Entries Tagged "economics of security"


GAO Homeland Security Reports

Last week the Government Accounting Office released three new reports on homeland security.

Posted on April 3, 2006 at 7:55 AM

iJacking

The San Francisco Bay Guardian is reporting on a new crime: people who grab laptops out of their owners’ hands and then run away. It’s called “iJacking,” and there seems to be a wave of this type of crime at Internet cafes in San Francisco:

In 2004 the SFPD Robbery Division recorded 17 strong-arm laptop robberies citywide. This increased to 30 cases in 2005, a total that doesn’t even include thefts that fall under the category of “burglary,” when a victim isn’t present. (SFPD could not provide statistics on the number of laptop burglaries.)

In the past three months alone, Park Station, the police precinct that includes the Western Addition, has reported 11 strong-arm laptop robberies, a statistic that suggests this one district may exceed last year’s citywide total by the end of 2006.

Some stories:

Maloney was absorbed in his work when suddenly a hooded person yanked the laptop from Maloney’s hands and ran out the door. Maloney tried to grab his computer, but he stumbled across a few chairs and landed on the floor as the perpetrator dashed to a vehicle waiting a quarter block away.

[…]

Two weeks before Maloney’s robbery, on a Sunday afternoon, a man had been followed out of the Starbucks on the corner of Fulton Street and Masonic Avenue and was assaulted by two suspects in broad daylight. According to the police report, the suspects dragged the victim 15 feet along the pavement, kicking him in the face before stealing his computer.

In early February a woman had her laptop snatched while sitting in Ali’s Café. She pursued the perpetrator out the door, only to be blindsided by a second accomplice. Ali described the assault as “a football tackle” so severe it left the victim’s eyeglasses in the branches of a nearby tree. In the most recent laptop robbery, on March 16 in a café on the 900 block of Valencia Street, police say the victim was actually stabbed.

It’s obvious why these thefts are occurring. Laptops are valuable, easy to steal, and easy to fence. If we want to “solve” this problem, we need to modify at least one of those characteristics. Some Internet cafes are providing locking cables for their patrons, in an attempt to make them harder to steal. But that will only mean that the muggers will follow their victims out of the cafes. Laptops will become less valuable over time, but that really isn’t a good solution. The only thing left is to make them harder to fence.

This isn’t an easy problem. There are a bunch of companies that make solutions that help people recover stolen laptops. There are programs that “phone home” if a laptop is stolen. There are programs that hide a serial number on the hard drive somewhere. There are non-removable tags users can affix to their computers with ID information. But until this kind of thing becomes common, the crimes will continue.

Reminds me of the problem of bicycle thefts.

Posted on March 31, 2006 at 1:06 PM

80 Cameras for 2,400 People

This story is about the remote town of Dillingham, Alaska, which is probably the most watched town in the country. There are 80 surveillance cameras for the 2,400 people, which translates to one camera for every 30 people.

The cameras were bought, I assume, because the town couldn’t think of anything else to do with the $202,000 Homeland Security grant they received. (One of the problems of giving this money out based on political agenda, rather than by where the actual threats are.)

But they got the money, and they spent it. And now they have to justify the expense. Here’s the movie-plot threat the Dillingham Police Chief uses to explain why the expense was worthwhile:

“Russia is about 800 miles that way,” he says, arm extending right.

“Seattle is about 1,200 miles back that way.” He points behind him.

“So if I have the math right, we’re closer to Russia than we are to Seattle.”

Now imagine, he says: What if the bad guys, whoever they are, manage to obtain a nuclear device in Russia, where some weapons are believed to be poorly guarded. They put the device in a container and then hire organized criminals, “maybe Mafiosi,” to arrange a tramp steamer to pick it up. The steamer drops off the container at the Dillingham harbor, complete with forged paperwork to ship it to Seattle. The container is picked up by a barge.

“Ten days later,” the chief says, “the barge pulls into the Port of Seattle.”

Thompson pauses for effect.

“Phoooom,” he says, his hands blooming like a flower.

The first problem with the movie plot is that it’s just plain silly. But the second problem, which you might have to look back to notice, is that those 80 cameras will do nothing to stop his imagined attack.

We are all security consumers. We spend money, and we expect security in return. This expenditure was a waste of money, and as a U.S. taxpayer, I am pissed that I’m getting such a lousy deal.

Posted on March 29, 2006 at 1:13 PM

No Funding for Homeland Security

Really interesting article by Robert X. Cringely on the lack of federal funding for security technologies.

After the 9-11 terrorist attacks, the United States threw its considerable fortune into the War on Terror, of which a large component was Homeland Security. We conducted a couple wars abroad, both of which still seem to be going on, and took a vast domestic security bureaucracy and turned it into a different and even more vast domestic security bureaucracy. We could argue all day about whether or not America is more secure as a result of these changes, but we’d all agree that a lot of money has been spent. In fact, from a pragmatic point of view, ALL the money has been spent, and that’s the point of this particular column. For a variety of reasons, there is no money left to spend on homeland security: none, nada, zilch. We’re busted.

I think his assessment is spot on.

Posted on March 21, 2006 at 12:39 PM

Bypassing the Airport Identity Check

Here’s an article about how you can modify, and then print, your own boarding pass and get on an airplane even if you’re on the no-fly list. This isn’t news; I wrote about it in 2003.

I don’t worry about it now any more than I worried about it then:

In terms of security, this is no big deal; the photo-ID requirement doesn’t provide much security. Identification of passengers doesn’t increase security very much. All of the 9/11 terrorists presented photo-IDs, many in their real names. Others had legitimate driver’s licenses in fake names that they bought from unscrupulous people working in motor vehicle offices.

The photo-ID requirement is presented as a security measure, but business is the real reason. Airlines didn’t resist it, even though they resisted every other security measure of the past few decades, because it solved a business problem: the reselling of nonrefundable tickets. Such tickets used to be advertised regularly in newspaper classifieds. An ad might read: “Round trip, Boston to Chicago, 11/22-11/30, female, $50.” Since the airlines didn’t check IDs and could observe gender, any female could buy the ticket and fly the route. Now that won’t work. Under the guise of helping prevent terrorism, the airlines solved a business problem of their own and passed the blame for the solution on to FAA security requirements.

But the system fails. I can fly on your ticket. You can fly on my ticket. We don’t even have to be the same gender.

Posted on March 14, 2006 at 7:58 AM

Credit Card Companies and Agenda

This has been making the rounds on the Internet. Basically, a guy tears up a credit card application, tapes it back together, fills it out with someone else’s address and a different phone number, and sends it in. He still gets a credit card.

Imagine that some fraudster is rummaging through your trash and finds a torn-up credit card application. That’s why this is bad.

To understand why it’s happening, you need to understand the trade-offs and the agenda. From the point of view of the credit card company, the benefit of giving someone a credit card is that he’ll use it and generate revenue. The risk is that it’s a fraudster who will cost the company revenue. The credit card industry has dealt with the risk in two ways: they’ve pushed a lot of the risk onto the merchants, and they’ve implemented fraud detection systems to limit the damage.

All other costs and problems of identity theft are borne by the consumer; they’re an externality to the credit card company. They don’t enter into the trade-off decision at all.

We can laugh at this kind of thing all day, but it’s actually in the best interests of the credit card industry to mail cards in response to torn-up and taped-together applications without doing much checking of the address or phone number. If we want that to change, we need to fix the externality.

Posted on March 13, 2006 at 2:18 PM

School Bus Drivers to Foil Terrorist Plots

This is a great example of a movie-plot threat:

Already mindful of motorists with road rage and kids with weapons, bus drivers are being warned of far more grisly scenarios. Like this one: Terrorists monitor a punctual driver for weeks, then hijack a bus and load the friendly yellow vehicle with enough explosives to take down a building.

It’s so bizarre it’s comical.

But don’t worry:

An alert school bus driver could foil that plan, security expert Jeffrey Beatty recently told a class of 250 drivers in Norfolk, Va.

So we’re funding counterterrorism training for school bus drivers:

Financed by the Homeland Security Department, school bus drivers are being trained to watch for potential terrorists, people who may be casing their routes or plotting to blow up their buses.

[…]

The new effort is part of Highway Watch, an industry safety program run by the American Trucking Associations and financed since 2003 with $50 million in homeland security money.

So far, tens of thousands of bus operators have been trained in places large and small, from Dallas and New York City to Kure Beach, N.C., Hopewell, Va., and Mount Pleasant, Texas.

The commentary borders on the surreal:

Kenneth Trump, a school safety consultant who tracks security trends, said being prepared is not being alarmist. “Denying and downplaying schools and school buses as potential terror targets here in the U.S.,” Trump said, “would be foolish.”

This is certainly a complete waste of money. Possibly it’s even bad for security, as bus drivers have to divide their attention between real threats—automobile accidents involving children—and movie-plot terrorist threats. And there’s the ever-creeping surveillance society:

“Today it’s bus drivers, tomorrow it could be postal officials, and the next day, it could be, ‘Why don’t we have this program in place for the people who deliver the newspaper to the door?’ ” Rollins said. “We could quickly get into a society where we’re all spying on each other. It may be well intentioned, but there is a concern of going a bit too far.”

What should we do with this money instead? We should fund things that actually help defend against terrorism: intelligence, investigation, emergency response. Trying to correctly guess what the terrorists are planning is generally a waste of resources; investing in security countermeasures that will help regardless of what the terrorists are planning is much smarter.

Posted on February 21, 2006 at 9:07 AM

Security, Economics, and Lost Conference Badges

Conference badges are an interesting security token. They can be very valuable—a full conference registration at the RSA Conference this week in San Jose, for example, costs $1,985—but their value decays rapidly with time. By tomorrow afternoon, they’ll be worthless.

Counterfeiting badges is one security concern, but an even bigger concern is people losing their badge or having their badge stolen. It’s way cheaper to find or steal someone else’s badge than it is to buy your own. People could do this sort of thing on purpose, pretending to lose their badge and giving it to someone else.

A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained. (At least, I assume it did. I don’t know anything about how prevalent this kind of fraud was at RSA.)

Last year, the RSA Conference tried to further limit these types of fraud by putting people’s photographs on their badges. Clever idea, but difficult to implement.

For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs.

And it was an expensive solution for the RSA Conference. They needed the equipment to put the photos on the badges. Registration was much slower. And pro-privacy people objected to the conference keeping their photographs on file.

This year, the RSA Conference solved the problem through economics:

If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00.

Look how clever this is. Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. The badges still have that $1,895 value, but now if it’s stolen and used by someone else, it’s the attendee who’s out the money. As far as the RSA Conference is concerned, the security risk is an externality.

Note that from an outside perspective, this isn’t the most efficient way to deal with the security problem. It’s likely that the cost to the RSA Conference for centralized security is less than the aggregate cost of all the individual security measures. But the RSA Conference gets to make the trade-off, so they chose a solution that was cheaper for them.

Of course, it would have been nice if the conference provided a slightly more secure attachment point for the badge holder than a thin strip of plastic. But why should they? It’s not their problem anymore.

Posted on February 16, 2006 at 7:16 AM

Security in the Cloud

One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there’s no single point of failure and no assumed single vector for attacks.

It is for this reason that a choice between implementing network security in the middle of the network—in the cloud—or at the endpoints is a false dichotomy. No single security system is a panacea, and it’s far better to do both.

This kind of layered security is precisely what we’re seeing develop. Traditionally, security was implemented at the endpoints, because that’s what the user controlled. An organization had no choice but to put its firewalls, IDSs, and anti-virus software inside its network. Today, with the rise of managed security services and other outsourced network services, additional security can be provided inside the cloud.

I’m all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn’t substitute for security at the endpoints. Defense in depth beats a single point of failure, and security in the cloud is only part of a layered approach.

For example, consider the various network-based e-mail filtering services available. They do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop. Many e-mails are internal only, never entering the cloud at all. Worse, an attacker might open up a message gateway inside the enterprise’s infrastructure. Smart organizations build defense in depth: e-mail filtering inside the cloud plus anti-virus on the desktop.

The same reasoning applies to network-based firewalls and intrusion-prevention systems (IPS). Security would be vastly improved if the major carriers implemented cloud-based solutions, but they’re no substitute for traditional firewalls, IDSs, and IPSs.

This should not be an either/or decision. At Counterpane, for example, we offer cloud services and more traditional network and desktop services. The real trick is making everything work together.

Security is about technology, people, and processes. Regardless of where your security systems are, they’re not going to work unless human experts are paying attention. Real-time monitoring and response is what’s most important; where the equipment goes is secondary.

Security is always a trade-off. Budgets are limited and economic considerations regularly trump security concerns. Traditional security products and services are centered on the internal network, because that’s the target of attack. Compliance focuses on that for the same reason. Security in the cloud is a good addition, but it’s not a replacement for more traditional network and desktop security.

This was published as a “Face-Off” in Network World.

The opposing view is here.

Posted on February 15, 2006 at 8:18 AM

Multi-Use ID Cards

My eleventh column for Wired.com is about ID cards, and why you don’t—and won’t—have a single card in your wallet for everything. It has nothing to do with security.

My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I’m far more likely to use a physical card than a virtual one that I have to remember is attached to my driver’s license number. And I’m more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer.

Some years ago, when credit cards with embedded chips were new, the card manufacturers designed a secure, multi-application operating system for these smartcards. The idea was that a single physical card could be used for everything: multiple credit card accounts, airline affinity memberships, public-transportation payment cards, etc. Nobody bought into the system: not because of security concerns, but because of branding concerns. Whose logo would get to be on the card? When the manufacturers envisioned a card with multiple small logos, one for each application, everyone wanted to know: Whose logo would be first? On top? In color?

The companies give you their own card partly because they want complete control of the rules around their own system, but mostly because they want you to carry around a small piece of advertising in your wallet. An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around.

Posted on February 9, 2006 at 6:39 AM
