Now incorporating 112 Review, Community Safety Review & Military Review
Perimeter Security
In today's world our perimeter to be secured is not just the immediate physical of building walls, fences and borders.
by Michael Smith
While the Great Wall of China did something for that country by way of protection and a good perimeter fence and watchtowers may guard and protect a military or such installation, we must consider today, in the world of computers and the Internet, also and especially our virtual perimeter. This, in many case, is rather fluid.
While many companies, institutions, and others, place guards at their entrances, require passes of all kinds of levels, have fences, intruder sensors, and much more, despite the fact that they work rather on an international level, and have all manner of anti-virus protection and all manner protection against all manner of intrusions, by way of firewalls and such, few, so it would appear, have a policy in place to ensure that sensitive and mission critical data is not taken out by employees, especially temporary staff, or disgruntled staff, on removable medis such as floppy discs (yes, I am showing my age here, for I even remember when they, in fact, were floppy and rather big as well), to CDs/DVDs, USB flash memory, or even small removable USB hard drives.
We all have seen what can happen – and I am sure we all wonder where that data that was thus lost is now – when the likes of the British government offices sent data, very sensitive data, unencrypted, around the country on CDs.
Apparently, the real problem is that the two departments concerned have different encryption tools and the receiving department would not have been able to read the data had the discs been encrypted. No one thought of those implications before? Doh?!?
This is very much like NATO with all its different kinds of weapons and even communications systems all of which could really have caused a great deal of trouble had we ever had to go to war with the Warsaw Pact in those days. Unlike us they all had everything interchangeable. Proper compatibility should have been thought of one would have thought but, it does not seem to be thus. But, alas, those that sit in ivory towers.
Encryption is but one thing.
That, however, which often – more often than not – gets forgotten as far as securing data is the “physical” security of it and securing the ports – not the shipping kind though.
Who has access to the USB ports and do they need to be able to remove data by downloading it on removable media?
Organizations go to all lengths to control access to a network from the outside but often have no policy and measures in place for securing the devices. This means that basically anyone can steal sensitive data by using a USB memory stick, for instance, or an iPod.
The question is to ask who has access in an organization who could compromise data, as this could be more important than the possibility of an external breach and resultant data theft.
Too often only the “break in” from the outside into the system is being considered as far as data and security is concerned and the he possibility of data theft from within an organization by an employee is often overlooked.
Today with flash memory devices getting smaller and smaller and also being “concealed” in other objects, such as pens, and also getting more powerful with ever more data storage capacity plugging in a USB stick and copying a large amount of data only takes from some seconds to something like ten minutes and USB sticks nowadays are so common and, in fact, part of work, that the fact that someone has one or more on his or her person says and means nothing to the security guards, for instance. Hence the protection has to be at a different level.
Music players too, such as an iPod or similar, straight-forward MP3 player can often store data aside from just music files and are therefore also a way in which data can leave your institution; a way in which someone can take out data who, maybe, should not be able to.
Also, such devices, whether players or memory sticks, and such like, can be used by someone with malicious intent, whether employee or not, to inject malware into a PC or an entire network. All it needs is access to computer that is not locked down, for instance.
It would appear that many organizations do not have any systems and policy in place that control who may access and especially copy data to removable media of whatever kind.
All it takes, as we have seen more than once, is a disgruntled employee – or even an ex-employee whose password and such is still active – to ruin the reputation of an organization or to hold it to ransom.
© M Smith (Veshengro), December 2008
<>
by Michael Smith
While the Great Wall of China did something for that country by way of protection and a good perimeter fence and watchtowers may guard and protect a military or such installation, we must consider today, in the world of computers and the Internet, also and especially our virtual perimeter. This, in many case, is rather fluid.
While many companies, institutions, and others, place guards at their entrances, require passes of all kinds of levels, have fences, intruder sensors, and much more, despite the fact that they work rather on an international level, and have all manner of anti-virus protection and all manner protection against all manner of intrusions, by way of firewalls and such, few, so it would appear, have a policy in place to ensure that sensitive and mission critical data is not taken out by employees, especially temporary staff, or disgruntled staff, on removable medis such as floppy discs (yes, I am showing my age here, for I even remember when they, in fact, were floppy and rather big as well), to CDs/DVDs, USB flash memory, or even small removable USB hard drives.
We all have seen what can happen – and I am sure we all wonder where that data that was thus lost is now – when the likes of the British government offices sent data, very sensitive data, unencrypted, around the country on CDs.
Apparently, the real problem is that the two departments concerned have different encryption tools and the receiving department would not have been able to read the data had the discs been encrypted. No one thought of those implications before? Doh?!?
This is very much like NATO with all its different kinds of weapons and even communications systems all of which could really have caused a great deal of trouble had we ever had to go to war with the Warsaw Pact in those days. Unlike us they all had everything interchangeable. Proper compatibility should have been thought of one would have thought but, it does not seem to be thus. But, alas, those that sit in ivory towers.
Encryption is but one thing.
That, however, which often – more often than not – gets forgotten as far as securing data is the “physical” security of it and securing the ports – not the shipping kind though.
Who has access to the USB ports and do they need to be able to remove data by downloading it on removable media?
Organizations go to all lengths to control access to a network from the outside but often have no policy and measures in place for securing the devices. This means that basically anyone can steal sensitive data by using a USB memory stick, for instance, or an iPod.
The question is to ask who has access in an organization who could compromise data, as this could be more important than the possibility of an external breach and resultant data theft.
Too often only the “break in” from the outside into the system is being considered as far as data and security is concerned and the he possibility of data theft from within an organization by an employee is often overlooked.
Today with flash memory devices getting smaller and smaller and also being “concealed” in other objects, such as pens, and also getting more powerful with ever more data storage capacity plugging in a USB stick and copying a large amount of data only takes from some seconds to something like ten minutes and USB sticks nowadays are so common and, in fact, part of work, that the fact that someone has one or more on his or her person says and means nothing to the security guards, for instance. Hence the protection has to be at a different level.
Music players too, such as an iPod or similar, straight-forward MP3 player can often store data aside from just music files and are therefore also a way in which data can leave your institution; a way in which someone can take out data who, maybe, should not be able to.
Also, such devices, whether players or memory sticks, and such like, can be used by someone with malicious intent, whether employee or not, to inject malware into a PC or an entire network. All it needs is access to computer that is not locked down, for instance.
It would appear that many organizations do not have any systems and policy in place that control who may access and especially copy data to removable media of whatever kind.
All it takes, as we have seen more than once, is a disgruntled employee – or even an ex-employee whose password and such is still active – to ruin the reputation of an organization or to hold it to ransom.
© M Smith (Veshengro), December 2008
<>
Powers of RIPA legislation abused
Ex-Chief of MI5 'astonished'
by Michael Smith
The Regulation of Investigatory Powers Act (RIPA) was passed in 2000 to regulate the way in which public bodies such as the police and the security services carry out surveillance.
To begin with originally only a small handful of authorities were able to use RIPA but its scope has, for some reason, been expanded enormously and now there are at least 792 organisations using it, including hundreds of local councils.
This has generated dozens of complaints about anti-terrorism legislation being used to spy on, for example, a nursery suspected of selling pot plants unlawfully, a family suspected of lying about living in a school catchment area, and paperboys suspected of not having the right paperwork.
Now those campaigning against the abuse of RIPA have got a new ally in the person Lady Manningham-Buller, the former head of MI5. In a speech in the House of Lords recently, she said she was "astonished" when she found out how many organisations were getting access to RIPA powers.
Those that nowadays, more or less willy-nilly seem to be granted the right to carry our surveillance for this or that reason, should never, so it seems as far as the Security Services are and were concerned, be given those powers and rightly so.
While there may be reasons in fact for councils and others to, at times,m be granted powers under RIPA no council, per se, needs to carry our covert surveillance of dustbins for instance as to what people put into them. The same is true in respect to other uses that RIPA has been used for.
When RIPA was introduced the activities authorised by that legislation were meant be confined to the intelligence and security agencies, the police, and Customs and Excise.
The legislation was drafted at the urgent request of the intelligence and security community so that its techniques would be compatible with the Human Rights Act when it came into force in 2000.
Nowadays, however, for reasons unfathomable, every authority of whatever kind, from local councils and trading standards – and that latter one can still be understood – over the Milk Marketing Board equivalent and the one responsible for eggs and whatever else, aside from police, security services and HMRC, that is to say Customs and Excise, are given such covert surveillance powers.
Britain is the fast becoming, if it is not already, an all-pervasive surveillance society and British subjects are the most spied upon people on this planet, ahead even, so it would appear to citizens of Russian and even of Cuba.
On the principle governing the use of intrusive techniques which invade people's privacy, there must be total clarity in the law as to what is permitted and they should be used only in cases where the threat justifies them and their use is proportionate.
Presently, however, it would appear to be neither and as far as a great many people who are in the know amongst the general public are concerned this is very disconcerting and it is creating resentment amongst the people.
However, it seems that the current Labor administration in the United Kingdom could care less as to what the public thinks really. They have a majority in the House and hence do not care one iota about the people.
How can we expect to combat terrorism on our shores when we alienate the general law-abiding public who should be the eyes and ears of the authorities by using spy techniques and anti-terror legislation against them who have done nothing wrong.
The idea of the DNA and fingerprint database and the idea of monitoring all email and Internet traffic of every subject of Her Britannic Majesty is not going to bring the people onto the side of the government. Rather the opposite.
People who work in the field of security, I am sure, can see that but those that try to lord it over the people, whether central or local government do not care, it would seem. Councils up and down the country use RIPA powers against people that may or may not put the wrong stuff into their dustbins; who may put their dustbins out at the wrong day, and such like. As far as I, and Lady Manningham-Buller, see this is a total misuse of the powers of the act. Time some reigning on was done here.
© M Smith (Veshengro), December 2008
<>
by Michael Smith
The Regulation of Investigatory Powers Act (RIPA) was passed in 2000 to regulate the way in which public bodies such as the police and the security services carry out surveillance.
To begin with originally only a small handful of authorities were able to use RIPA but its scope has, for some reason, been expanded enormously and now there are at least 792 organisations using it, including hundreds of local councils.
This has generated dozens of complaints about anti-terrorism legislation being used to spy on, for example, a nursery suspected of selling pot plants unlawfully, a family suspected of lying about living in a school catchment area, and paperboys suspected of not having the right paperwork.
Now those campaigning against the abuse of RIPA have got a new ally in the person Lady Manningham-Buller, the former head of MI5. In a speech in the House of Lords recently, she said she was "astonished" when she found out how many organisations were getting access to RIPA powers.
Those that nowadays, more or less willy-nilly seem to be granted the right to carry our surveillance for this or that reason, should never, so it seems as far as the Security Services are and were concerned, be given those powers and rightly so.
While there may be reasons in fact for councils and others to, at times,m be granted powers under RIPA no council, per se, needs to carry our covert surveillance of dustbins for instance as to what people put into them. The same is true in respect to other uses that RIPA has been used for.
When RIPA was introduced the activities authorised by that legislation were meant be confined to the intelligence and security agencies, the police, and Customs and Excise.
The legislation was drafted at the urgent request of the intelligence and security community so that its techniques would be compatible with the Human Rights Act when it came into force in 2000.
Nowadays, however, for reasons unfathomable, every authority of whatever kind, from local councils and trading standards – and that latter one can still be understood – over the Milk Marketing Board equivalent and the one responsible for eggs and whatever else, aside from police, security services and HMRC, that is to say Customs and Excise, are given such covert surveillance powers.
Britain is the fast becoming, if it is not already, an all-pervasive surveillance society and British subjects are the most spied upon people on this planet, ahead even, so it would appear to citizens of Russian and even of Cuba.
On the principle governing the use of intrusive techniques which invade people's privacy, there must be total clarity in the law as to what is permitted and they should be used only in cases where the threat justifies them and their use is proportionate.
Presently, however, it would appear to be neither and as far as a great many people who are in the know amongst the general public are concerned this is very disconcerting and it is creating resentment amongst the people.
However, it seems that the current Labor administration in the United Kingdom could care less as to what the public thinks really. They have a majority in the House and hence do not care one iota about the people.
How can we expect to combat terrorism on our shores when we alienate the general law-abiding public who should be the eyes and ears of the authorities by using spy techniques and anti-terror legislation against them who have done nothing wrong.
The idea of the DNA and fingerprint database and the idea of monitoring all email and Internet traffic of every subject of Her Britannic Majesty is not going to bring the people onto the side of the government. Rather the opposite.
People who work in the field of security, I am sure, can see that but those that try to lord it over the people, whether central or local government do not care, it would seem. Councils up and down the country use RIPA powers against people that may or may not put the wrong stuff into their dustbins; who may put their dustbins out at the wrong day, and such like. As far as I, and Lady Manningham-Buller, see this is a total misuse of the powers of the act. Time some reigning on was done here.
© M Smith (Veshengro), December 2008
<>
Environmental protesters get into secure airport area
What the h*** happened to the security?
by Michael Smith
When, on Monday, December 8, 2008, environmental activists, gained access to a high security area air side on Stanstead airport in Essex one can only ask as to what the h*** has happened to the security at that airport, whether their own security teams or the police. Was everyone asleep at that time of the early morning?
If that is the security on the air side side of our airports then what is going to prevent a more or less major terrorist attack. If environmental activist – unarmed – except for bolt croppers and such like – can get air side on a more or less major airport, the second-largest airport in the UK in fact.
Not so long ago activists got onto a parked aircraft at Heathrow, Britain's largest airport, and one of the world's busiest and no one had noticed until some of them in fact unfurled a banner on the plane.
I must say that if that is our air side security at airports then all the other security measures are a waste of time and useless and will not make our airports and air travel secure.
While those measures aimed at air travelers inconvenience those traveling by air and make check ins and arrivals and longer process they will not prevent explosives, for instance, being placed on a plane. Not as long as the security on airports remains a joke as it is presently. The problem is that this joke is not funny by a long shot.
All the measures currently in place, as I have said already, do is inconvenience the airline travelers and not the terrorists for all they have to do is get air side, by cutting through a fence a la environmental activists and place a device at the belly, for instance, of a parked aircraft. And, the way security (what security?) is on that side of the airports at the present this is not, despite what we are being told, a difficult undertaking and this should make us really worried.
This is also very much the same as regards to security of the railroad rolling stock. While, for instance, as regards to the Eurostar trains, for example, airport style scanners and security checks are used and now even small penknives are illegal to be taken on that train there is very little stopping any more or less determined person getting near the parked trains and attaching a device to it or getting onto the tracks and sabotaging them.
I know that as much as with cyber security there is no 100% security possible anywhere and it cannot be unless we would surrender all our liberties and freedoms and we, as people, should take some responsibility – in fact the greatest part of it – for our own personal security and that of our families and loved ones, and, to some degree of society as a whole.
However, when we look at the ease that people can get into supposedly secure areas and get onto, as in the instance of Heathrow, a parked aircraft then we must ask what is going on.
One must then also wonder as to whether there really is the threat that we are told is there or are we just being told that so that the powers that be can make things more and more difficult for the ordinary people to go about their daily lives, such as having biometric ID cards (probably with transponders) forced upon them and the threat that any cop may demand to see ID and if no ID carried that one then might find oneself in jail.
If the security is allowed to be as lax as it appears to be then on can but come to the conclusion that in reality there is no such threat as the security services and government keep trying to tell us. If not then the lackadaisical approach taken to the air side security at British airports is criminal negligence and some heads should, nay indeed must, roll, and security must be made nigh on watertight.
As I said already, I know, and I hope that everybody else does too, that there is no such things as 100% security without living in a fortress and giving up all liberties and freedoms, and it would be then that the terrorists and enemies of freedom have succeeded and this we must not allow to happen.
If anyone is supposed to feel secure again flying – I for one would not, then again I do not like flying, period – then air side security must be enhanced and made as good as watertight. No good inconveniencing the passengers with all those checks and searches and restrictions when anyone can just saunter into any airport directly through the fence with bolt cutters and then can do, unmolested for quite some time, what they wish to do. There are many countries in the world where anyone entering such a secure are of an airport would simply be shot by snipers.
I do not think that we would, necessarily, want to have such kind of operations in the United Kingdom, but...
© M Smith (Veshengro), December 2008
<>
by Michael Smith
When, on Monday, December 8, 2008, environmental activists, gained access to a high security area air side on Stanstead airport in Essex one can only ask as to what the h*** has happened to the security at that airport, whether their own security teams or the police. Was everyone asleep at that time of the early morning?
If that is the security on the air side side of our airports then what is going to prevent a more or less major terrorist attack. If environmental activist – unarmed – except for bolt croppers and such like – can get air side on a more or less major airport, the second-largest airport in the UK in fact.
Not so long ago activists got onto a parked aircraft at Heathrow, Britain's largest airport, and one of the world's busiest and no one had noticed until some of them in fact unfurled a banner on the plane.
I must say that if that is our air side security at airports then all the other security measures are a waste of time and useless and will not make our airports and air travel secure.
While those measures aimed at air travelers inconvenience those traveling by air and make check ins and arrivals and longer process they will not prevent explosives, for instance, being placed on a plane. Not as long as the security on airports remains a joke as it is presently. The problem is that this joke is not funny by a long shot.
All the measures currently in place, as I have said already, do is inconvenience the airline travelers and not the terrorists for all they have to do is get air side, by cutting through a fence a la environmental activists and place a device at the belly, for instance, of a parked aircraft. And, the way security (what security?) is on that side of the airports at the present this is not, despite what we are being told, a difficult undertaking and this should make us really worried.
This is also very much the same as regards to security of the railroad rolling stock. While, for instance, as regards to the Eurostar trains, for example, airport style scanners and security checks are used and now even small penknives are illegal to be taken on that train there is very little stopping any more or less determined person getting near the parked trains and attaching a device to it or getting onto the tracks and sabotaging them.
I know that as much as with cyber security there is no 100% security possible anywhere and it cannot be unless we would surrender all our liberties and freedoms and we, as people, should take some responsibility – in fact the greatest part of it – for our own personal security and that of our families and loved ones, and, to some degree of society as a whole.
However, when we look at the ease that people can get into supposedly secure areas and get onto, as in the instance of Heathrow, a parked aircraft then we must ask what is going on.
One must then also wonder as to whether there really is the threat that we are told is there or are we just being told that so that the powers that be can make things more and more difficult for the ordinary people to go about their daily lives, such as having biometric ID cards (probably with transponders) forced upon them and the threat that any cop may demand to see ID and if no ID carried that one then might find oneself in jail.
If the security is allowed to be as lax as it appears to be then on can but come to the conclusion that in reality there is no such threat as the security services and government keep trying to tell us. If not then the lackadaisical approach taken to the air side security at British airports is criminal negligence and some heads should, nay indeed must, roll, and security must be made nigh on watertight.
As I said already, I know, and I hope that everybody else does too, that there is no such things as 100% security without living in a fortress and giving up all liberties and freedoms, and it would be then that the terrorists and enemies of freedom have succeeded and this we must not allow to happen.
If anyone is supposed to feel secure again flying – I for one would not, then again I do not like flying, period – then air side security must be enhanced and made as good as watertight. No good inconveniencing the passengers with all those checks and searches and restrictions when anyone can just saunter into any airport directly through the fence with bolt cutters and then can do, unmolested for quite some time, what they wish to do. There are many countries in the world where anyone entering such a secure are of an airport would simply be shot by snipers.
I do not think that we would, necessarily, want to have such kind of operations in the United Kingdom, but...
© M Smith (Veshengro), December 2008
<>
Subscribe to:
Posts (Atom)