US Protected Nazi War Criminals

The US National Archives has issued a report based on newly declassified material, which confirms that the US protected Nazi war criminals as early as 1946. I noticed it mentioned on German news, ironically.

The report, titled “Hitler’s Shadow: Nazi War Criminals, US Intelligence and the Cold War,” draws on information classified until 2005 and made available under the Nazi War Crimes Disclosure Act, an effort by Washington to shed a more critical light on its own secrets.

The report looks into a number of former SS and Gestapo members who escaped justice with the US either knowingly tolerating their escape or even helping them to flee.

The report is available at www.archives.gov (PDF). Here are some excerpts:

The CIA moved to protect Ukrainian nationalist leader Mykola Lebed from criminal investigation by the Immigration and Naturalization Service in 1952.

[…]

…on October 15, 1959, only 10 days after the CIA Munich base made the request [for a US Visa], a KGB assassin named Bogdan Stashinskiy murdered Bandera with a special gun that sprayed cyanide dust into the victim’s face. The Soviets, who had penetrated Bandera’s organization and the BND years before, evidently decided that they could not live with another alliance between German intelligence officers and Ukrainian fanatics.

[…]

Once in the United States, Lebed was the CIA’s chief contact for AERODYNAMIC. CIA handlers pointed to his “cunning character,” his “relations with the Gestapo and … Gestapo training,” and the fact that he was “a very ruthless operator.”

US Navy Builds Schools in Africa

Earlier this year the U.S. Africa Command announced a successful construction project in the Comoros.

The ceremony marked the completion of a $500,000 project funded by U.S. Africa Command (AFRICOM), providing eight classrooms and 10 latrines.

“Today’s dedication represents the commitment and respect of our two nations towards the idea that education is a key to reaching our future goals and dreams,” Losey said to an auditorium full of local Comorians and U.S. military members. “For many, many months now, the Comorian military and elements of the U.S. military have worked together, side-by-side, and have persevered and prevailed through many challenges to bring this school to fruition.”

My math might be a little rusty, and I know schools need all facilities, but I hope the majority of money was not spent on toilets. Maybe the Navy means plumbing when they say latrines. I wonder what the many challenges were. I found a clue in a report by Captain Joe BluBaugh, several months after the school was finished:

Next we traveled to a government-run hospital to review a project the MCAT (Maritime Civil Affairs Team) members designed to provide the hospital laboratory with running water throughout the day as they normally only have water provided through the city distribution system for two hours a day. The project will use a cistern that will fill up when city water is available to supply water throughout the whole day.

Upon arrival, the director of the hospital took us to their main water line to show where it had broken. Furthermore, the pump that supplied water to the hospital through the main line had overheated and was no longer functional. The hospital did not have the resources or expertise to fix either of the problems. Now the entire hospital was without a basic necessity. Situations like this make me realize how much we take basic necessities for granted.

In my short time on the continent, maintaining equipment and basic infrastructure appears to be a significant challenge facing many East African countries. Military teams forward deployed from CJTF-HOA, similar to the MCAT in the Comoros, are working with our partner nations to provide knowledge and build capacity to help address these challenges.

The importance of AFRICOM efforts should not be understated. Terror groups like al Qaeda are infamous for recruiting disenfranchised youth from Islamic countries that offer them limited opportunities.

The school story shows a relatively inexpensive countermeasure. Hopefully the American military is intent on helping ensure there are good reasons to want to stay in school; it is nice to see evidence of the US thinking about international security in terms of graduations, health care and economic development. Now, if they could just take the same view for national security.

Amazon and PCI DSS Level 1 Compliance

Although I have panned Gartner for hyping Amazon standards in the past, congratulations might be in order for Amazon’s recent PCI DSS certification announcement.

Maybe.

Amazon has a PCI DSS Level 1 Compliance FAQ that has been written in an odd way — to convince us of several key points.

They say they did not have to get certified, but they did it anyway. Good for them.

AWS, as a service provider, does not directly manage cardholder environment (and therefore, unlike merchants, does not require certification). AWS provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant.

Got that? AWS is “unlike merchants”. They did not get certified beyond a minimum level of infrastructure that you would have to certify yourself, which also theoretically makes them far less cloud-ish. Cloud-esque? Cloud-y? They are just a service provider. The ball of responsibility (to establish a secure cardholder environment) will be thrown by Amazon into your court when you say PCI-me. In other words, you say hot potato, they say…”have confidence in your potato”.

The bottom line appears to be that you are going to do the same work you would have done before, even as an Amazon customer, but now they want you to feel that you can do it with confidence because they have allowed a QSA to certify them. This could have value (i.e. less paperwork, reduced audit time), but where does this confidence really come from?

Maybe you want to read their report. AWS’ compliance validation was completed and submitted on November 30, 2010 but is not yet public let alone approved by the Security Standards Council (SSC). That’s a tough start.

…customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification…. All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that don’t deal with the technology infrastructure, including how you manage the cardholder environment that you host with AWS.

Perhaps you only wanted to use Amazon infrastructure as a service (IaaS), but that raises the question of why go to Amazon instead of a competitor who specializes in infrastructure.

Amazon says in their FAQ over and over that you can rely on them. It really seems to mean that if you need PCI they will downgrade you to an infrastructure-only customer (i.e. uncloud-able) rather than treat you like a full platform or even software customer.

With that in mind it is hard not to notice how Amazon infrastructure customers must face a certain exception.

They will not give you physical access to assess their security.

Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.

I get confidence from the word extensive. Another good word is thorough. Exhaustive? Comprehensive? But I digress…customers of Amazon do not get to verify the work performed by the Amazon QSA, and do not get to review the physical security of their data centers (at least not directly).

Requirement 9.1 of PCI DSS 2.0 says “Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.” Perhaps it soon will add “…unless you have a service provider who has been certified, and then you should just rely on them.”

There will be no merchant verification of the existence of physical security controls at Amazon. The one option offered is to rely on the work of their QSA, but we have to keep in mind that their QSA’s review was limited in nature because AWS positions itself to be only a service provider for PCI customers.

All that being said, on the one hand I can see why infrastructure providers ask for sympathy. They argue that it is exhausting to have every customer come on-site to demand access and time for compliance reviews. It may be a burden with thousands of customers. On the other hand, if they had controls working properly the reviews would require very few resources on their part. In fact, I have spent many hours in on-site audits helping providers see things that their auditors did not catch. Some were appreciative because one customer ends up paying for an assessment that benefits all their customers. The burden becomes proportional to how well security is managed; those that complain and refuse access most likely have the most to worry about.

Amazon’s position thus sounds a lot like a restaurant that tells customers they are not allowed to see or ask anything about the kitchen because a food inspector has that role. Does that give you confidence?

Maybe it’s just me, but I find it hard under those terms to give congratulations to the chef.

Update: The McKeay blog has a prior official statement from Amazon in August of 2009:

We are excited to hear about your interest in moving to EC2. We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.

That is a reference to PCI DSS 2.0 Requirement 12.8.2, which says that a service provider must acknowledge responsibility for cardholder data security:

12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.