[SecurityRatty] tag: tear

"Would you feel safe with this man looking after you?

Sun, 28 Sep 2008 16:44:00 +0000

That was the caption under the picture of Rocker,Ted Nugent, in last Tuesday's Guardian. Nugent had volunteered to be Sir Paul McCartney's "Bodyguard" when he played a concert in Israel.

Unfortunately,this is what our industry has to tolerate. Many people, from broken down celebrity deer hunters to jail guards think that if you know how to shoot a rifle or open a gate for inmates to go to the yard, it automatically follows that you know everything about protecting the life of a executive.

So, Ted Nugent knows how to play guitar and shoot deer. Just what part of that background would equip him to keep the former Beetle safe in the Middle East? It is certainly not like Mr. Nugent is trying to pull the wool over our eyes when it comes to any specialized training he may have received. "I'm Dirty Harry with a ponytail", claims the singer.

First of all Mr. Nugent, "Dirty Harry" was a film produced by Hollywood to entertain people, not a "training aid". Secondly, even if we were to stretch our imaginations and consider Harry Callaghan's actions, we would recall that the character was a Police Detective and as such, would have undergone rigourous training at a professional Police Academy.

Refering to reported Islamic Extremist Death Threats made against McCartney if he insisted on playing the concert, Nugent informed us that he "will not bend or waiver to Voodoo Religions or Whackjobs".

It is unknown whether or not Mr. Nugent thinks that Islamic Extremists come from Haiti, but if he is serious about a future career in Executive Protection, we would advise him to attend our upcoming course in Dubai next month where he will not only learn first hand the Art of Personal Protection, but he will also learn about Middle Eastern Cultures, Tradition and Religion.

Unfortunately, there's no way of predicting how much culture we may be able to pass on to Mr. Nugent, as the course is only a little over a week long. We will also be teaching etiquette and which knife and fork to use when attending a formal event with your Principal. That's right Ted, you don't get to tear the meat from the bone with your hands.

Someone call the U.A.E. and let the Hilton know that we may have to stay longer than planned.

Database statements that can make you tear out your hair

Thu, 28 Aug 2008 19:52:11 +0000

Its been a long time since I’ve written anything here. I’ve been extremely busy with my family move to the bay area. I still can’t believe the amount of paperwork required. I’ve filled virtually hundreds of forms and it’s not over yet. But, after a month here, I can say that we’ve finally settled down. [...]

Tucson area Domino's Pizza customer information exposed

Wed, 18 Jun 2008 06:43:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time? I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons. 24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up. I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals. I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation? Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.). I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it. I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify. The impact to the business (or organization) is not usually as easy to measure. In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc. Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information. Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach. He makes a very good argument regarding accountability in credit card breaches. My responses to him are included.

Past Breaches:
Unknown

Hurricane season officially begins in 24 hours and many are doing nothing about it.

Fri, 30 May 2008 23:50:00 +0000

I was watching the weather channel yesterday to see what the weekend would be like and was surprised to learn that the price of oil is being blamed for people's lack of preparation leading up to hurricane season.

According to the broadcaster, 50% of people living in areas that are most likely to be hit by hurricanes have not conducted any disaster planning whatsoever. Of people surveyed, 30% admitted that they will wait until they hear warnings on the television before they do anything. The report said that this is the first time since Huricanes Katrina and Rita struck, that people were so poorly prepared.

One very interesting fact that 95% of people do not realize is that garages are the most vulnerable area of a dwelling to be hit by a Hurricane. The Hurricane will tear off the roof of the house right after gaining access to the property through the garage. We would urge all of our readers living in areas susceptible to hurricanes to make sure that their garages are well secured. Times may be tight and the cost of fuel is becoming more and more burdensome but there is no point losing your house when you just may have been able to prevent it.

If you didn't realize this fact about your garage, check it out today. Time may be running out.

In Next-Gen Bullets and Bombs, Even the Casing Explodes

Tue, 06 May 2008 21:00:00 +0000

The Pentagon has quietly been working on a new arsenal of advanced weaponry that replaces metal casings with "reactive materials," normally harmless matter that combines to release explosive amounts of energy on impact, tearing targets apart with violent fury.

In development for more than 30 years, the research is beginning to bear fruit, and may soon spawn more powerful bombs, warheads that tear apart stone and concrete, mines that can be set to stun or kill, and grenades that can swat rockets or mortar rounds out of the sky like flies.

"You can get effects that are more precisely tailored to a particular target," says John Pike, director of Washington military research group GlobalSecurity.org. "And you're able to get a greater effect out of a smaller munition."

Reactive materials are combinations of materials that are normally stable, but, when subjected to sudden shock -- such as striking a target -- release a large amount of energy. Depending on the composition and warhead design, the energy can be released as heat, a blast or a combination of the two. Unlike conventional explosives, RMs cannot be set off by fuses. Technically, they are classified as flammable solids, and they are less hazardous to transport and store than explosives.

While they're more energetic than explosives, RMs are not intended to be a substitute. Instead, they will replace warhead components normally made of metal.

An analysis of U.S. military procurement papers and defense contractor presentations, as well as interviews with companies working on the technology, suggests that a wave of munitions using reactive materials may be headed for a battlefield near you.

The material can dramatically magnify the yield of conventional bombs, and do away with the waste embodied by a bomb's inert metal skin. The U.S. Air Force's 5,000 BLU-122 bunker buster, for example, contains just 780 pounds of explosives; the other 80 percent is the bomb's thick steel casing. DARPA's Reactive Munition program (.doc) aims to replace that steel with RMs, to create a bomb with a blast four times as powerful. Alternatively, a new bomb could be half the size of existing weapons but twice as powerful.

Conventional warheads could also benefit from an RM makeover. For centuries, shells have blasted out steel shrapnel, small pieces of metal that cause damage with their high speed. Defense contractor Alliant Techsystems is developing a warhead called BattleAxe for the Air Force that uses fragments made of RM instead of metal. Those fragments will explode on impact, making the warhead far more effective against soft targets like trucks.

RM shrapnel is also being touted as the ideal way of shooting down incoming rockets and mortar bombs (.pdf).

A radar-guided defense pod can automatically engage incoming rockets or other threats using RM-based grenades. Weapons designers suggest that RMs can be five to ten times as effective as the existing inert shrapnel for this task. Moreover, RM shrapnel can be engineered to burn out at a set distance, so there is no hazard to nearby friendly forces.

Bullets can even be made of RM. The Navy's new electromagnetic railgun has been criticized because it can only fire solid slugs, not the usual explosive shells. However, documents reveal that tungsten-based RM rounds are being developed for the weapon. These will explode on impact, making the railgun effective against buildings, ships and vehicles.

Shaped charges are another application where RMs can increase the effectiveness of existing designs. In a shaped charge, a hollow metal cone is surrounded by explosive material, which is then detonated, forcing the blast through the small end of the cone.

"The action is analogous to stamping on an open toothpaste tube, ejecting the liquid contents," says Douglas Millard of British defense contractors QinetiQ.

Replace the metal liner with RM, and the explosive power of that jet will increase dramatically.

"Such reactions are highly exothermic and therefore lead to the release of large amounts of energy, which is in addition to the kinetic energy within the jet," Millard says. "An increase in the energy coupled into the target occurs and this results in the creation of greater damage to the target."

QinetiQ is marketing an RM-based shaped charge called Connex for oil-well perforation in the civil market. Meanwhile, the U.S. Army is developing a demolition charge called Bam Bam that blasts a jet of RM deep into stone or concrete, producing massive damage

One version of the Bam Bam charge is intended for demolishing bridges and other structures. An alternative version blasts broader, shallower craters in roads or runways, making them useless.

RMs will also transform another mutation called the Explosively Formed Penetrator, a modified version of the shaped charge. Instead of producing a narrow, short-range jet, the Penetrator fires an aerodynamic slug of metal over a long distance. It's best known as a favored weapon of insurgents in Iraq. Again, replacing the metal with RM makes a much deadlier weapon -- after punching through armor, the slug releases energy like a grenade going off.

If you're a weapons designer, RMs also offer amazing flexibility. Alliant Techsystems is building a variable landmine (.pps) -- a so-called "dial-a-yield" weapon that can produce a range of different effects.

At the lowest setting, most of the output would be light -- a dazzling warning that would be impossible to miss. A higher setting would produce intense heat, creating a "discomfort zone" to drive off intruders. The third setting produces a nonlethal blast, like the concussion stun grenades used by Special Forces. If lethal force is called for, the mine could be set to produce either inert shrapnel or reactive shrapnel that explodes on impact.

RM munitions may face legal challenges. Under the St. Petersburg Declaration of 1868, the use of explosive projectiles with a weight of less than 400 grams is forbidden, as is using incendiary ammunition, like napalm, against personnel. But RMs are not technically explosive or incendiary, and although the effect on human targets might cause protests from some groups, they are likely to be accepted, human rights experts say.

"Like any weapon, it would have to go through a lengthy effectiveness and then legal review, " says Marc Garlasco, senior military analyst at Human Rights Watch. "If used in the open against military targets, it does not seem to have any obvious problems at first blush."

However, there may be technology issues too. Although the developers sound very upbeat in all their descriptions of RM munitions, producing material that will reliably release energy only when required is extremely challenging.

"The fact that they've been working on it so long and don't seem to have fielded anything yet suggests that there may be a problem with the technology," GlobalSecurity's Pike says.

Normally new weapons are fielded rapidly if there is a military demand -- assuming they work. So far, RMs have not made it into the field, and the technology may not be as mature as developers suggest.

But Pike also notes that there has been an unprecedented surge in munitions development over the last few years, with "all kinds of weird stuff" being developed.

So after decades of being kept very quiet, reactive materials may soon be making a lot of noise.

---

Check out Danger Room for more on reactive materials.

Its about convergence, stupid

Fri, 18 Apr 2008 05:19:00 +0000

Dmarti's blog over on LinuxWorld has an article up titled "Dumbest networking vendor idea since Network Access Control", which talks about what a dumb idea it is for Cisco to allow Linux apps to run on their ISR routers. Besides the fact that the title of the article alone is enough to make me want to tear this one apart, the underlying logic of the authors argument is just weak.

On one hand he talks about why would someone want to run Linux apps on a router, it is potentially bad design. On the other hand he says it is better to run them on a cheaper router alternative like Vyatta and than spouts some PR by Vyatta about their price/performance advantage over Cisco. They back up this advantage with "3rd party testing". Turns out the testing is by Tolly Group. Oh, now that changes everything. Have any of you ever had a Tolly evaluation done? Anytime you submit a form that contains what you would like to see the testing show in the final report and the final report shows it, well you know what I am saying. But seriously if it is good for Vyatta, why would it not be also good for Cisco?

Here is the real issue though that the author misses. We live in an age of convergence! The idea of having a stand alone box that only does routing is history and when Cisco themselves acknowledge it, you know it is fact. People want more functionality out of their hardware. Now that is not to say that your router should be your database server or mail server. But there are certainly network functions that make sense to put on a router. Security is a no brainer to start. IPS, VPN, firewall, gateway AV- easy. What about network functionality like DHCP, DNS, Radius, etc. How about some next gen network stuff like WAP and VOIP? That would make sense. By embracing Linux on the router all of these things and more are possible. By the way you can do all of this now with our own Cobia platform.

That's right, we had this idea 2 years ago and have been working on it since. With the convergence of networking, security, VOIP and wireless technologies, why wouldn't you want a multi-use box that can deliver all of this.

Its about convergence, stupid

Fri, 18 Apr 2008 04:19:01 +0000

Tear Gas/Pepper Spray Resource

Tue, 15 Jan 2008 13:43:00 +0000

Tear gas and pepper spray are widely used by police and military forces throughout the world to control crowds. Because of the dynamic nature of protests, aid workers may find themselves exposed to riot control agents (if you've never been gassed before, the first time can be very disconcerting). Unfortunately, this topic isn't discussed very much in traditional humanitarian security training and manuals. So to learn more we need to look to other sources, in this case, street medics.

Street medics are independent, trained volunteer medical personnel who support activists during protests. Organized street medic groups have sprung up in a number of Western, urban locations. One of the groups, known as the Black Cross Health Collective, has published extensive information on the effects of and treating tear gas and pepper spray. Check it out.