Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS

 

Preparing for the InfraGuard Keynote I have been digging in to criminal psychology and specifically the concept of Opportunity. If you’ve heard me speak recently this year you’ve been exposed to the concept as I’ve applied it to online crime.

Rutger’s School of Criminal Justice professors Marcus Felson and Ronald V. Clarke developed Ten Principles of Opportunity and Crime which describes how opportunities, or vulnerabilities, are the root cause of crime. I’ve highlighted the last two of their ten principles below. I’d welcome those in the cyber security industry and seeking to safeguard the sensitive data (private or IP) to read these with an open mind. I believe they expose an incorrect assumption and an opportunity for approaching cybersecurity differently.

Principle 9 is reducing opportunities does not usually displace crime. Crime displacement means that by blocking crime at one facility, security measures will force crime to another, less hardened facility. While displacement does occur, it is not absolute.

Finally, principle 10 is focused opportunity reduction can produce wider declines in crime. This is the concept of diffusion of benefits. Diffusion is a process where increased security measures at one location may also benefit neighboring facilities.

Source: Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS

Best,

James

P.S. Buy to understand how to keep you and your family safe: – The definitive guide for regular people: How Not To Be Hacked today!

Chromium Blog: Introducing the Security Panel in DevTools

Love seeing the push from Google to their larger developer base to enhance transparency of iterate highly. The greatest advantage I see here (and consistent with my analysis of the leading product companies developing products) is the pressing forward of quality (security included) testing and activities to the developer.
This is a key attribute (developers owning security as they are closest to the product and the areas that develop into issues).
Look forward to seeing everyone at RSA this year as I speak on How Not To Be Hacked! I am looking for collaborators on my protecting children in a connected world effort.

IoT future: The world’s tiniest temperature sensor is powered by radio waves

All things technology interest me and in my research and professional work the development of products, building efficient technology operation centers, and managing vast cyber related assets allows a great view on where we are and where we need to be in the future. As our further dependence on technology continues to all levels of life – no we are not speaking just social connection through Facebook and Snaps, but technology today that is being embedded in our brains, hearts, homes, cars, managing the electricity to our homes, balancing the nuclear reactions at plants, and precisely throttling the water purification systems of our water the importance is paramount to survival.

It is our opportunity to ensure that technology continues to benefit life and enjoyment, but it comes at a cost of active persistence in striving for high quality performance. Yes, performance does include security. A car can be fully maintained and the best money can buy, but if the lock doesn’t lock it’ll quickly be stolen.

I have been tracking a technology being developed where tiny sensors are powered by radio waves allowing them to operate without ever requiring a recharge. These are extremely small (grain of sand small) and can be used for a vast amount of (currently) single purposes. A recent thesis and accomplishment was made by the researchers at TU/e, and I have highlighted the possibilities below, plus a bit of the article.  Enjoy

  • Sensor’s current range is 2.5 centimeters, but will be 1 meter in a year
  • Sensor size is 2 square millimeters
  • Can be painted onto walls, added to concrete, or added to latex (insert fantastic spy usage here)
  • Is powered by radio waves in the room / provided by a “router” that directs radio waves and receives data from sensor

The sensor stores that energy and, once there is enough, the sensor switches on, measures the temperature and sends a signal to the router. This signal has a slightly distinctive frequency, depending on the temperature measured. The router can deduce the temperature from this distinctive frequency. The same technology enables other wireless sensors to be made, for example to measure movement, light and humidity. The application areas are enormous, Baltus says, ranging from payment systems and wireless identification to smart buildings and industrial production systems. They won’t be expensive either: mass production will keep the cost of a sensor down to around 20 cents.

The project, called PREMISS, has received funding from the STW technology foundation. The title of Hao Gao’s thesis is ‘Fully Integrated Ultra-Low Power mm-Wave Wireless Sensor Design Methods’

Source: The world’s tiniest temperature sensor is powered by radio waves

Think outside the box,

James

DHS performing free cyber security assessments, as reported by Krebs

ncats14vulnsInteresting to read that DHS has been providing free security assessments of private industry upon request. Krebs posted a nice bit of detail on this vaguely known program. Bottom line this is not the only third party assessment, but it certainly is always worthwhile to engage such evaluations.

Among the findings in that report, which drew information from more than ~100 engagements last year:

  • Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);
  • More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (4o percent) or “critical” (13 percent).
  • RVA phishing emails resulted in a click rate of 25 percent.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokespersonSy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

How do the vulnerabilities identify balance out on a Critical -> Low scale? Here we go:

Screen Shot 2015-12-02 at 8.15.32 AM

As always, Krebs article is worth the deeper dive.

Do good,

James

Moody’s: Threat of cyber risk is of growing importance to credit analysis

Moody’s, following the example of S&P, has added cyber risk to it’s stress tests when determining the credit rating of an organization. This is a forward thinking move by these organizations, as the technology, intellectual property, processes, and capability to do business is now abundantly dependent upon the information technology and it’s resiliency to disruptions.

While this is a first step – it is just another perspective for leaders of every company to consider as they expand their dependence on technology. In 2010 I wrote most businesses were becoming software companies, and today it is even more so … though not wholly obvious. To sustain future operations, be innovative, and frankly remain relevant businesses must be cyber resilient to ensure their products win in the market and operate safely within the margins expected.

Check out the Moody’s press release below, and if you are a customer you can read their full report too!

Other sectors considered critical infrastructure such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could lead to large-scale service disruption, causing substantial economic — and possibly environmental — damages to sovereign, state and local governments or utilities. However, Moody’s believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

**It is interesting to me that Moody’s believes the worst of possible cyber failures will be financially backed by governments and not born by the business, yet this was/is not the case with Oil spills (such as BP in the Gulf). It’d be interesting to examine that analysis further to better appreciate their point of view.

Source: Moody’s: Threat of cyber risk is of growing importance to credit analysis

Loose Tweets Destroy Fleets – a lesson for professionals and personal safety

The US military learned the hard way how destructive a social media slip-up can be. In 2007, four AH-64 Apache helicopters were destroyed in Iraq after US soldiers uploaded photos to social media. The photos’ geotags showed insurgents exactly where to strike, according to an Army press release quoted on Defense Tech.

The warning is “a reminder that OPSEC [operations security, military speak for the protection of mission-critical information] must remain in the forefront of actions,” Osburn.

Source: Loose Tweets Destroy Fleets | Motherboard

As mentioned in How Not To Be Hacked, personal and professional safety, same as with safeguarding those in harms way, sharing location data and information loosely in public can be very harmful to everyone. In order to protect yourself:

  1. Never post Geo-Tag photos when traveling alone
  2. Use Groups to share updates about travel to prevent accidental sharing with the public

Businesses need to be careful beyond personal safety (still, obviously, important) to consider references to projects and activities in the market:

  1. Never mention Clients + Type of Work (one or the other .. never both..)
  2. Take care with photos (geo-tag) to not include prototypes or passcodes in the background

So much more can be said here, but focus on incremental improvements and limit the threat to yourself, your family, and your business.

Best,

James

Welcome to The Internet of Compromised Things – How not to be hacked, routers

squid eating a router!!!

A good write-up by Jeff addresses a problem that has existed for several years, but only recently is starting to get malicious. A few hackers demonstrated how the software running common internet modems and routers were vulnerable to attack. A few good-minded-souls even wrote code to scan the internet; find them; and exploit them to install the update.

Of course, there were those who used those same routers to mine for crypto-currency and others who created attack bot networks. The article highlights how these unprotected devices are hacked and allow for anyone passing traffic through them to be infected with malware on their machine.

A good article with rather excellent tips for mitigation at the end. Very much inline with several tips I drafted for How Not To Be Hacked, the book, and some tips that didn’t make it due to complexity. If you only skim it … be sure to make it to the end where the tips are listed!!!

For security professionals Jeff raised one point that I thought was a challenge to our industry, and highlighted it below:

Buy a new, quality router. You don’t want a router that’s years old and hasn’t been updated. But on the other hand you also don’t want something too new that hasn’t been vetted for firmware and/or security issues

via Welcome to The Internet of Compromised Things.

How ridiculous our world is sometimes … buy a new router, but not too new … but also not too old. HAH… That fails the How not to be hacked, Can you explain it to your grandma test (something I learned in the Head Game). It is valid though … and reflects the challenge of security professionals.

Good write-up,

James