
Security

January 5, 2009 11:05 AM PST

Alarm systems at risk: UL establishes a higher security requirement for magnetic switches

by Marc Weber Tobias

A standard magnetic trip is based upon a sealed reed switch. Two or three contacts are sealed in a glass envelope containing an inert gas. The sensor is placed on a fixed object such as a door frame, and the magnet on the movable surface. These switches provide the lowest level of security.

(Credit: Marc Weber Tobias)

The U.S. product safety testing organization Underwriters Laboratories has redefined the security requirements for magnetic switches used in many alarm systems because some of these devices can be easily defeated. If your facility employs reed switches or Balanced Magnetic Switches (the high-security version of these devices) you may wish to review the requirements of the new standard. UL 634 has established a second security level (2) to define more stringent requirements to protect against covert attack. Current BMS switches are covered under Level 1.

It appears that only one switch can currently meet the new Level 2 section of the standard. It is produced by Magnasphere in Waukesha, Wis., in conjunction with Harco Labs of Branford, Conn., and is likely to be specified for use in embassies, federal facilities, and other high security applications. The Magnasphere switch was just certified by UL as compliant with Level 2. I became familiar with this technology almost three years ago when I first interviewed the CEO of the company, Rick Kirschman, and documented the ability to bypass current reed switch technology (video) with simple magnets. The issue is especially critical for Sensitive Compartmented Information Facilities (SCIFs) because of the capability of surreptitiously bypassing these devices.

Alarm switches and connectors for use on doors, windows, safes, vaults and other areas are classified and tested by Underwriters Laboratories in Standard UL 634. The standard was updated to reflect concerns by the Department of Energy, State, and other federal agencies because of the capability of bypassing reed-based switch designs. Prior to release of the new standard, only one level of security was defined for magnetic switches. In the latest edition of Locks, Safes, and Security, a simple method was demonstrated to defeat the Balanced Magnetic Switch (BMS; video), which is the standard device that is used in high security applications by government agencies, banks, and many commercial facilities.

A Balanced Magnetic Switch (BMS) is used in high security applications. The device incorporates five reed switches, as shown in the X-ray view. Proper placement of three magnets, shown inserted between the reed element and activator, can defeat this switch.

(Credit: Marc Weber Tobias)

Magnetic switches, or "trips," are an essential element in virtually all electronic alarm systems. They are utilized to secure perimeter and interior doors, windows, safes, and vaults. They are often the first line of protection in residential, commercial, and government facilities. Their operation relies upon the presence or absence of a magnetic field to determine whether they are in a closed or open condition, indicating a normal or "tripped" state. Switches have two components: the sensor and activating magnet. Normally, the sensor is mounted on the fixed door frame, and the magnet is placed in close proximity on the moving door, window, or other element. As long as the sensor is captured by the magnetic field, the electrical circuit is completed. When the field is broken, the alarm is tripped.

Reed switches are not secure, and can be easily defeated, as demonstrated in the accompanying videos. These switches can be bypassed by electrical, magnetic, or mechanical tampering, and should not be relied upon for any measure of security, especially against attack from within an organization.

The revised UL 634 standard establishes two levels of security for magnetic switches in sections 49-65. Level 1 covers the current BMS designs, and Level 2 has been added for a higher security switch that is immune from several forms of tampering, nuisance alarms, and foreign magnetic field compromise. The new switches also require extended endurance testing for reliable operation after 1,000,000 cycles.

The Magnasphere high security switch is impervious to normal methods of attack that can be used to defeat traditional reed switches. The design was just certified by UL as compliant with Level 2 of UL 634.

(Credit: Magnasphere Corporation)

The Magnasphere switch (video) operates on a different principle than the reed, and is far more reliable and secure. It is immune to magnetic tampering, as demonstrated in the video. It took the company more than three years to complete the Standards process, but now it appears they are the only technology that can comply with the Level 2 requirements. Look for these switches to be incorporated in residential, commercial and government installations. They can be embedded within Balanced Magnetic Switches where the higher security requirements for SCIFs and other locations are mandated. According to Rick Kirschman, the Magnasphere switch is virtually tamper-proof because of its unique spherical design.

December 1, 2008 6:50 AM PST

New 9555 Iridium handset released

by Marc Weber Tobias

The new Iridium 9555 satellite handheld looks and acts like a cellular, but operates virtually anywhere in the world.

(Credit: Marc Weber Tobias)

Iridium has begun delivering its latest generation handset, which signals a new era for the global satellite carrier. It has been several years since any significant changes have been made in its handheld equipment, so for current users, this should be welcome news. I received one of the first 9555s that Iridium delivered to World Communications in Chandler, Ariz. World Communications has been a primary vendor for Iridium since the first implementation of the network. The new handsets, with accessories, sell for about $1,700, and according to Iridium, are available now.

The Iridium network, conceived, engineered, and built by Motorola, launched in 1997 as the first commercial constellation of 66 low earth orbit (LEO) satellites, crisscrossing the planet at about 500 miles above the Earth. The network was designed to provide secure communications on a global basis from a handheld that weighed about 12 ounces and could fit in your back pocket. While traditional geostationary satellite services, such as Inmarsat, require the radio to be held in one position during use so that the antenna can lock onto a satellite beam, Iridium is entirely different. The system works while flying, driving, walking, or onboard a ship. I have had extensive experience with the Iridium network since it commenced operations, and have used each of the three different handsets (the 9500, 9505, and 9505A) that were available prior to the 9555. This system currently offers voice and data communications virtually anywhere, even in the most remote regions of the world, as I can personally attest.

There are several noticeable improvements in the latest phone in terms of design, operation, software, and functionality. After placing a few calls on the new handset, I can say that the audio quality seems to be much improved from my older 9505 unit. I recorded one of the calls that I made to an associate so you can judge this for yourself. The handset closely resembles a larger cell phone, but works very differently with regard to its communications path and network infrastructure. The menu system, display, and software of the 9555 have also been updated. The package is about 30 percent smaller than its predecessor, the 9505, and the special antenna has been redesigned to retract into the body of the radio, rather than rotating and swinging upward to a vertical position. The battery charging system is also better in terms of size and connector. The handset now has a USB data port and new software for simplified Internet access. Although the transmission speed is still very slow, at 9600 baud, it is acceptable for e-mail when there is no other available service.

The communications security of the Iridium network is assured because of the way it transmits data from the handset to one or more satellites, then to a network gateway and the public switched telephone network. The satellites all talk to each other across the constellation in order to relay signals to a gateway facility, but the information is not repeated down to the ground, so intercept is extremely difficult. Even if the 1,640MHz signal could be captured directly from a handset, it would not provide much intelligence because of the way in which the network is configured. As an example, I was in Havana, Cuba last year and needed to make secure telephone calls back to the U.S. Cuban authorities routinely monitor cell phone traffic but are unable to listen in on Iridium. If you routinely travel to countries where you require the ability to communicate by voice or data without fear of eavesdropping, then Iridium is an excellent solution.

The prime North American competitor is Globalstar, which was originally launched at about the same time as Iridium. The Globalstar network is also based upon a LEO satellite constellation, but the infrastructure and transmission protocol are quite different from Iridium's. Its 48 satellites operate at about twice the distance from Earth as those of Iridium, and talk to different ground stations that are operated by various Globalstar partners. The network filed for bankruptcy in 2002 but came back two years later after an infusion of capital from Thermo Capital Partners. Unfortunately, Globalstar has been experiencing significant technical problems which have affected its coverage and reliability of service.

Iridium filed for bankruptcy in 1999. When it shut down, the network consisted of 13 planned or constructed gateway facilities throughout the world. The system was supposed to be decommissioned, but at the last minute, it was decided that Iridium could be a vital military communications asset, especially since one of the network operation centers was built in Hawaii specifically to handle all of the government traffic. An entrepreneur purchased the entire Iridium system for about $25 million and then signed an agreement with the Department of Defense to supply communications to the DOD, State, and other government agencies. When it resumed operation, the system was locked into the original two handsets. The 9500 and 9505 (and the slightly modified 9505A) were all that were available because the prime supplier, Motorola, was out of the picture. The network and current handsets have continued to provide primary handheld satellite communications for the Defense Department and State Department in Iraq and virtually everywhere else in the world. Iridium is utilized for mission-critical applications by many government agencies and private industries. The cost of a call is $1 to $2 a minute, depending upon the pricing plan. It is competitive with cellular, and offers a much more cost-effective solution for portable-to-portable communications when roaming overseas on GSM networks.

November 8, 2008 2:47 PM PST

Forensic tool detects pornography in the workplace

by Marc Weber Tobias

Screenshot from one of the menus in the forensic-software system for analyzing images for pornography.

(Credit: Paraben)

Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.

The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.

On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed to detect and analyze images on workplace networks and computers for suspect content. The system looks for a number of sophisticated parameters and grades images at three levels, based upon their correlation with criteria that have been programmed into the system.

The software, according to CEO Amber Schroeder, will also aid in the development of evidence for internal or criminal investigations in such cases. It's expected to cost about $17,000 for 500 computers.

I interviewed Schroeder last week, during the Techno Forensics seminar at the headquarters of the National Institute of Standards and Technology (NIST), near Washington, D.C. From personal experience, I can attest to the difficulty in analyzing large hard drives. Searching terabytes of data is incredibly time-consuming and difficult, so this software should provide a welcome tool for administrators and investigators.

Schroeder told me that the program cannot discriminate between child and adult pornography, but it is extremely effective at rapidly identifying suspect images, either online or offline. The system is capable of providing an effective real-time monitor, as images are downloaded to individual workstations, and can definitely aid in shielding employers from extremely costly lawsuits.

Even more importantly, such a program can help protect employees from the kind of invidious and offensive conduct that has been ruled as actionable by the courts, she said.

While the Paraben software has been designed for the corporate environment, it isn't prepared to examine other problem areas: cell phones, PDAs, and any other device that provides access to the Internet.

November 3, 2008 4:27 AM PST

ISC East showcases video, surveillance, GPS tech

by Marc Weber Tobias

Brickhouse Security's local tracking system for kids, up to 500 feet range

(Credit: Marc Weber Tobias)

I spent several hours at ISC East in New York last week to see the latest security hardware and software.

I was disappointed because the conference and expo offered more of the same; nothing really innovative caught my attention, or that of my associates. It seems the industry is focusing on video technology: cameras, DVRs, IP, wireless, remote surveillance, and many flavors of software that all essentially accomplish the same result. There were a few lock manufacturers, alarm distributors, monitoring centers, and access control providers, but I thought the number of exhibitors was relatively slim.

The integration of sophisticated electronics, RF and transmission technology, optics, and RFID is all a matter of course now, which perhaps was the most incredible aspect of the show. However, the event did not present a wide enough view of the available security hardware and truly unique applications that I saw three weeks ago at Security Essen in Germany. For those of you who are responsible for keeping abreast of the incredible array of technology and applications that are available, Essen is one of the prime venues every October. Virtually everyone is there, representing every security and software vendor in the incredibly diverse security sector.

What did intrigue me at ISC East was the number of applications that involve GPS technology and how it is being applied to anticipate and solve security issues. Location-based service, utilized by commercial and government sectors, will dramatically increase in the future. Already, there is a proliferation of this technology in phones, computers, vehicles, watches, cameras, communications hardware, tracking devices, and a host of other implementations.

Government has employed GPS and Assisted GPS for quite some time for tracking criminal suspects. In fact, Nextel was an early provider of location-based services for the trucking industry and, in so doing, also developed sophisticated mapping capabilities that were used by federal law enforcement agencies for determining the precise location of cell phones. The technology was so good, even five years ago, that the specific floor within a building where a suspect was located could be determined.

Law enforcement has been able to take advantage of GPS technology for tracking and catching criminals and terrorists. Almost everyone who uses a cell phone that was manufactured within the last few years is carrying a personal tracking device. The options available to investigative agencies are awesome, and I believe the public would be more than concerned if everyone realized the extent to which their "personal communicator"--first characterized in the Man from U.N.C.L.E. TV show in the 1960s--has evolved and come to fruition.

Cellular telephones and personal privacy are anathema to each other, especially if there are abuses by government agencies in exploiting the capabilities of the technology.

At ISC East, there were several vendors that specialize in the implementation of GPS technology for use in both the private and public sectors. One of those companies is Brickhouse Security, located in New York. It has been a leader in supplying and implementing this technology in a wide array of products for businesses and police. GPS can provide efficiencies in personnel and fleet management, asset tracking, and employee location and protection. Perhaps as important is the prevention of theft, which is a significant problem and is likely to increase as the economy slows down. Brickhouse also has developed hardware for video and audio surveillance, countermeasures, wireless solutions, biometrics, and other restricted applications.

I interviewed Todd Morris, president of Brickhouse, with regard to the current state of the art and two of his company's products. Brickhouse offers a device for tracking kids, up to 500 feet. It is simple and clever and can also be used to keep an eye on elderly people with dementia. The other system is the P-Track Pro, which uses a CDMA cellular link on Sprint to report the location of an embedded tracking device that can be placed virtually anywhere.

The proliferation of GPS already affects many facets of our mobile life. Although the integration of location-based technologies is almost endless, it does not come without risk. The potential to track the movements of a person and his or her vehicle can seriously erode rights of privacy. Already, spouses are placing store-and-forward or real-time tracking devices in cars to spy on their wives or husbands. Best Buy sells a system called Zoombak, which is a small package that can be implemented by anyone to instantly ping the location of a target and display the data on any computer that is connected to the Net.

By law, every phone in the U.S. must be capable of reporting its location for E911 services. The ability to locate someone who calls for help is obviously a desirable and necessary feature for public safety providers, but the flip side can lead to abuse. We have far surpassed the capabilities that were dramatized in 1984. While we are lucky that we have these sophisticated capabilities, we must also be vigilant as to their use. Presently, there is little legislation dealing with GPS applications to surveillance. I am quite sure that when lawmakers realize that their whereabouts can be instantly tracked, legislation will be enacted, just like when their cell phone call logs were obtained.

Brickhouse Security's P-Track device can be placed anywhere and will report its location via CDMA link.

(Credit: Marc Weber Tobias)

October 23, 2008 10:28 AM PDT

High insecurity at LockCon

by Marc Weber Tobias

Competing to open locks in the fastest time at LockCon.

Once again I made the annual trek to a little town in the northern Netherlands, Sneek, to meet with about 75 colleagues to discuss the latest security issues and bypass techniques for locks, safes, and access control systems. LockCon, the new name for "The Dutch Open," is organized by Barry Wels and Han Fey. For the past six years, they have put together a three-day event, replete with lock picking contests, safe cracking demonstrations, and briefings on new security technologies.

More importantly, the conference provides a forum for serious discussions and presentations about design flaws in security hardware, and new circumvention techniques. Barry Wels is actually a crypto expert for GSM phones, but is perhaps most well known in Europe for focusing attention on lock bumping in the Netherlands, through Toool (The Open Organization of Lock Pickers).

Two significant events occurred at LockCon this year.

On Friday, the director of research and development at Medeco High Security Locks gave a five-hour presentation on lock design. This is important because Medeco has finally recognized the value and contribution of the lock sport and professional bypass community and their ability to develop methods of compromise that manufacturers often seem incapable of determining in their own products. It is a real departure from the traditional approach of most lock makers, and one that I have supported and advocated for quite some time.

The following day, a detailed four-hour presentation and workshop was given by my co-author (Tobias Bluzmanis) and me regarding the bypass of Medeco m3 and Biaxial cylinders. For those who may be unfamiliar with the name, Medeco has been the predominant high security lock manufacturer in North America for the past 40 years. It's responsible for protecting residences, commercial locations, and the most secure government facilities in the U.S. and overseas. Its lock design was revolutionary and very secure, until we figured out the embedded design issue.

In our presentation, we examined the theory and practical aspects of compromising these highly respected locks by various methods, including bumping, picking, and bypass of its key control. On Sunday, a contest provided a real-world confirmation of the theories and techniques that were presented in our new book on the subject.

If you thought your locks were secure, check out the details and video links at In.security.org. The best official time to open a five-pin Medeco high security cylinder was 23 seconds. This flies in the face of the requirements of the two primary testing protocols that apply to these locks in the U.S. These standards set the minimum performance criteria for locks, safes, and other security hardware, and define resistance to covert and forced entry techniques.

UL 437 and BHMA/ANSI 156.30 require a minimum of 10 minutes to bypass these mechanisms by picking and other forms of attack. This is precisely why we have challenged these standards as not being representative of real world attacks, with potentially catastrophic results for facilities or critical infrastructure. Security professionals rely upon these same standards by Underwriters Laboratories and the Builders Hardware Manufacturers Association to establish benchmarks for high security locks. In my view, 23 seconds of protection does not quite make it! That was the documented official time. Actually, a participant opened one of the same locks in five seconds, but we did not record it on video.

More in a later post on the concept of standards, and why many security professionals do not feel they are adequate.

A new book, "Open In Thirty Seconds," was recently released by Marc Weber Tobias and Tobias Bluzmanis regarding high security locks and the techniques and theory to bypass all levels of security in Medeco m3 and some Biaxial cylinders. See stories on CNET earlier this summer from Defcon 16 and HOPE regarding these issues. Marc has lectured and written extensively with regard to Medeco and other lock manufacturers.
