23 September 2011
ASIS Annual Seminar & Exhibits, Orlando, FL
I attended the convention this past week. More than 20,000 people attended. There were at least 700 exhibitors. These are my high altitude observations.
- No major tech breakthroughs--albeit there were numerous brilliant nuances of existing tech.
- Intelligent video and video analytics have made tremendous advances. See www.3vr.com; www.briefcam.com; www.genetec.com; and others.
- Facial recognition is getting close, but, in my opinion, still not ready for prime time.
- Enhanced video applications and intelligent systems integration products are impressive this year. (See www.scallopimaging.com; www.alertenterprise.com; www.feelingsoftware.com; and others)
- IP networking is everywhere, everywhere, everywhere.
- Biometrics appear to be trending toward fingerprint identification.
- Foreign companies exhibiting products are up.
- Sources for megapixel cameras at 15 MP and up are increasing and the prices are coming down. (See www.logipix.com; www.arecontvision.com; and others)
- LED IR light sources with tremendous range--up to 500 meters (according to manufacturer's specs). (See Claritii 500; www.vumii.com)
- CISCO exhibited again this year. (See www.cisco.com/go/physec) Other leading IT companies are likely to follow. Convergence is here! Pen testing must be accompanied by physical security pen testing.
- The security industry has recognized that RFID is vulnerable and fixes are being developed. (See www.HIDGlobal.com; and others)
- Significant increase in thermal and IR imaging this year. (See www.flir.com; and others)
- Cloud technology made a modest, initial appearance. (See www.intransa.com; Nimbus 24/7 at www.niscayah.us; and others)
- No noteworthy advances in security operating system platforms. All the usual suspects attended.
- Supervision of fiber optics is finally being addressed. (See www.fft-usa.com)
- Grossly underappreciated but really exceptional security products are still showing up--thankfully. (See www.protechusa.com)
30 August 2011
The Militarization of the CIA
It is understandable that many of the CIA directors (DCIs) in the early days would come from the military. The Agency was, after all, an element of the War Department during WWII. In fact, even today, by Charter, if Congress declares War, the Agency is subordinated to the Pentagon. During my stint at the Agency in the 1970s, however, there was a concerted effort to separate it from the military. This was an important check and balance. During the height of the Cold War, the Pentagon--it was alleged--tended to hype intelligence to support appropriation requests and other vested interests. And because of that, the importance of pure objectivity in reporting intelligence was constantly stressed during my CT training. In recent years, the trend has shifted again. DCIs from the military or with strong military ties are Turner, Gates, Hayden, and now, Petraeus. It is troubling!
11 August 2011
Using the PLC's own software library, we were able to not only unlock any door in the prison system, but we could also send false status signals back to central and/or housing control reporting that the door is closed and locked. Our results were far better than we expected.
04 August 2011
PLCs and Security Systems
The vast majority of electronic security systems DO NOT use PLCs in their architecture.
30 July 2011
Posting by John Strauchs, Tiffany Rad and Teague Newman
The U.S. government secures its worst liabilities in correctional facilities. However, not many people outside the corrections community knew (or for that matter, know) that prison electronic systems were controlled by PLCs or that there are vulnerabilities in those PLCs that could put their lives at risk and those of prisoners in correctional facilities if proper system patches and computer usage policies are not followed. Even within the correctional system, very few people knew unless they were directly involved in the design and construction of a prison. Having completed more than 100 justice design projects, I believe I have the bona fides as an expert in this arena.
Is it even rational or logical to believe that it is widely known that prisons use PLCs? It is just as unlikely that the law enforcement officers or guards within prisons know what a PLC is, or more than “PLCs have something to do with Iranian nuclear facilities.”
You might as well claim that everyone knows that the machines that shave the macadam from roadways before they are repaved use tungsten carbide bits. People are just not that interested in that kind of technical detail to bother either knowing or remembering. Now that this vulnerability is finally being discussed and critiqued, the first steps in the remediation of this problem are being taken.
Ralph Langner’s letter to the U.S. Representatives to inform them about SCADA and PLC vulnerabilities – as well as about Stuxnet “copy-cat” attacks on critical infrastructure -- was released the same day we publicized our work. Our research team commends Mr. Langner for highlighting the fact that while PLC vulnerabilities and exploits are not new – they have existed for many years – awareness of the importance of adhering to secure computing practices is important to curtailing future malicious attacks on PLC systems.
Our team has been asked: what are the countermeasures to mitigate the risk? There are some vulnerabilities in PLCs that cannot be “fixed”. Rather, the most effective defense lies in the employees who interact with PLCs as part of the correctional system.
Education and awareness of 1) the existence of PLCs in correctional facilities, 2) the importance of adhering to common-sense computer usage policies, and 3) air gapping and patching/updating networks and software are the recommendations our team makes in our white paper and in our Defcon 19 presentation.
While we wrote custom exploits for proof-of-concept, these exploits will not be released and are not crucial to our discovery—the vulnerability is. Security through obscurity has never made security better nor has assuming that “everyone knows already.” In this case, those facts could not be farther from the truth.
Since Kim Zetter published her article about our research on Wired.com, it has brought a lot of public discussion and education about PLC vulnerabilities. Over the past two days, Kim’s article on the front page of Wired has also been one of the “top tweets” of Wired’s on Twitter. People reading it have the “oh, wow…” response, just as we did when we made the discovery. Seeing re-tweets of the Wired article around the world has been rewarding to the team and is exactly what we hoped for. Our educational and informational efforts are being achieved. That, alone, will improve security in correctional facilities.
As for the manufacturers of PLCs, they know of these vulnerabilities. We are not as concerned about informing them as we are about informing government agencies and those who work in secure facilities with PLCs. We have been asked to share our exploits with these manufacturers and we are working with them and interested US government agencies that contacted us. For that reason, it took us 3 months to get the “ok” to publicly discuss our research. We believe that the manufacturers are working on what they can fix and, as a result, we are not advocating removing PLCs from facilities but, instead, addressing the vulnerabilities through awareness and education of the people working in facilities with PLCs.
In summary, as is referenced in our white paper, the correctional facility security system should not have external connections, or if that can’t be avoided, connections need to be safeguarded by security protocols – not security-through-obscurity--and systemic technical countermeasures. Additionally, the correctional facility’s security managers and the IT managers should mutually and continuously coordinate their activities so that both sides always know what the other is doing. Finally, no one should ever be permitted to use work stations for personal activities like checking private e-mail or viewing images -- both of which our team saw during on-site evaluations of correctional facilities.
When it comes to re-evaluating security in correctional facilities, security of network connections into and out of correctional facilities, where the U.S. contains its worst liabilities, should be just as robust as the security the U.S. government put into its most valuable, secure assets. Right now, the disparity between the two is extreme.
29 July 2011
PLC Exploits
It is self-evident that Stuxnet-type attacks on SCADA and other electronic systems that use PLCs have far deeper roots than most observers can imagine. Attend or follow our presentation at DefCon 19, Las Vegas, on 07 August 2011 at 5 p.m. The White Paper, "SCADA & PLC Vulnerabilities in Correctional Facilities," will be available. We will also be cited in Wired magazine.
28 July 2011
Recursion Ventures
Recursion Ventures names John J. Strauchs as Director of Physical Security Services.
29 December 2009
TSA’s knee-jerk responses to the Detroit airport attack
There is a reason that our society doesn’t allow cops to write laws and leaves that up to legislatures and a, thankfully, cumbersome process. It is not what cops are good at. They are outstanding at enforcing laws—not writing them. Another way of looking at this: give a little boy a hammer and he will immediately determine that everything needs hammering. But—there is a world in which cops do craft laws…the world of TSA and Executive Branch directives. If TSA thought it could get away with it, every airport would require body cavity strip searches, including for your 95-year-old granny. And, airline passengers would be padlocked into their seats. They evidently do believe that they can get away with forbidding potty breaks during the last sixty minutes (a magic number I suppose) of a flight, shutting off in-flight movies, and banning most carry-ons, blankets and pillows. Hopefully, these knee-jerk decisions will go the way of the past bans on nail clippers, miniature round-nosed sewing kit scissors, and matches. Rather than remedy the actual abysmal failures that allowed this attack, a White House that is notoriously weak on defending America against radical Islamic terrorists will let the cops write new laws. A robust intelligence service is the answer--not banning potty breaks.
18 SEPTEMBER 2009
The gutting of the CIA
Our very best and most effective defense against international terrorism is a strong and vibrant intelligence service. Watching an interview of Dr. Michael Scheuer on Fox, I had pause for contemplation. Nixon forced out Richard Helms who may very well have been the best DCI, ever. Clinton hamstrung the CIA. Now, Obama and Holder are eviscerating it. That is, of course, hardly a surprise. The President’s view of the Agency is self-evident. The FBI is taking over all interrogations. Super wacky people like Sunstein are in charge of new regulations. Obama appointed a well-meaning political hack as DCI (who seems to be trying to make it work). A Naval officer is now the intelligence czar and yet another governor was made head of homeland security. Maybe the only bright reflection in this murky pool is that Brennan was made the terrorism czar, if he doesn’t resign like Melissa Hathaway (too bad) and Rod Beckstrom (thank Goodness). Over the past few decades I have seen friends resign from the Agency—often the best and the brightest. Our very best and most effective defense is evaporating. As Pogo wisely uttered, “we have met the enemy and he is us.”
09 SEPTEMBER 2009
The Dying of Melody
It may have started with Rap, but melody probably contracted a terminal illness from N Sync in 1995. Talksinging! Try whistling contemporary music. You probably can't.
02 AUGUST 2009
Adam Savage, Mythbusters, was a main attraction at DEFCON 17 in Las Vegas this week. See the link to my article about Mythbusters in "Articles."
20 JULY 2009
Death of the Town Crier
With the passing of Walter Cronkite the last vestige of objective journalism has evaporated into the miasma of pseudo journalism. Cronkite wasn’t perfect, especially after his retirement, but he was as close to unvarnished news as we are likely to ever get. In his wake, the spin is accelerating. We will see more fluffy interviews of people who either don’t have newsworthy knowledge or who we know ahead of time won’t answer questions or won’t answer honestly. News will be padded and fluffed up. Then again, just as we get the government we deserve, so too we will get the news we deserve. Hello Katie Couric!
10 MAY 2009
Avaak Vue Personal Video Network has developed a wireless video camera that doesn’t use Wi-Fi and, therefore, can run for a year on a lithium-ion battery. It was developed under a grant from the U.S. Navy and DARPA. Although it is sold as a consumer product (i.e. Nanny-cam), it has creative security application potential. (www.vuezone.com) (Popular Science, May 2009)
02 MAY 2009
Ask a Global-Warmer to show you evidence that human activity can affect global warming in a meaningful way and he or she will give you proof that the earth is warming and glaciers are melting. Explain that your question wasn't answered and he or she will give you more proof that the climate is changing. Al is such a trickster!
01 MAY 2009
Do you need to refresh your Weltanschauung? Re-read Mark Twain's Letters from the Earth.
25 APRIL 2009
President Obama appointed a political hack to be the Director of the CIA, another governor to run Homeland Security, and Rosa Brooks to babysit the Joint Chiefs of Staff at the Pentagon. His intentions toward the Agency couldn’t be clearer!
24 APRIL 2009
Production Weekly is reporting that Leonardo DiCaprio is looking to produce a remake of the classic 1983 hacker film WarGames.
Strauchs LLC recently started a new project involving the Defense Department’s Base Alignment and Relocation Program (BRAC) with American Security Programs.
23 APRIL 2009
IIAPSC Conference, Palm Springs, CA
John Strauchs will be attending the annual conference of the International Association of Professional Security Consultants in Palm Springs from 26 to 30 April 2009.
Security Technology Transfer
Air Wick recently released a new product that utilizes a sensor that detects changes in light in front of a room odorizer to trigger a spurt of fragrance—spin-off security technology.
New Technology is Old Technology
Hedy Lamarr, 1940s movie star, holds a shared patent for frequency-hopping, spread spectrum radio signals. She and her husband came up with the technology to prevent radio-controlled American torpedoes from having their signals jammed by the Germans during WWII. It was based on using player piano paper rolls. Among many other applications today, if you have a secure garage door opener, it is possible that it used Hedy’s patent. She received an award for her invention in 1997 in New York City.
21 APRIL 2009
Rambo
David Morrell’s early novel, First Blood, introduced his emblematic character, Rambo. David came up with the name while grocery shopping with his wife. Rambo is the name of a kind of apple.
Wendell Willkie
It is worth reading One World by Wendell L. Willkie (New York: Simon & Schuster, 1943) to see that the world and politics haven’t changed nearly as much as we think it has.
18 APRIL 2009
Security in Hollywood, Myths and Legends
- Panic Room: This is a room designed for temporary refuge from intruders. Only Hollywood calls them panic rooms. Everyone in security or intelligence calls them safe rooms. Moreover, they only need to resist forced entry for as long as it takes a security or law enforcement response to arrive. Sorry Jodie Foster!
- Sneakers: These are supposed to be people who specialize in defeating security systems to test effectiveness. Alas—they’re not called sneakers. Some call them tiger teams and others either red hats or black hats. Sneakers are a kind of shoe.
- The motion picture, Sneakers, is full of subtle, deliberate technical errors so as not to make a training film for criminals. Hardly anyone noticed!
- Holding a lighter under a sprinkler head does not cause all sprinkler heads to activate—only the one above the lighter.
- Blowing powder from a compact, puffing cigarette smoke or dispersing other common substances will not make invisible infrared beams become visible.
- Attaching a cool high-tech gadget to a closed-circuit television (CCTV) camera will not result in being able to see what that or any other camera sees. It is theoretically possible to use induction to capture a signal from coaxial cable, but the signal would be too poor to be of any value.
- If you call someone a CIA agent, that person is a foreign national. If he or she is American, you might want to use the term case officer.
15 APRIL 2009
Cheesesteaks
For the best cheesesteaks in the nation, find Zandy’s in Allentown, PA.
Coffee
Brewed coffee isn’t worth drinking after seven minutes.











