Archive for Security Consulting

UPDATED – WRAL and Other News Agencies Effectively Building a “How To” List for Utility Terrorism

It’s not news that two Duke Energy power substations were attacked in Moore County last week. There is a ton of speculation about why the attacks were carried out and by whom, but the thing we aren’t short of information about is what they did and what law enforcement is doing about it.

Photo Credit to News9, Oklahoma City, OK.

Various articles over the last week have been published by local news stations and other news media regarding the attacks, pointing out exactly HOW the attacks were performed, what damage was caused, and the impact upon the power grid by doing so. All of this information is published under the First Amendment, presumably for the public good. We think it’s more likely for clicks and advertising viewership, but mmmkay. One thing is for certain: copycats and wannabe terrorists are absolutely paying attention, and the media is essentially building for them a “how to” list for carrying out attacks on utility substations and the power grid. We predict there will be more of this type of activity, with few options for the utilities to actually mitigate it without significant capital expenditures.

The latest “how to” entry is that the FBI is using cell phone data to try to correlate cell phone account holders in the vicinity prior to and during the time of the attacks (we know exactly WHEN the attacks happened because the power went out). The reality is that there are probably more than a few people that are going to be on that list and will be interviewed by law enforcement about their whereabouts and activities. Maybe the culprits forgot to turn their phones off or leave them at home, and will be interviewed and caught. But rest assured about one thing: the NEXT attack won’t have anybody carrying an active cell phone…

(Note, we don’t represent Duke Energy in this matter and are not involved in this event in a consulting or investigative capacity) 

We wrote a letter to WRAL requesting that they redact portions of their news report (https://www.wral.com/gunfire-caused-damage-that-led-to-moore-county-blackout-schools-closed-monday/20612201/), which provides detailed information about the attack and even quotes former FERC head Jon Wellinghoff on the effective damage that was caused:

The former head of the Federal Energy Regulatory Commission Jon Wellinghoff explained the severity of the damage to WRAL News.

“Somebody with a high-powered rifle puts a bullet through the case of a transformer and once it goes into the case of the transformer it hits the coils of the transformer, shorts it out, and it’s gone; that device is no longer operable,” said Wellinghoff. “It can’t be fixed, it needs to be replaced. It cannot be repaired.”

Wellinghoff also shared insight into the repair process.

“A lot of these transformers also are sort of one-offs. It’s not like you can cookie-cutter replace them with another one from some other utility in the next county or the next state,” said Wellinghoff. “They have to be made sort of custom for the particular substation that they’re in. So if they don’t have spares for that particular substation, it could take a considerable amount of time.”

In effect, reading the totality of information presented by WRAL alone helps copycat criminals build a “how to” list for carrying out similar types of attacks with little risk of getting caught. This is irresponsible journalism, and they should know better. For that matter, Wellinghoff should ABSOLUTELY know better. Unfortunately it’s not just WRAL acting alone; it is apparently standard journalistic practice today to divulge information that could lead to a rash of domestic terrorism, one that could impact significant portions of the country and have long-lasting effects.

We support and recognize the need for the First Amendment; it’s a critical component that makes America the best country in the world to live and thrive in. However, the press should honor and respect the need for operational security and the risk of “copy cat” crimes, or even escalation of crimes, caused by their irresponsible reporting. We’ve seen this effect in school shootings, serial killings, etc., where individuals see news reports and articles and are incepted and maybe even encouraged to perform similar crimes under the guise that such crime will bring them notoriety and fame (or at least infamy). Yet the media is never held responsible; maybe they should be. This is the reason you no longer see nude runners streaking on the field during NFL game broadcasts: the cameras are told not to video the streakers so they won’t get their “15 minutes of fame”, just jail time. That’s called being responsible for what you broadcast.

As a security professional, if you see articles or news broadcasts that represent a danger to society, call or write to that news agency and give them your feedback about irresponsible journalism.  We don’t want censorship, we just want responsible reporting.

UPDATE 12/27/22 – Almost like clockwork, the prediction has come true, with several new attacks on substations in Tacoma, WA.  https://www.nytimes.com/2022/12/27/us/power-substation-attack-washington-state.html


Posted in: CPTED, Security Consulting


Playing Around with the PinPoint Survey Application using Amazon Data

We put together a quick demo of the PinPoint Survey Application using some public data scraped from the web for all the US Amazon sites.  The equipment names and photos are all generated, so don’t get too excited about thinking there are real Amazon security equipment details being posted on the web.

Some of the reporting features are turned off, but the overall objective was to show off the speed and utility of the site data and geospatial mapping capabilities for relating sites and equipment within those sites.

Using the application from a tablet, you can use the built-in GPS to map the device lat/lon data to the database, along with any photos, notes, and punch list information that might be relevant.  This is particularly useful for large external sites like ports, refineries, mines/quarries, or power generation/transmission facilities.

GIF Movie of PinPoint Survey Application using demonstration data for Amazon sites

PinPoint Survey Application Short Demo

Posted in: Access Control, Application Development, CPTED, Premises Liability, PSIM, Security Consulting, Security Technology, Vulnerability Analysis


Another installment of (in)secure Cloud storage

Chinchero Airport, Peru | EJAtlas

We know we sound like a broken record when we tell our clients “If you don’t own your server, you don’t own your data. Don’t put anything in the cloud you don’t want potentially exposed to the public.”, but time after time we show examples of why we keep repeating this mantra.

What Happened:

A major data leak by Securitas that affected several Latin American airports and other related companies was discovered by a cybersecurity firm called SafetyDetectives. In late January a team discovered that an Amazon S3 bucket had been left unsecured and exposed to public access, and contained over 1 million files relating to airport and security personnel.

Securitas, a large, well known multinational security company that has been in business for almost a century, has not made any public statements around the incident as of this posting. This isn’t the first time Securitas has had cybersecurity issues. In 2017 the Securitas CEO Alf Göransson had his personal identification stolen at the end of March, when someone applied for a loan in his name. The Stockholm District Court then declared Göransson bankrupt without informing the CEO prior to its decision.

The Breach (From SafetyDetectives briefing):

Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place. The misconfigured bucket has therefore exposed almost 1.5 million files, equating to about 3TB of data.

The bucket’s exposed information included employee Personally Identifying Information and sensitive company data of at least four airports in Colombia and Peru: El Dorado International Airport (Bogota D.C, COL), Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL), José María Córdova International Airport (Antioquia, COL), and Aeropuerto Internacional Jorge Chávez (Lima, PE). As mentioned, unobserved files may have exposed other airports and places throughout Colombia, the rest of Latin America, or even the rest of the world.

They observed two main datasets containing the information of Securitas employees and airport employees: photos of ID cards and other unmarked photos.

Photos of ID cards featured on the bucket. There were an estimated 1 million files of this type on the Securitas misconfigured bucket. These files revealed the personal information of employees at the four aforementioned airports that are using Securitas’ services.

Photos of ID cards reveal several forms of employee Personally Identifying Information, including:

  • Full names, incl. first names and surnames
  • Photos of employees
  • Occupations
  • National ID Number

What Was Leaked?

Other unmarked photos featured among the bucket’s content too. There were about 300,000 files of this type. These photos leaked the data of airports, airport employees, and associated companies.

Specifically, these files exposed employees’ personal data, sensitive client data (airports), and the sensitive data of associated companies, such as airlines. Exposed data includes:

  • Photos of employees
  • Photos of planes
  • Photos of fueling lines
  • Photos of luggage being loaded/unloaded


In addition to the information mentioned above, the two primary datasets analyzed on the bucket (photos of ID cards and other unmarked photos) contained Exchangeable Image File Format (EXIF) data that exposed specific information related to each photo. Exposed EXIF data includes:

  • Device models (of the cameras used)
  • GPS locations of photos, incl. coordinates and GPS maps
  • Time & date of photos
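The EXIF point above is worth seeing at the byte level, because it is what turns a harmless-looking photo of an ID card into a record of which device took it and where. The following added example is not this blog’s code and is not taken from the SafetyDetectives briefing; it builds a constructed JPEG shell whose APP1 segment carries an Exif block with a made-up camera model and made-up coordinates, reads back the model and GPS fix the way any Exif reader would, and then strips the APP1 segment, which is the pre-upload check and fix a file pipeline should apply before images land in a shared bucket. It uses only the Python standard library; the sample file is not a decodable picture, only its metadata matters here.

```python
import struct
from typing import Dict, Iterator, Tuple

# TIFF/Exif tag numbers used below (from the Exif specification).
TAG_MODEL, TAG_GPS_IFD = 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element per TIFF type
SOI, APP1, SOS, EOI = 0xD8, 0xE1, 0xDA, 0xD9                     # JPEG marker codes

def _dms_rationals(deg: int, minutes: int, seconds: float) -> bytes:
    """Three little-endian RATIONALs (numerator/denominator), as GPSLatitude/GPSLongitude store them."""
    return struct.pack("<6I", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

def build_sample_jpeg(model: str, lat: Tuple, lat_ref: str, lon: Tuple, lon_ref: str) -> bytes:
    """Constructed sample: SOI, one APP1/Exif segment (IFD0 with Model + GPS sub-IFD), stand-in SOS, EOI."""
    model_b = model.encode() + b"\0"
    ifd0_off = 8                               # directly after the 8-byte TIFF header
    model_off = ifd0_off + 2 + 2 * 12 + 4      # IFD0 = count, 2 entries, next-IFD pointer
    gps_off = model_off + len(model_b)
    lat_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD = count, 4 entries, next-IFD pointer
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 0x2A, ifd0_off) + struct.pack("<H", 2)
    tiff += struct.pack("<HHII", TAG_MODEL, 2, len(model_b), model_off)   # ASCII, stored at offset
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)              # LONG pointer to GPS IFD
    tiff += struct.pack("<I", 0) + model_b + struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")  # fits inline
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI4s", GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0) + _dms_rationals(*lat) + _dms_rationals(*lon)
    app1 = b"Exif\0\0" + tiff
    jpeg = bytes([0xFF, SOI]) + bytes([0xFF, APP1]) + struct.pack(">H", len(app1) + 2) + app1
    jpeg += bytes([0xFF, SOS]) + struct.pack(">H", 4) + b"\x01\x00"   # stand-in scan header
    return jpeg + b"\x00\x11\x22" + bytes([0xFF, EOI])                # stand-in scan data

def _segments(jpeg: bytes) -> Iterator[Tuple[int, bytes, int, int]]:
    """Yield (marker, payload, start, end) for each tagged segment up to and including SOS."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != EOI:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        if marker == SOS:      # entropy-coded data follows; no further tagged segments
            break
        pos += 2 + length

def _read_ifd(tiff: bytes, offset: int, fmt: str) -> Dict[int, bytes]:
    """Map tag -> raw value bytes, following the offset when a value does not fit in 4 bytes."""
    entries: Dict[int, bytes] = {}
    (count,) = struct.unpack(fmt + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            entries[tag] = tiff[e + 8:e + 8 + size]
        else:
            (off,) = struct.unpack(fmt + "I", tiff[e + 8:e + 12])
            entries[tag] = tiff[off:off + size]
    return entries

def _dms_to_decimal(raw: bytes, fmt: str, ref: str) -> float:
    n = struct.unpack(fmt + "6I", raw)
    value = n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
    return -value if ref in ("S", "W") else value

def exif_exposure(jpeg: bytes) -> Dict[str, object]:
    """What a reader of this file's Exif learns: camera model and GPS fix, when present."""
    found: Dict[str, object] = {}
    for marker, payload, _, _ in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        fmt = "<" if tiff[:2] == b"II" else ">"      # byte order declared by the TIFF header
        (ifd0_off,) = struct.unpack(fmt + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, fmt)
        if TAG_MODEL in ifd0:
            found["model"] = ifd0[TAG_MODEL].rstrip(b"\0").decode("ascii", "replace")
        if TAG_GPS_IFD in ifd0:
            gps = _read_ifd(tiff, struct.unpack(fmt + "I", ifd0[TAG_GPS_IFD])[0], fmt)
            if GPS_LAT in gps and GPS_LON in gps:
                found["lat"] = _dms_to_decimal(gps[GPS_LAT], fmt, gps.get(GPS_LAT_REF, b"N")[:1].decode())
                found["lon"] = _dms_to_decimal(gps[GPS_LON], fmt, gps.get(GPS_LON_REF, b"E")[:1].decode())
    return found

def strip_exif(jpeg: bytes) -> bytes:
    """Mitigation before upload: drop every APP1 Exif segment, keep everything else byte-for-byte."""
    out, copied_to = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in _segments(jpeg):
        if marker == APP1 and payload.startswith(b"Exif\0\0"):
            out += jpeg[copied_to:start]
            copied_to = end
    out += jpeg[copied_to:]
    return bytes(out)

# Constructed sample with made-up model and coordinates; nothing here comes from the leaked bucket.
SAMPLE_JPEG = build_sample_jpeg("Constructed-Cam", (4, 36, 0), "N", (74, 9, 0), "W")
```

Running `exif_exposure(SAMPLE_JPEG)` returns the model and a decimal latitude/longitude; running it on `strip_exif(SAMPLE_JPEG)` returns an empty dict. The parser deliberately covers only IFD0’s Model tag and the GPS sub-IFD; the time and date tags the briefing mentions live in the separate Exif sub-IFD, and a production pipeline would use a full Exif library for reading while still applying the same segment-stripping step to everything it publishes.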


What it Means to Us

It may be some time before there is any assessment of the extent of damage from the data breach, but this obviously serves as an example of how careless data management can have serious security implications for your firm or those of your clients. In evaluating software application strategies for our clients, we always ask these simple questions:

  1. What is the criticality of this information if it is leaked to the public?
  2. Can the solution be self-hosted on the Client’s own private network?
  3. Does it really NEED to be a cloud application?
  4. If so, how can we mitigate the potential damage if there is a breach?

Additional measures like a Type I or Type II SOC report are helpful, but likely wouldn’t have prevented the Securitas data breach discussed above. Regular and ongoing security audits, along with well-defined and enforced data management and security policies and procedures, are the only real defense against these kinds of mishaps.
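Part of the ongoing audit the paragraph above calls for can be automated, because an S3 bucket ends up world-readable through only a few settings: an Allow statement in the bucket policy with a wildcard principal, an ACL grant to the AllUsers or AuthenticatedUsers group, or a Public Access Block that is switched off. The following added example is not this blog’s code, not SafetyDetectives’ tooling, and not Securitas’ configuration; it checks all three against constructed inputs in the shape the AWS API returns for these calls (with boto3 you would pass in the results of `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` instead). The open and locked-down configurations, bucket name and role ARN are made up for illustration.

```python
import json
from typing import Any, Dict, List

# Grantee URIs AWS uses in bucket ACLs for "everyone" and "any signed-in AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Action and Principal.AWS may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal: Any) -> bool:
    """True when the statement applies to any caller, anonymous ones included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def policy_findings(policy_document: str) -> List[str]:
    """Flag Allow statements with a public principal; a Condition may narrow them, so report those softly."""
    findings = []
    for stmt in _as_list(json.loads(policy_document).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"review: public principal limited by Condition in {sid}")
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        findings.append(f"public policy: '{actions}' allowed to everyone in {sid}")
    return findings

def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """Flag ACL grants to the public groups, whatever the permission (READ alone lists every object)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"public ACL: {grant.get('Permission')} granted to {group}")
    return findings

def public_access_block_findings(config: Dict[str, bool]) -> List[str]:
    """All four Public Access Block switches should be on for a bucket that holds personnel records."""
    return [f"public access block: {name} is not enabled" for name in BLOCK_SWITCHES if not config.get(name)]

def audit_bucket(policy_document: str, acl: Dict[str, Any], public_access_block: Dict[str, bool]) -> List[str]:
    """Combined findings; an empty list means none of the three public-exposure paths is open."""
    return (policy_findings(policy_document) + acl_findings(acl)
            + public_access_block_findings(public_access_block))

# Constructed inputs (illustrative only): an open bucket and its locked-down counterpart.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
OPEN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_BLOCK = {name: False for name in BLOCK_SWITCHES}

LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/survey-app"},   # made-up account and role
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
LOCKED_BLOCK = {name: True for name in BLOCK_SWITCHES}

if __name__ == "__main__":
    print("open:  ", audit_bucket(OPEN_POLICY, OPEN_ACL, OPEN_BLOCK))
    print("locked:", audit_bucket(LOCKED_POLICY, LOCKED_ACL, LOCKED_BLOCK) or ["no findings"])
```

The locked-down set produces no findings, while the open set produces six: one for the policy statement, one for the ACL grant, and one for each Public Access Block switch that is off. Scheduling this over every bucket in the account, rather than once at deployment, is what makes it the “regular and ongoing” audit rather than a point-in-time check.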

This won’t be the last time we see this either: as the Cloud becomes more and more integrated into corporate IT strategies, it will happen again, and again, and again.


Posted in: Security Consulting, Security Technology


The Impact of Closed Circuit Television

Almost 30 years ago when I was first entering the security industry, closed circuit television (CCTV) cameras weren’t terribly different from the cameras that were being used for movie and television production. They were smaller, typically had less resolution and no audio, but the basic principles were the same. Charge-Coupled Device (CCD) cameras were fairly new, and if you wanted low light performance, you were resigned to using tube cameras. Yes, tubes. As in vacuum tubes. Tube cameras actually used a vacuum tube for the imager, and the tradeoff for low light sensitivity was a shorter life span, higher power requirements, and reduced reliability. Later, Complementary metal–oxide–semiconductor (CMOS) cameras came into play and helped overcome some of the limitations of both tube and CCD technologies.

Vidicon Imaging Tube for Old Style CCTV Camera

Since then, digital Internet Protocol (IP) cameras have come into play.    These newer cameras offer increased light sensitivity, much higher resolution, and new enhancements like video analytics and flexible communications options.

While all of these advancements make for better security, the most important enhancements are the video analytics and IP communications.   These two technology advances increase the likelihood of detecting activity and being able to monitor and record that activity from almost any location.

For most small and medium sized businesses or municipalities, the thought of a comprehensive video management system seems not only unnecessary, but impractical from a monitoring and timely intervention standpoint.  “Video cameras don’t stop crimes, all they do is record it”, we often hear.  This is not necessarily true.  CCTV video serves three important roles in security:

  1. Deterrence – Sometimes just the sight of a video camera will deter criminal activity from ever happening in the first place. Because being watched means being held accountable, this is a strong argument for on-premises security cameras. No, this doesn’t mean adding “dummy cameras” is a good idea. In fact, installing dummy cameras can make matters worse in premises liability cases for incidents occurring on your property.
  2. Detection – Having all of the campus CCTV cameras monitored in a single location allows an operator to spot potential negative events during or even prior to them actually happening. IP-enabled cameras offer increased detection capability in two ways: first, they allow cameras to be placed anywhere within the corporate network infrastructure (or even further away via hybrid cabling or wireless networking), and second, they permit remote monitoring from anywhere there is network or internet access, including smart phones and tablets. This allows for remote monitoring and recording at an off-site or contract monitoring facility, and also allows recorded or live events to be fed to first responders almost in real time. It also means that cameras can be located just about anywhere in your corporate footprint, including on board vehicles.
  3. Assessment – Being able to discern what, where, and when something is happening on camera is critical to determining how to respond to a particular event, and also aids in evidentiary requirements for later prosecution. With the advent of video analytics, that can now be taken a step further with things like video motion detection, face detection, traffic movement, object removal, and facial recognition. These tools increase the reliability of the observer (or recording device) to actually capture useful video information for use in timely intervention or for evidence in prosecution. For example, with the right software, imagine a disgruntled employee situation where the former employee’s photo is set up to trigger an alert if the video system “recognizes” his face when he tries to re-enter the campus. The authorities can be notified and other emergency precautions can be taken much sooner than previously possible.

Each one of these roles is an important piece of the overall security strategy for a business or government entity, and when used with common sense security practices like Crime Prevention through Environmental Design (CPTED) and other industry best practices, CCTV video becomes a powerful tool to deter, detect, and defend both persons and property in a timely and effective manner.


Posted in: CPTED, Premises Liability, Security Consulting, Security Technology


Layers – Not just for Onions and Ogres

Security has been thought of and taught to others as a “layered approach” for centuries, and as such is not a new concept. The Romans used layered concepts in their infantry tactics as well as their defensive fortifications. With all due respect to “Shrek”, security is like an onion: a complex set of layered countermeasures that make up a suite of hurdles that, presumably, are so confounding or problematic that the opponent gives up, gets caught, or never attempts anything in the first place.

The layers of security

Layers of security are a simple concept, but the concept is often overused by security professionals in discussion and even trivialized as not very important. As Americans, we tend to rely very heavily on technology. We understand technology, and we’re pretty good at it. But while thermal night vision cameras, fiber optic sensing cables, and CCTV drones flying over your campus make for an impressive security posture, sometimes just a plain old chain link fence or dense thornbush hedge is enough to deter the would-be criminal. The most effective barrier I ever saw was a dense hedge of thorns called a “living wall”. It was 6 feet tall (and still growing), and you couldn’t climb it, cut it, or burn through it.

We once worked with a client that had installed a $4500.00 bullet proof door with a card access proximity reader installed behind Lexan (to protect it too) on the wall. It was very impressive, until we learned that the wall it was installed in was only sheetrock and metal studs, and you could kick through it and completely bypass the door.

Security layers work from the outside in, with each layer adding to the overall security profile. But security profiles are different for different companies, buildings, or campuses. It depends upon the corporate philosophy, culture, and threat profile. What may be reasonable for a chemical company manufacturing DOD explosives may not be suitable for a quarry.

Start with the outside: what are the threats from the street, the site perimeter, or even from the air? Then work in to the building perimeter: where are the points of entry, access control weaknesses, or blind spots? Internally you should look at the lobbies, common areas, break rooms, stairwells, and vestibules. Then finally turn to policies and procedures relating to security, safety, and employee awareness. Each of these areas will generate questions, and you should generate answers in the form of layers of security to add to your security profile.

Posted in: CPTED, Security Consulting
