Archive for November, 2012

Tech This Out: GPS Tracking Devices

I think having a child get lost or kidnapped would be any parent’s worst nightmare.

The closest thing I have to a child is my dog and I know if she went missing I wouldn’t be able to function.

Now that the holiday season is upon us, it’s likely you’ll be out in crowded malls, busy public places, airports or doing holiday activities.

It’s easy for kids to slip away in a toy store or get separated in a big crowd.

It’s also possible that you could lose your luggage on a trip or get your purse stolen while out shopping.

I thought this might be a good time to review some personal GPS device trackers.

The idea came up during Halloween because of trick-or-treating but I’ve decided that when it comes to things that are most precious to you, keeping those things safe is important any time of year.

I’ve tested two small devices that you can use for your child, your pet, your car, your purse, your luggage, elderly people, anything you want to keep track of.

The two devices are about the size of your keys, a fun-size candy bar, or a stick of gum.


In light of the massive Twitter security breach (yes, we’re still skeptical of the claim that it was just a password reset) earlier this month, some users might be worried about protecting their accounts on social media networks.

Andrew Jaquith, CTO of Perimeter E-Security and former Forrester analyst on password security, posted some great suggestions regarding account security on the Perimeter E-Security blog (where he is a frequent contributor). Consider this one a freebie, social network aficionados! It’s not every day you get expert advice at no charge.

Protip no. 1: Password expiration:

“Prevailing security dogma holds that security passwords should be complex and frequently changed. But requiring your employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result. They will scribble passwords on sticky notes, re-use the same password everywhere, or make the absolute smallest changes to their passwords that they can while still complying with policy.

“For example, an employee might pick a ‘complex’ 8-character password ‘rosebud1!’ and then increment the ‘1’ every 90 days. Even worse, because passwords must be changed so often, IT managers use the shortest passwords their regulators will let them squeak by with: 8 characters.

“For these reasons, researchers from Microsoft, Cambridge University among other institutions have concluded that password aging is a massive waste of time.

“It’s far better to require comparatively longer passwords that never change, such as passphrases or mnemonic passwords. Although employees will face a slightly longer learning curve initially, once they commit them to memory, they become reflexes. The best part: long passphrases can’t be broken as easily, so you’ve increased security and productivity at the same time.”

Protip no. 2: Using LDAP, AD, and single sign-on to reduce the passwords you need to remember:

“As with password length and aging considerations, the employee’s ability to remember their passwords is a strong predictor of how likely (or unlikely) they will be to behave in ways that are less secure. The fewer passwords they have to remember, the less likely they are to make mistakes or game the system.

“Tying your applications into your LDAP or Active Directory servers is a good way to reduce the burden — think of it as the poor-man’s SSO. Full-blown single-sign-on (SSO) systems, of course, are even better. Consolidating password stores has benefits beyond just convenience, though.

“You also get better security because you can centrally enforce your password policies, and suspend access to applications and infrastructure much more quickly.”


Airport security breach caught on camera

A passenger at Hartsfield-Jackson Atlanta International Airport says he caught a blatant security breach on his cell phone camera. The passenger with an iPhone was in the cell phone waiting lot when he recorded a woman tossing a bag over a fence to an airport worker.

The bag gets stuck and the worker climbs up to get it, all this unfolding just feet from the runway. One air safety expert wonders what’s in the bag but says that’s not the biggest concern.

“It’s obvious that they’re not concerned that security is going to be on top of them,” Air safety expert Brent Brown says.

He also says it tells him this isn’t the first time this has happened.

The worker was standing next to a Delta Air Lines luggage truck so Delta and airport officials say they are investigating the security breach.
A TSA spokesman says airport perimeter security is not their responsibility, but they are helping with the investigation.


If you pay peanuts you get… This holds true for private investigations and background checks too. Which is the better avenue to take when investigating?

It’s no secret to anyone at this point in time that we’re definitely living in a digital age. That said, computers and digital data are more than just conveniences that we can take or leave. They’re important parts of many aspects of our lives. This is especially the case when it comes to the evaluation of specific individuals for any number of reasons.

Background checks may have seemed like science fiction a long time ago, but nowadays they’re par for the course and have a number of uses. Employers perform background checks on potential hires in order to confirm information and evaluate their character. People even order background checks on acquaintances, neighbors, or potential spouses wishing to better know who it is that they’re really letting into their lives and allowing around their loved ones.

However, one thing people never really consider is the importance of hiring professionals to conduct background checks in order to make sure that information gathered is accurate and as valuable as it should be.

The Myth of Online Background Check Services

As much as computers and the internet have brought a wealth of convenience and choice into the modern person’s life, there are certainly ways in which this can easily backfire. A common misconception in regards to background checks today is that those inexpensive services you can use online actually have the value that they should. Sure, you can pay your $50 or so and wind up with plenty of information that looks extensive. However, it’s important to note that the most important information is actually left out of a lot of those reports.

Background checks should consist of more than a list of old addresses and phone numbers. Real ones also include extensive criminal records, credit information, traffic violations, civil court records, and so forth. The best way to make sure your background checks contain all of the necessary information is to hire a professional to conduct them.

What to Look for in a Good Private Investigations Firm

One way to get a really solid background check conducted on a given individual is to locate a reputable private investigations firm and enlist their services. Background checks are important parts of many different types of investigations, so most PIs are going to be old hands when it comes to performing thorough ones. They know what to look for, what a given check should entail, and how to make sure they find all necessary information out there to be had.

When evaluating a given firm, it’s important to ask about their experience level in regards to not only background checks, but investigations in general. Do they have any credentials they can present to prove their mettle? How many years have they been in business? What kind of experience do they have with performing background checks in regards to your unique type of situation – spousal investigation, employee background checks, and so forth? How about references you can call?

You will also want to make sure that the firm you choose makes use of all the technological options available to the world of private investigation today. A good PI firm knows the ins and outs of combing databases for information, using top of the line software, and assessing digital data in order to build solid cases and comprehensive reports. Ask for information in regards to a given investigator’s experience with all of these things.

In the end, it almost always pays to hire an experienced professional when it comes to just about anything and background checks and private investigation situations are no exceptions. Look into your options today and get the job done right!


Cybercrime vs. Cybersecurity

Many people rely heavily on the internet for running their daily lives. And every day, the number of internet-dependent people increases. From studying, socializing or shopping, many technologically savvy individuals use their computers or mobile devices to run errands and to entertain themselves. While technology has vastly improved our lives, countless dangers lurk on the internet. Cybercrime is on the rise and has already affected many individuals and companies.

Stu Sjouwerman, founder of KnowBe4, a site dedicated to cyber security awareness and training, stated that it has been a challenge to compete with the dynamic “industry” of cybercrime, but it is a challenge that Sjouwerman welcomes.

“There are people in Eastern Europe who go to work, punch the clock, work all day, get health benefits, leave at 5 p.m., and what they do is steal your identity or hack into your network,” Sjouwerman said.

Cybercrime has completely professionalized over the last few decades, in contrast to when only a handful of individuals had the time and money to hack into systems.

While cybercrime evolves into a larger industry, some people have yet to adapt. They are not aware of Sjouwerman’s number one rule in cyber security, “There is no security.”

Additional layers of good security can alleviate an individual’s stress regarding cyber-attacks, but security is no good replacement for human vigilance. It only takes one human error to let criminals into the system.

Professor Sean Peisert, a research computer scientist from the Lawrence Berkeley National Laboratory and a faculty member of the UC Davis Computer Security Lab, said that most anti-virus or anti-malware software only protects from known threats. As long as a hacker has enough time and resources, he or she can crack through any security system by creating something that security programs have not been programmed to deal with yet.

However, various computer and internet security companies and programmers adapt quickly in response to the challenge, learning from past hackers. Some computer security programmers work directly with hackers to improve security. For example, KnowBe4 has worked together with infamous computer hacker Kevin Mitnick. Mitnick was one of the first true computer hackers, breaking into company networks belonging to Motorola, NEC, Nokia, Sun Microsystems, Fujitsu and Siemens.

As for UC Davis, the busy people of the UC Davis Cyber-safety Program and the UC Davis Computer Security Lab work for better internet security.

The professors involved in the UC Davis Computer Security Lab explore and research various areas of internet security. Some, like Professor Hao Chen, work with mobile computing and mobile app security, while others, like Professor Karl Levitt, work on a variety of projects from intrusion detection to network tracking, and even election security.

Professor Peisert helped deal with the cyber attacks on the San Diego Supercomputer Center perpetrated by “Stakkato,” the alias of a group of hackers who broke into systems belonging to the U.S. Military, White Sands Missile Range, NASA and multiple universities.

In particular, Professor Matt Bishop of the UC Davis Computer Security Lab detects weaknesses in security systems.

“I look for vulnerabilities, break into things and try to fix them,” Bishop said.

He often looks at certain aspects of internet security, such as how people hide personal information. In addition, he is interested in computer security education, which includes teaching robust coding, a class of software in which the program can respond elegantly to unknown situations instead of crashing.

“Campus folk are good with security,” Bishop noted when asked about UC Davis’ status.

On the front line of UC Davis’ cyber security is Robert Ono, IT security coordinator of the UC Davis Cyber-safety Program. Currently, the campus staff upholds the adopted Cybersecurity policy of 2005 through governance models and stringent security standards for campus network devices. While maintaining the program’s website and handling security risks, Ono oversees campus security training.

“A biennial security symposium [hosting] hands-on training and lecture seminars for technologists,” Ono said, is one of the methods for training new staff.

Along with the symposium, training includes log management, threat management and coding techniques.

Although there are companies, professors and staff all working hard to improve cyber security, they also provide steps and advice to help the general public protect themselves.

“Make sure you patch your computer and applications. If there is an update, do the update. Last but not least, use strong passwords and for god’s sake don’t use the same password all over the place,” Sjouwerman said.

Bishop gave an apt analogy regarding passwords.

“Use common sense. Realize that there are nasty folks on the internet. You wouldn’t give your car keys to someone you didn’t know very well, and you shouldn’t do the same with your password.”

Peisert said computer owners don’t need to buy loads of security software, since most end up ignoring the security alerts anyway.

“So, rule number one is back up your systems: Time Machine, CrashPlan, BackBlaze, Mozy, Dropbox and others are simple, inexpensive means for doing this.”

Ono suggested that the public “identify files on [their] computer that contain personal identity information (e.g. your name, Social Security number or credit card/financial account number) and remove the files if at all possible. There are free tools for personal use, such as IdentityFinder, that are available for scanning your Mac and Windows computer(s) for identity information.”

The overall lesson is this: practice caution and be wary, but do not be too paranoid since the internet is still a wonderful tool.


Making sense of computer forensics

Information security organizations usually have very detailed plans to prevent incidents like security breaches or employee misuse of resources. However, they also need to be prepared for the possibility that an incident could occur that will have significant legal implications or lead to a criminal investigation. In this type of case, data stored in the organization’s systems may be critical evidence that could make or break a legal case.

Converting digital information into usable legal evidence presents some unique challenges. For example, imagine if critical evidence resides only in a machine’s RAM: it could easily be lost if the machine is powered off. An operating system’s normal operations could alter the attributes of an important file unless proper precautions are taken. The simple act of opening a file can change its last access attribute, rendering it unusable as legal evidence.

So how do forensic investigations work?

Computer forensics basically deals with identifying, collecting, analyzing and protecting information residing on computer systems that could be used as evidence in legal procedures or even a trial. Computer forensics specialists have a number of tools at their disposal for dealing with many of the different challenges posed by the proper handling of digital evidence. A typical forensic investigation involves the following steps:

Identification: the first step of an investigation is to identify the location of the relevant data that can be used as evidence. These days many devices could contain information besides computers, such as smartphones, USB drives and even videogame consoles.

Collection: Once the location of the data has been identified, an investigator has to then apply the appropriate collection technique or tool. For example, the most common technique for computer hard drives involves the use of imaging software that can capture every sector of a drive, including unallocated or residual data (such as data remaining from deleted files). Usually multiple copies are made and at least one is kept for control purposes in case a working copy becomes damaged during analysis.

Analysis: Depending on the case and the type of data and its location, there can be several procedures that can be used to analyze the collected data. A common objective in the analysis is to create a timeline of events. For example, the analysis of a breach can lead to the construction of a timeline that describes the chain of events that led to the incident: a spear-phishing e-mail led a user to a malicious website that exploited a vulnerability in his machine that in turn allowed the attacker access to the corporate network. The analysis of evidence must be thoroughly documented since the evidence and the process to obtain it are usually required in legal procedures.

Protection: this is probably one of the most critical aspects of a forensic investigation. Take for instance the previous example of how opening a file can change its attributes: recklessly opening files can alter their attributes and their integrity can be questioned. The chain of custody is essential for dealing with any type of evidence, and it refers to the proper handling of evidence and a formal documentation of everything (and everyone) involved in the investigation or handling of said evidence. Any break in the chain (for example, a period of time where the location of the evidence cannot be accounted for) can cast doubts on the integrity of the evidence or its usability in a legal procedure.
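Two checks from the Collection and Protection steps, as an added example rather than code from the original article: it compares working copies of a drive image against the control copy and scans a custody log for periods where the evidence is unaccounted for. The use of SHA-256 digests, the log field names and the sample log entries are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large disk image never has to fit in memory.

    Run this on copies of the image, not on the original media: reading a
    file is exactly the kind of access that can alter its attributes.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def damaged_copies(control_path, working_paths):
    """Return the working copies whose contents no longer match the control copy."""
    reference = sha256_file(control_path)
    return [p for p in working_paths if sha256_file(p) != reference]


def custody_gaps(entries):
    """Find breaks in the chain of custody.

    entries: dicts with 'custodian', 'received' and 'released' (datetime, or
    None for whoever holds the evidence now). Returns tuples of
    (previous custodian, next custodian, gap start, gap end). A gap start of
    None means the previous custodian never signed the evidence out.
    """
    ordered = sorted(entries, key=lambda e: e["received"])
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["released"] is None:
            gaps.append((prev["custodian"], nxt["custodian"], None, nxt["received"]))
        elif nxt["received"] > prev["released"]:
            gaps.append((prev["custodian"], nxt["custodian"],
                         prev["released"], nxt["received"]))
    return gaps


# Constructed sample log (hypothetical names and times, not from a real case).
CUSTODY_LOG = [
    {"custodian": "Investigator A",
     "received": datetime(2012, 11, 5, 9, 0),
     "released": datetime(2012, 11, 5, 17, 30)},
    {"custodian": "Evidence locker",
     "received": datetime(2012, 11, 5, 17, 30),
     "released": datetime(2012, 11, 7, 8, 15)},
    {"custodian": "Analyst B",
     "received": datetime(2012, 11, 7, 11, 45),
     "released": None},
]


if __name__ == "__main__":
    for prev, nxt, start, end in custody_gaps(CUSTODY_LOG):
        print(f"Unaccounted for between {prev} and {nxt}: {start} -> {end}")
```

Recording the control copy's digest at collection time also lets the same comparison be repeated later, each time a new working copy is made.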

What can an organization do to prepare?

The role computer forensics can play in an incident should be taken into account in your security incident management and response plans. Since there is an important legal factor involved, be sure to first consult with your organization’s lawyers for guidance on the applicable laws and regulations.

When an organization needs to perform a computer forensic investigation, it typically relies on its internal staff, hires external specialists or uses a combination of both. Be aware that depending on the incident or legal jurisdiction, it may be mandatory that the investigation be performed by a law enforcement agency. Using internal staff or external consultants has different advantages and disadvantages for an organization:

Internal staff: these days there is a great deal of resources for training forensic professionals, such as those from SANS, among many others. Having someone on staff with knowledge of the tools and procedures in forensic investigations could be invaluable when building or improving incident response programs. Trained staff members can provide a fast way to get started with an initial assessment. However, depending on the type of incident, an internal investigation might not be the most effective or appropriate strategy. In some jurisdictions, internal investigators must be properly licensed or registered with a local law enforcement agency.

External specialists: these experts usually have extensive experience in handling digital evidence and may have the required licenses to operate in your area. They may also have a higher number of technical tools and resources required for many types of investigations. The cost associated with these experts however, could be very high. As noted before, make sure to check with your legal counsel first.

Perhaps the most important step an organization can take to prepare is to decide on and properly document the method or procedures to follow in the incident response plans. Organizations that wait until an incident occurs to make these decisions could find themselves at a disadvantage in any number of legal situations.


The United States Department of Homeland Security collects and retains personal information on potential security risks to U.S. transportation security including airline passengers, flight crews, contractors and TSA employees – and anyone else’s personal information stored on several data lists created by the federal government since 9/11 in an attempt to “connect the dots” that may have been previously overlooked.

The U.S. Department of Homeland Security (DHS) Transportation Security Administration’s (TSA) Office of Intelligence & Analysis Trends and Patterns Branch (TPB) will now integrate all the personally identifiable information (PII) collected into one “jumbo list,” in order to better analyze and identify previously unknown links or patterns among individuals who undergo a TSA security threat assessment.

Exactly whose information is stored in the FBI’s Terrorist Screening Database (TSDB) and DHS and TSA compiled lists is a secret.

Most Americans are aware of the U.S. government “no fly lists,” which supposedly flag potential terrorists before they board commercial airliners, and security threat assessments of flight crews and passengers, and individuals with questionable identification and airport workers. Some lesser known TSA security threat assessments are conducted on registered overnight hotel guests (Registered Guest) at certain hotels physically connected to airport terminals, Commercial Driver’s License (CDL) holders, certain non-travelers, and anyone seeking Sensitive Security Information (SSI) in a civil proceeding, and much more.

On the FBI website, the agency quotes a Washington Post editorial to explain why watch lists such as the “No Fly list” and “Selectee list” remain undisclosed:

“There are legitimate law enforcement reasons for keeping the list secret: Disclosure of such information would tip off known or suspected terrorists, who could then change their habits or identities to escape government scrutiny.”

Who can access all of the personal information collected by the U.S. government? It is entirely at the discretion of the TSA.


Cell phones long ago ceased to be a luxury and became something we can’t leave home without. But even when your device is idle or turned off, it’s sending information about your location to a cell phone tower every seven seconds. One thing most of us don’t consider is access to that information isn’t limited to your cell phone carrier.

“Police and the government can use that ping to track your whereabouts. There is no expectation of privacy in carrying that cell phone,” said Savannah attorney Bates Lovett of Hunter Maclean. Lovett said carriers can give out this information without your knowledge or permission, and in some cases without a court order.

“They can pull your text messages. They can pull your search history. Those are the types of data and information that they’re being able to pull off now that they don’t always need a warrant for,” said Lovett.

Cell phone companies are now answering more demands for your data than ever before. Nine U.S. carriers responded to questions from U.S. Rep. Ed Markey (D – Massachusetts) earlier this year. According to Markey, the group reported receiving more than 1.3 million requests for information from law enforcement in 2011.

There is no denying that cell phone data is useful and often essential for investigators working to solve crimes. Privacy advocates question whether law enforcement is being allowed too much leeway with what should be protected information.

“They’re going after one person but get information on anyone who was around a cell phone tower at a certain time. Even though they’re investigating one person, they have information on hundreds or thousands of people,” said Trevor Timm of the Electronic Frontier Foundation.

Experts say the problem is the law hasn’t kept up with technology.

“That’s certainly an issue that legislatures are taking into consideration now is what level of requirement must the government go through to get that type of information,” said Lovett.

A bill called the GPS Act that would require warrants for the data has stalled in the U.S. Senate. U.S. Rep. Jack Kingston said he believes it is time for Congress to act.

“There should be a very high firewall in terms of personal information and what can be done with that information, who gathers that information, who sells, who buys that information,” Kingston told News 3.

Until regulations are in place, remember that what you do with your cell phone is more public than you think.

“Your expectation of privacy and what you and I would think of as private is just not the same thing as what the government thinks of as privacy,” cautioned Lovett.

Many of the cell phone carriers that responded to Markey’s inquiry said they don’t keep track of the law enforcement requests they reject, so the number of requests for data is actually more than estimated.

A study by the American Civil Liberties Union found that some cell phone carriers have manuals for police that explain what data the companies store, how investigators can obtain the data, and how much it would cost.


Store mannequins are meant to catch your eye. Soon you may catch theirs.

Fashion brands are deploying mannequins equipped with technology used to identify criminals at airports to watch over shoppers in their stores. Retailers are introducing the EyeSee, sold by Italian mannequin maker Almax SpA, to glean data on customers much as online merchants are able to do.

Five companies are using a total of “a few dozen” of the mannequins with orders for at least that many more, Almax Chief Executive Officer Max Catanese said. The 4,000-euro ($5,130) device has spurred shops to adjust window displays, store layouts and promotions to keep consumers walking in the door and spending.

“It’s spooky,” said Luca Solca, head of luxury goods research at Exane BNP Paribas in London. “You wouldn’t expect a mannequin to be observing you.”

The EyeSee looks ordinary enough on the outside, with its slender polystyrene frame, blank face and improbable pose. Inside, it’s no dummy. A camera embedded in one eye feeds data into facial-recognition software like that used by police. It logs the age, gender, and race of passers-by.


An Introduction to Social Media E-Discovery

Social media is here to stay – in the living room, at the kitchen table, at the movies, in the coffee shop, and even in the workplace. The boom of mobile applications has taken popular social web apps like Facebook, Twitter, Pinterest, and LinkedIn to new levels of user growth and virality. More users mean more data; and where there is data, you’re likely to find a case for electronic discovery (or e-discovery, for short).

Let’s start with a definition. Electronic discovery is the process of searching for and finding electronically stored information (ESI) – often a procedural necessity in civil litigation. In the past, we’ve thought about e-discovery when dealing with such things as the exchange of company email, saved documents, etc. If any of these things were evidentiary in nature, they might be “discovered” (using some form of software for e-discovery) and presented as evidence in court proceedings.

Social media, as it happens, is no different. I alluded earlier to the fact that employee-to-employee communication via social media during the workday has become no less than a commonality. In some companies, it’s actually encouraged. Many executives contend that social media use can in fact improve overall productivity. While this sort of encouragement is obviously warranted (to some degree), it should not come without preparedness for possible litigation down the road.

Collecting Social Media Data

This is the ‘how’ side of the coin. It is imperative that – before moving forward with encouraging workplace social media communication – you understand how you’re going to collect social media data. Social media is sort of the Wild West of the Web. Communications are moving so quickly in such high volumes that it’s hard to keep track of the goings on. Unfortunately, “it’s too hard” won’t get you any slack cut in a court of law.

For this reason, it’s a good idea to explore all of the possible options for collecting social media data. Some of the avenues you might explore include:

-Screen shots of communications
-Communications sent/monitored via proxy server
-Communications indexed by custom web crawler
-Communication data pulled from application APIs

There are other viable solutions worth considering. As is the case with those listed above, each method will always have its pros and cons. Nonetheless, it’s vital that you have some methodology in place before you give the go-ahead.

Implementing Defensible Policies

To be discovered, the data must first exist. One of the key aspects of surviving an e-discovery request is the presence of defined retention and litigation hold policies. This is true of document discovery, as well as email. You can bet that it’s true of social media e-discovery.

With a retention policy, companies can provide a stringent outline of the type of social media data they collect, where they archive it, and how long they keep it archived. This way, when the deletion of a particular item comes up in litigation, there are clear guidelines that point to the defensibility (or lack thereof) of the deletion. The system understands that storage is an issue; data won’t be stored forever.

A litigation hold policy, on the other hand, is put into effect when a company suspects impending litigation. The primary function of this policy is to mandate that any data that might be evidentiary in nature remains archived (and undeleted). With social media, though, the litigation hold policy might include limitations on future social media communications (Facebook posts, Twitter tweets, Pinterest pins, etc.), changes in the types of communications permitted during the period prior to litigation, etc. Any and all of these things are worth considering. With email, a comprehensive litigation support software can aid you in implementing these policies.

Social media is a great tool. It can breed collaborative culture and even productivity in the workplace. However, without strict policies in place to govern social media communications and methodologies to collect and archive those communications, it will be difficult to build a legitimate defense when workplace social media exchanges become the subject of litigation. Prepare your strategy early, and you’ll be able to relax down the road.
