Monday, July 30, 2007

ARC Training Completes Three Major Consultancy Projects in First Half of 2007

Since adding a consultancy capability to its services at the beginning of 2007, ARC Training has successfully completed three major consultancy projects:

- A comprehensive review of security plans and procedures, Board briefings and awareness training for a major Middle East LNG supplier, exporting to international markets all over the world

- A security review of the strategic oil reserve storage site for an EU member country

- Writing security policies and procedures for one of the world’s best known pharmaceuticals

If you have a requirement for security consultancy of any kind, David will be happy to assist with finding the appropriately-skilled consultant.

Friday, July 27, 2007

Is There a Spy in Your BlackBerry? Servers in the UK May Be Tapped, Warns Evening Standard

Servers for BlackBerry in the UK may be being tapped into, in order to steal information from private handsets, according to the London Evening Standard.

France's national security services have warned that the wireless devices can be intercepted and have banned their use in the president's and prime minister's offices, and they are reported to have advised all government officials working in sensitive offices not to use BlackBerry devices because "they use overseas servers, opening up an espionage risk."

The security services said BlackBerry's servers in this country and in the US can be used to gather state secrets. French oil company Total also warns staff against using a BlackBerry for "security reasons".

The insecurity of BlackBerry servers was raised at the recent ASIS Advanced Physical Security Applications and Technology workshop in California, at which a US Secret Service delegate admitted that his organisation's BlackBerry sets are still in boxes, awaiting back-shipping to the supplier due to unresolved data security vulnerabilities.

For more on these stories follow these links:


Ideas to Help You Design Your Own Security Posters

Need some ideas to help you develop some security posters? Try starting here:



Useful Resource for Your Information Security Awareness Briefings

Thinking about conducting an in-house information security awareness seminar? Scare the pants off the iPod users by using some of the warnings put out in this presentation:

www.fast.org.uk/groups/POINTSECPRESINTERNALTHREATS.pdf

Getting Security Buy-In from the Business - Security Force Multiplying

One of our valued customers, a world-leading energy company, has been running a five-day course attended by 25 business managers in which they learned the basics of both international and company best security practice.

The company’s security philosophy is to use a small number of highly qualified security professionals backed by a wide network of business managers and supervisors who act as local focal points for security issues.

The Regional Security Advisor for the client said “These people are our force multipliers - they keep an eye on local conditions, fix whatever they can and call us if they cannot. In the event of a local crisis or incident, they become our local eyes and ears.”

The group received training in risk management; security design; physical and electronic security and information security. This was combined with input from the parent company to present the specific corporate view. One delegate said “It has been really worthwhile – I return to work far better equipped to watch the security at my location.”

Tuesday, July 24, 2007

China Breaks up $500 Million Piracy Ring

Pirated software worth more than $500 million (£242 million) has been seized by authorities in China as part of a joint operation run by Chinese police and the FBI. The syndicates targeted by the raids in the southern Chinese province of Guangdong are believed to have distributed more than $2 billion (£968 million) worth of counterfeit software to countries around the world, including the UK.

Chinese police arrested 25 people and shut down six manufacturing and retail facilities as part of the operation, which was described by officials in China as "an unprecedented co-operative effort" with the FBI. More than 290,000 counterfeit software CDs were seized by the Chinese Public Security Bureau (PSB), including 47,000 which contained fake Microsoft products, such as the Windows Vista operating system and the Office suite.

As many as a third of UK businesses were unaware they were running counterfeit software in their organisation, Microsoft said.

Managing the Risk of Counterfeiting is one of the many subjects addressed in Security Management Stage 3, 24th Sep - 5th October. Contact Janet for details.

Security Experts Claim First iPhone Hack

In what appears to be the first successful hack of Apple's iPhone, according to the Times Online, a group of security experts have shown how to take control of the device remotely using its internet connection.

The researchers at Independent Security Evaluators (ISE) demonstrated that by tricking the phone into accessing a particular website, or by using a rogue wi-fi connection, hackers could force the phone to forward on personal information, such as text messages and contact numbers.

By installing a piece of malicious code in the iPhone via its Safari internet browser, a hacker could take "complete control" of the device, Charles Miller, principal security analyst at ISE, said.

Cellphones - On the Air In the Air

In June 2007 the European Union approved the use of cellphones on passenger airliners. Although most airlines and aviation authorities have yet to allow cellphone use in the air, it is only a matter of time. So, apart from being irritated by your fellow passengers talking throughout the flight, why else should you be worried? Well, if you are doing business during the flight, either on a laptop, looking at documents or discussing plans and issues with colleagues, you should remember that most cellphones now have internal memory, voice recorders and cameras built in. When you are surrounded by passengers using their phones, it becomes much easier for an adversary to target you by using such a device covertly to steal information.

Remember also that if you are able to receive e-mail on a BlackBerry or similar device, your information will also be vulnerable to theft. And, for example, if you visit the WC during the flight, leaving your devices and documents unattended will provide a gift to anyone wishing to access them - your information could be retrieved, forwarded and deleted from the cellphone before you return to your seat. Travellers' information is already under threat from a variety of technical and non-technical sources; this latest approval for cellphone use adds another layer of threat.

For more on cellphone usage in the air click on:



IT Security and Incident Response

Ever wondered what the difference is between a botnet and a botnet herder, or between bullet-proof hosting and a dead-drop?

The meaning of these, and other hi-tech crime terminology, is revealed in a very useful BBC web page, which can be accessed by clicking on the following link:

http://news.bbc.co.uk/1/hi/uk/5400052.stm#bph

ARC Training will be conducting a new IT Security and Incident Response course during the period 9-10 October. Led by renowned IT security expert Ed Wilding, topics will include:

- IT threats to the organisation
- Legal issues relating to IT crime and misuse
- Analysing an IT scene of crime
- Managing IT evidence
- Investigating IT misuse

The programme is ideally suited for security managers who wish to raise their level of competence in this problematic area.

Al Qaeda in North Africa Threatens New Attacks

The North African branch of Al Qaeda threatened new attacks against "enemies of God" in North Africa in a statement posted on the Internet on 23 July, according to the International Herald Tribune.

"The Holy warriors, thanks be to God, have managed to reorganize their ranks and set forth their plans, and they are preparing a lot of surprises," said the statement posted on a militant Web site usually used by Al Qaeda.

These "surprises" will escalate "until the enemies of God's religion realize that they have no choice but to repent to God and halt the war against Islam and Muslims" in North Africa, the statement said. The message's authenticity could not be independently verified.

The North African branch of Al Qaeda claimed responsibility for a July 11 suicide bombing that killed at least 10 Algerian soldiers and wounded 35. Algeria suffered another suicide bombing two months ago, and Morocco was hit by suicide attacks in April.

On April 17 this blog warned of a reconstituted Al Qaeda threat in North Africa. Click below to be taken to this article:

For further details of this latest warning click on:





Monday, July 23, 2007

New Risks in Using USB Flash Drives

Cybercriminals are increasingly targeting portable USB drives as a way of spreading viruses, according to security experts.

ARC Training has long warned about the dangers of such devices being used by employees to steal information – a typical 4Gb client database can be copied in about 6 minutes with most off-the-shelf sticks, and only a small percentage of companies exercise any control over these devices – but now hackers have created malware programs that specifically target removable drives.

Examples of infectious malware seen in recent weeks include a Trojan that permanently deletes data from a user's computer and another that purports to provide information about HIV/AIDS, while infecting the PC.

Security experts at Sophos advise that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC. Any storage device which is attached to a computer should be checked for viruses and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

These, and other IT security issues, are discussed in Security Management Stage 1.

The Hidden Dangers of File Sharing Software – Tokyo Police Officer Inadvertently Shares Information on 400 Members of Yakuza!

Experts at Sophos's global network of virus and spam analysis centers have reminded companies of the importance of computer security and control after it was revealed that a policeman has lost his job for using file-sharing peer-to-peer (P2P) software.

The fired policeman, who has not been named, worked for the Metropolitan Police Department in Tokyo which confirmed recently that personal information about 12,000 people related to criminal investigations had been distributed across the net from an officer's PC. The police officer had installed the Winny file-sharing software on his PC, and did not know that confidential data was being made available to other users via the P2P network.

About 6,600 police documents are said to have been compromised, including interrogation reports, statements from victims of crime, and classified locations of automatic license plate readers. Among the files was a list of the names, addresses and personal information about 400 members of the criminal Yamaguchi-gumi yakuza gang.

Millimeter Waves May Present Some Hope for Detecting Pedestrian Suicide Bombers

For a few weeks in July 2006, according to Scientific American, a commuter rail station in New Jersey enjoyed the same screening protection as that surrounding the soldiers and civilians in Baghdad's Green Zone.

Using millimeter waves – wavelengths of light shorter than microwaves but longer than infrared – a walk-through portal produced images of passengers before they boarded the trains. Like an x-ray, the technology creates a revealing picture that can highlight items, such as plastic guns, that typical transit security sensors fail to detect.

The challenge now is to get the technology to work at a stand-off distance.

For the full article go to:

Wearable Wi-Fi CCTV Takes to the Football Terraces

LONDON (Reuters) - When English soccer fans take to the terraces next season, there's every chance they won't just be watching the game, they'll be being watched watching the game too. In the latest addition to what civil liberties campaigners have dubbed Britain's "surveillance society," a British company is in talks to supply wireless CCTV technology to a Premier League soccer club's security staff.

Hidden in lapels and hats, minute cameras would allow spotters in the crowd to beam live pictures from inside the stadium back to a control room where the images could be scanned in real-time for troublemakers and hooligans. Already trialled in city centres across Britain to cut down on crime, the technology is also used to tackle cash-in-transit theft, an increasingly common form of robbery, and to protect VIPs, according to 802 Global, the company that makes it.

For the technology-savvy, each wearable system connects back to a fixed or deployable wireless mesh infrastructure using encrypted wireless communications. The advanced mesh technology means that the nodes automatically search out and link to their neighbours without any need for user programming on site. Multiple cameras can connect back to a single hub either directly or via one or more repeaters. The same infrastructure also supports rapid deployment cameras mounted on poles, walls or tripods.

For further information click on:

Virtual Strip Searching at Airports Soon to Be a Regular Feature

During recent months passengers randomly selected for additional screening at Phoenix's Sky Harbor International Airport have had the option of a typical pat down by security personnel or a one-minute, full body scan from a new type of x-ray machine that allows screeners to see through clothes. The US federal government is testing so-called backscatter x-ray machines there, which can detect potentially threatening objects under a person's clothes by picking up x-rays scattered by materials. (Traditional x-ray machines pick up signals that pass through or are absorbed.)

"It's using edge detection to detect anomalies," says Joe Reiss, vice president of marketing at American Science and Engineering (AS&E), the Boston-based manufacturer of the SmartCheck machine. "If you are a suicide bomber and have a vest on, that would appear as clear as day in an image."


The system can operate in full scan mode, or can be configured to obscure the details from certain, more sensitive, body areas. Security specialists argue that in the latter mode the system is ineffective.


Similar trials have taken place in the UK, Russia and elsewhere.

Biometrics Feature – It Could Only Happen in Holland!

Plans to introduce biometrics screening for cannabis users in the Dutch town of Maastricht have been dropped. Buying cannabis in the Dutch city of Maastricht was to have meant having your fingerprints taken, your face scanned and your biometric data recorded. Cannabis is theoretically illegal in the Netherlands but has been tolerated in small amounts since the 1970s.

All 15 coffee shops in the southern city planned to spend about 100,000 euros ($134,000) installing a security system that would have made it harder for an under-age cannabis smoker to enter than a terrorist to set foot in Europe, according to Marc Josemans, head of the local coffee shop union.


Customers in Maastricht were to have their fingers and face scanned. The scans would have been compared with stored data and, if everything matched, they would be able to enter the coffee shop. No names and addresses were to be stored and details on the amount of cannabis bought every day were to have been saved only until midnight.


A less expensive form of fingerprint taking will now be used instead.

Newly Declassified Window Film Keeps Out Hackers, Phone Calls, EMPs

Like a tinfoil hat for your house, new technology promises to block hackers' access to your wireless transmissions - and protect against EMP attacks and explosions, to boot.

The coating, which in its thinnest incarnation is only two one-thousandths of an inch thick, can block Wi-Fi signals, cell phone transmissions, even the near-infrared, yet is almost transparent, making it no more intrusive than conventional window treatments. It can keep signals in (preventing attempts to spy on electronic communications) or out, minimizing radio interference and even the fabled electronics-destroying electromagnetic pulse (EMP) generated by a nuclear blast.

The film has already been plastered across the windows of more than 200 US government buildings, including structures operated by the departments of Defense and the Treasury, as well as in the homes of high-level members of the current administration. Currently the film is not widely available and is very expensive.

For the full article, click on:

http://sciam.com/article.cfm?chanID=sa001&articleID=6670BF9B-E7F2-99DF-3EAC1C6DC382972F

Fake Job Emails - Several Leading US Companies Fall Victim to Downloading Malware Which Steals Information

Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm announced on 17 July. The job listings carried malware payloads which were able to slip under the firewall radar.

Security experts say such crimes occur frequently because hackers have access to software that allows them to build undetectable malware that security firms are unable to fight, and because sensitive information is rarely encrypted, which plays into hackers' hands.

For the full story click on:

http://www.sciam.com/article.cfm?alias=hackers-steal-us-governme

Jamming Tags Block RFID Scanners

RSA Security has developed a countermeasure to block scanning of radio-frequency ID tags, responding to privacy concerns about the tiny devices that would allow retailers and manufacturers to track the whereabouts of their goods within a store and beyond.

The blocker tag, which can be placed over a regular RFID tag, prevents a receiver from scanning information transmitted by a tag by sending the receiver more data than it can read -- the equivalent of a denial-of-service attack. RSA doesn't have immediate plans to market the blocker and is waiting to see whether industry widely adopts RFID technology.


Concerns Continue to Simmer over RFID Privacy

If you are in the retail sector and are considering using RFID tags as a means of theft control, you should be aware of consumer privacy concerns, which have spawned entire websites and blogs.

Most concerns revolve around the fact that RFID tags affixed to products remain functional even after the products have been purchased and taken home, and thus can be used for surveillance and other nefarious purposes unrelated to their supply chain inventory functions. Although RFID tags are only officially intended for short-distance use, they can be interrogated from greater distances by anyone with a high-gain antenna, potentially allowing the contents of a house to be scanned at a distance, something distinctly Orwellian in nature.

Even short range scanning is a concern if all the items detected are logged in a database every time a person passes a reader, or if it is done for nefarious reasons (e.g., a mugger using a hand-held scanner to obtain an instant assessment of the wealth of potential victims). With permanent RFID serial numbers, an item leaks unexpected information about a person even after disposal; for example, items that are resold or given away can enable mapping of a person's social network.

RFID will be one of the technologies addressed in ARC Training's new Specifying Security Technology Course, due for 2008.

For more information on RFID privacy click on:

http://www.networkworld.com/news/2006/040406-rfid-security-concerns.html?fsr

ARC Raises Awareness of Cybercrime

Businesses, especially in the banking sector, have publicly expressed frustration that no one appears to have taken over the duties of the UK's former cybercrime fighting squad, the National High Tech Crime Unit (NHTCU), which was absorbed last year into the Serious and Organised Crime Agency.

Now IT leaders have called for the re-establishment of the NHTCU. "A lot of trust was built up between large businesses and the NHTCU, and that took a lot of time to develop," says Ollie Ross, head of research at the Corporate IT Forum. "Just when that structure seemed to have reached fruition, it was taken away and nothing has filled its place. There is no reporting mechanism now." Businesses say they feel marooned and angry at what they perceive as a lack of interest from the police.

Last year, 84% of large companies surveyed by researchers for accountancy firm PricewaterhouseCoopers said that they had suffered a malicious attack on their computers between 2004 and 2006. According to the report, the average loss for businesses was between £65,000 and £130,000, with the largest companies reporting losses of around £1m. Click on the following link for the full report:

http://www.securityoracle.com/news/detail.html?id=12427

ARC is pleased to announce the IT Security and Incident Response Course, 9-10 October, which is intended for those who are involved in the detection and investigation of internal crimes using IT systems. Delivered by Ed Wilding, a nationally recognised expert in this field and author of the book "Information Risk and Security", the course will be of great benefit to general security managers, and no specific IT knowledge is required.

Current UK Aviation Security Measures Not Credible, Says BA

"To be effective, security has to be credible, but current UK security requirements are no longer credible," warns Martin Broughton, Chairman of BA.

Broughton was referring specifically to the one-carry-on-bag rule, which is crashing Heathrow's baggage handling system and causing a series of problems for passengers, but there are numerous other security inconsistencies that experienced travellers will have noticed. For example, it is not possible to take sharp objects, such as scissors, through security, but premium priced shaving razors (at about £10 for three) can be bought airside at Birmingham!

Also, measures to prevent a repetition of the Glasgow incident are not being uniformly applied. Vehicles can still gain access to terminal interiors by crashing unprotected public doors at Heathrow. In one recent incident, witnessed by the author, it was five minutes before a traffic warden responded to three vehicles (including a 4x4) which had parked next to the unprotected Terminal 3 arrivals door. There were obviously no barriers to prevent access to the area, detection “systems” reacted too slowly and the police response was non-existent – ARC delegates will know that delay, detection and response are the three cornerstones of any effective security system.

And many airports are now literally cashing in on travellers’ misery and adding to the time taken to pass through security screening by withdrawing issue of mandatory plastic bags for liquids. Instead the bags have to be bought from newsagents and vending machines, a fact of which many travellers are unaware.

Terrorism Threat Map Online

The insurance broker and risk management consultant Aon has recently made available online its 2007 Terrorism Threat Map. This document provides an objective view of the terrorist threat in over 200 countries, assessing the current situation worldwide.

The map, which is available without charge, is especially useful for security professionals and those responsible for the protection of travelling corporate employees and is an important and useful reference for anyone interested in the trends and developments in global terrorist activity.

This link: http://www.aon.com/uk/en/about/media-centre/terrorism-map.jsp will take you to the Aon site where you can request the 2007 map.

Alternatively, if you would prefer not to give your contact details to Aon you can obtain a copy of the map by emailing David.

Disclaimer: ARC recognises that "terrorism" is an emotive word with many different viewpoints, and so does not necessarily endorse any of the information provided by Aon in this publication.

Increasing the Security of ID Cards with Holograms

ID card systems have come a long way. Today’s card printing technology delivers superior image quality and exceptional card durability at a surprisingly affordable cost. A typical card in daily use should last at least two years, while card readers have a typical life of up to seven years.

But, with forgery and counterfeiting now a serious issue, what defence mechanisms are solutions providers putting in place to protect the end user? Detailing the holder’s name, photograph and/or signature – or colour coding cards to show access entitlement – makes it easier to identify the owner at a glance. That said, what’s to stop someone duplicating these ID cards and gaining access to restricted areas? In some cases nothing at all, other than access to a standard plastic card printer.

The following linked article discusses some considerations for increasing security, including the use of holograms:


(Please note that ARC Training does not specifically endorse any of the products in the above-linked article)

Security Strategists from the Middle East, Asia and Africa Meet in Dubai

The showcase hotel of Madinat Jumeirah in Dubai is playing host to 19 delegates from the Middle East, Asia and Africa for the Strategic Security Management Course run by ARC Training's Phil Wood MBE CPP, in conjunction with Precept Management Consultancy.

The delegates, from various business sectors including hospitality, oil, gas and telecoms, are undergoing an intensive course in the skills and knowledge required to operate successfully at the strategic level within their organisations and the fundamentals of successful business integration.

Tuesday, July 17, 2007

Investigations Feature – 10 Ways to Spot a Liar

J.J. Newberry was a trained federal agent, skilled in the art of deception detection. So when a witness to a shooting sat in front of him and tried to tell him that when she heard gunshots she didn't look, she just ran - he knew she was lying.

How did Newberry reach this conclusion? The answer is by recognizing telltale signs that a person isn't being honest, like inconsistencies in a story, behaviour that's different from a person's norm, or too much detail in an explanation.

While using these signs to catch a liar takes extensive training and practice, it's no longer only for authorities like Newberry. You can become adept at identifying dishonesty, and it's not as hard as you might think. Experts explain the top 10 ways to let the truth be known in the following link:


Managing Port Facility Security

If your responsibility includes a maritime facility serving vessels that operate on international routes or mobile offshore drilling rigs, it is probable that you need to comply with the International Ship and Port Facility Security (ISPS) Code.

This entails, at the very least, the appointment of a properly trained Port Facility Security Officer, the production of a Port Facility Security Plan, the establishment of port facility security levels and, depending on your government’s ruling, the carrying out of a Port Facility Security Assessment.

The ARC Training Maritime Security Management Course (13–17 August 2007) has been designed to provide you with the skills necessary to manage the security of port facilities and to ensure that you reach the necessary standard to become ISPS compliant. The five-day interactive programme addresses not only the requirements of the ISPS Code but also provides a complete overview of a physical security regime suitable for a port facility, as well as addressing the duties of the Ship Security Officer and Company Security Officer.

For more information or to reserve a place on the forthcoming programme contact Janet.

Business Travel Security - Prepare for the Unthinkable

Only 40 percent of companies have any type of travel risk-management programme in place to help employees deal with unforeseen overseas events such as medical emergencies, kidnapping and extortion threats, claims the US National Business Travel Association.

“People are under the impression that nothing bad can happen to them,” says NBTA Chairman Craig Banikowski, adding: “And if something does, they believe their embassy is going to step in and make everything right.”

Many of the risks to business travellers can be mitigated by taking certain proactive steps. Some, such as scanning credit card and passport details and storing on a secure internet-accessible network for download in an emergency, are very simple and obvious.

Business Travel Security is covered in detail during Security Management Stage 2, 15-26 October, or can be delivered via a one-day workshop to your staff collectively on site. Contact David for details.

For delegates who have attended Senior Security Management or Security Management Stage 2, a detailed 25-page PDF handout is available on request.

Americans Warned to Expect Further Al Qaeda Attempts to Attack US Homeland

The US has today released declassified portions of its 2007 National Intelligence Estimate report entitled The Terrorist Threat to the US Homeland.

The report warns that AQ will continue to enhance its capabilities to attack the US through greater cooperation with regional groups. Plotting is likely to focus on prominent political, economic, and infrastructure targets with the goal of producing mass casualties, visually dramatic destruction, significant economic aftershocks, and/or fear among the US population.

AQ is proficient with conventional small arms and improvised explosive devices, and is innovative in creating new capabilities and overcoming security obstacles, and will try to acquire and employ chemical, biological, radiological, or nuclear material in attacks, the warning continues.

For a copy of the declassified summary contact David.

What To Do if You Think You Have Been Exposed to a Dirty Bomb (RDD)

A dirty bomb, or radiological dispersion device (RDD), is a bomb that combines conventional explosives with radioactive materials in the form of powder or pellets. The purpose is to blast radioactive material into the area around the explosion, causing radiation exposure and long-term contamination of buildings.

The latest US National Intelligence Estimate reports that “Al Qaeda is probably still pursuing chemical, biological or nuclear weapons and would use them if its operatives developed sufficient capability”.

Response measures to a suspected RDD attack include: leaving the immediate area but avoiding public transport so as not to spread radiation; getting inside a building away from blast dust; removing clothes and placing them in a sealed plastic bag; taking a shower as soon as possible.

For more information on dirty bombs go to:

http://www.nationalterroralert.com/dirtybomb

Monday, July 16, 2007

"Around the Clock, Around the World" - Overseas Training with ARC

ARC Training activities switch to Dubai next week for two very different programmes.

Peter Horsburgh CPP PSP will be conducting a programme for BP Middle East business security representatives, focusing on developments in security and security technology.

Meanwhile, Phil Wood MBE CPP will be delivering a one-week open Strategic Security Management Skills Course in conjunction with Precept, ARC’s Middle East partner.

For details of the latter, which begins on Sunday, contact: precept@omantel.net.om

ARC Training conducts regular open overseas courses in Dubai, Oman, Cyprus, Bangladesh, and Malaysia. Africa will be added to the list of venues in 2008. For further information contact David.

One in Five US Workers Aged under Twenty Five Is on Drugs, Official Report Claims

According to a US federal study by the Substance Abuse & Mental Health Services Administration into illegal drug use and the workplace, released on 16 July, almost 1 in 5 of workers aged 18 to 25 admitted using illegal drugs in the preceding month.

Worst affected sectors were restaurant and construction workers, where the incidence of illegal drug use is twice the US national average.

Drug misuse and the workplace will be one of the topics covered on Security Management Stage 1, which begins 30th July.

For the full story click on:

http://seattletimes.nwsource.com/html/nationworld/2003791051_drugs16.html

Research Suggests WiFi Could Replace PIR as Standard Intrusion Detection System

Researchers at University College London are developing a wireless system that could allow continuous, real-time radar-style detection and tracking of people or objects in any area with wireless network coverage.

In most current situations intrusion detection is accomplished with PIR sensors. More sophisticated target detection and tracking systems either rely on co-operative targets, as with RFID, which requires subjects to carry a tag, or have restricted coverage, as with video surveillance, whose view may be blocked by objects such as parked cars. Both CCTV and RFID require the installation of high-cost equipment.

But according to UCL's researchers, WiFi-based tracking could be developed with low-cost wireless hardware using the 802.11 standard. It could be used indoors and outdoors and would allow monitoring to take place without the subject's knowledge or co-operation. The system could be deployed anywhere with a WiFi capability using the existing infrastructure.

Furthermore, by using the longer range WiMax technology a detection range of up to 40 km could be achieved.

This, and other advanced developments in intrusion detection, will be addressed in the new Specifying Security Technology Course, due to be launched in 2008. Contact David for details.

For the full story go to:


Britain Sets the Lead in CCTV Surveillance Society

Britain sets the lead in public CCTV surveillance, reports the International Herald Tribune. After last month's failed terror attacks in London and Glasgow, the 7/7 London suicide bombings and another botched plot on the British capital's trains and buses in 2005, authorities zeroed in on suspected terror rings with lightning speed.

The nation's vast web of surveillance cameras is credited with playing a crucial role. Now, to the alarm of some privacy advocates, Europe and the United States are starting to follow Britain's lead.

Dutch cities and towns are increasingly monitored. French President Nicolas Sarkozy says he is contemplating a "vast plan" to install more cameras on public transport. In New York, officials have announced plans to outfit hundreds of Manhattan buses with cameras and to add 1,000 others and 3,000 motion sensors to subways and commuter rail facilities.

Britain has about 4 million closed-circuit security cameras. Police say the average Briton is on as many as 300 cameras every day.

For the full story click on:

RUSI Comments on Recent Car Bombs in UK

Car bombs, or Vehicle Borne Improvised Explosive Devices (VBIED), have a long and deadly history. They are a weapon equally popular with assassins, terrorists and guerillas and have been used throughout history to variously kill the occupants of the vehicle and people near the blast site, as well as to cause damage to buildings or other property. Their popularity rests largely in the fact that they act as their own delivery mechanism, can carry a relatively large amount of explosive and, because of the sheer volume of vehicles on the road, attract very little suspicion. Additionally, due to their popularity, there is a vast body of international know-how and expertise within the criminal and terrorist communities on how to construct viable and effective devices.

The car bomb has five main attributes that make it attractive: it is stealthy, low-cost, simple, indiscriminate in nature and anonymous. Together these attributes make it very difficult to defend against in an open society.

For the full text of this article click on:


How to defend against VBIEDs will be one of the topics covered on Security Management Stage 1, which commences on Mon 30 June.

Sunday, July 15, 2007

Chief Security Officer Concept Gains Ground But Do You Have the Requisite Skills?

The CSO (Chief Security Officer) concept is gaining ground in the US but, alarmingly for “traditional” physical security managers, many of those now being recruited into the post are formally-qualified information security managers.

The impetus for the CSO concept comes from convergence - the incorporation of information technology into traditional business processes to provide for more efficient management and operations. In security, convergence is generally used to refer to the convergence of physical and IT security. In many companies, the threats to information systems far outweigh physical threats.

CSOs are taking increasing responsibility for compliance as the regulatory landscape intensifies, and their status is rising, but the bar to many traditional security managers being appointed to the post of CSO is that the majority cannot manage converged security as they do not understand IT network security. Many information security specialists, on the other hand, understand physical security.

For more information click on:

http://www.zdnetasia.com/news/security/0,39044215,61998886,00.htm

The CSO concept will be one of the many subjects addressed in Security Management Stage 3, 24th September to 5th October.

Is the World Becoming More Complicated or Am I Just Not Getting It?

During recent months I have purchased three laptops at various intervals. Superficially, the machines have been the same, but in fact each has been a technical improvement, in terms of components, on the previous. Such is the speed of development of high-tech systems that entire model ranges are frequently replaced after six months.

This rate of change is often mirrored in the high-tech security industry, especially CCTV, which means that a technical specification could be obsolete as soon as the ink is dry on the paper! Many are the security managers who have specified obsolete equipment, or who have found themselves the “beta testbed” for unproven new technology.

The solution, as delegates on the recent Security Management Stage 2 learned, is - unless there is a very strong case for the contrary - always to use a functional specification and to deal with a reputable system integrator. Of course, if you are happy with the terms ABF, HAD CCD, CMOS, 40pcs of IR LEDs, TVL, SNR, F1.2, VD2, VBS, ADNR, H.264, dual stream, DDNS support, 10/100BASE-T, DHCP, ARP, DNS and ICMP – and the dynamic interaction of each – go ahead and tech-specify!

The next Security Management Stage 2 Course, when the trainers will attempt to demystify this jargon, takes place 15-26 October.

Creating a Return on Investment with CCTV over Ethernet

Increasingly, image streams from digital CCTV systems are being transmitted across IT networks, allowing for much greater versatility and use of the recorded data. Any network user with the correct access privileges can, theoretically, be granted rights to view images from specific cameras at his or her workstation.

The potential value of CCTV over Ethernet for non-security tasks such as remote process supervision, safety monitoring, behavioural correction and staff training is considerable. Supermarkets regularly use CCTV to monitor and analyse customer buying habits. One US casino gets payback from its CCTV over Ethernet system investment in being able to accurately investigate false injury compensation claims, such as trips and slips.

When considering over-Ethernet digital CCTV, security managers should think creatively, working with other potential users to share costs and share benefits, thereby maximising ROI.

PS. For simple Excel-based digital CCTV bandwidth and storage calculators contact David.

Most Security Installers and Integrators Have No Formal Qualification in Security

Addressing an audience of almost 100 security professionals at a recent ASIS event in the USA, California-based security consultant Bill Glover declared that there were only 6-8 reliable security systems integrators operating across the USA. His message was supported by another consultant, Greg Thornbury, who presented images of botched security installations.

One of the problems highlighted by Glover was the inability to benchmark security consultants against specific competences or qualifications. Just as in the UK, there is no specific qualification for a security integrator in the USA. When trying to ascertain whether a security system integrator is suitably “qualified” for the task, the only advice the speaker could offer was to look at what the integrator has done before.

Security systems are becoming ever more complex and there is a need for a single qualification encompassing security management, electronics engineering and IT. But this will only be created if the end users, regulatory bodies and professional associations work together to formalise the requirement. Until then, caveat emptor!

Thursday, July 12, 2007

Biometric Locks Begin to Replace “Digilocks”

Stand-alone digital locks are used widely as a low-level security device to prevent unauthorised staff from entering areas such as storerooms, security control rooms, mailrooms, generator rooms etc. Combinations to such locks, however, very quickly become common knowledge across the business, including among those not authorised to enter.

A new generation of biometric/numeric keypad locks, costing as little as $200 a unit, is increasingly overcoming this vulnerability. These locks, which are often marketed as home security devices, can operate in biometric mode, biometric and PIN mode or PIN mode only, and are designed to support about 100 users.

The applications of such devices in the retail environment and in hotels are obvious.

An example of such a device, designed primarily for home use, can be found at:

http://www.homesecuritystore.com/fingerprint_lock.html

Please note that ARC is unable to endorse any product, manufacturer or supplier unless specifically stated.

Control of Physical Security Systems Continues to Migrate to the IT Guys!!

Convergence is the new buzzword. It is the incorporation of information technology into traditional business processes to provide for more efficient management and operations. As well as increasing efficiency, convergence has slashed costs and enabled different business process components to interact dynamically.

In security, convergence refers to the convergence of physical and IT security. This operates at two levels:

1. Threats are becoming increasingly “converged”, necessitating a joined-up physical/logical security approach.
2. Traditional stand-alone security systems are migrating to IT platforms and are becoming increasingly integrated.

It is essential that traditional “physical” security managers grasp the basics of IT system topology and operability in order to be able to effectively manage Ethernet-operated physical security systems.

Door locks represent one of the latest physical security systems to be “collapsed” over an IP/Ethernet network and integrated with video over IP. Furthermore, developments in "Power over Ethernet" mean that many of these systems increasingly will take their power from an Ethernet cable.

David will be happy to provide more detailed information on this subject.

Wednesday, July 11, 2007

Give Me back My Data!!!

In the US more than 100 million computer-based records with sensitive information have been affected by data breaches since early 2005. These incidents will continue to increase as companies are forced to make them public knowledge.

Often the information stored on stolen or lost computers is more valuable than the device itself. In addition, fear of liability, penalties or other negative repercussions will drive data recovery or remote data deletion technologies to mitigate risks associated with data security breaches.

Identity theft will rise and become more organized in cyber crime rings during 2007-08. However, the worst enablers of identity theft are often employers with lax security for data or sensitive information stored on computers. Although consumers often fear putting credit card information into forms on an unknown website for a transaction, it is more likely that someone they know or work with will actually use their identity or credit cards illegally. And more and more corporations are exposed in public for having put their employees or clients at risk.

Security managers, start communicating with IT and devise solutions to avoid your company becoming tomorrow's headline news!

H.264 Video Compression Promises up to 50% Reduction in Video over IP Bandwidth Demand

Thinking of switching to video over IP but put off by scare stories of angry IT administrators and Ethernet congestion? The solution may have arrived.

H.264 (or MPEG Pt 10) is the latest official video compression standard, which follows on from the highly successful MPEG-2 and MPEG-4 video standards and offers improvements in both video quality and compression. The most significant benefit for IP video systems is the ability to deliver the same high-quality, low latency, digital video with savings of between 25% and 50% on bandwidth and storage requirements. Or to put it another way, deliver significantly higher video quality for the same bandwidth.

If this blog isn’t techie enough for you, follow this link for a more detailed explanation of the new standard:

http://www.indigovision.com/learnabout-cctvh264.php

And the following link for an example of an IP camera offering H.264 compression:

http://www.networkwebcams.com/product_info.php?products_id=445

(Note: ARC is unable to comment on the distributor)

The implications (practical and legal) of specifying various video compression types for digital CCTV systems will be one of the topics addressed in the planned Specifying Security Technology Course, set for 2008. Details to follow soon in brochure.

How Did Your Virus Get in My Video?

Viruses, trojans and worms are going multimedia in '07. We have been trained like Pavlov's dogs not to open executable attachments from people we don't know, but what harm will an innocent video of a talking cat do? A lot.

This year we are going to see the rise of multimedia malware. In addition, Web 2.0 will create new security vulnerabilities. As we enable anonymous users to interact and post messages and files on our websites and servers, we are offering new platforms for their malicious intent.

Downloading a free ringtone may be giving someone a free pass to your address book. Viewing an "uplifting" PowerPoint may enable someone to "lift" the passwords from your desktop.

Detection Beyond the Boundary

There are mixed views on the merits of thermal imaging cameras. During a recent ASIS advanced technology workshop in LA, Steve Surfaro of Panasonic USA urged security managers not to invest in thermal imaging (TI) technology if they didn’t really need it, as a conventional camera mounted with an active IR illuminator would give better results. This is certainly the case for close-up person identification.

Independent consultant Severin Sorensen, however, remarked that the cost of TI cameras had dropped so dramatically that they are now a viable solution, especially for long distance applications, or for looking out beyond a perimeter where no lighting, IR or otherwise, is available or desirable. This has certainly been the experience at Copenhagen Airport, where TI cameras are used to monitor for runway intrusions at distances in excess of 1.5km. The full story on the Copenhagen experience can be found at: http://www.security-int.com/categories/thermal-imaging-cameras/thermal-imaging-cameras.asp

Friday, July 6, 2007

ASIS PSP Certification Study Begins

A record 15 delegates have just embarked upon a course of distance learning study with ARC Training that will culminate on 3 November in sitting the ASIS Physical Security Professional Certification examination.

This certification, aimed primarily at those who will have to oversee, specify or project manage the installation and management of technical security systems, has experienced a dramatic rise in demand since its introduction into the UK just three years ago. Twice as many candidates will sit the examination in 2007 as sat in 2006.

For further information on the PSP contact David, who is the UK ASIS Chapter Professional Certification Representative.

Still Time to Book for Security Management Stage 1, 30 July - 10 August 2007

There are just three weeks left to book on the Security Management Stage 1 (Core Skills) Course, 30 July – 10 August.

Whether you are considering embarking upon a path to a security MSc, or simply want to cover the full remit of security management core skills in an interactive learning environment with peers from across the world, this is the ideal course.

Subjects covered include security risk management, security design, security operations management, physical and electronic security and manpower, access control, CCTV, leadership and management, investigating, anti-terrorism, crisis management, information and IT security, security policies and procedures, security surveying, crime prevention, protecting people, and substance misuse.

The course has been successfully completed by several hundred security managers worldwide and is considered by many of the world’s biggest companies to be the “standard” in corporate security management training.

For more details contact Janet.

"The Security of the City Depends Less on the Strength of Its Fortifications Than on the State of Mind of Its Inhabitants"

Congratulations to Bruno Rosenthal, Shell France, on becoming the first student to complete the Shell distance learning “Knowledge”-level programme in Security Management.

The programme is divided into 3 parts. First, participants have to complete an online training module with a test. Second, the knowledge gained is then used to carry out a small-scale risk assessment and security survey, assessed by an ARC trainer. The programme culminates with the candidate being required to produce materials for, and deliver, a short security awareness session for a group of colleagues. The theme of Bruno’s awareness discussion was taken from ancient Greek historian Thucydides, who stated: “The security of the city depends less on the strength of its fortifications than on the state of mind of its inhabitants.”

It is expected that all Shell Security Focal Points worldwide, required to have “knowledge” level in security, will undertake this programme of study. Commenting on the programme, Bruno remarked: “Very interesting training really because a lot of practice and not only theory.”

Please contact David if you would like to discuss how to create a similar project for your company.

Pee-Ping Tom - Take Care When Deploying Covert CCTV

A teacher in the UK has narrowly escaped a jail sentence and has been put on the Sex Offenders’ Register after installing a covert camera in a school’s female toilets.

While this was a deliberate and perverse act, security managers should nevertheless be aware of all the potential consequences of deploying covert CCTV, and the rules regarding where and under what circumstances CCTV can be used. Female facilities, such as changing rooms, are definitely off limits.

Before using such devices, advice should be sought from both HR and Legal departments.

In January 2006 two Liverpool Council CCTV security guard camera operators were put on the National Sex Offenders’ Register and jailed for using CCTV to spy on a naked woman in her own home.

The use of CCTV is one of the subjects covered on the Security Management Stage 1 (Core Skills) Course, 30 July – 10 August.

Tell Me What Happened, Beginning at the End! – Uncovering Deception

Ever wondered how to tell if the person you are interviewing is lying to you? Perhaps he/she is blushing, blinking when you ask questions, avoiding your eyes? Research by academics at the University of Portsmouth, funded by the Economic and Social Research Council (ESRC), has cast doubt on the reliability of watching for such so-called “lie signs” such as suspects shifting uncomfortably, stumbling over words or breaking eye contact.

Instead, they suggest that putting extra mental pressure on suspects by asking them to reverse their accounts can lead to clearer signs that they are lying. More details by clicking on the following link:

Determining suspect truthfulness will be one of the subjects covered in ARC Training’s new one-week basic investigations course, currently under development and due for launch early 2008.