ICG Risk Blog - [ InfoT Public ]

UK ammonium nitrate fertilizer device

In reading British Arrest 8 in Anti-Terror Raids, I am reminded once again that we have to be lucky every time while they need be lucky only occasionally. All eight suspects are British nationals and while no religious affiliation had been released, a press statement did speak to the fact that "[We] in the police service know that the overwhelming majority of the Muslim community are law abiding and completely reject all forms of violence."  That is a UK police code phrase for Muslim suspects.

Add fuel oil to a thousand pounds of ammonium nitrate and it is a redux of the Oklahoma City federal building, the Bali nightclub, and the Istanbul bank blast all over again.  If this group has modeled al Qaeda properly, there will be redundancy, i.e., additional devices.

It will be interesting to see what security measures enter UK agribusinesses. In the US there are already growing rules for delivery of fertilizer, agrochemicals and fuel to farms, not to mention rules to prevent grain and food supply tampering. (Recreational pharmaceutical production has also added strictures to try to stem items like methamphetamine.)

British Arrest 8 in Anti-Terror Raids
By Michael McDonough
Associated Press
Tuesday, March 30, 2004; 6:33 AM

Gordon Housworth



InfoT Public  Terrorism Public  Weapons & Technology Public  


Intelligently restoring sequestered governmental geospatial information to public access

The lessons drawn from America's Publicly Available Geospatial Information: Does It Pose a Homeland Security Risk? extend beyond the vast number of libraries removed from federal and state agencies and into documentation that is, and will be, captured in Sarbanes-Oxley compliance efforts. Federal agencies have restricted considerable, formerly publicly available geospatial information, especially that available by the net. (In the case of public utilities and power producers, a portion of their Sar-Ox compliance documentation will be part of the same body of materials removed from view.)

RAND notes that while "publicly available geospatial information on federal Web sites and in federal databases could potentially help terrorists select and locate a target, attackers are likely to need more detailed and current information -- better acquired from direct observation or other sources" such as textbooks, street maps, non-governmental web sites, and trade journals. (Remember last year's FBI warning to police with regards to possession of almanacs.)

"Fewer than 6 percent of the 629 federal geospatial information datasets examined appeared as though they could be useful to meeting a potential attacker’s information needs. Furthermore, the study found no publicly available federal geospatial datasets that might be considered critical to meeting the attacker’s information needs (i.e., those that the attacker could not perform the attack without). Additionally, most publicly accessible federal geospatial information appears unlikely to provide significant (i.e., useful and unique) information for satisfying attackers’ information needs (i.e., less than 1 percent of the 629 federal datasets examined appeared both potentially useful and unique). Moreover, since the September 11 attacks these useful and unique information sources are no longer being made public by federal agencies. In many cases, diverse alternative information sources exist. A review of nonfederal information sources suggests that identical, similar, or more useful data about critical U.S. sites are available from industry, academic institutions, nongovernmental organizations, state and local governments, foreign sources, and even private citizens."

RAND notes that an analytical, rather than wholesale, examination process needs to be instituted to identify sensitive geospatial information and offers a starting point for assessing the Homeland Security sensitivity of publicly available geospatial information by filters for usefulness, uniqueness, societal benefits, and costs.

For more complete information, see the larger document: Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information. Chapters Two and Three are of great interest:
  • What Are the Attackers’ Key Information Needs?
  • What Publicly Available Geospatial Information Is Significant to Potential Attackers’ Needs?
Gordon Housworth
 


Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Detect your "serial openers" prone to social engineering attacks

As I read Security breaches: Blame the new guy, I thought: why not test who is prone to social engineering breaches by sending an internal spoof 'virus' that has no payload save for a counter of offenses? Of course, firms that would launch it would capture names and email addresses, but that is acceptable so long as any penalty is reserved for repeat performances.

"Independent research conducted on behalf of SurfControl has revealed that almost half the HR and IT departments surveyed believe it is junior positions which expose the company to the greatest threat."

"... junior and temporary staff doesn't often feel the same degree of responsibility at work "mostly because they haven't been allowed and encouraged to share it.""

The untrained, the inexperienced, and the guileless are the equivalent of the "serial buyer" prized by spammers and, formerly, telemarketers. These "serial openers" and proto-openers may or may not be the new hires or the pedestrian positions. Why not test to find out? Send out different styles of 'simulant' to see who responds to what.  I think that many firms will be surprised, especially when it comes to those who frequent P2P sites.
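The bookkeeping behind such a payload-free 'simulant' is small, and the point of the post (capture who responds, but penalize only repeat performances) is easy to encode. The following is an added example, not code from the blog or from SurfControl: it reads a constructed event log from three hypothetical internal campaigns of different styles, counts per recipient the distinct campaigns in which they opened or clicked, flags only those at or above a repeat threshold, reports each campaign's response rate, and keeps the retained tally under a salted hash so the firm need not hold a plaintext roster of offenders. The log format, campaign labels, salt and threshold are all assumptions.

```python
"""Tally responses to payload-free internal phishing 'simulants' and flag
serial openers. Added example; log format and campaign styles are constructed."""
import hashlib
from collections import defaultdict

# Constructed sample log: campaign id, recipient, action.
# Assumed campaign styles: C1 fake invoice, C2 IT password reset, C3 parcel notice.
# "opened" = tracking image fetched, "clicked" = link followed; neither carries a payload.
SAMPLE_LOG = """\
C1,alice@example.test,delivered
C1,alice@example.test,opened
C1,bob@example.test,delivered
C1,carol@example.test,delivered
C1,carol@example.test,clicked
C2,alice@example.test,delivered
C2,alice@example.test,clicked
C2,bob@example.test,delivered
C2,bob@example.test,opened
C2,carol@example.test,delivered
C3,alice@example.test,delivered
C3,bob@example.test,delivered
C3,carol@example.test,delivered
C3,carol@example.test,opened
"""

OFFENSES = {"opened", "clicked"}


def parse_events(text):
    """Parse comma-separated event lines into (campaign, recipient, action) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, recipient, action = (f.strip() for f in line.split(","))
        events.append((campaign, recipient.lower(), action))
    return events


def tally_offenses(events):
    """Per recipient, count the distinct campaigns in which they opened or clicked.
    Several events inside one campaign count once: one lapse is one offense."""
    per_user = defaultdict(set)
    for campaign, recipient, action in events:
        if action in OFFENSES:
            per_user[recipient].add(campaign)
    return {user: len(campaigns) for user, campaigns in per_user.items()}


def serial_openers(counts, threshold=2):
    """Only repeat performances (offenses in >= threshold campaigns) are flagged."""
    return sorted(user for user, n in counts.items() if n >= threshold)


def campaign_response_rate(events):
    """Per campaign, the fraction of delivered recipients who opened or clicked,
    which shows which simulant style drew the most responses."""
    delivered, responded = defaultdict(set), defaultdict(set)
    for campaign, recipient, action in events:
        if action == "delivered":
            delivered[campaign].add(recipient)
        elif action in OFFENSES:
            responded[campaign].add(recipient)
    return {c: round(len(responded[c]) / len(delivered[c]), 2) for c in delivered}


def pseudonym(email, salt):
    """Salted SHA-256 of the address, truncated, so the retained tally is not a
    plaintext roster; the salt is an assumed secret held by the program owner."""
    return hashlib.sha256((salt + email.lower()).encode()).hexdigest()[:12]


def pseudonymous_report(text, salt, threshold=2):
    """What a firm would keep: hashed id, offense count, and the repeat flag."""
    counts = tally_offenses(parse_events(text))
    return {pseudonym(user, salt): {"offenses": n, "repeat": n >= threshold}
            for user, n in counts.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("response rate by campaign:", campaign_response_rate(evts))
    print("serial openers:", serial_openers(tally_offenses(evts)))
    print("retained report:", pseudonymous_report(SAMPLE_LOG, "constructed-salt"))
```

With the constructed log, alice and carol each lapse in two different campaigns and are flagged, while bob's single lapse is recorded but not penalized; the password-reset and invoice styles draw two thirds of recipients, the parcel notice one third. The plaintext tally exists only transiently; the report that is kept carries salted hashes, which still lets a later campaign's result be matched against it.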

Security breaches: Blame the new guy
By Will Sturgeon
Silicon.com
March 26, 2004, 11:25 AM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  


Lisa Dean and TSA: Will opposites attract?

In what can only be called an inspired choice, the Transportation Security Administration (TSA) has appointed one of its harshest critics, Lisa Dean, as its first chief privacy officer. I say inspired as Dean's credentials as an adversary of government surveillance at the Electronic Frontier Foundation and the Free Congress Foundation leave her, at the moment, above reproach.

My question is, has TSA silenced, absorbed or adopted this critic? While that may not have been the intent of those who hired her, bureaucracies have a way of convincing and co-opting those they envelop. What seems implausible from the outside can come to seem valuable from the inside.

I can only assume that CAPPS II, its purpose to combat international terrorism, and potential "scope creep" that draws it more deeply into the national fabric will be high on her priorities. In a 17 February, 2004 letter to the House Committee on Transportation and Infrastructure, Dean raised critical questions with respect to CAPPS II (Computer Assisted Passenger Prescreening System) and airline PNRs (Passenger Name Records):

  • What passenger information is collected, how is it shared and with whom?
  • How long is the information retained?
  • What are the names and numbers of government contractors (Torch), data-brokers and other third parties as well as their level of involvement in the PNR process?
  • What rights do passengers have to correct information, as they do their credit reports?
  • What rights do passengers have to view their personal data, as they do their medical records?
  • What recourse do passengers have if they believe they have been wrongly "flagged"?
  • Will CAPPS II be effective for identifying individuals who pose a threat to aviation security?
  • How much will it cost the travel industry as a whole to comply with requirements to provide TSA with data not currently collected by the agency?

Only days earlier, the GAO had noted that TSA had no effective answer for any of these questions. Dean will have to resist not only federal employees who have heretofore seen state protection as a higher calling, but commercial firms that seek to implement such data mining applications. The excesses of the JetBlue affair again highlighted the fact that tool builders and data repository owners have not previously demonstrated restraint in this respect.

The understandable intent of the contracting firms is to leverage their TSA/CAPPS investment, and that will drive them to expand the content of their tools. Should Dean stipulate limitations, it will require diligent verification that the applications do not exceed their brief and that neither private data nor source code migrate to inappropriate venues.

It will be interesting to follow Dean's trajectory at TSA.

See GAO's Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges

Gordon Housworth



InfoT Public  Infrastructure Defense Public  


Don't tug on superman's cape: Underrate Dick Clarke to your peril

Watching the inside-the-beltway alpha-interviewer, Tim Russert, question Richard Clarke on Meet the Press this morning, I believe that the administration continues to underrate Clarke to its peril. Russert quoted and then questioned Clarke about a litany of matters that attempted to discredit his skills and motives. Clarke’s performance, unhesitating, flawless, and with complete mastery of nuance, matched his 9/11 Commission testimony.

Under direct question from Russert regarding Senate Majority Leader Bill Frist’s floor comments that Clarke "has told two entirely different stories under oath," was likely guilty of perjury, and why wouldn’t he renounce any financial gain from the book, Clarke called for even greater release, including both the:

(1) July 2002 classified testimony before a joint House-Senate intelligence inquiry, and the
(2) classified 9/11 Commission testimony.

Clarke further lifted the bar by asking that more items be declassified:

(3) 25 January 2001 memo to Condi Rice containing the plan that Clarke had proposed, and which Rice and others say didn’t exist.
(4) 4 September 2001 National Security Directive authored by Clarke.
(5) All of Clarke’s emails to Rice from 20 Jan to 11 September.
(6) All of Rice’s replies to Clarke in the same period.

I am moved to question the current communications and PR plan in this White House, which is to say, perhaps, where is Karen Hughes? She is returning, but she also advocated the assault on Clarke.  Given the gaffes and missteps, I wonder who is looking at the secondary effects and implications of their actions or lack of action. Richard Clarke, as the article "The Wonk That Roared," below, notes, is the "alpha-bureaucrat."

Clarke went on to cite the opinions of a doyen of the right, Pat Buchanan, on writing a backgrounder to defend an administration, which matches Clarke’s approach precisely.

Clarke dealt with the timing issue with a lockstep chronology from leaving the administration in February 2003 to releasing the NSC-approved text to his publisher in February 2004.

In dealing with Frist’s call to renounce all royalties from the book, Clarke replied that he had plans to donate monies not only to the victims but also to the widows and orphans of the special operations KIA.

I still find Clarke's arguments arresting to the point that the administration will have to release someone, the leading candidate of which is Condi Rice.  I would think that the administration would try to find a way to co-opt or transcend Clarke rather than continuing to attack him. As the song writer Jim Croce noted:

You don't tug on superman's cape
You don't spit into the wind
You don't pull the mask off the ol' Lone Ranger
And you don't mess around with ….

I suggest three citations:

The Wonk That Roared
Richard Clarke and the Rise Of the Heroic Bureaucrat
By Joel Achenbach
Washington Post Staff Writer
Sunday, March 28, 2004; Page D01

Ex-Bush Aide Calls for Testimony on Terrorism to Be Opened
By THE ASSOCIATED PRESS
March 28, 2004
Filed at 11:10 a.m. ET

Bush's Efforts to Offset Clarke Stymied
Republicans Say Administration Struggling for Momentum After Ex-Aide's Assertions
By Mike Allen
Washington Post Staff Writer
Sunday, March 28, 2004; Page A23

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  


Just 20, She Captures Altered Japan in a Debut Novel

This is not the "Japan" with which I was raised: a renascent postwar Japan that grew from a producer of cheap goods to an economic powerhouse that seemed on the verge of 'buying America,' or at least California, in the 1980s; a land of bland salarymen and equally docile labor unions (after socialist ambitions were broken in the 1950s); of marginalized women forced to quit the labor force, move to the suburbs, and reproduce themselves; of a GNP that knew no demand of defense spending under the US nuclear umbrella; of an economic engine granted free access to American markets in return for supporting US foreign policy; a land for which each year meant rising wealth while demanding yet harder work so as never to slip back to the privations of the postwar era. All of that has slipped into another realm. The changes that this young authoress flags will not soon be offset by upticks in, say, Asia trade boom boosts Japan Inc. Japan cannot now be certain of US support, and China has emerged as both an economic and political competitor with demonstrated nuclear ambitions.

Reading Onishi-san's account of a generation that has only known decline and insecurity gives me a bit of the feeling of the fall of the Berlin Wall. I am just not certain in which direction it will fall:

Just 20, She Captures Altered Japan in a Debut Novel
By NORIMITSU ONISHI
March 27, 2004
New York Times

Gordon Housworth



InfoT Public  Strategic Risk Public  


McLuhan Tetrad & technology food chain analysis

As I read RFID chips watch Grandma brush teeth, I had the thoughts that I so often have about RFID:

How will the story read above the fold in the New York Times?

What are the secondary effects?

What is the latency or persistency of a feature that was 'good' but can later morph into something 'bad' -- or the reverse?

What user perception issues will overdrive purely technical issues?

Where is the point of confluence where a group of tags takes on a very different capability, or threat, or completely new application?

The Marshall McLuhan "tetrad" analysis comes again to mind as a predictive tool to gauge the impact of emerging information technologies. I use the tetrad in a wide variety of applications in conjunction with technology food chain analysis. I think that the process has great merit for emerging RFID.

This pair of approaches applies well across technology fields, whether a fast moving field or a 'stagnant' field in which you are looking for a 'flip condition' that makes something old very relevant. I used it to good effect for Japanese firms seeking an early, low/no risk point to invest in US firms:

RFID chips watch Grandma brush teeth
11:50 17 March 04
NewScientist.com news service

Tiny computer chips that emit unique radio-frequency IDs could be slapped on to toothbrushes, chairs and even toilet seats to monitor elderly people in their own homes.

Data harvested from the RFID chips would reassure family and care-givers that an elderly person was taking care of themselves, for example taking their medication. Unusual data patterns would provide an early warning that something was wrong.

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Experts fear terrorists are seeking fuel-air bombs

With the phrase "they go to school on us" in frequent usage in the 9/11 Commission hearings, why does it come as a surprise to some that al Qaeda would attempt to deploy "near-nuclear effect" FAE (fuel air explosives) and thermobaric weapons? One of my drumbeats is that all technology "has a glide slope to the desktop," i.e., it is only a matter of time before any technology, be it laser printing or thermobarics, is small enough and cheap enough to be widely manufactured and distributed. Yet it still comes as a surprise to so many, which is, to me, a sure sign of underestimation and of our failure to "go to school" on them.

The US used thermobaric devices in March 2002 against al Qaeda caves near Gardez, Afghanistan. The weapons are "conventional" in their materials and so do not have telltale signatures but have near-nuclear effects -- a near perfect terror weapon -- and in the case of FAEs they can be assembled in country (I had manuals for them dating from the 80s from open sources) and they do not have the design challenges -- yet -- of thermobarics. The only surprise is why it would take so long.  See Defense officials defend using new bomb.

While jurists and purists dance on the head of a pin discussing whether a two-stage device (FAE) or a single-stage device (thermobaric) classifies as a WMD, i.e., two stages do but one stage does not, it makes no difference to the victim or the terrorist. (But you will be relieved to know that our thermobarics are consistent with the laws of armed conflict and our treaty obligations.) Terrorists will take the path of least resistance and start with homemade FAEs and purchased thermobarics.

If you design your first stage burst and mix properly, any fuel tanker truck becomes an FAE -- and it has the benefit of having a built-in transport means. (It is possible that the Tunisian synagogue blast was a developmental step in that direction.) Should the terrorist be unwilling to build, they can buy on the black market (Soviet devices have been found with rebels in the DRC, the Democratic Republic of Congo).

FAEs and thermobarics greatly redraft the tactical landscape as truck-barriers would have to have far greater perimeters and defensive strategies become far more complex as these weapons "go around walls." The blast effects are extraordinary, sustained, effective at a greater distance, and consume any breathable oxygen in the confined space and replace it with combustion gases. Lethality is assured.

As I noted in Nov 2001, "If you want to know anything substantive about Soviet tactical military operations, and especially areas of operations in Chechnya and Afghanistan, Lester Grau and Ali Jalali are your guys. As we consider digging anyone out of the underground sanctuaries of Afghanistan, be it natural limestone caves, irrigation tunnels, or purpose-made bunkers, it seemed wise to have a primer on the geography and the tools." Grau and Jalali’s "Underground Combat: Stereophonic Blasting, Tunnel Rats, and the Soviet-Afghan War" is still topical in employment. Just add significantly greater blast effects.

Put a thermobaric in a subway, especially an older, single tube system such as the London Underground, and the effects would be profound. FYI, if you are doing research on thermobarics, there is a lot of incorrect reporting in 2001-2002 that they are two stage devices.

Experts fear terrorists are seeking fuel-air bombs
New Scientist
09:45 21 March 04
David Hambling

Some experts fear that terrorists are trying to develop thermobaric and fuel-air bombs which can be even more devastating than conventional devices...

The devices use a small charge to generate a cloud of explosive mixed with air. The main explosion is then detonated by a second charge (a fuel-air explosion), or by the explosive reacting spontaneously with air (a thermobaric explosion). The resulting shock wave is not as strong as a conventional blast, but it can do more damage as it is more sustained and, crucially, diminishes far more gradually with distance.

Gordon Housworth



InfoT Public  Terrorism Public  Weapons & Technology Public  


Privacy and Consumer Profiling

With regards to the DARPA/Poindexter email regarding TIA data aggregation from commercial sources, the magnitude of what is available from commercial sources is vast.  If TIA or any other entity can integrate what is commercially available, the owner will have an astonishing snapshot of US nationals.  The following is a snippet from a much larger description.  (The demographic categories noted in "TSA Helped JetBlue Share Data, Report Says" are the tip of an iceberg.):

Profiling is the recording and classification of behaviors. This occurs through aggregating information from online and offline purchase data, supermarket savings cards, white pages, surveys, sweepstakes and contest entries, financial records, property records, U.S. Census records, motor vehicle data, automatic number information, credit card transactions, phone records (Customer Proprietary Network Information or "CPNI"), credit records, product warranty cards, the sale of magazine and catalog subscriptions, and public records. Profiling has sparked an entire industry euphemistically labeled "Customer Relations Management" (CRM) or "Personalization."

Companies collect information derived from a number of resources to build comprehensive profiles on individuals in order to sell products and to sell dossiers on behavior. This is often done without notice or extending a choice to the individual to opt out of the dossier building. These dossiers may be used by marketers for target advertising, and they may be sold to government for law enforcement purposes. Companies also "enhance" dossiers that they already own by combining or "overlaying" information from other databases. These dossiers may link individuals' identities to the following attributes:

These profiles are also indexed by other factors, such as wealth. For instance, American List Counsel sells an "ultra affluent database" that is overlaid with information on age, sex, and presence of children. The database includes the individuals' home phone numbers. Many of the "affluent persons" databases are mined from public record filings (Securities and Exchange Commission, State Corporations Registration lists) where individuals are compelled by law to reveal their personal information.

Profiling companies have well-developed lexicons to classify individuals. Claritas, for instance, divides individuals into fifteen different groups, which are in turn categorized into various subgroups.

Snip

No aspect of an individual's private life is too sensitive to be categorized, compiled, and sold to others. For instance, the Medical Marketing Service sells lists of persons suffering from various ailments. These lists are cross-referenced with information regarding age, educational level, family dwelling size, gender, income, lifestyle, marital status, and presence of children. The list of ailments includes:

[A list of some 68 diseases follows]

Gordon Housworth



InfoT Public  Infrastructure Defense Public  


Cooptation of commercial data warehouse firms by TIA

An August 2002 DARPA email obtained by EPIC (Electronic Privacy Information Center) under FOIA is an unsettling look at the cooptation of commercial data warehouse firms by TIA. Remember the admonition from Adbusters Media Foundation, "The Product is you."

(A) The most arresting point is: "Ultimately, the U.S. may need huge databases of commercial transactions that cover the world or certain areas outside the U.S. This information provides economic utility, and thus provides reasons why foreign countries would be interested. Acxiom could build this mega-scale database."

These databases will become targets in and of themselves, which (should) initiate an intensive effort to protect this data and, more importantly, the knowledge base of the analytics that examines it.

(B) The next arresting point is the close relationship between DARPA/TIA and commercial data providers who seem to be happy to comply with a requested data load if they can make a commercial case of it.

Prefiguring the name change of old TIA (Total Information Awareness) to new TIA (Terrorism Information Awareness), the issue of privacy is sidestepped by a sequential process in which "we should start with the goal, tracking terrorists to avoid attacks, and then identify the data needed (although we can’t define all of this, we can say that our templates and models of terrorists are good places to start)." The suggestion came from a commercial provider.

(C) As we saw from the recent JetBlue and Northwest Airlines 'sample exercises' (see my note, TSA Helped JetBlue Share Data) that postdate this email, things did not turn out well and, of course, once digital data gets harvested and then sourced through a series of vendors, it becomes functionally impossible to ensure that the personal data will be retained at the security levels of the original instance.

The personnel involved in this exchange are:

  • 'Jpoindexter' is John Poindexter, now resigned from DARPA
  • 'ddyer' is Lt Col Doug Dyer, PhD, DARPA/IAO
  • 'rpopp' is Dr. Robert L. Popp, Acting Director DARPA/IAO

Security can come at a rather high price. I found the points that Doug Dyer brought forward as opportunities to be both a direct abuse and a later opportunity for data attacks against the database and its analytics. The fact that it appears to have been made with the best of intentions unsettles me further. We should also remember that while Congress later slashed funding for TIA, a parallel effort proceeds unabated:

I have made an OCR text copy of the email in the PDF if someone desires it.

Gordon Housworth



InfoT Public  Infrastructure Defense Public  

