Showing posts with label Identification.

February 21, 2018

From Malware To Malevolent People

So in virus protection on the computer, there are 2 common ways antivirus software works:

1) Signature Detection - There are known patterns of viruses and the antivirus software looks for a match against one of these. 

2) Behavior Detection - There are known patterns of normal behavior on the computer, and the antivirus software looks for deviations from this. 

Each has certain weaknesses:

- With signature detection, if there is a zero-day exploit (i.e., a virus that is new and therefore has no known signature), it will not be caught by a blacklist of known viruses.

- With behavior detection, some viruses that are designed to look like normal network or application behavior will not be caught by heuristic/algorithm-based detection methods.

For defense-in-depth then, we can see why employing a combination of both methods would work best to protect from malware. 
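The two detection methods and their blind spots, as an added example that is not part of the original post. The signature names, byte patterns, baseline numbers, and the z-score threshold are all constructed for illustration; the z-score check stands in for the heuristics the post mentions.

```python
import statistics

# Constructed signature database: byte patterns taken from "known" samples.
SIGNATURES = {
    "Demo.Dropper.A": b"\xde\xad\xbe\xef\x13\x37",
    "Demo.Worm.B": b"DEMO-WORM-MARKER",
}

# Constructed baseline of normal activity on this host:
# (files written per minute, outbound connections per minute).
BASELINE = [(3, 2), (4, 1), (2, 2), (5, 3), (3, 1), (4, 2), (2, 1), (3, 3)]
Z_THRESHOLD = 3.0  # assumed cut-off: more than 3 standard deviations is abnormal


def signature_match(content: bytes):
    """Signature detection: name of the first known pattern found, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return name
    return None


def behavior_anomaly(observed, baseline=BASELINE, threshold=Z_THRESHOLD):
    """Behavior detection: True if any feature deviates too far from the baseline."""
    for i, value in enumerate(observed):
        column = [row[i] for row in baseline]
        mean = statistics.mean(column)
        stdev = statistics.stdev(column)
        if stdev and abs(value - mean) / stdev > threshold:
            return True
    return False


def classify(content: bytes, observed):
    """Defense in depth: flag the sample if either detector fires."""
    sig = signature_match(content)
    anomalous = behavior_anomaly(observed)
    return {"signature": sig, "anomalous": anomalous,
            "flagged": sig is not None or anomalous}


# Constructed samples: (file content, observed behavior).
SAMPLES = {
    # Known pattern and noisy behavior: both detectors fire.
    "known_sample": (b"MZ.." + SIGNATURES["Demo.Dropper.A"] + b"..", (40, 25)),
    # New code with no signature yet: only the behavior detector fires.
    "new_sample_no_signature": (b"MZ..never-seen-before..", (55, 30)),
    # Known pattern, but activity shaped to look normal: only the signature fires.
    "mimics_normal_behavior": (b"..DEMO-WORM-MARKER..", (3, 2)),
    # Ordinary program: neither detector fires.
    "benign_program": (b"plain text editor", (4, 2)),
}


def run_all():
    return {name: classify(c, o) for name, (c, o) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:26} {verdict}")
```

Each detector alone misses one of the two middle samples; the combined verdict catches both without flagging the benign program.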

It's interesting that these same techniques for recognizing bad computer actors can be used for identifying bad or dangerous people. 

We can look for known signatures/patterns of evil, abusive, and violent behaviors and identify those people according to their bad actions.

Similarly, we generally know what "normal" looks like (within a range of standard deviations, of course) and people who behave outside those bounds could be considered as potentially dangerous to themselves or others. 

Yes, we can't jump to conclusions with people -- we don't want to misjudge anyone or be overly harsh with them, but at the same time, we are human beings and we have a survival instinct. 

So whether we're dealing with malware or malevolent individuals, looking at patterns of bad actors and significant deviations from the normal are helpful in protecting your data and your person. ;-)

(Source Photo: Andy Blumenthal)

February 9, 2016

Cybersecurity Lost In Unknowns

Unveiled today is a new Cybersecurity National Action Plan.

This comes in the wake of another Federal data breach on Sunday at the Department of Justice, where hackers stole and published online the contact information for 9,000 DHS and 20,000 FBI personnel.

And this comes on the heels of the breach at OPM, in which sensitive personnel and security files for 21 million employees, as well as 5.6 million fingerprints, were stolen.

While it is nice that cybersecurity is getting attention with more money, expertise, public/private partnerships, and centers of excellence, what is so scary is that despite our utter reliance on everything cyber and digital, we still have virtually no security!

See the #1 definition for security--"the state of being free from danger or threat."

This is nowhere near where we are now, facing threats every moment of every day as hackers, cybercriminals, cyber spies, and hostile nation states rapidly cycle to new ways to steal our secrets and intellectual property, commit identity theft, and disable or destroy our nation's critical infrastructure for everything from communications, transportation, energy, finance, commerce, defense, and more.

Unlike with kinetic national security issues--where we regularly innovate and build more stealthy, speedy, and deadly planes, ships, tanks, surveillance and weapons systems--in cyber, we are still scratching our heads, lost in unknowns and still searching for the cybersecurity grail:

- Let's share more information

- Let's throw more money and people at the problem.

- Let's seek out "answers to these complex challenges"

These have come up over and over again in plans, reviews, initiatives, and laws for cybersecurity.

The bottom line is that today it's cyber insecurity that is prevailing, since we cannot reliably protect cyber assets and lives as we desperately race against the clock searching for real world solutions to cyber threats. 

Three priorities here...

1) Build an incredibly effective intrusion protection system
2) Be able to positively tag and identify the cyber attackers 
3) Wield a powerful and credible offensive deterrent to any threats ;-)

(Source Photo: Andy Blumenthal)

August 25, 2012

Choke Points to Checkpoints


This is some promising biometric technology from AOptix.

Enrolling in the system is the first step and means just seconds of standing in the capture field of the slender tower, and the device scans both iris and face of the person. 

The scanning captures images within seconds and the software converts the images into binary code. 

It then subsequently scans and matches the person's biometrics against the database for positive identification. 

The beauty of this system is that it is simple and fast and can be used for passenger screening, immigration, or any other access control for entry/egress for a building, location, or even to a computer system and its information.

According to Bloomberg Businessweek, the Insight Duo Towers sells for $40,000 each.

Eighty of these are currently in use at all air, land, and sea borders in Qatar.  Further, Dubai International Airport has been piloting this at a terminal that handles 40 million people per year, and it has cut immigration waiting times from 49 minutes to 22 seconds. 

This technology has obvious important applications for military, law enforcement, and homeland security, as well as even more generalized security use in the private sector.

And while very impressive, here are some concerns about it that should be addressed:

1) Enrollment of Biometrics and Personal Identification--registering for the system may only take a few seconds for the actual scan, but then verifying who you are (i.e. who those biometrics really belong to) is another step in the process not shown.  How do we know that those iris and face prints belong to Joe Schmo the average citizen who should be allowed through the eGate and not to a known terrorist on the watch list?  The biometrics need to be associated with a name, address, social security, date of birth and other personal information.

2) Rights versus Recognitions--rights to access and recognition are two different things. Just because there is iris and facial recognition, doesn't mean that this is someone who should be given access rights to a place, system or organization.  So the devil is in the details of implementation in specifying who should have access and who should not. 

3) Faking Out The System--no system is perfect and when something is advertised as accurate, the question to me is how accurate and where are the system vulnerabilities. For example, can the system be hacked and false biometrics or personal identification information changed?  Can a terrorist cell, criminal syndicate, or nation state create really good fake iris and facial masks for impersonating an enrollee and fooling the system into thinking that a bad guy is really a good guy?

4) Privacy of Personally Identifiable Information (PII)--not specific to AOptix, but to biometric solutions overall--how do we ensure privacy of the data, so it is not stolen or misused such as for identity theft?  I understand that AOptix has PKI encryption, but how strong is the encryption, how long does it take to break, and what are the policies and procedures within organizations to safeguard this privacy data?

5) Big Brother Society--biometrics recognition may provide for opportunities for safe and secure access and transit, but what are the larger implications for this to become a "big brother" society where people are identified and tracked wherever they go and whatever they do? Where are the safeguards for democracy and human rights?

Even with these said, I believe that this is the wave of the future for access control--as AOptix says, for changing choke points to checkpoints--we need a simple, fast, secure, and cost-effective way to identify friend and foe and this is it, for the masses, in the near-term.


August 19, 2011

Supercookies Are Super Invasive


You're alone sitting at the computer surfing the web, you're looking up health, financial, entertainment, shopping, and other personal things.

You feel comfortable doing your thing...you have your privacy and can be yourself without someone looking over your shoulder.

But is the sense of safety real or an illusion?

For the most part, when we are online, we are not safe or in private.

Like at work, where you get the warning that you are being monitored, when you are browsing the Internet, your actions are being tracked site by site (but this is done without warning)--by cookies--or data packets exchanged between web servers and users' browsers.

On the plus side, cookies are used for identification, authentication, preferences, and maintaining shopping cart contents; but on the negative side, they are installed on users' computers to track your activities online.

The Wall Street Journal (18 August 2011) reports that now there are Supercookies! and "history stealing."

- Supercookies are not cookies that can fly or lift locomotives, but rather they are more difficult to locate and get rid of from your computer, so they track your activities, but are hidden in different places such as in the web browser's cache.

- "History stealing" is done when you visit certain websites, and they use software to mine your web browser history to determine where you've visited and then use that to, for example, target advertising at you. Imagine though what other profiling can be compiled by categorizing and analyzing your browsing history in aggregate.

Currently, the online ad industry has established self-imposed guidelines to supposedly protect privacy, but they seem wholly inadequate such as "collecting health and financial data about individuals is permissible as long as the data don't contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records." But knowing people's household finances, credit histories, and personal medical histories is okay--by whose standard?

According to the WSJ, web tracking is not only alive and well, but flourishing with "80% of online display ads are based on tracking data."
Why should anyone have the ability to track our personal web surfing?

We don't need ads targeted at us--we are not targets! We are very capable of searching online for what we are interested in and when we are interested in it--thank you!

Session cookies that expire at the end of one's web browsing and are used for session management are one thing; but persistent cookies that collect and mine your personal data--that should be a definite no-no.

Like with the advertisements that come unwanted in the traditional mailbox and get routinely and speedily placed in the garbage, online advertisements that are based on intrusive website tracking are not only a nuisance, but a violation of our privacy--and should be trashed as a concept and a practice.


April 4, 2010

Advanced Biometrics for Law Enforcement

Homeland Security Today Magazine (March 2010) has an interesting article called “Biometrics on the Battlefield” about how the American military has had significant success in Afghanistan taking biometrics and in using it for “vetting, tracking, and identification.”

Here’s how it’s done:

The biometrics system uses HIIDE (Handheld Interagency Identity Detection System) devices, which is “similar in size to a large camera, [that] connects directly to the BATS [Biometrics Automated Tool Set] database and matches inputs against a biometrics watch list of 10,000 individuals.”

The database “BATS uses a combination of fingerprints, photographs and iris scans, in addition to an in-depth background examination” to “screen potential local employees, identify detainees, and differentiate friendly individuals from insurgents and terrorists.”

How successful has the use of biometrics been?

“The use of biometrics has clearly thwarted security breaches and helped prevent unwanted activities by the enemy. Additionally, in 2008 alone, hundreds of HVTs (high value targets) were identified through the use of this biometrics technology.”

The article suggests the application of this biometric system for domestic law enforcement use.

Currently, fingerprint cards or stationary scanners are common, but with the proposed military biometrics system, there is the technology potential to use mobile scanning devices quickly and easily in the field.

The article gives the example: “if an officer came into contact with an individual under suspect conditions, a simple scan of the iris would ascertain that person’s status as a convicted felon, convicted violent felon, convicted sex offender or someone on whom an alert has been placed.”

In this scenario, quicker and more accurate identification of suspects could not only aid in dealing with dangerous offenders and benefit the officers in terms of their personal safety, but also contribute to ensuring community safety and security through enhanced enforcement capabilities.

Of course, using such a system for law enforcement would have to pass legal muster including applicable privacy concerns, but as the author, Godfrey Garner, a retired special forces officer, states “hopefully, this valuable technology will be recognized and properly utilized to protect law enforcement officer in the United States. I know that I’ve seen it protect our sons and daughters on the battlefields of Afghanistan.”

We are living in an amazing time of technology advances, and the potential to save lives and increase public safety and security through lawful use of biometrics is a hopeful advancement for all.



July 6, 2008

Biometrics and Enterprise Architecture

Biometrics is “the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.” (Wikipedia)

Biometrics is crucial for identifying and taking out of play enemy combatants, terrorists, and criminals or for providing access to trusted employees or partners in public or private sector organizations, like the intelligence community, defense, security, and various sensitive industries like financial, telecommunications, transportation, energy, and so forth.

National Defense Magazine, November 2007 has an article on the significant advances being made in biometric technologies and their applications to our organizations.

According to “The National Biometrics Challenge,” a report produced by the Office of the President’s National Science and Technology Council, “a tipping point in the maturation of the technology has been reached.”

Both the FBI’s Information Services Division and The Department of Defense Biometric Fusion Center are leading the way in this field.

Currently, identity is established based on the trinity: “something you know (such as a password), something you have (like an identity card), or something you are, which is where biometrics comes in.”

Biometrics includes technologies for recognizing fingerprints, facial features, irises, veins, voices, and ears, and even gait.

But these means of identification are not foolproof: remembering multiple complex passwords can be dizzying and identity cards can be lost, stolen, or forged. So biometrics becomes the cornerstone for identity management.

However, even biometrics can be spoofed. For example, fake rubber fingers have been used in lieu of a real fingerprint (although now there are ways with living flesh sensors to protect against this). Therefore, biometrics is evolving toward “multi-modal” collection and authentication. This could involve using 10 fingerprints versus one or combining fingerprints, iris scans, and digital mugshots (called the “13 biometrics template” and used to gain access in U.S. managed detention centers in Iraq) or some other combination thereof.

Biometrics has advanced so much so that an Iris scan system from Sarnoff Corp. of Princeton NJ “can scan and process 20 people per minute from distances of about 10 feet away, even those who are wearing glasses.”

The keys to further application of these technologies in our enterprises are the following:

  1. Lowering the cost (especially to make it available to local law enforcement agencies)
  2. Making it rugged enough for extreme environments for the military
  3. Making it portable so that it can be used for a variety of law enforcement and defense operations
  4. Reengineering business processes so that measurements are captured, stored, accessible, and readily available for making a match and generating a decision on someone’s identity in real-time
  5. Developing policies that “effectively govern the proper use of the data” and ensure adequate protection for civil liberties and privacy.

Overall, biometrics has moved from emerging technology to applied technology and needs to be planned into your identity management architectures.



January 28, 2008

HSPD-12 and Enterprise Architecture

Homeland Security Presidential Directive 12, 27 August 2004, is a “Policy for a Common Identification Standard for Federal Employees and Contractors.”

HSPD-12 establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).

“The policy mandates promulgation and implementation of secure, reliable identification that covers Federally controlled facilities, Federally controlled information systems, and other Federal applications that are important for security. "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.”

In Government Computer News, 27 October 2007, Jack Jones, the CIO of the National Institutes of Health (and Warren Suss, contractor) discuss how NIH leveraged the mandates of HSPD-12 to not only implement the common identification standard for more than 18,000 federal employees [and another 18,000 part time employees, contractors, fellows, and grant reviewers] on its main campus in Bethesda, Md., and at satellite sites nationwide,” but also modified and improved its business processes to ensure a holistic and successful architectural implementation.

What business modifications were involved?

“HSPD-12 was a catalyst for change at the institutes. The NIH Enterprise Directory (NED), which automated the process for registering and distributing badges to new NIH employees, needed to be revised to comply with HSPD-12...the conversation led to a re-examination of the broader set of processes involved in bringing a new employee onboard. In addition to registering new employees and issuing badges, NIH, like other federal agencies, must assign e-mail addresses, add new employees to multiple agency mailing lists, order new phones, assign new phone numbers and update the phone directory.”

How did NIH address this using enterprise architecture?

“NIH changed its enterprise architecture through a formal, facilitated business modeling process that involved all NIH stakeholder groups. The results included clarifications in the policies and procedures for processing new employees along with the transformation of NED into a significantly improved tool to support better communication and collaboration in the broad NIH community.”

From a User-centric EA perspective, this is a great example of EA supporting successful organizational change. NIH, like other federal agencies, was faced with the mandates of HSPD-12, and rather than just go out and procure a new system to meet the requirement, NIH used EA as a tool to look at its entire process for provisioning for new employees, including policy. NIH EA modeled its business processes, made necessary modifications, and ensured a successful implementation of the identification system that is supported by sound business process and policy. Additionally, the CIO and the EA did not do this in some ivory tower, but rather in collaborative “workshops with NIH stakeholder groups.” This collaboration with stakeholders hits on the essence of what User-centric EA is all about and how powerful it can be.


