Sailing, Security

Cruise Ship security comes under scrutiny

Leave a comment

The US Senate is hot on the trail of security aboard cruise ships. Security Management reports:

Because cruise ships operate in international waters or the jurisdictions of foreign countries, they are required to report crimes to the FBI or the U.S. Coast Guard. However, because the ship might be miles from the closest federal officials, it often takes days for the FBI to arrive to investigate a scene. In that time, the investigation can be undermined. Witnesses noted that evidence can disappear, victims can be intimidated, and suspects can be coached. Also, the cruise industry is not required to disclose crime statistics, making it difficult to assess the rate of shipboard incidents

That sounds like what most IT environments used to be like before laws like California’s SB1386 were passed.

Just last year I had to argue with company executives about an investigation after a telecommunications breach where they wanted to destroy evidence. They had “back-to-business” fever and wanted to move on in life as quickly as possible. Without outside governance, it can be almost impossible to get a person driven by sales numbers and pride to stop and dwell on a fault or flaw, especially when harm is externalized.

Sen. John Kerry (D-MA), the subcommittee chairman, noted that the cruise industry lacks mandatory, standardized procedures to prevent and respond to criminal acts on board ships. Terry Dale, president and CEO of Cruise Lines International Association, stated that mandatory procedures were unnecessary because cruise lines implemented voluntary processes to protect passengers.

Where have I heard that before? This is the “trust us” line of reasoning, which is based on an toothless promise. What penalty exists if voluntary measures, even when documented clearly, are not followed? None, of course, because there is no penalty mechanism in volunteerism without governance. A more logical response from Dale (well, from a security professional perspective) would be that governance is welcome because he understands the safety and security needs of customers and is ready to address their concerns directly and with accountability.

The problem with hiding behind toothless volunteerism and not taking a more proactive approach to regulation is that a law could be passed anyway, but without collaborative input. This just wastes everyone’s time.

Bill S.3204 is now under consideration with numerous security measures:

…peep holes, security latches on cabin doors, and CCTV. The bill would require that all ships have crew members aboard who are trained in crime scene investigation. Cruise lines would be required to report all incidents of criminal activity to the Coast Guard, who would then make that information available to the public via the Internet. Under the bill, members of the Coast Guard would be dispatched to cruise ships to ensure that they comply with the law.

Sounds reasonable to me, although it raises the issue of who will be responsible for the privacy of passengers under the surveillance system. Can you trust the same crew already under suspicion of unethical and criminal behavior. Lets hope screening is used and privacy controls are in place to prevent new information security violations from adding fuel to the fire.

Security

Card Social Engineering Still a Problem

Leave a comment

Stories like this one just reinforce how hard it is to educate the consumer. Credit card companies started using the security code on the back of the card to fight fraud, and so criminals created a scheme to update their database with the security code information:

Recently, a representative of Senior Health Insurance Counseling for Kansas (SHICK) called our office to report that a number of their clients were being called and asked for their credit card information. The scam they described is particularly insidious because of the professionalism of the caller on the other end of the line.

Of course these are professionals. There is money at stake, and a growing underground economy, so the criminals will not only pay to increase their chance of success but they also might be in competition with each other — the bar has been raised for criminals.

The caller will ask you to read the three numbers to him to verify you are in possession of the card.
[…]
What makes this such a successful scam is that they never ask for your account number or other personal information. They have most of the information, and so they sound legitimate.

Agreed. People tend to trust someone who can authenticate themselves to them. “I know these three things about you…”

The problem is the victims do not realize that there never should be a reason to read the security code to the card companies. This is a business logic flaw. Why prove possession of the card to a credit card company? The opposite is supposed to be true. If you call the card companies and say you do not have the card, they will send you a new one. If you say you are in possession of the card, they will say “ok, have a nice day”. They need you to prove your identity, but they need no proof of card possession from you. They only need retailers to prove that a purchase was made by you.

History, Poetry, Security

A Caucus Race and a Long Tale

Leave a comment

Written in 1865, before the typewriter, this is from Alice in Wonderland, Chapter III, “A Caucus Race and a Long Tale” by Lewis Carroll (Charles Lutwidge Dodgson):

                      "It _is_ a long tail, certainly," said Alice, looking
                     down with wonder at the Mouse's tail; "but why do you
                     call it sad?" And she kept on puzzling about it while the
                     Mouse was speaking, so that her idea of the tale was
                     something like this:----"Fury said to
                               a mouse, That
                                     he met in the
                                          house, `Let
                                              us both go
                                                 to law: _I_
                                                  will prose-
                                                   cute _you_.--
                                                  Come, I'll
                                                 take no de-
                                              nial: We
                                           must have
                                        the trial;
                                     For really
                                   this morn-
                                 ing I've
                                nothing
                               to do.'
                                Said the
                                 mouse to
                                   the cur,
                                      `Such a
                                         trial, dear
                                             sir. With
                                               no jury
                                                or judge,
                                                  would
                                                 be wast-
                                               ing our
                                             breath.'
                                          `I'll be
                                       judge,
                                    I'll be
                                  jury,'
                                said
                               cun-
                               ning
                                old
                                  Fury:
                                   `I'll
                                      try
                                        the
                                         whole
                                          cause,
                                           and
                                          con-
                                        demn
                                    you to
                               death'."
History, Security

The case for and against personal surveillance

Leave a comment

Bruce Schneier thinks an article in the London Review of Books is “nice”.

It’s hard to disagree with nice, but I will try. Take for example, this quote from the article about sharing mobile data:

Such services are obscure, and barely legal, but it’s about to be brought home to the majority of mobile users that what they’re up to isn’t private information

This needs some perspective.

I have heard from engineers working on this functionality for at least five years, and I first used Helio’s buddy finder system years ago.

At one evening social in 2004 I remember a bright young engineer from Berkeley who told me he was building a system that would reveal “hot spots” for dinner and nightlife by mapping the concentration of mobile devices. For example, he said you would want to go to the dance club once a certain threshold of people had arrived. Although I could imagine alerts based on certain conditions (e.g. Bob and Alice are on site, Charlie has not, therefore it is time/safe to arrive) I instead pointed out to him how I would game the system.

A restaurant, depending on his system’s authentication and authorization, could easily create high numbers of bogey attendees as a form of marketing. If people started showing up on site soon after, their presence would either confirm what they saw on the map or drive them to question the accuracy of the system. I asked him whether trust was critical to the success of his system.

He walked away with a worried look.

Perhaps more to the point I had to work extensively with an army of lawyers to build privacy protections into “public info” mobile services at least two years ago.

The pressure from mobile carriers to share user information is intense, because data is where the mobile companies and the software vendors derive and push value to you, the ever-demanding customer. They think you will buy more “stuff” from them if it can tell you more about your communities and friends.

While the author of this article dismisses the “approval” message control as insufficient, there is no mention of the usability balance (curse?). Most users are statistically challenged when it comes to security. They want ease-of-use and the mobile companies are all too willing to oblige.

A few people, like myself, are hired by software and mobile companies to argue on behalf of consumers. We say the usual things, such as privacy is paramount and controls need to be tough to circumvent.

In response, we inevitably are faced with a series of user feedback studies and support-queue reports that suggest the majority of users really just want the easiest interface possible (which also just happens to be the least cost solution to the provider) with a data-rich source at their fingertips.

I am not surprised that we are moving towards the capability of a private and open surveillance society. In fact, I think that has always been the trend. I am only surprised when people try to pretend that this is a new problem, and that there is no precedent or case to be made for giving people fair and balanced governance system. If you leave decisions to mob rule, or a benevolent dictator…hopefully you get the picture. I met with Motorola, Nokia, Sony, Helio and others about these issues years ago and it was always fun to draw upon concepts like economics, ethics and political systems to resolve the security disputes.

We’ve been here before. Designing protections against abuse related to mobile device data should be like designing the next wheel — new technology, same old concepts.