GAO: 8 Ways to Secure Wireless

The US Government Accountability Office (GAO) has issued a report that says Federal Agencies need to take further actions to reduce risk from wireless. They have boiled it down to just eight things that need to be done properly:

  1. Policies
  2. Risk-based approach
  3. Centralized network management (both wireless and wired)
  4. Configuration requirements
  5. Training
  6. VPN
  7. Continuous monitoring
  8. Regular security assessments

That’s a comprehensive list, and not much different from the kind of list you might have found ten years ago for wired and wireless networks. This raises the question of what it has to do with risk: where and how should an agency apply a “risk-based” framework to today’s biggest risks?

The first example they give is dual-connected systems — devices that bridge two security levels on a network. A laptop could be associated with a wireless network and at the same time be plugged into a wired network, theoretically giving an attacker on the wireless side a path into the wired one. Controls should be in place that either prevent this configuration altogether or detect it and initiate enhanced monitoring, response, etc. It is not a new threat, but it is a vulnerability that has become far more likely now that almost all new devices have at least two network interfaces built in.
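As an added illustration of the “detect it” control above (this script is not from the GAO report), the check below walks a Linux sysfs tree and reports when a wired and a wireless interface are up at the same time. It assumes the kernel’s `/sys/class/net/<iface>/operstate` file and the `wireless/` subdirectory that Wi-Fi drivers expose there; the optional root-directory argument exists only so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: flag a dual-connected (wired + wireless) Linux host.
# Assumption: the kernel exposes operstate and, for Wi-Fi NICs, a
# wireless/ subdirectory under each /sys/class/net/<iface> entry.

# Print "wired <name>" or "wireless <name>" for every non-loopback
# interface whose operstate is "up". $1 overrides the sysfs root.
active_ifaces() {
  root="${1:-/sys/class/net}"
  for d in "$root"/*; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    [ "$name" = "lo" ] && continue
    state=$(cat "$d/operstate" 2>/dev/null || echo unknown)
    [ "$state" = "up" ] || continue
    if [ -d "$d/wireless" ]; then
      echo "wireless $name"
    else
      echo "wired $name"
    fi
  done
}

# Exit 0 and print the offending interfaces when at least one wired AND
# one wireless interface are up together; exit 1 otherwise. The exit
# code makes it usable as a cron or endpoint-agent compliance check.
dual_connected() {
  list=$(active_ifaces "$1")
  echo "$list" | grep -q '^wired ' && echo "$list" | grep -q '^wireless ' || return 1
  echo "DUAL-CONNECTED host: bridging wired and wireless"
  echo "$list"
  return 0
}

# Run against the live system when executed directly.
if [ "${1:-}" = "--check" ]; then
  dual_connected
fi
```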

Another example they give is “insufficient practices for monitoring or conducting security assessments of their wireless networks.” I find this hard to believe. It is trivial and inexpensive to do a wireless assessment, as well as to build monitoring; what has led to the insufficient practices?

Although a number of recommendations (six, to be exact) are made in the summary of the report on page 38, assessment and monitoring seem to have been omitted. The closest reference I could find is this:

…develop the scope and specific time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs.

The report therefore appears to be strong on making recommendations for technical configuration but not on how and when internal tests should be performed.

Cancer Risk from TSA X-Ray Backscatter Scanner

A blog called My Helical Tryst has posted a lengthy review of the TSA X-ray backscatter body scanner safety report.

The review, written by a biophysics and biochemistry expert, raises many excellent health questions. Its subtitle is “hide your kids, hide your wife,” but another interesting angle is that the scanner operators are not wearing radiation badges. A badge would be a simple and inexpensive way to measure the exposure risk of the scanner, and so to demonstrate whether it is safe.

Finally, I would like to comment on the safety of the TSA officers (TSO) who will be operating these machines, and will be constant ‘bystanders’ with respect to the radiation exposure. The range of exposure estimates is a function of where an officer stands during their duty, what percentage of that duty is spent in the same location and how often the machine is running. A TSO could be exposed to as much as 86-1408 mrem per year (assuming 8 hours per day, 40 hours a week, 50 weeks per year and between 30-100% duty and 25-100% occupancy, as defined by the Johns Hopkins report), which is between 86%-1410% of the safe exposure of 100 mrem. At the high end, if for example a TSO is standing at the entrance of the scanner when it is running at maximum capacity, then that officer could hit their radiation exposure limit in as few as 20 working days (assuming an 8 hour shift). While we may not be very happy with our TSOs at the moment as the face of these policies, we need to keep in mind that they really should be wearing radiation badges in order to know their specific exposure (especially for those officers who may also have to receive radiation exposure for medical reasons).

Somali Portland Bomber Foiled by Parents

Excellent analysis of the Somali bomber plot in Portland, Oregon. From The Agonist:

These are well-known among local fellow [Somali] nationals.

1.) The suspect’s father two years ago notified federal authorities that his son was in sympathy with Islamicist terrorists, and even turned over to them his passport, so that he was unable to leave the country.

2.) The young man entered the United States at 3 years of age and had been at odds with his parents for quite some time, since they appreciated the opportunities here much more than he did.

3.) So assimilated are his parents that his mother was present among the crowd celebrating the beginning of the Christmas shopping season while he was engaged in attempting to kill everyone in it.

I have every reason to believe these assertions to be valid. One man after another started to tell them to me, right after joining the conversation at the table, without having spoken to the others about it. Taking them as credible, then, means that the effort to characterize this case as one of entrapment is both weak and superficial.

The real reason for the safe outcome of this incident of a disaffected Islamic man has little to do with the vigilance of our national police. We are no safer today as a result of the efforts of the National Security State. Rather, the potential for violence was averted, fundamentally, due to the unusual openness of American society, which made the parents of the young terrorist wannabee feel welcome enough in the U.S. to sacrifice their own child to the protection of the community of which they felt themselves to be a part.

Science-fiction under Soviet rule

A historical science-fiction exhibit in Prague illustrates how writing about the future was controlled, and then relaxed, under Soviet authority.

“Unlike Western science fiction, which was more plot-oriented, Czech writers tended to be more oriented to ideas, and maybe moral issues,” added Ivan Adamovic, another curator at the show. It was not until the 1960s that they devoted more attention to action and gripping plots, he noted.

Pospiszyl also pointed out the emphasis on the positive posed particular difficulties in creating plot lines.

“It was actually quite a problem for writers and artists of that time to even find dramatic situations,” he said. “Because the future was supposed to be optimistic and great. They found a solution in ceding little pockets of capitalism that somehow travelled in time, or were rediscovered in the future.”

A more fundamental change also happened around the same time: once the party-line optimism was relaxed, a more critical look at the risks of technology became possible:

“It came in the second half of the 1960s, when people realised we would not reach communism within the 20th century,” Adamovic said. “Also they noticed that technological progress will not solve everything, as they thought before.”