Category Archives: Security

Somalia Targeted for Nation Building

Defense experts in the US are coming forward to suggest the piracy problem with Somalia might require something like stabilizing the country, DefenseLink reported yesterday.

Whether it’s humanitarian aid to Somalia or possible military training to Somalis, [Pentagon spokesman Bryan] Whitman said, there’s no shortage in ways and means the United States and international partners could approach the piracy issue and Somalia’s lack of a legitimate government. The pure size of the region presents difficulties, he added.

“Clearly, it’s a big challenge when you’re talking about a coastline and body of water as large as it is, and you’re dealing with a country that is largely ungoverned — that certainly is a complicating situation,” Whitman said.

I have mentioned before that the US most likely wanted to destabilize the region for purposes of keeping open access to suspected terrorists. In short, sovereignty of a newly forming Islamic state with historic animosity towards the US would have made strategic anti-terror missions far more difficult in the Horn. Thus, as Somalia was on the verge of stabilizing, the US appeared to undermine the new rulers rather than support them.

Fearing the influence of militant factions within the Islamic Courts, the United States backed a loose coalition of warlords who had the savvy to dub themselves the Alliance for the Restoration of Peace and Counterterrorism. Somali women took to the streets to protest the U.S. policy.

“Many women supported the Islamic Courts in Mogadishu because they received security,” said Alia Adem Abdi, who chairs the Hiran Women Action on Advocacy for Peace and Human Rights Organization, based in Somalia’s restive central Hiran region. “They had an access to move freely in the capital city. Also the children had access to go to school. But not now.”

Last Christmas, a weak Transitional Federal Government stormed Mogadishu with backing from neighboring Ethiopia and tacit support from the United States, sending the coalition of jihadis and militias who backed the Islamic Courts underground.

Perhaps the US did not anticipate the growth of an uncontrolled piracy market as a result of their alliance with Ethiopia and military operations in this region. On the other hand, perhaps the prior administration felt the risks and side-effects to shipping were an acceptable cost for their anti-terror doctrine. In either case I see a change in policy regarding risk management and Islamic state relations, rather than a new approach to piracy as a result of the Maersk incident.

New Credit Card Security in America

Every time I speak at a PCI event someone in the audience asks when America will get more security controls for credit cards themselves. It is a valid question. The cards have not changed much in decades, while the threats clearly have grown exponentially. The most often cited reason I hear for America’s lack of security controls in cards is the cost of changing the infrastructure that reads them. Perhaps this was best expressed as a business decision where the cost of fraud was measured against the cost and benefits of securing the infrastructure. The balance has now tilted and Computerworld reports on new security measures as reinforcements for PCI.

Fifth Third is testing the use of magnetic-stripe technology to create unique digital fingerprints for each card. Dan Roeber, vice president and manager of merchant PCI compliance at the bank, said it has distributed about 1,000 new card readers to retailers that haven’t been told about the pilot project. The readers use data from the magnetic stripe on the back of cards to create a “DNA picture,” which is matched against baseline information during the transaction authorization process, Roeber added during a panel discussion at the Visa conference.

The argument for this first technology is that it avoids key management issues for end-to-end encryption, which many companies are still afraid to implement.

The pilot at OfficeMax involves a challenge-and-response technique being used to help authorize card transactions. The retailer is asking shoppers for information such as their ZIP codes, the last four digits of their phone numbers or their three-digit area codes. The responses are then matched against previously submitted answers, said William Van Orman, OfficeMax’s treasurer.

That sounds reasonable, except it is based on a clumsy system of managing secrets, very similar to the fear of key management in the prior case. ZIP codes, phone numbers, area codes… the easier the information is to manage, the less value it has as a secret.

A third option is advanced payment management services. I was recently called by the fraud-alert service to verify charges on my account. Although the service is nice, it seems rather expensive to have a personal call take place. That is why automation will soon take this over and we should see transaction “alerts” pushed in real-time to mobile devices. Imagine instead of taking your receipts home and plugging them into Quicken manually, you get instant confirmation on your mobile accounting software when you use your credit card. If you do not recognize the charge, you can respond with a fraud alert notice yourself.
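To make the third option concrete, here is a small issuer-side model of push alerts with a cardholder response. This is an added example, not code from the original post, from Fifth Third, OfficeMax, or any payment processor; the AlertService class, its response window, and the sample transactions are all constructed for illustration.

```python
"""Minimal model of real-time transaction alerts with cardholder response.

Added example (hypothetical issuer-side service, not any real product):
every authorization pushes an alert; the cardholder confirms or disputes it
inside a response window; anything left pending is closed as unanswered."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"        # alert pushed, waiting for the cardholder
    CONFIRMED = "confirmed"    # cardholder recognized the charge
    DISPUTED = "disputed"      # cardholder raised a fraud alert
    UNANSWERED = "unanswered"  # response window passed with no reply


@dataclass
class Transaction:
    tx_id: str
    merchant: str
    amount_cents: int
    issued_at: int            # seconds on a constructed clock
    status: Status = Status.PENDING


@dataclass
class AlertService:
    """Hypothetical service: pushes one alert per authorization and records
    the cardholder's answer only if it arrives inside the window."""
    response_window_s: int = 300
    txns: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # stands in for a push channel

    def authorize(self, tx: Transaction) -> dict:
        self.txns[tx.tx_id] = tx
        alert = {"tx_id": tx.tx_id, "merchant": tx.merchant,
                 "amount_cents": tx.amount_cents}
        self.outbox.append(alert)                 # "push" to the mobile device
        return alert

    def respond(self, tx_id: str, recognized: bool, now: int) -> Status:
        tx = self.txns[tx_id]
        if tx.status is not Status.PENDING:
            return tx.status          # first answer wins; later ones are ignored
        if now - tx.issued_at > self.response_window_s:
            tx.status = Status.UNANSWERED          # too late to count as a reply
        else:
            tx.status = Status.CONFIRMED if recognized else Status.DISPUTED
        return tx.status

    def sweep(self, now: int) -> list:
        """Close out pending alerts whose window has passed; returns their ids."""
        closed = []
        for tx in self.txns.values():
            if tx.status is Status.PENDING and now - tx.issued_at > self.response_window_s:
                tx.status = Status.UNANSWERED
                closed.append(tx.tx_id)
        return closed


def run_demo() -> dict:
    """Walk three constructed authorizations through the alert flow."""
    svc = AlertService(response_window_s=300)
    # Constructed sample authorizations, not real transactions.
    svc.authorize(Transaction("t1", "Grocery", 4237, issued_at=0))
    svc.authorize(Transaction("t2", "Electronics", 89900, issued_at=10))
    svc.authorize(Transaction("t3", "Fuel", 5500, issued_at=20))
    svc.respond("t1", recognized=True, now=30)     # cardholder taps "yes"
    svc.respond("t2", recognized=False, now=45)    # cardholder flags fraud
    svc.respond("t2", recognized=True, now=50)     # ignored: already disputed
    svc.sweep(now=400)                             # t3 was never answered
    return {tx_id: tx.status.value for tx_id, tx in svc.txns.items()}


if __name__ == "__main__":
    print(run_demo())
```

The two design points worth noticing: a late or repeated reply cannot overwrite an earlier dispute, and an unanswered alert is recorded as neither confirmed nor disputed, so the issuer still has to decide a default posture for silence rather than treating it as consent.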

Germany bans GM corn

Deutsche Welle says Germans do not want a US biotech giant’s genetically modified corn strain.

Germany has decided to ban genetically modified corn, Agriculture Minister Ilse Aigner announced Tuesday, amid concerns over its environmental and economical impact.

We in the information security field (you know who you are) often whine about the scarcity of data to make informed risk decisions. The factors that fuel debate over genetically modified crops have many interesting parallels to the study of information security.

  • Crops vary greatly and thus are difficult to evaluate in terms of safety (infosec varies by business)
  • Genetic modification involves many factors beyond the desired state, while toxicity is only measured by known toxins and nutrient levels (infosec struggles with whitelist/blacklist are similar)
  • There do not appear to be any peer-reviewed clinical studies published on animal health risks from GM, let alone human (breach data is only just maturing enough for peer-review and studies of depth)
  • GM companies try to establish a comparison test for crops as a litmus of safety, but there are no regulations for test methods and measures (common controls and frameworks continue to appear, with no one accepted test of security)