Category Archives: Security

Mongkok Acid Attack

Hong Kong police are struggling to figure out who is pouring acid on pedestrians, Time Magazine reports:

After Mongkok’s last acid attack, which occurred May 16, police installed eight CCTV surveillance cameras on two buildings in the area to try to catch the culprit the next time he or she struck. But after spending about $220,000 on the equipment, none of the cameras’ footage caught this week’s attack. Senior Superintendent Edward Leung Ka-ming of the Kowloon West regional crime unit said the collected footage needed to be “enhanced” because of its poor resolution to prove useful. While the district council decides what step to take next with the cameras, the police hope pedestrians might have some tips of their own.

A bottle full of acid was dropped from a building on June 8th, said to have been a rainy night. When it exploded twenty-four people were injured.

Did police realize they needed better resolution only after installing the cameras? And did they plan any upgrade path for resolution, or will it require physical, on-site replacement? Perhaps an even better question is whether the $220,000 could have been spent on other control measures, such as nets covering the street. Not an ideal solution, but if the concern is keeping shoppers feeling safe then nets probably make more sense: they prevent the harm, whereas cameras only detect it, and at this resolution they did not even manage that.

German Donald Outshines US Duck

The Deutsche Welle tries to explain why Donald Duck, ‘modern Sisyphus,’ is still Germany’s darling at 75

In their earliest days in Europe, comic books were looked down upon as lacking intellectual rigor and were thought to be bad for children. So when it first started publishing Donald Duck, the German publisher Ehapa asked Fuchs to make her translations more erudite.

And erudite she was. The German Donald quotes Goethe and Schiller, Hoelderlin and Wagner. He uses frequent alliterations and has coined phrases that have since worked their way into the language on the street. Moreover, Fuchs often gave the stories a more political tone than they’d originally had.

I can only imagine a cartoon duck quoting Goethe.

The deed is everything, the glory is naught.

Perhaps the following quote is more likely. Imagine Donald’s voice as he says:

We know accurately only when we know little, with knowledge doubt increases.

The article explains several of the elements that Germans find appealing in their version of the Duck character. First, perseverance:

Gerhard Severin is the acting president of the Donaldists. For him, Donald Duck represents a “modern Sisyphus, who always keeps trying. Despite constant setbacks he starts over again, and shows us that you should never give up.”

Second, a hot temper is said to be something Germans admire. Third, although I might be going out on a limb here, Donald has no pants. Maybe it would be more accurate to say Donald’s pants are down. Get it? Down. Either way, I bet this is also a factor that resonates with the German perspective on life.

T-Mobile Breach

News is circulating that T-Mobile servers have been breached. An anonymous message to the Full Disclosure mailing list on Saturday was the start of the topic. This message included a claim that T-Mobile has been owned for some time, and that the attackers “have everything” up for sale to the highest bidder. It also included a list of 511 production server details such as their hostname, IP address, OS and applications.

This situation raises two distinct questions. First, how can an organization best anticipate and detect breaches? The second question is how an organization can best respond to a breach, especially with regard to preventing another.

Before answering those questions, a quick look at the spreadsheet of servers raises several other questions. For example, do the 511 servers in the message have anything in common? Are they managed from a particular department or under a specific project? This kind of analysis could help reveal that the attack was a leaked document rather than a breach of network security. A quick review shows all of the systems listed are a UNIX flavor. Either the attackers did not want to reveal a more representative sample from their victims or they may really just have found a UNIX project manager’s USB in a parking lot.

Back to the core questions, the best way to anticipate and detect breaches is by analyzing logs. If the attackers were trying to inventory systems on the network, for example, that activity would leave a trail of evidence in the system logs. All 511 servers listed should show the same or a similar footprint left by the attackers, and the network devices connecting the servers would also hold log information to help identify the attack. This means a robust log archive and analysis system needs to be in place before attacks begin, in order to capture enough information to identify the problem and alert administrators before the breach succeeds or spreads. Log management is no longer just about operating systems and network devices, however. It also needs to incorporate detailed user information from identity systems, especially with regard to shared or system accounts. Identity integration means that if the attackers compromise the “root” account, logs can be correlated to show which user was really using root, and from where.

Log management is also critical in responding to a breach. Proving that there was no attack requires an archive of logs that goes back several years; that archive can be used to counter a claim that the servers have been breached for “some time”, because the logs could show that a breach did not happen. On the other hand, the ability to identify attack signatures, as mentioned above, also helps with avoiding future breaches. Once the attack vector is thoroughly understood, an alert can be programmed into a Security Information and Event Management (SIEM) system. Every time a log or set of logs matches a particular attack pattern, or even just resembles other attacks, the SIEM can send an instant alert or start a watch list for administrators to investigate.
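As an added example of the two ideas in the preceding paragraphs (it is not code from the original post or from T-Mobile), the script below runs a SIEM-style rule over constructed syslog lines: it flags one source address that logs into many distinct hosts within a short window, the footprint an inventory sweep across the listed servers would leave, and it ties each escalation to root back to the interactive login that preceded it on that host, so “root did it” becomes “jsmith, from 10.9.8.7, did it”. The hostnames, usernames and addresses are invented; the line formats are modelled on common sshd and su syslog messages, and the year is an assumption because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and addresses), in
# the style of sshd "Accepted ..." and su "(to root) ..." syslog messages.
SAMPLE_LOGS = """\
Jun  6 02:10:01 web01 sshd[4121]: Accepted password for jsmith from 10.9.8.7 port 51022 ssh2
Jun  6 02:10:09 web01 su: (to root) jsmith on pts/1
Jun  6 02:11:15 db01 sshd[7731]: Accepted password for jsmith from 10.9.8.7 port 51023 ssh2
Jun  6 02:11:20 db01 su: (to root) jsmith on pts/0
Jun  6 02:12:40 app03 sshd[1201]: Accepted password for jsmith from 10.9.8.7 port 51030 ssh2
Jun  6 02:12:44 app03 su: (to root) jsmith on pts/2
Jun  6 09:30:00 web01 sshd[4300]: Accepted publickey for ops from 10.1.1.5 port 40010 ssh2
Jun  6 09:31:00 web01 su: (to root) ops on pts/3
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")


def parse_syslog(text, year=2009):
    """Turn raw syslog lines into time-sorted login and su events.

    `year` is an assumption: the classic syslog timestamp carries none.
    Lines that match neither pattern are skipped rather than crashing the run.
    """
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        login = LOGIN_RE.search(msg)
        su = SU_RE.search(msg)
        if login:
            events.append({"time": ts, "host": host, "kind": "login",
                           "user": login["user"], "src": login["src"]})
        elif su:
            events.append({"time": ts, "host": host, "kind": "su",
                           "user": su["user"], "target": su["target"]})
    return sorted(events, key=lambda e: e["time"])


def fanout_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """SIEM rule: one source address reaching `min_hosts` distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "login":
            by_src[e["src"]].append(e)
    alerts = []
    for src, logins in by_src.items():
        for i, first in enumerate(logins):  # sliding window anchored on each login
            hosts = {e["host"] for e in logins[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts), "start": first["time"]})
                break  # one alert per source is enough to start a watch list
    return alerts


def attribute_root(events, max_gap=timedelta(hours=1)):
    """Map each escalation to root back to the real user and source address.

    The most recent login by the same user on the same host is taken as the
    originating session; if none exists within `max_gap`, the source is unknown.
    """
    last_login = {}  # (host, user) -> latest login event seen so far
    attributed = []
    for e in events:  # relies on parse_syslog's time ordering
        if e["kind"] == "login":
            last_login[(e["host"], e["user"])] = e
        elif e["kind"] == "su" and e["target"] == "root":
            login = last_login.get((e["host"], e["user"]))
            src = login["src"] if login and e["time"] - login["time"] <= max_gap else "unknown"
            attributed.append({"time": e["time"], "host": e["host"],
                               "real_user": e["user"], "src": src})
    return attributed


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOGS)
    for a in fanout_alerts(evs):
        print(f"ALERT {a['src']} touched {len(a['hosts'])} hosts from {a['start']}: {a['hosts']}")
    for r in attribute_root(evs):
        print(f"{r['time']} {r['host']}: root was really {r['real_user']} from {r['src']}")
```

The fan-out rule is deliberately keyed on distinct hosts rather than raw login counts, so a busy admin hammering one box does not trip it while a quiet sweep across three does; in a real deployment the threshold and window come from the baseline of your own environment, and the identity join would be against the directory rather than a per-host su line.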

Perhaps most important of all is to recognize the potential cost of disruption from this kind of message. Does your organization have a system in place to rapidly assess the validity of an attack claim? Without an effective system of managing logs and security information, an anonymous message to a forum could pose a significantly high risk even without any validity or proof. The T-Mobile message raises a number of important points that organizations should reflect upon as they review their logs tonight.

Lessons from Flight AF 447

Spiegel Online has the best analysis I have seen so far on the Air France crash. They highlight the Call for Airborne ‘Black Box’ Data Stream

If search teams fail to recover the flight recorder, which consists of two metal devices that record flight data and cockpit conversations, this question may never be answered. “It would be a real shame for aviation,” says Robert Francis, the former vice chairman of the National Transportation Safety Board, the agency that investigates aviation accidents in the United States. “If we want to avoid dramas like this in the future, we have to know what went wrong,” says the safety expert. For this reason, Francis wants to see all important flight data transmitted via satellite in the future, using ACARS technology. “This crash demonstrates how valuable this technology could be,” he says.

The technology exists today. A simple change to the black box program is all that would be necessary.

Krishna Kavi, an engineer and professor at the University of North Texas in Denton, presented the US Federal Aviation Administration (FAA) with a similar system 10 years ago. “The cost is low,” he says. For the 256 parameters recorded by a black box, Kavi came up with a volume of data requiring transmission of four to eight kilobits per second. “This is a fraction of what mobile wireless devices transmit today,” says Kavi.

There will be debates about the bandwidth necessary, the level of information to send, and so on, just like with log management. This is a fascinating way to look at the problems that most organizations face every day. Are you logging the right level of information to detect a failure in time and to avoid a repeat? It is not clear that AF 447 would have been avoidable with better monitoring systems, but they would certainly help with the speed and cost of post-incident analysis. Note that it is the pilots who seem to object most to increasing the signal rate and using surveillance. They claim privacy rights, to which the obvious response is encryption of the stream, paired with strict access controls on the archived data.