IT Security

Ferguson – A Security Operator’s Perspective

A good friend and colleague of mine participated in a security detail during the Ferguson and St Louis riots recently. I asked him to write about his experiences in the hope that his boots-on-the-ground insights would be useful to all of us in future incidents. 

I was not disappointed. 

I believe his experience there will be useful to security operators in the future and I am happy to share his report.

By Sarge Gish, CPS

“The name Columbine is now synonymous with all school shootings just as the name Ferguson will now be associated with all civil disorder and protests”

I was asked to write an after-action report about my time in Ferguson for one of my friends who has a security blog. I felt time was on my side, since I had another detail to work shortly afterwards and the holidays were just around the corner. Little did I realize that Ferguson would be the beginning of a national period of social unrest in the country. Given the lack of moral responsibility among civilians to confront crime, resulting in destruction and mayhem, in many areas of the country the veneer of civilized behavior has been rubbed off. Unfortunately, from my point of view, I predict there will be plenty more non-peaceful protests. Currently, there are a lot of individuals in this country who feel they can control or change how the rule of law is administered. I am not a sociologist and do not intend to explain why people feel the way they do. Instead, I’ll stick with the elements of working a media protection detail.

Risk & Threat Assessment:

Being called upon to work an armed site security detail for a national security firm in St Louis the week heading into the Darren Wilson Grand Jury indictment, I had no idea what to expect. As everyone knows there were two waves of protests in the town of Ferguson and the city of St Louis.

I will refer to both incidents as round 1 (Aug. & Sept. 2014) and round 2 (Nov. & Dec. 2014).

Not being on the ground for round 1, most of our risk and threat assessments were based on intelligence from those incidents.

Our job was to evaluate one individual or group in order to make a determination whether or not the protesters had the potential to become violent against the news crews we were protecting. Also, the prevention of unintentional injury and embarrassment to the crews was a priority.

Knowing that there were viable threats in the weeks before the grand jury convened, we were better prepared to mentally plan and coordinate our moves, and equipment to bring.

The building I was securing (a major health insurance provider) was located downtown and under no immediate threat. Our intelligence indicated there was no apparent danger for the personnel there.

I had agreed to work for another security firm that was working directly in Ferguson which was associated with a local company named Triangle Sentry. This company was given the assignment of protecting Al Jazeera America and the Fox News crews.

The company is owned by and employs individuals who are ESI graduates. Being from ESI myself, I instantly recognized how much of a professional organization it is and felt comfortable with them having my back.

Advance:

I had taken the Monday afternoon of November 24th off to try and conduct reconnaissance and build intelligence data. Also, this was the day the announcement of the verdict was to be read. Little did I know that this was the night we would be able to determine a threat assessment for the rest of the week.

There was no one out on the street in front of the Ferguson Police Department except two protesters. The coffee shop down the street was “business as usual” with the local citizens sitting around talking about the anticipation of a peaceful night and week.

Later in the evening when St Louis prosecuting attorney Robert McCulloch was to announce the decision by the grand jury, I decided to leave the downtown area, which was still relatively calm, and go eat out on the main drag of West Florissant.

As the night progressed, you could feel the tension in the air. Within hours after the decision not to indict was made public, I stood on the corner of Chambers and West Florissant and watched a Mobile convenience store get looted. Shortly thereafter, gunfire was erupting up and down the street and stores were starting to burn. I left the area immediately knowing the Walgreen’s store in front of me was going to be the next target.

My advance was done. I had seen the violence that was predicted. It was time to help out the team (Triangle Sentry), which was already protecting the news crews that were already out there.

Mission and role of the Protection Assignment:

The news crews we were attached to had about 4 teams, each consisting of a correspondent, producer, and cameraman. They were constantly on the go, navigated by a higher-up who was monitoring scanners, Twitter feeds, and cell phones looking for any evidence of contention.

If you’re lucky, you can ride along with them. Otherwise, you need to follow as closely in your own POV and be ready to go.

Once you arrive at the site, you must make sure all your equipment is accessible along with the rest of the crew’s. As with any job associated with security, you must walk a fine line as to what you are allowed to do. Of course, we cannot physically restrain someone or display, threaten, or use our weapons unless it becomes a last resort.

Our job is to protect.

Though you are protecting the whole crew, the cameraman will be your main priority. It is their job to make sure they get the shot for the whole world to see. They are going to go into the middle of crowds of angry protesters to get it.

It is important to be within arm’s reach at all times and have a hand on their back to control their direction and balance.

You must be able to pull them out of situations when harm is prevalent.

Between the two waves of protests a rule called the “Keep Moving” rule was implemented by the St. Louis County police, which prevented people, including the media, from standing still under threat of arrest. An injunction was issued by a Federal District Judge against the practice. But it was widely used during the 2nd round. It was our job to make sure our crews did not fall into that rule.

Unfortunately, one of the security contractors can testify to this. As I mentioned the importance of close contact with the cameraman, he was just far enough away to get caught up in what I call a police line rush into the crowd. Once taken down, they discovered his armored vest and firearm.

Though he was eventually released, he was initially arrested and spent the night in jail.

Planning and Preparation:

Equipment for this kind of violent civil unrest was crucial and must be in quality shape. It was important that all of us were dressed in civilian clothes to blend in with the protesters. So all concealment was vital.

There was no restriction on the type of firearm we could carry, but I would recommend a lighter caliber (9mm or .40) due to the constant movement in and out of vehicles and locations.

Concealable body armor is also essential with a minimum level III certification.

There was a lot of gunfire the first couple of days. But I also witnessed several knives on belts in the crowds as well.

I had a can of Sabre 3 & 1 pepper spray on my belt, which I planned on using for first use of force if needed. Unfortunately, I did not have the one piece of equipment that would have been helpful: a protective mask.

I noticed right away all the news crews had them. I was under the impression that I would not need one until I got tear gassed, not once, but twice.

You do not need a military style mask, however. A common household cleaning respirator is sufficient.

Mental preparation is essential in being able to accomplish the task of protecting the media. You are dealing with unimaginable hatred by individuals who have no conscience as to what they are saying or destroying.

A prime example of this would be the security contractor I was working with. I’ll describe him as a late-twenties reservist police officer from rural Ohio who never had to deal with this type of situation. His training was focused on serving and protecting the citizens of his jurisdiction with any means possible, including use of force.

Unfortunately, the morning after all the devastation from the first night, a group of black individuals confronted the Al Jazeera news crew he was protecting, demanding they go home. Thankfully, a St Louis County patrol came by to break up the demonstrators. He felt vulnerable and unprepared to deal with the situation.

He went home that night.

The ability to maintain confidentiality with the news media is as important as having a firearm on your side. I noticed the Fox cameramen would take their logos off the cameras before we would go out. I wasn’t aware of such hatred towards them until hearing the verbal abuse directed at them in the crowds.

Also, I found it was important to let some in the crowd know you are with the media, just not what your specific role was.

A good example of this is when a large group of white and black individuals thought I was law enforcement. I was working with the Fox crew one night and the cameraman had struck up a relationship with one of the higher ranking (Capt.) Missouri State Police officers during round 1. The Captain (whose name I will not give out) pulled into the parking lot we were in with his patrol vehicle to give us an update as to what the night looked like. Unfortunately, the parking lot was in front of the Ferguson police station where all the protesters were.

They had seen us talking to him. They automatically assumed I was a cop assigned to the crew.

We left.

Lessons Learned:

The ability to protect principals in an unpredictable crowd is a skill that must be practiced before execution. The majority of private security contractors are current or prior military or law enforcement and have had experience with unruly crowds. Not only is it a constantly changing dynamic of violence, but also a show of embarrassing actions, directed at organizations and businesses that protesters are affecting. So it is important that we, in the security industry, constantly prepare ourselves and study the ever-growing changes in the world of social and civil disobedience and protests.

We must assure ourselves at all times that we are appropriate while working media protection. And, most often, appropriateness is determined by a threat assessment and preparation.

As Rick Colliver states in his book Principal Protection: Lessons Learned, it is important to remember diplomacy, alertness, and professionalism.

An inappropriate response to a situation is the fastest way to unemployment.

In the future we hope there will be ongoing discussions of media protection for management and increased planning. My recommendation for anyone who works these details is to be involved with the discussions and participate.

[Photo] – Fox News crew with Producer, Cameraman, Correspondent, and Myself

Why the Weather Service Infiltration is a Big Deal

The infiltration of the NOAA has been drawing attention, criticism and speculation since the weather service admitted to being infiltrated in September 2014. Most of the articles written to date have focused on the who as opposed to the why. So, why is the infiltration of the National Weather Service a big deal?

As mentioned in this blog before, cyber warfare, cyber espionage and cyber theft are becoming more and more prominent. Many aspects of civilian infrastructure are vulnerable to cyber attacks including power stations, databases of classified information related to homeland security and infiltration of financial institutions. But the National Weather Service? What could someone possibly have to gain from hacking the Weather Service? After all, all it does is give us the daily weather…right? As it turns out, the Weather Service and its functions play a vital role in US national security.

The mission of the National Weather Service is to “provide weather, hydrologic, and climate forecasts and warnings for the United States, its territories, adjacent waters and ocean areas, for the protection of life and property and the enhancement of the national economy…”

By this mission statement one might deduce that the Weather Service could have a significant impact on the national security of the United States. Information gathered and disseminated by them is critical to multiple aspects of our economy including, but not limited to, shipping, commercial fishing, farming, and air traffic control. They operate multiple satellite systems orbiting the earth which are responsible for gathering data regarding global weather patterns. These weather patterns are of significant use to the national intelligence community. The US Military relies on information from the Weather Service in order to properly run the gigantic logistical machine that is the armed services. In addition, the NWS also functions to warn the population about weather emergencies and natural disasters.

It is conceivable then that an infiltration and subsequent shutdown of the weather service would cause significant disruption in the government’s ability to function. Such a shutdown could lead to disruptions to air travel, maritime navigation, severe weather warnings and military operations.

Marshall Shepherd, Director of Atmospheric Sciences at the University of Georgia and past president of the American Meteorological Society, made the point clear when he stated:

“Every sortie flown in the name of national security relies on weather information and intelligence. If you value Homeland Security, you have to value weather. That means we have to protect it as much as we do anything else.”

Indeed, the infiltration of the NWS system should serve as a wake-up call to an organization that has placed its cyber security at such low importance.

According to Chief Operations Officer David Titley much of the reason for the poor security at the NWS has to do with budget. He stated that the National Weather Service is in dire need of funding in order to boost their digital security.

“It’s pretty well documented that NOAA doesn’t have enough money to do what it wants to do the way it wants to do it,” he says. “Security is only one of those issues. This is an example of how things in the federal government start to break when they’re ignored.”

In his opinion cyber security was not a significant concern at the time the service was created and older systems remain vulnerable unless the government prioritizes protection.

The attacks in September were not the first of their kind either. In 2013 a hacker accessed sensitive NOAA data by using a contractor’s computer. In 2012 a hacker group from Kosovo reportedly hacked into the weather service computers and released sensitive data. The group responsible for the 2012 incident identified themselves as “Kosova Hacker’s Security” and claimed their attacks were in retribution for American hostility towards Muslim nations.

The US response to incidents of cyber violation is dismal, at least in light of what is being released publicly. Leon Panetta even weighed in, calling cyber warfare a “digital Pearl Harbor” and warning that the nation is woefully unprepared to deal with these types of violations. Whether the attacks are coming from China, Russia or fringe groups like “Kosova Hacker’s Security” is largely irrelevant. Accusing and threatening suspect nations with reprimands and empty repercussions is ineffective. The anonymous nature of the internet gives hackers and governments incredible plausible deniability. Therefore, the focus must be on shoring up digital defenses and preventing attacks.

Sources:

https://nakedsecurity.sophos.com/2012/10/19/national-weather-service-website-hacked-by-kosovo-hackers-security/

http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html

http://www.upi.com/Top_News/World-News/2014/11/12/China-accused-of-hacking-US-Weather-Systems-NOAA/3551415827316/

http://www.popularmechanics.com/technology/how-to/computer-security/americas-weather-forecasting-system-is-under-attack-17422862

Cyber Ghosts: Digital Espionage and the New Cold War

Two new revelations from the intelligence community this week have reiterated the gravity of cyber warfare and its effect on US national defense. The first occurred during President Obama’s visit to China. During that time, China was busy hosting the 10th China International Aviation and Aerospace Exhibition in Zhuhai, China (中国国际航空航天博览会). The main attraction at the airshow was the new Chinese J-31 fighter. Almost immediately, opinion began circulating regarding how the J-31, like its predecessor prototype the J-20, looked remarkably like the US F-35 Joint Strike Fighter and the F-22 Raptor. A quick look at the above photograph and anyone can see that the resemblance is undeniable.

While much of the conversation surrounding the J-31 in the media, social media and blogosphere writes off the new jet as a cheap knockoff of the F-35, likely incapable of the same technological feats, the underlying issue here is not the jet itself, but its implications. It is no secret that the Chinese are suspected of many sophisticated cyber attacks against US infrastructure and defense. Examples of this type of intrusion abound; for the sake of length, this article will not expand on them. Rather, the point here is to focus on the ramifications of cyber warfare.

Cyber warfare is “action by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks” (Rand). Cyber attacks are not limited to attacks on defense apparatuses such as government contractors. These attacks can be targeted toward any number of areas to include critical infrastructure such as power grids or financial centers. The risks of a cyber attack are unique in that they can happen very quickly and be nigh untraceable. Compared to traditional forms of war, cyber warfare is inexpensive, highly effective and offers a high degree of anonymity and plausible deniability.

Two of the main concerns of cyber warfare are disruption of critical infrastructure and cyber espionage. For example, a foreign government may lack the will or ability to launch a true campaign which would cost billions, result in true warfare, and the loss of life and regional stability. Perhaps this country doesn’t want a traditional war with a superpower like the United States due to economic concerns, but still wants to degrade their capabilities and injure their economy. Cyber attacks against infrastructure are an attractive and potent option. Hacking into financial centers or energy infrastructure might allow them to damage our economy, cause widespread blackouts, civil unrest, etc. The ability for cyber warriors to cover their tracks provides this hypothetical country with plausible deniability and a certain degree of shelter from potential repercussions. Still, the risks associated with being discovered are severe which leads to cyber espionage as another attractive option.

Cyber espionage is the use of computer networks to gain illicit access to confidential information, typically held by a government or other organization (Oxford). In essence, it is the stealing of secrets by way of digital intrusion. Going back to the beginning of this piece, the J-31 is a foreboding example of cyber espionage. Headlines going back to 2011 claim that both Lockheed Martin, the main company behind the F-35 program, and BAE Systems, a program subcontractor, were affected by cyber attacks. What information was taken isn’t widely available, but defense experts acknowledge that it played a large role in the production of Chinese 5th generation jets. Furthermore, China’s production of 5th generation equipment likely means that it will not remain in China but will be exported to their allies, which are less than amicable to the US.

A huge concern over these attacks and others like it is the possibility that cyber warfare can be used in real time on the battlefield. Some have speculated that with information gained about network security, hackers could conceivably disable or even hijack electronic devices such as those found on the Joint Strike Fighter. This scenario might elicit eye rolls from many but the possibility exists.

During research for a past study I came across the SkyJack. The SkyJack is basically a Parrot AR Drone outfitted with a special program that allows it to sniff out wireless signals from other drones and then take control. Granted, we’re talking about toys here but it is compelling nonetheless. In the hands of sophisticated hackers armed with sensitive information about a next-generation fighter’s network capabilities, it is conceivable that the controls could be seized. At minimum, with access to flight controls and guidance system, the platform could be disabled and rendered useless.

Cyber warfare is a potent weapon in the digital age but is still in its infancy. Every day, hackers are becoming more sophisticated in their methods. Keeping up with the changes in methodology and technical prowess is a daunting task and one that the bloated bureaucratic system has been failing. Nevertheless, President Obama’s Feb. 2013 executive order stressed the importance of improving our cyber security framework and denying intrusion into our critical infrastructure. Whether or not it is too little too late remains to be seen, but cyber attacks will continue and escalate. It is incumbent on the intelligence community and private industry alike to develop methods to counter such attacks and ensure sensitive information is not surrendered to third parties.

Sources:

http://www.cfr.org/technology-and-foreign-policy/confronting-cyber-threat/p15577

http://www.rand.org/topics/cyber-warfare.html

http://csis.org/files/publication/140313_FireEye_WhitePaper_Final.pdf

http://online.wsj.com/articles/chinas-cyber-theft-jet-fighter-1415838777

http://mobile.reuters.com/article/idUSKBN0HC1TA20140918?irpc=932

http://www.theaustralian.com.au/news/world/security-experts-admit-china-stole-secret-fighter-jet-plans/story-fnb64oi6-1226296400154?nk=e0e4d2d94e1921e8a820447704b756a0

http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html

http://mobile.reuters.com/article/idUSBRE91I06120130220?irpc=932

http://www.nytimes.com/2011/06/04/technology/04security.html?_r=0

http://www.gizmag.com/skyjack-hijacks-other-drones/30055/

http://mashable.com/2013/12/06/hacker-drone-hijack-skyjack/

http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

http://bakerinstitute.org/media/files/Research/e00e5348/Pub-IT-HacksonGas-020514.pdf

http://21stcenturywire.com/2014/08/07/flight-control-boeings-uninterruptible-autopilot-system-drones-remote-hijacking/

The Importance of Password Management

The recent revelation from the website insecam has brought to the forefront the importance of password management and privacy control. For those who are not familiar with insecam and similar sites, it is essentially a database of camera feeds from around the world. These camera feeds are not public feeds such as one might find on a city or state website overlooking a freeway. Many of these are personal, cloud based surveillance systems with feeds ranging from businesses to homes.

The purpose of insecam is allegedly to shed light on the shortcomings of keeping a default password on your system. Most security cameras come pre-programmed with passwords like admin or 1234. While there are some out there who are comfortable leaving default passwords on their systems, whether for convenience or the idea that they’ve nothing to hide and don’t believe they are vulnerable, insecam is out to prove you wrong, and prove it they have.

A short perusal of their site shows that there are nearly 10,000 cameras active in the United States alone. Next up is the Republic of Korea with a whopping 6248 feeds. Randomly clicking one of these feeds reveals everything from coffee shops to the interior of a child’s bedroom. Insecam also shows geotags of where these feeds are located. The fact that the location of the camera is tagged should give everyone pause, especially those with private in-home systems. Their intent may be to outline the shortcomings of laziness in network security, but they have inadvertently opened the door to plenty of nefarious characters.

The purpose of this post is not to scare people, although if you are one of the folks with an open feed to your living room or child’s play area you should be plenty concerned. The purpose is to reiterate the importance of password management in all IT functions, especially those that deal with privacy.

Basic password tips

First and foremost: change your default password. Depending on your security needs, the password need not be too complicated. In general, passwords should be at least 10 characters long and include a variety of letters, numbers and symbols. Most access-controlled sites recommend at least 8 characters; however, the US government has been advocating for years that passwords should be at least 15 characters. Also, avoid using whole words as they are easily guessed. A good idea is to use an easy-to-remember phrase and use letters from that phrase as your password. For example: “I like to go fishing on the third of the month” can become Iltgfot3RDotm. Also, avoid easy-to-guess words and dates like kids’ names and birthdays.
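The rules in this section (not a factory default, at least 10 characters with 15 preferred, a mix of character classes, no whole dictionary word, and the phrase-to-password trick) are concrete enough to run as a check. The script below is an added example written for this post, not code from the original article or from any camera vendor. It assumes a tiny constructed default-password list (the post names only "admin" and "1234"; the rest are illustrative), a tiny constructed word list in place of a real dictionary, and interprets "a variety of letters, numbers and symbols" as at least three of lower-case, upper-case, digit and symbol, so that the post's own example Iltgfot3RDotm passes. The ordinal mapping generalizes the post's single "third" to "3RD" substitution to a few other ordinals; that extension is an assumption.

```python
import re
import string

# Constructed factory-default list. The post names "admin" and "1234";
# the remaining entries are illustrative additions, not from the post.
DEFAULT_PASSWORDS = {"admin", "1234", "12345", "123456", "password", "root", "user", "guest", ""}

# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"fishing", "summer", "welcome", "sunshine", "monkey", "dragon", "letmein"}

MIN_LENGTH = 10       # the post's general recommendation
GOV_MIN_LENGTH = 15   # the post: US government guidance of at least 15 characters

# Ordinal words the phrase method turns into digit+suffix, generalizing the
# post's "third" -> "3RD". Entries other than "third" are an assumption.
ORDINALS = {"first": "1ST", "second": "2ND", "third": "3RD", "fourth": "4TH", "fifth": "5TH"}


def derive_from_phrase(phrase):
    """Build a password from a memorable phrase: first letter of each word,
    ordinal words replaced by digit+suffix, bare numbers kept as-is."""
    out = []
    for word in phrase.split():
        key = word.strip(string.punctuation).lower()
        if key in ORDINALS:
            out.append(ORDINALS[key])
        elif key.isdigit():
            out.append(key)
        elif key:
            out.append(word[0])
    return "".join(out)


def character_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password, words=COMMON_WORDS, defaults=DEFAULT_PASSWORDS):
    """Evaluate a password against the post's rules.
    Returns a list of (severity, message); severity is "fail" or "advise"."""
    findings = []
    if password.lower() in defaults:
        findings.append(("fail", "factory default password; change it"))
    if len(password) < MIN_LENGTH:
        findings.append(("fail", f"shorter than {MIN_LENGTH} characters"))
    elif len(password) < GOV_MIN_LENGTH:
        findings.append(("advise", f"meets {MIN_LENGTH} but not the {GOV_MIN_LENGTH}-character government guidance"))
    if len(character_classes(password)) < 3:
        findings.append(("fail", "too little variety; use at least 3 of lower/upper/digit/symbol"))
    # Strip digits and symbols so that "fishing123!" is still caught as the whole word "fishing".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in words:
        findings.append(("fail", "built on a whole dictionary word; easily guessed"))
    return findings


def acceptable(password):
    """True when no hard failure is present (advisories are allowed)."""
    return not any(sev == "fail" for sev, _ in check_password(password))


if __name__ == "__main__":
    phrase = "I like to go fishing on the third of the month"
    derived = derive_from_phrase(phrase)
    print(f"{phrase!r} -> {derived}")
    for candidate in ["admin", "1234", "fishing123!", derived, derived + "!!"]:
        verdict = "OK" if acceptable(candidate) else "REJECT"
        print(f"{candidate:>18}  {verdict}")
        for sev, msg in check_password(candidate):
            print(f"{'':>18}  [{sev}] {msg}")
```

Running it shows the two camera defaults from the post rejected on three counts each (default, too short, no variety), a dictionary word dressed up with digits and a symbol still rejected, the post's own phrase-derived password accepted with an advisory that it falls short of the 15-character guidance, and the same password padded to 15 characters accepted cleanly. A real deployment would swap the constructed word list for a proper dictionary or breached-password corpus.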

A note about password storage and variety

Many people like to store their passwords in a digital file on another device, or in their cloud drive. This is not a good idea. If that device were lost or compromised, that password is now available to whoever hacked the system. If you must store your information electronically, try to disguise it well by giving the file a subtle name that does not betray its sensitive nature, and consider using basic encryption software.

Many people prefer to write their password on real media such as notebooks and sticky notes and leave them in plain sight. This is especially risky in office environments where someone may see it. Industrial espionage is a real risk and isn’t necessarily the guy in a neoprene jumpsuit rappelling down an air shaft to break into the mainframe. A seemingly benign interaction between co-workers can lead to the inadvertent spread of sensitive information. Keep your passwords out of plain sight!

As for variety, do not use the same password for every application. It is tempting to streamline your passwords, especially when you’re constantly jumping between email, social media and work. The obvious risk is that once one password is compromised, whoever has it will have access to all of your data.


Sources:

http://www.cnet.com/news/website-spies-on-a-lot-of-people-to-shed-light-on-security-flaw/

http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf