Security Summit: News You Can Use

May, 2012
Issue 1; Vol. 5

Bomb Threats: An Effective Denial-of-Service Attack

 

The University of Pittsburgh received over 80 bomb

Threats during a recent 30 day period Each

time, the university evacuates the threatened building, searches it top

to bottom, including its 42 story main classroom building. Officials find nothing, and eventually classes resume.

 

**************************************************************************

IN THIS NEWSLETTER

BOMB THREATS: AN EFFECTIVE DENIAL OF SERVICE ATTACK

OLLIVIER HOT TOPICS

HACKING CRITICAL INFRASTRUCTURE

LOST CELL PHONES

**************************************************************************

 

Think of this as what IT security professional call a denial-of-service attack…and it troubling when you consider how effective it is.

 

Police have no leads. The threats started out as handwritten messages

on bathroom walls, but are now being sent via e-mail and anonymous

remailers. The University response has announced the following:

 

To enter secured buildings, we all will need to present a

University of Pittsburgh ID card. It is important to understand

that book bags, backpacks and packages will not be allowed. There

will be single entrances to buildings so there will be longer

waiting times to get into the buildings. In addition,

non-University of Pittsburgh residents will not be allowed in the

residence halls.

 

From a security perspective, this may not help and it may even encourage this and other such attacks….but what else can the University do?

 

The incentives for university officials are such that they’re stuck with what appears to be overreacting. If they ignore the threats and they’re wrong, people will be fired. If they overreact to the threats and they’re wrong, they’ll be forgiven.

 

For the attacker, though, the cost-benefit payoff is enormous. E-mails

are cheap, and the response they induce is very expensive.

 

This is a very dicey situation for any institutional management team.

 

**************************************************************************

Ollivier Hot Topics

 

Security System as Application Software. We find that many companies with security systems do not think of their system as application software with an owner, a custodian and an architecture. This lack of a differentiated view of the system and its functions can cause disorganization and duplication of work and very suboptimal system configuration. We are particularly distressed when we find user organizations having multiple integrators with access to the application and its configuration settings.
One Camera and X Camera Views. We like the new technologies that enable multiple camera view from a single physical camera. We like it especially when there are no moving parts and a single lens. Mobotix cameras were our first experience, then IQ Invision and now Immmervision. This last one may become our favored because it is a lens-only piece of equipment. It fits on most any camera the enables interchangeable lens’. It provides 360 degree views that can be displayed as, say 4 camera views, during live operation or review of recorded video. We believe these technologies promise increased benefit to our customers.
Many pharmacists need to access the narcotics cabinets every ten minutes or so. At the same time, they need to protect the contents of those cabinets to avoid shrinkage and to maintain regulatory compliance. This happens to be one of those applications where there exists no ready solution. In response to one of our customers, Ollivier has combined access control software, a unique electrified lock and a mechanical key override to create a customized solution for this niche. It appears to be just what the doctor ordered.
.

**************************************************************************

 

Hacking Critical Infrastructure

 

An article, reported by one of the most thoughtful security experts that I follow, Bruce Schneier, contained the following paragraph in regard to Internet threats:

 

At a closed-door briefing, the senators were shown how a power

company employee could derail the New York City electrical grid by

clicking on an e-mail attachment sent by a hacker, and how an

attack during a heat wave could have a cascading impact that would

lead to deaths and cost the nation billions of dollars.

 

If you think you might be in a similar situation, consider taking critical critical computers off the public Internet?

 

**************************************************************************

Lost Cell Phones

 

Ever wonder what the risk might be when employees lose their cell phone? Symantec conducted a little study. They deliberately “lost” a bunch of smart phones with tracking software on them. Here is some interesting findings:

Approximately 43 percent of finders clicked on an app labeled ‘online banking.
53 percent clicked on a file named ‘HR salaries.
57 percent opened the file named ‘saved passwords
60 percent of the finders checked social networking tools and personal e-mail
72 percent felt compelled to open a folder labeled ‘private photos’

**************************************************************************

“Security Summit: News You Can Use” is a free newsletter providing summaries, analysis, insights, and commentaries on physical and data security. Ollivier Corporation relies on its own experience plus the commentaries of Bruce Schneir and SANS Newsbites for content. Please feel free to forward Security Summit: News You Can Use, in whole or in part, to colleagues and friends who will find it valuable.
Copyright (c) 2012 Ollivier Corporation

 

**************************************************************************

For more information about Ollivier Corporation, visit:
www.olliviercorp.com

 

**************************************************************************