This document discusses vulnerability assessments of security and safeguard devices and programs. It describes how vulnerability assessments have been conducted on over 1,000 different systems and devices. It outlines some key differences between domestic and international nuclear safeguard programs and notes that similar hardware and strategies are sometimes incorrectly used for both applications. It also discusses several common problems with international safeguard programs and outlines attributes of "security theater".
-
As German defense minister, Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial?
Apple’s Touch ID, and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
Technical tips for OPSEC are all around.
However, what to do in real life encounters?
We provide some easy to follow tips to improve your chances in such situations.
-
As German defense minister, Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial?
Apple’s Touch ID, and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
Technical tips for OPSEC are all around.
However, what to do in real life encounters?
We provide some easy to follow tips to improve your chances in such situations.
Click and Dragger: Denial and Deception on Android mobilegrugq
A presentation on OPSEC for mobile phones, covering the design and reasoning behind the CryptogenMod ROM and the DarkMatter app.
Source for DarkMatter: https://github.com/grugq/darkmatter
It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
2017年12月10日 - Birds of a Feather ( 簡稱BoF ),語意上是指鳥類會與相同類型的鳥群一起飛翔,之後衍伸為讓志同道合的人們聚集在一起或舉辦非正式聚會。
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls.
Too effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assesses are on the same page.
This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.
Click and Dragger: Denial and Deception on Android mobilegrugq
A presentation on OPSEC for mobile phones, covering the design and reasoning behind the CryptogenMod ROM and the DarkMatter app.
Source for DarkMatter: https://github.com/grugq/darkmatter
It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
2017年12月10日 - Birds of a Feather ( 簡稱BoF ),語意上是指鳥類會與相同類型的鳥群一起飛翔,之後衍伸為讓志同道合的人們聚集在一起或舉辦非正式聚會。
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls.
Too effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assesses are on the same page.
This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.
Eight Steps to an Effective Vulnerability AssessmentSirius
As we conduct more and more business online, the digital world has become a hacker’s paradise. To combat the growing threat of cyber attacks, many companies are hiring chief information security officers (CISOs) whose main responsibility is to make sure data is secure. Recent high-profile data breaches have demonstrated that it is not a role for the faint of heart.
“We’re like sheep waiting to be slaughtered,” said David Jordan, the CISO for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach.”
IT research firm Gartner predicts that by 2020, 30 percent of Global 2000 companies will have been directly compromised by independent cyber activists or cyber criminals.
In order to protect information assets, CISOs and other security professionals are facing a difficult challenge: they have to keep up with cyber criminals, check off a growing list of compliance boxes, and keep close tabs on the security practices of their partners and employees.
Addressing the sheer volume and evolution of cyber attacks is daunting for even the most security-conscious IT teams. It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them. Only by understanding their risks can organizations target limited security dollars to the technologies and strategies that matter most.
Getting maximum benefit from a vulnerability assessment requires an understanding of your organization’s mission-critical processes and underlying infrastructure, and applying that understanding to the results. To be truly effective, it should include the following steps:
Master sequence diagrams with this sequence diagram guide. It describes everything you need to know on sequence diagram notations, best practices as well as common mistakes. It also explains how to draw a sequence diagram step by step. Plus it offers Creately sequence diagram templates you can click and edit right away.
Deception Technology: Use Cases & Implementation ApproachesPriyanka Aash
Deception over the years
• Millions of years in Natural World for survival/aggression
• Millions of years in bacteria and virus to thrive
• 1000s of years in Warfare/Military to attack or defend
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
F. Questier, Computer security, workshop for Lib@web international training program 'Management of Electronic Information and Digital Libraries', university of Antwerp, October 2015
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that, this is what an attacker would do. They won’t just try to attack your quarterly code reviewed main web site, or consumer mobile app. They won’t directly attack your PCI relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
Presented at the Saskatchewan Access, Privacy, Security and Records Management Forum 2012, in June 2012.
This is a modified version, since I am not including the videos online.
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
This is the June 2022 issue of the Journal of Physical Security. In addition to the usual editor’s rants and news about security, this issue has papers about ZigBee vulnerabilities, practical password cracking, humor & security, the costs of police body camera video storage, tips for reducing security guard turnover, and FDA & DHS blessing of security technologies.
Back issues of the Journal can be found at http://jps.rbseurity.com
Vulnerability Assessment: The Missing Manual for the Missing Link Roger Johnston
Vulnerability Assessment: The Missing Manual for the Missing Link. Now available as an ebook, paperback, or hardcover.
This book is written by a Vulnerability Assessor with 35+ years of experience. The book covers the common misconceptions and problems with how Security Vulnerability Assessments are thought of and done. Various security tips and advice are also offered. If you do or think about security, you need this book!
This March 2021 issue of the Journal of Physical Security has papers on:
• tax credits for physical security R&D
• pinhole cameras for surreptitious surveillance
• insider threat issues
• tamper-indicating seals for fast food in the era of Covid
• security for sealed radiological sources
Back issues are available for free at https://jps.rbsekurity.com
This is the Oct 2020 issue with the usual security news and editor's rants, plus Viewpoint papers on Security Assurance and Election Security.
Back issues are available at http://jps.rbsekurity.com
A New Approach to Vulnerability AssessmentRoger Johnston
Most organizations don't do Vulnerability Assessment, or confuse them with something else, or do them but not very effectively, imaginatively, or proactively, thinking like the bad guys. Here is some practical advice for how to do better from a Vulnerability Assessor with 35+ years of experience.
We can't test our way to good #security. Why? Because we can't test—or prevent—what we have not envisioned. (Think 9/11.) Effective, imaginative vulnerability assessments are essential. This book explains how to do them based on the 35+ years experience of a Vulnerability Assessor.
This book is the missing manual for the missing link: It provides practical advice on how to do effective, imaginative, proactive Vulnerability Assessments based on the authors 30+ years of experience as a vulnerability assessor.
In addition to the usual security news and editor's rants about security, this issue (Volume 12, Issue 3) has papers about:
• automatic vehicle security gates
• 3D magnetometer arrays as a more secure replacement for BMS
• best practices in physical security
• design reviews vs. vulnerability assessments
JPS, a peer reviewed journal, is hosted by Right Brain Sekurity as a free public service. See http://jps.rbsekurity.com
In addition to the usual security news and editor’s rants about security, this (August 2019) issue has papers about security by design,defeating electronic locks with radio frequency attack tools, poor seal practice with pressure-sensitive adhesive label seals, wargaming Brexit, and a revised and updated list of popular (mostly smart ass) security maxims.
This is the August 2018 issue of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security, this issue has papers on
• election security
• physical security networks
• technology for tracking sealed radiological sources
• an analysis of active shooter training videos
• whether security belongs under Facility Management (Operations)
JPS is hosted as a public service by Right Brain Sekurity, a small company devoted to vulnerability assessments, security consulting, and R&D.
This session provides a comprehensive overview of the latest updates to the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly known as the Uniform Guidance) outlined in the 2 CFR 200.
With a focus on the 2024 revisions issued by the Office of Management and Budget (OMB), participants will gain insight into the key changes affecting federal grant recipients. The session will delve into critical regulatory updates, providing attendees with the knowledge and tools necessary to navigate and comply with the evolving landscape of federal grant management.
Learning Objectives:
- Understand the rationale behind the 2024 updates to the Uniform Guidance outlined in 2 CFR 200, and their implications for federal grant recipients.
- Identify the key changes and revisions introduced by the Office of Management and Budget (OMB) in the 2024 edition of 2 CFR 200.
- Gain proficiency in applying the updated regulations to ensure compliance with federal grant requirements and avoid potential audit findings.
- Develop strategies for effectively implementing the new guidelines within the grant management processes of their respective organizations, fostering efficiency and accountability in federal grant administration.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Understanding the Challenges of Street ChildrenSERUDS INDIA
By raising awareness, providing support, advocating for change, and offering assistance to children in need, individuals can play a crucial role in improving the lives of street children and helping them realize their full potential
Donate Us
https://serudsindia.org/how-individuals-can-support-street-children-in-india/
#donatefororphan, #donateforhomelesschildren, #childeducation, #ngochildeducation, #donateforeducation, #donationforchildeducation, #sponsorforpoorchild, #sponsororphanage #sponsororphanchild, #donation, #education, #charity, #educationforchild, #seruds, #kurnool, #joyhome
Donate to charity during this holiday seasonSERUDS INDIA
For people who have money and are philanthropic, there are infinite opportunities to gift a needy person or child a Merry Christmas. Even if you are living on a shoestring budget, you will be surprised at how much you can do.
Donate Us
https://serudsindia.org/how-to-donate-to-charity-during-this-holiday-season/
#charityforchildren, #donateforchildren, #donateclothesforchildren, #donatebooksforchildren, #donatetoysforchildren, #sponsorforchildren, #sponsorclothesforchildren, #sponsorbooksforchildren, #sponsortoysforchildren, #seruds, #kurnool
ZGB - The Role of Generative AI in Government transformation.pdfSaeed Al Dhaheri
This keynote was presented during the the 7th edition of the UAE Hackathon 2024. It highlights the role of AI and Generative AI in addressing government transformation to achieve zero government bureaucracy
A process server is a authorized person for delivering legal documents, such as summons, complaints, subpoenas, and other court papers, to peoples involved in legal proceedings.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Russian anarchist and anti-war movement in the third year of full-scale warAntti Rautiainen
Anarchist group ANA Regensburg hosted my online-presentation on 16th of May 2024, in which I discussed tactics of anti-war activism in Russia, and reasons why the anti-war movement has not been able to make an impact to change the course of events yet. Cases of anarchists repressed for anti-war activities are presented, as well as strategies of support for political prisoners, and modest successes in supporting their struggles.
Thumbnail picture is by MediaZona, you may read their report on anti-war arson attacks in Russia here: https://en.zona.media/article/2022/10/13/burn-map
Links:
Autonomous Action
http://Avtonom.org
Anarchist Black Cross Moscow
http://Avtonom.org/abc
Solidarity Zone
https://t.me/solidarity_zone
Memorial
https://memopzk.org/, https://t.me/pzk_memorial
OVD-Info
https://en.ovdinfo.org/antiwar-ovd-info-guide
RosUznik
https://rosuznik.org/
Uznik Online
http://uznikonline.tilda.ws/
Russian Reader
https://therussianreader.com/
ABC Irkutsk
https://abc38.noblogs.org/
Send mail to prisoners from abroad:
http://Prisonmail.online
YouTube: https://youtu.be/c5nSOdU48O8
Spotify: https://podcasters.spotify.com/pod/show/libertarianlifecoach/episodes/Russian-anarchist-and-anti-war-movement-in-the-third-year-of-full-scale-war-e2k8ai4
Russian anarchist and anti-war movement in the third year of full-scale war
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
1. Vulnerability Assessments, Physical
Security, and Nuclear Safeguards
Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team
Argonne National Laboratory
630-252-6168 rogerj@anl.gov
http://www.ne.anl.gov/capabilities/vat
2. Vulnerability Assessment Team (VAT)!
Sponsors
• DoD
• DOS
• IAEA
• Euratom
• DOE/NNSA
• private companies
• intelligence agencies
• public interest organizations
The VAT has done vulnerability
assessments on ~1000 different
security & safeguards
devices, systems, & programs.
3.
4. Domestic Nuclear Safeguards
• is MPC&A
• is a traditional security application:
ü the “good guys” own the assets & facilities
ü the (unknown) adversaries are a small number of
individuals with limited resources
ü secrecy is allowed
ü the attacks must often be quick
ü the “good guys” can use the facility infrastructure,
personnel, & training to counter the adversary
5. International Nuclear Safeguards
• is treaty monitoring, not MPC&A
• is not a traditional security
application—everything is backwards:
ü the adversary owns the assets & facilities
ü the (known) adversary is the host nation and can deploy
world-class technology & resources to defeat the safeguards
ü the “good guys” aren’t present most of the time
ü no secrecy—details must be negotiated & transparent
ü the attacks can often be leisurely
ü the adversary can use the facility infrastructure,
personnel, & training to help defeat the safeguards
6. Domestic vs. International
Nuclear Safeguards
The differences are so extreme, we must be suspicious
when similar hardware, strategies, expertise, and
personnel are used.
These differences are widely recognized
in theory…but not in practice.
7. Other International Safeguards Problems
Ø Cooperative Nuclear Safeguards gets confused with
International Nuclear Safeguards
Ø Denial & cognitive dissonance
Ø Vulnerability assessments that are weak, non-existent,
or done too late to make changes
Ø Hijacking of the term & concept of “Transparency”
Ø Lots of bureaucrats & engineers who don’t understand
physical security
8. Other International Safeguards Problems
Ø Technologists push their pet technology rather than
solving the problem
Ø Diplomats want simple solutions
Ø Safeguards programs tend to have a life of their own
beyond true needs
Ø Details of inspections & safeguards can become bones
of geopolitical contention
Ø Disparate national and security cultures
9. Other International Safeguards Problems
Ø Poor tamper/intrusion detection in general
Ø Thinking a mechanical tamper switch provides effective
intrusion detection
Ø Wishful thinking about information barriers
Ø No background checks on IAEA inspectors!
10. Warning!
You should always assume a security or safeguards
device or system can be easily defeated, because it
usually can.
Effective security & safeguards are very difficult.
We can only get good at them if we understand this.
Be wary of silver bullets—they don’t exist!
11.
12. Definition
Security Theater: sham or ceremonial security;
Measures that ostensibly protect people or assets but
that actually do little or nothing to counter adversaries.
13. Security Theater
1. Best way to spot it is with an effective thorough VA.
2. Next best is to look for the characteristic attributes:
• Sense
of
urgency
• A
very
difficult
security
problem
• Involves
fad
and/or
pet
technology
• Ques=ons,
concerns,
&
dissent
are
not
welcome
or
tolerated
• The
magic
security
device,
measure,
or
program
has
lots
of
“feel
good”
aspects
to
it
• Strong
emo=on,
over
confidence,
arrogance,
ego,
and/or
pride
related
to
the
security
• Conflicts
of
interest
• No
well-‐defined
adversary
• No
well-‐defined
use
protocol
• No
effec=ve
VAs;
no
devil’s
advocate
• The
technical
people
involved
are
mostly
engineers
• Intense
desire
to
“save
the
world”
leads
to
wishful
thinking
• People
who
know
liOle
about
security
or
the
technology
are
in
charge
14.
15. Why High-Tech Devices & Systems Are
Usually Vulnerable To Simple Attacks
Many more legs to attack.
Users don’t understand the device.
The “Titanic Effect”: high-tech arrogance.
Still must be physically coupled to the real world.
Still depend on the loyalty & effectiveness of user’s personnel.
The increased standoff distance decreases the user’s attention to detail.
The high-tech features often fail to address the critical vulnerability issues.
Developers & users have the wrong expertise
and focus on the wrong issues.
16. Blunder: Thinking Engineers Understand Security"
Engineers...
• ...work in solution space, not problem space
• …make things work but aren't trained or mentally inclined to figure out how to make
things break
• ...view Nature or economics as the adversary, not the bad guys
• …tend to think technologies fail randomly, not by deliberate, intelligent, malicious
intent
• …are not typically predisposed to think like bad guys
• …focus on user friendliness—not making things difficult for the bad guys
• ...like to add lots of extra features that open up new attack vectors
• …want products to be simple to maintain, repair, and
diagnose, which can make them easy to attack
17. Blunder: Wrong Assumptions about Counterfeiting
Ø Usually much easier than developers, vendors,
& manufacturers claim.
Ø Often overlooked: The bad guys usually only needed to
mimic only the superficial appearance of the original
and (maybe) some of the apparent performance.
18. Data Encryption/Authentication
At least currently, data encryption/authentication should have
only a marginal role to play in international safeguards because:
• not conducive to transparency & international cooperation
• of minimal use given our poor physical security & tamper/intrusion detection
• the data remanence problem hasn’t been solved
• pointless if you can’t believe the sensors, the raw data, & the data analysis
in the first place
• the adversary may have access to the plaintext so he can go beyond
ciphertext-only crytoanalysis
• it’s easy to eavesdrop on keys and passwords
19. Warning: Multiple Layers of Security
(“Security in Depth”)
Ø Increases complexity.
Ø Multiple layers of bad security do not equal good security.
Ø It’s unlikely the adversary has to defeat all the layers.
Ø Often mindlessly applied: the layers are not automatically backups for
each other. They may have common failure modes, or even interfere
with each other.
Ø Leads to complacency.
Ø Tends to be a cop-out to avoid improving security
Ø Often a knee-jerk response when security hasn’t been thought through.
Ø How many sieves do you have to stack up
before the water won’t leak through?
20. Blunder: The Band Aide / Kitchen Sink Approach to Security
Ø Only worry about security at the end
Ø Arbitrarily slap on a number of features,
sensors, or fad technologies in hopes the
whole mess somehow results in good
security.
21. Confusing Inventory & Security
Inventory
§ Counting and locating stuff
§ No nefarious adversary
§ May detect innocent errors by insiders, but not
surreptitious attacks by insiders or outsiders.
Security
§ Meant to counter nefarious adversaries (insiders and
outsiders)
§ Watch out for mission creep: inventory systems
that come to be viewed as security systems!
22. Examples of confusing Inventory & Security
• rf transponders (RFIDs)
• prox cards
• contact memory buttons
• GPS
• Nuclear MC&A
Usually easy to:
* lift
* counterfeit
* tamper with the reader
* spoof the reader from a distance
Very easy to spoof,
not just jam!
23. A Sampling of RFID Hobbyist Attack Kits
Available on the Internet
Commercial: Used for “faking RFID tags”, Commercial: $20 Car RFID Clone (Walmart) “reader development.”
RFID Skimmers, Sniffers, Spoofers, and Cloners; oh my! Documents, code, plans needed to build your own: free.
There
is
a
huge
danger
to
customers
using
this
(RFID)
technology,
if
they
don't
think
about
security.
-‐-‐
Lukas
Grunwald
(creator
of
RFDump)
24. (Incidentally, Prox Cards are RFIDs!)
[But then most (all?) access control and biometric devices are easy to defeat.]
25. GPS: Not a Security Technology
Ø The private sector, foreigners, and 90+% of the
federal government must use the civilian GPS
satellite signals.
Ø These are unencrypted and unauthenticated.
Ø They were never meant for critical or security
applications, yet GPS is being used that way!
Ø GPS signals can be: Blocked, Jammed, or
Spoofed
27. Spoofing Civilian GPS Receivers
• Easy to do with widely available GPS satellite
simulators.
• These can be purchased, rented, or stolen.
• Not export controlled.
• Many are surprisingly user friendly. Little
expertise is needed in electronics, computers,
or GPS to use them.
• Spoofing can be detected for ~$15
of parts retail (but there’s no interest).
31. Some Potential GPS Spoofing Attacks
• Crash national utility, financial, telecommunications & computer networks
that rely on GPS for critical time synchronization
• Steal cargo or nuclear material being tracked by GPS
• Install false time stamps in security videos or financial transactions
• Send emergency response vehicles to the wrong location after an attack
• Interfere with military logistics (DoD uses civilian GPS for cargo)
• Interfere with battlefield soldiers using civilian GPS (against policy, but
common practice anyway)
• Spoof GPS ankle bracelets used by courts and GPS data loggers used for
counter-intelligence
• The creativity of the adversary is the only limitation
32.
33. Terminology
lock: a device to delay, complicate,
and/or discourage unauthorized entry.
(tamper-indicating) seal = tamper-indicating
device (TID): a device or material that leaves
behind evidence of unauthorized entry.
34. Terminology
defeating a seal: opening a seal, then resealing
(using the original seal or a counterfeit) without
being detected.
attacking a seal: undertaking a sequence
of actions designed to defeat it.
35. A seal is not a lock.
Yanking a seal off a container is not defeating it!
35
Seal Fact
36. Seals
Some examples of the 5000+ seals
Ø customs
Ø cargo security
Ø counter-terrorism
Ø nuclear safeguards
Ø treaty inspections
Example Seal Applications:
Ø banking & couriers
Ø drug accountability
Ø records & ballot integrity
Ø evidence chain of custody
Ø weapons & ammo security
Ø IT security
Ø medical sterilization
Ø instrument calibration
Ø tamper-evident packaging
Ø waste management &
HAZMAT accountability
37. Seal Use Protocol
A seal is no better than its formal and informal
“use protocol”...
...how the seal is:
• manufactured
• procured
• shipped
• stored
• checked out
• installed
• inspected
• removed
• destroyed after use
• And how the seal data and reader are stored & protected and
• How the seal installers/inspectors are trained.
38. Seals are easy to defeat: Percent of seals that can
be defeated in less than a given amount of time by
1 person using only low-tech methods
39. The Good News: Countermeasures
• Most of the seal attacks have simple
and inexpensive countermeasures,
but the seal installers & inspectors
must understand the seal vulnerabilities,
look for likely attacks, & have extensive
hands-on training.
• Also: better seals are possible!
40. 40
Conventional Seal: Stores the evidence of
tampering until the seal can be inspected. But
this ‘alarm condition’ is easy to erase or hide (or
a fresh seal can be counterfeited).
Anti-Evidence Seal: When the seal is first
installed, we store secret information that
tampering hasn’t been detected. This is
deleted when the seal is opened. There’s
nothing to erase, hide, or counterfeit.
41. 20+ New “Anti-Evidence” Seals
• better security
• no hasp required
• no tools to install or remove seal
• can go inside the container
• 100% reusable, even if mechanical
• can monitor volumes or areas, not just portals
• anti-gundecking and host-inspected seals are possible
Talking Seal
Tie Dye Seal Chirping Tag/Seal Time Trap
42.
43. Facts About Access Control & Biometric Devices
For most security devices (including biometrics and
access control devices), it’s easy to:
• clone the signature of an authorized person
• do a man-in-the-middle (MM) attack
• access the password or key
• copy or tamper with the database
• “counterfeit” the device
• install a backdoor
• replace the microprocessor
• tamper with the software
44. Backdoor, Counterfeit, and MM Attacks
The importance of a cradle-to-grave, secure chain of
custody:
As with most security devices, AC devices can usually be
compromised in 15 seconds (at the factory or vendor, on the
loading dock, in transit, in the receiving department, or after
being installed).
Most “security” and safeguards devices have little built-in
security or ability to detect intrusion/tampering.
48. 50 Years of Cognitive Psychology Research!
• People are remarkably poor observers.
• They don’t realize how bad they are.
• “Perceptual Blindness” = “Inattentional Blindness”:
the phenomena of not being able to perceive things
that are in plain sight, especially if you’re focused on
a particular visual task.
• “Change Blindness” (a kind of Perceptual Blindness):
observers often fail to notice changes—including blatant
ones—even when the changes are expected.
49. Consequences for Security!
There are serious implications for security guards
& safeguards inspectors, especially those who:
ü check security badges
ü watch video monitors
ü make daily rounds
ü inspect seals
ü guard gates
ü operate safeguards equipment
ü etc.
50. Largely Unstudied Human Factors in Security
Ø Two-Person Rule
Ø Security Culture & Security Climate
Ø Correlations between employee attitudes
& the rate of security incidents
Ø Reducing security guard turnover
Ø The psychology of seal inspection
Ø Countermeasures to perceptual blindness
Ø Human factors in nuclear safeguards inspections
Ø Mitigating the Insider Threat
51.
52. Transparent, Negotiable, Reliable
Video Verification for Treaty Inspection
Relatively low-tech ways to make faking live streaming
video difficult in real-time.
Live Verify: Show that the video signals are real-time,
not pre-recorded.
Local Verify: Show they originate within at least a few
km of the monitored nuclear facility (based on time of flight).
Time of flight of electronic signals down a wire: 20 cm per nsec
Video bandwidth: 27-140 MHz
(37 nsec à 7 meters to 7 nsec à 1.4 meter)
53. Live & Local Video Verify
Works best if the inspectors are a few km outside the
facility, recording the live video.
They can occasionally enter the facility for in-person
inspections.
Recorded live video can be analyzed later (frame by frame,
pixel by pixel) for evidence of fakery.
56. For More Information...
~250 related papers, reports, and
presentations (including this one)
are available from
ROGERJ@ANL.GOV
http://www.ne.anl.gov/capabilities/vat
58. Adversarial Vulnerability Assessments
• Perform
a
mental
coordinate
transforma=on
and
pretend
to
be
the
bad
guys.
(This
is
much
harder
than
you
might
think.)
It is sometimes expedient to forget who
we are. -- Publilius Syrus (~42 BC)
• Be
much
more
crea=ve
than
the
adversaries.
They
need
only
stumble
upon
1
vulnerability,
the
good
guys
have
to
worry
about
all
of
them.
It’s really kinda cool to just be really creative and
create something really cool. -- Britney Spears
59. Adversarial Vulnerability Assessments
• Don’t
let
the
good
guys
&
the
exis=ng
security
infrastructure
and
tac=cs
define
the
problem.
Evil will always triumph because good is dumb.
-- Rick Moranis, as Dark Helmet in Spaceballs (1987)
• Gleefully
look
for
trouble,
rather
than
seeking
to
reassure
yourself
that
everything
is
fine.
On a laser printer cartridge: “Warning. Do not eat toner.”
60. We need to be more like fault finders. They find
problems because they want to find problems, and
because t hey are skeptical:
• bad guys
• therapists
• movie critics
• computer hackers
• scientific peer reviewers
• mothers-in-law
I told my psychiatrist that everyone hates
me. He said I was being ridiculous--
everyone hasn’t met me yet.
-- Rodney Dangerfield (1921-1997)
“Two mothers-in-law.”
-- Lord John Russell (1832-1900), on being asked what
he would consider proper punishment for bigamy.
61. Terminology
tag: an applied or intrinsic feature that uniquely identifies an
object or container.
types of tags
inventory tag (no malicious adversary)
*security tag (counterfeiting & lifting are issues)
*buddy tag or token (only counterfeiting is an issue)
anti-counterfeiting (AC) tag (only counterfeiting is an issue)
lifting: removing a tag from one object or container
and placing it on another, without being detected.
62. Polygraphs = Snake Oil
National Academy of Sciences $860,000 study:
“The Polygraph and Lie Detection” (October 2002)
http://www.nap.edu/books/0309084369/html/
Some Conclusions:
“Polygraph test accuracy may be degraded by countermeasures…”
“…overconfidence in the polygraph—a belief in its accuracy that goes
beyond what is justified by the evidence—…presents a danger to national
security…”
“Its accuracy in distinguishing actual or potential security violators from
innocent test takers is insufficient to justify reliance on its use in employee
security screening…”