ATC is an excellent working example of complex event processing.   Radar and GPS provide the basic sensory information to accurately track and trace the position of each aircraft in the area of responsibility (AOR) of a particular control tower/zone.     Naturally,  sensory information is preprocessed and formatted in such a way that the data can be processed upstream by multiple real-time applications.

Before we look at complex ATC scenarios, such as “potential collision” or “aircraft off approach vector” we must trace and trace individual objects, aircraft-objects, accurately with very high confidence.    In addition to tracking aircraft-objects, there is a database of information about the aircraft (ideally), such as make, model, age, range, passengers and other properties about the aircraft-object.      In addition, there is a state-model for each aircraft, for example the aircraft might be “on the ground”, “approaching the runway”, “cleared for takeoff”, “cruising altitude”, “approaching runway”, “final decent” etc.  

Tracking and tracing individual aircraft is what is generally referred to as “object refinement” in our CEP/EP reference architecture.   The reason we call this function “object refinement” is that system engineers are focused on optimizing the situational knowledge about individual objects.     Sometimes we refer to this function as “track and trace” because that is what we are doing to  each object in the model.  In Marc Adler’s recent shoplifting scenario, Marc was interested in tracking and tracing people in a store using imaging processing techniques to estimate their behavioral patterns.  In the same way, before we can process for scenarios such as “potential shoplifter” or “suspicious criminal gang activity” we must be able to accurately process (track and trace) individual object, such as people or merchandise.

Back to aircraft and ATC, the “complex event processing” begins when we are looking about object-object relationships, in this model, aircraft-to-aircraft, but this is an overly simplistic model, as we have not yet added (to our model) ground features (towers, buildings, power lines), weather (storm cells, wind) and other flying objects (known migratory bird paths, swarms of insects) to our simple model.  

Complex event processing occurs when we are processing multiple objects in our model looking for threats in real-time.     Practically speaking, all ATC applications are CEP applications.  This means that vendors and integrators who build ATC applications are also CEP vendors.   

Editorial Note: CEP/EP has been around for a long time and was not recently invented in the past decade as some “inventors” would like for us to believe. 

As you can imagine, there is considerable “complex event processing” that goes on “behind the scenes” to provide air traffic controllers and pilots situational knowledge into the “friendly skies”.   As you might further imagine, the situation is more complex when the skies are “not so friendly”, for example, in air combat situations.   

Processing myriad objects is not the end of the processing “chain”.  For example, decisions are being made constantly about potential damage, alternative airports, and more.    In our reference model, we refer to this, generally speaking, as “impact assessment” because we must take an estimated detected complex event, for example “aircraft collision,” and estimate potential damage based on numerous factors such as, the amount of jet fuel in the aircrafts and the location of the aircrafts (over a large city or rural area, near a hospital and emergency services).   Regardless of the scenario, an impact assessment is normally required before optimal decisions can be made.

This is true, by the way, for our shoplifting example (the impact is different if a piece of gum is stolen versus a $1,000,000 diamond necklace or weapons-grade nuclear material) and other scenarios and models.  Static data (information about objects) is required for accurate decision processing.  

Impact assessment is not the end of the “knowledge chain”.    Decisions are constantly being made that effect resources.  For example, suggestion an alternative route for an aircraft is a resource management decision.    Turning on and off radar or switching to alternative tracking devices is a resource management function.  In our CEP/EP reference model (based on the JDL data fusion model), we call this “resource management”.   This function includes contacting emergency services and directing them to a potential crash location or sending out a message to instruct all aircraft to stay off a certain radio frequency.  Resource management is critical.

Our simple ATC model today is by no means complete, it just scratches the surface.  In fact, I have a very close friend, Mark Secrist, who is a former Marine fighter pilot and currently a senior captain for American Airlines.   I have asked Mark to read this post and help me further refine this crude “laymans” ATC model (Thanks Mark!).

So, Anton Security Tip of the Day #15: Fear and Loathing in Event 567

This tip digs into a seemingly simple, but really VERY esoteric subject: monitoring file access and modification via a Windows event log. Now, some people - who never studied this subject - tend to have a very simplistic view of this: just enable Object Access auditing, then right-click on a file or directory, click Security->Advanced->Auditing and then pick what types of events will be logged and by what accessing entities (i.e. users or computers). OK, so this will produce some logs, that is for sure. But are they useful?

First, why are we doing this? We typically need to know the following when we audit file access in Windows (or any other OS for that matter) for security (monitoring and investigation) or compliance:

• Time/date
• Computer where it happened
• User who touched the file
• Application he used to access the file
• File name + location (directory, share, etc)
• Type of access (read, write, create, delete, etc)
• Status (i.e. success or failure)

Can we get this from the above logs? No.

What? No!?! Really?

Yes, really. We can get some of the above, some of the time, not all of the above, all of the time. Here is an example, we are looking at event ID 560 (picture) and then at an extract from its description field.

Event:

Description (selected field):

Object Server: Security

Object Type: File

Object Name: C:\0\TestBed\simple_text_file.txt

Image File Name: C:\WINDOWS\system32\notepad.exe

Primary User Name: Anton

Primary Domain: XXXXXX

Accesses: READ_CONTROL

SYNCHRONIZE

ReadData (or ListDirectory)

WriteData (or AddFile)

AppendData (or AddSubdirectory or CreatePipeInstance)

ReadEA

WriteEA

ReadAttributes

WriteAttributes

WTH is that? Well, we know that the user  'Anton' has successfully read? wrote? changed attributes? did something? with a file named "C:\0\TestBed\simple_text_file.txt" using a program named "C:\WINDOWS\system32\notepad.exe." That's the best we can get, in this case! We may try to look at event IDs 562 and 567, but this missing information (i.e. the exact action performed) will not be added.

BTW, there will be  a few more dozen (sometime hundreds!) of the 560s, 562s and 567s  produced - all from just opening the text file in a notepad. The above event is notable for having BOTH "notepad" and "simple_text_file.txt" in the same event; others will have either of the two.

Anything else gets in the way? Yes, lots! MS Office will write to all files, even just opened for reading (with no user modifications to the content whatsoever), which will screw up your log monitoring efforts. If the file is on a share, more information will be missing (e.g. username might be).

So, how to use Windows event logs for file access tracking?

1. Enable logging (as described above)
2. Pick events 560 (most useful) and 562, 567 (useful too)
3. Look for fun filenames that might be touched by the users (have a list of files and users handy)
4. Figure out what programs were used to access them (this is called "Image File Name" in "WinLogSpeak")
5. Ponder the 'Accesses' section of each event until your brain turns blue :-) or until you decide whether such access is authorized or not...

Overall, this is still very useful for file access monitoring, but the process is paaaaaainful.

BTW, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.

• Passport
• Voting ID card
• PAN card
• Driving License card
• Government issued ID card
• Social Security Card
• Military ID card
• Consular ID card
• Postal ID card
• Government Employee ID Card
• Credit Card
• Debit Card
  

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.  Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.  I've been a little busy lately, but was finally able to check it out.  Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.



The flash home page forwards visitors to a static index (indexaa.html) page.  The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."



See where the page says, "Register for your FREE card HERE!!"?  This is a link to the sign-up page that Tom was referring to.



No "https" in the URL.  Tom was right on that.  The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").



The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card



SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!  First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard".  Second, no encryption?!  Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security.  According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.  ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".  Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption. 

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.  This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic.  In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).  My information doesn't travel directly from my computer to the server.  There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.



As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz.  The final few hops are not reported due to filtering.  So where could my traffic be captured?  At the very least:

• Between my computer and my router (or firewall)
• Between my firewall and the ISP hand-off
• Between all the traversed devices within my ISP's network
• Between all the traversed devices through the internet
• Between all the traversed devices within the destination ISP's network
• Between all the traversed devices within the destination organization's network and the server itself.