Las Cruces Public Schools (&quot;LCPS

Contractor/Consultant/Branch
None

Victims
Teachers, principals, administrators and other LCPS...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/lcps.jpg" align="right" height="86" width="88"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/7/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.lcps.k12.nm.us/">Las Cruces Public Schools ("LCPS")</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Teachers, principals, administrators and other LCPS employees.&nbsp; The breach also affected students enrolled in special education programs.<br><br><span style="font-weight: bold;">Number Affected:</span><br>1,800*<br><br><font size="1">*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>"confidential student and staff information, including some personal identifying data"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.&nbsp; Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://lcps.k12.nm.us/News/News_Releases/080507DataReleasedInadvertantly.doc">LCPS news release (Word document download)</a> <br><a href="http://www.lcps.k12.nm.us/z-temp/Data%20Released%20Speech%20MEDIA.doc">LCPS press conference (Word document download)</a> <br><a href="http://www.lcsun-news.com/ci_9181525">Las Cruces Sun-News</a> 
<br><br><span style="font-weight: bold;">Report Credit:</span><br>Las Cruces Public Schools<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.&nbsp; Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.<br><br>"We began a thorough investigation to determine how this happened and to prevent it from happening in the future.&nbsp; The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."<br><br>Rounds said there is currently no indication that the data has been misused.<br><br>Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.<br><br>The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.<br><br>For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise to those affected.<br><span style="font-style: italic;">[Evan] The compromise has already taken place.&nbsp; If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.</span><br><br>However, the individuals affected will be notified of what information was released, he said.<br><br>Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children 
or programs.<br><br>Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools.<br><span style="font-style: italic;">[Evan] It especially stinks when children are affected.</span><br><br>Some data for other special education students may have been released as well.<br><br>"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said.<br><br>"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services.&nbsp; "As of today, we’ve located the data in two Internet sites and removed it.&nbsp; We’re continuing to search for any other locations where it may exist."<br><br>On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way.&nbsp; This will be paid at school district expense.<br><br>Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has access to any LCPS computer, data, or server.<br><br>"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said.&nbsp; "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."<br><br>Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures.&nbsp; This committee will be chaired by Dr. 
Shaun Cooper, the current Chief Information Officer at New Mexico State University.&nbsp; Cooper is also the former Director of Security and Research Computing at NMSU.<br><br><span style="font-weight: bold;">Commentary:</span><br>Human errors will happen as long as we are humans, I suppose.&nbsp; Not that we should just accept defeat and use it as an excuse.&nbsp; There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches.&nbsp; Without knowing more detail, it's hard to say what could have been done better.&nbsp; Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc.?&nbsp; I guess I'm not sure.<br><br>I do appreciate Mr. Rounds' response.&nbsp; The response to the breach and notification was swift.&nbsp; I also like the press conference and ad-hoc committee established to review LCPS policy and procedure.&nbsp; I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected). <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 09 May 2008 06:02:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/lcps">lcps</category>
      <category domain="http://securityratty.com/tag/lcps employees">lcps employees</category>
      <category domain="http://securityratty.com/tag/special education students">special education students</category>
      <category domain="http://securityratty.com/tag/lcps press conference">lcps press conference</category>
      <category domain="http://securityratty.com/tag/special education">special education</category>
      <category domain="http://securityratty.com/tag/specific information">specific information</category>
      <category domain="http://securityratty.com/tag/data security">data security</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://breachblog.com/2008/05/09/lcps.aspx">Personal Las Cruces Public Schools Special Ed information posted online</source>
    </item>
    <item>
      <title><![CDATA[Comparing Cybersecurity to Early 1800s Security on the High Seas]]></title>
      <link>http://securityratty.com/article/da0420717aad1f4a3f39a6590d2d2551</link>
      <guid>http://securityratty.com/article/da0420717aad1f4a3f39a6590d2d2551</guid>
      <description><![CDATA[This article in CSO compares modern cybersecurity to open seas piracy in the early 1800s. After a bit of history, the article talks about current events: In modern times, the nearly ubiquitous...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.csoonline.com/article/print/329164">This article</a> in <i>CSO</i> compares modern cybersecurity to open seas piracy in the early 1800s.  After a bit of history, the article talks about current events:</p>

<blockquote>In modern times, the nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas--the cyber seas. The Internet has the potential to significantly impact the United States' position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier.</blockquote>

<p>This should be a surprise to no one.</p>

<p>What to do?</p>

<blockquote>With that goal in mind, let us consider how the United States could take a Jeffersonian approach to the cyber threats faced by our economy. The first step would be for the United States to develop a consistent policy that articulates America's commitment to assuring the free navigation of the "cyber seas." Perhaps most critical to the success of that policy will be a future president's support for efforts that translate rhetoric to actions--developing initiatives to thwart cyber criminals, protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens' constitutional rights. Clearly articulated policy and consistent actions will assure a stable and predictable environment where electronic commerce can thrive, continuing to drive U.S. economic growth and avoiding the possibility of the U.S. becoming a cyber-colony subject to the whims of organized criminal efforts on the Internet.</blockquote>

<p>I am reminded of <a href="http://www.legalaffairs.org/issues/July-August-2005/feature_burgess_julaug05.msp">comments</a> <a href="http://www.cl.cam.ac.uk/~rja14/wtc.html">comparing</a> modern terrorism with piracy on the high seas.</p>]]></content:encoded>
      <pubDate>Wed, 16 Apr 2008 10:27:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/seas">seas</category>
      <category domain="http://securityratty.com/tag/policy">policy</category>
      <category domain="http://securityratty.com/tag/cybersecurity policy">cybersecurity policy</category>
      <category domain="http://securityratty.com/tag/cyber seas">cyber seas</category>
      <category domain="http://securityratty.com/tag/consistent policy">consistent policy</category>
      <category domain="http://securityratty.com/tag/seas piracy">seas piracy</category>
      <category domain="http://securityratty.com/tag/sporadic policy statements">sporadic policy statements</category>
      <category domain="http://securityratty.com/tag/actions">actions</category>
      <category domain="http://securityratty.com/tag/piracy">piracy</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/comparing_cyber.html">Comparing Cybersecurity to Early 1800s Security on the High Seas</source>
    </item>
    <item>
      <title><![CDATA[NGO Security Scenario #18 - High Seas Horror]]></title>
      <link>http://securityratty.com/article/2f8458f616b9525278ddce648d21fcd6</link>
      <guid>http://securityratty.com/article/2f8458f616b9525278ddce648d21fcd6</guid>
      <description><![CDATA[On July 19, 2006, the cruise liner Crown Pacific was sailing off the Florida coast. In calm waters with good weather, the ship suddenly rolled, tipping an estimated 15 degrees on its side. 240 people...]]></description>
      <content:encoded><![CDATA[On July 19, 2006, the cruise liner Crown Pacific was sailing off the Florida coast. In calm waters with good weather, the ship suddenly rolled, tipping an estimated 15 degrees on its side. 240 people were injured during the incident.<br /><br />Here is security video footage from the ship's casino as the incident took place. This was not a common occurrence and the force generated by the roll is apparent.<br /><br /><object height="373" width="425"><param name="movie" value="http://www.youtube.com/v/Rgiumz3RRhI&amp;rel=1&amp;border=1"><param name="wmode" value="transparent"><embed src="http://www.youtube.com/v/Rgiumz3RRhI&amp;rel=1&amp;border=1" type="application/x-shockwave-flash" wmode="transparent" height="373" width="425"></embed></object><br /><br /><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/xc9EL_O1B7s&rel=1"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/xc9EL_O1B7s&rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object><br /><br /><object height="373" width="425"><param name="movie" value="http://www.youtube.com/v/cmpcwWo63sY&amp;rel=1&amp;border=1"><param name="wmode" value="transparent"><embed src="http://www.youtube.com/v/cmpcwWo63sY&amp;rel=1&amp;border=1" type="application/x-shockwave-flash" wmode="transparent" height="373" width="425"></embed></object><br /><br />Review the last video and comment on human behavior during an unexpected and potentially life-threatening crisis. Which passenger showed a high level of survival instinct? How did the majority of passengers react? What does the behavior of the passengers playing slot machines in the upper right corner of the video suggest? Have you ever been in a crisis situation where you've witnessed similar behavior as shown in the video?  Share your thoughts and observations in the COMMENTS below.]]></content:encoded>
      <pubDate>Sun, 10 Feb 2008 23:43:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/video">video</category>
      <category domain="http://securityratty.com/tag/security video footage">security video footage</category>
      <category domain="http://securityratty.com/tag/behavior">behavior</category>
      <category domain="http://securityratty.com/tag/human behavior">human behavior</category>
      <category domain="http://securityratty.com/tag/crisis situation">crisis situation</category>
      <category domain="http://securityratty.com/tag/similar behavior">similar behavior</category>
      <category domain="http://securityratty.com/tag/ship">ship</category>
      <category domain="http://securityratty.com/tag/passengers">passengers</category>
      <category domain="http://securityratty.com/tag/passengers react">passengers react</category>
      <source url="http://ngosecurity.blogspot.com/2008/02/ngo-security-scenario-18-high-seas.html">NGO Security Scenario #18 - High Seas Horror</source>
    </item>
    <item>
      <title><![CDATA[High-tech sits behind high-seas drama]]></title>
      <link>http://securityratty.com/article/ec8aeb3110bdf8ad28388a5234c491c7</link>
      <guid>http://securityratty.com/article/ec8aeb3110bdf8ad28388a5234c491c7</guid>
      <description><![CDATA[When environmental protestors boarded a Japanese whaling ship in the Southern Ocean, images of the action quickly flashed on the world's TV sets, followed by photos from the Japanese ship after the...]]></description>
      <content:encoded><![CDATA[When environmental protestors boarded a Japanese whaling ship in the Southern Ocean, images of the action quickly flashed on the world's TV sets, followed by photos from the Japanese ship after the protestors were taken into custody. Getting these images out is crucial if either side is to win the global PR battle, but doing so can be problematic when you're at sea, thousands of kilometers from the nearest cell phone network or broadband connection.]]></content:encoded>
      <pubDate>Wed, 16 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/japanese ship">japanese ship</category>
      <category domain="http://securityratty.com/tag/japanese">japanese</category>
      <category domain="http://securityratty.com/tag/environmental protestors">environmental protestors</category>
      <category domain="http://securityratty.com/tag/ship">ship</category>
      <category domain="http://securityratty.com/tag/cell phone network">cell phone network</category>
      <category domain="http://securityratty.com/tag/protestors">protestors</category>
      <category domain="http://securityratty.com/tag/southern ocean">southern ocean</category>
      <category domain="http://securityratty.com/tag/tv sets">tv sets</category>
      <category domain="http://securityratty.com/tag/action quickly">action quickly</category>
      <source url="http://www.networkworld.com/news/2008/011708-high-tech-sits-behind-high-seas.html?fsrc=rss-security">High-tech sits behind high-seas drama</source>
    </item>
    <item>
      <title><![CDATA[Data centers take to the high seas]]></title>
      <link>http://securityratty.com/article/de60df0020c83317b763f307f3ff2625</link>
      <guid>http://securityratty.com/article/de60df0020c83317b763f307f3ff2625</guid>
      <description><![CDATA[International Data Security, a U.S. startup, plans to open the first of 50 ship-borne floating data centers at Pier 50 in San Francisco in...]]></description>
      <content:encoded><![CDATA[International Data Security, a U.S. startup, plans to open the first of 50 ship-borne floating data centers at Pier 50 in San Francisco in April.]]></content:encoded>
      <pubDate>Thu, 10 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data centers">data centers</category>
      <category domain="http://securityratty.com/tag/international data security">international data security</category>
      <category domain="http://securityratty.com/tag/san francisco">san francisco</category>
      <category domain="http://securityratty.com/tag/plans">plans</category>
      <category domain="http://securityratty.com/tag/april">april</category>
      <category domain="http://securityratty.com/tag/pier">pier</category>
      <category domain="http://securityratty.com/tag/startup">startup</category>
      <category domain="http://securityratty.com/tag/ship-borne">ship-borne</category>
      <source url="http://www.networkworld.com/news/2008/011108-data-centers-take-to-the.html?fsrc=rss-security">Data centers take to the high seas</source>
    </item>
  </channel>
</rss>
