Category Archives: Physical security

Reducing risk of major data loss events

Martin Hellman (of Diffie Hellman) fame maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons

Hellman proposes that we need a  third state scenario (instead current state – > nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk that where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodr Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Krushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the  Iranians, who pose a serious nuclear threat to the world.  But no only Ahmadenijad – the Russians and the North Koreans are also  infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

Tell your friends and colleagues about us. Thanks!
Share this

Physical security in Afghanistan

If you thought that working in high-tech  is  rough – just consider how tough it is to be a musician in Afghanistan.

JALALABAD, Afghanistan (Reuters) – Taliban fighters beat musicians, shaved their heads and left them tied to trees overnight because they performed at an Afghan wedding, a village tribal chief said Monday, a sign of the fighters’ growing influence. While in power from 1996-2001, the Taliban banned music as un-Islamic.

The militants have returned to areas in the east and south of the country, where violence has sharply spiked in recent years. They attack government officials, Afghan police, foreign troops and schools that teach girls, another practice they forbid.

“A party was going on when a group of Taliban grabbed five musicians and started beating them and smashing their musical instruments,” said Rahmatullah Khan, a head of Merke Khel village in the east of the country.

“The musicians were tied up with rope to trees last night and villagers found them in the morning when going out for prayers,” Khan said.

Khan said Taliban fighters shaved the heads of the musicians and made them take oaths in the presence of villagers that they would not sing or play music at weddings again.

Afghan weddings and engagement parties in rural areas are traditionally celebrated with hundreds of guests, music and singing that often continues until late at night.

(Reporting by Rafiq Sherzad; Writing by Hamid Shalizi)

Tell your friends and colleagues about us. Thanks!
Share this

A great year for data thieves

The Verizon Business Report on data breaches 2009 was released – the data breach investigations report headlines with 285 million data records breached in 2008:

  • 91% of attackers were organized crime
  • 74% of attacks by malicious outsiders
  • 67% of vulnerabilities due to system defects
  • 32% implicated business partners

The report must be particularly disturbing to endpoint DLP vendors focused on preventing data loss by trusted insiders on  PCs (  99.6% of data was breached by  attackers attacking servers…. )

My experience with clients in the past 5 years in the data loss/extrusion prevention business has been focused on discovering internal security vulnerabilities and implementing cost-effective security countermeasures.  Our findings (summarized in our Business Threat Modeling white paper) were based on analyzing empirical data of 167 data loss events points a finger at software defects as a key data loss vulnerability. The Verizon business study appears to suggest that the situation has only gotten much worse – i.e. data breachs are rising as software quality is declining.

A conservative estimate in our research showed that 49% of the events exploited software defects as shown in the below table. Theoretically we can mitigate half of the risk by removing software defects in existing applications. The question, which we  answer in the white paper is how.

Aggregated vulnerability distribution by type
Vulnerability type

Total

Percentage

Accidental disclosure by email

5

3.0%

Human weakness of system users/operators

13

7.8%

Unprotected computers / backup media

67

40.1%

Malicious exploits of system defects

82

49.1%

Grand Total

167

100.0%

The Carnegie Mellon Software Engineering Institute (SEI) reports that 90 percent of all software vulnerabilities are due to well-known defect types (for example using a hard coded server password or writing temporary work files with world read privileges). All of the SANS Top 20 Internet Security vulnerabilities are the result of “poor coding, testing and sloppy software engineering

Tell your friends and colleagues about us. Thanks!
Share this

Why I am voting Likud

My friend Jacob Richman wrote a page on his web site explaining why he will vote Ichud Leumi (NUP). As a person who has traditionally voted for religious/Zionist parties – I feel compelled to answer Jacob in public.

There are a number of flaws in his argumentations regarding the National Union Party (NUP)

1. The NUP doesn’t have a national agenda – i.e. they don’t have positions on economics, industry, trade, energy, environment, transportation and healthcare in their platform.  They are a “one trick pony”
The country runs on taxes  – without a strong economy the entire question is moot.   I believe that our future is at stake on the economic issues and since the NUP doesn’t even have an economic platform – they are non-starters in my book.

2. The NUP has neither  electoral power nor post-elections political power – which brings me to my third point

3. They are politically weak (and whatever political clout they have is generally wasted on the usual internecine politics endemic to the right and religious parties).  As a result – they will never be able to keep their promise of preserving Erez Israel to their voters.  It’s like me promising you that I’ll go to the supermarket and shop for you without having enough money to  pay for the groceries at the checkout counter.

4. The country is better served with 2 large parties with clear national agendas that represent large portions of the electorate. By supporting the continued existence of small parties like the NUP we weaken the democratic process not strenghten it. Crucial national  decisions must be decided on the basis of a majority vote not on the basis of coalition in-fighting and log-rolling.

Tell your friends and colleagues about us. Thanks!
Share this

Nihilistic security

Nihilism asserts that objective morality does not exist: therefore –  there is no objective moral value with which to uphold a rule or to logically prefer one action over another.

The wave of the liberal left which swept Western Europe and is now growing in US as the Obama administration takes office, asserts that there is moral equivalence between Hamas terrorists and Israeli citizens in Ashkelon.  In the information security space – by taking a purely defensive posture, we  assert moral equality between  hackers and malicious insiders and the owners of company assets.  You can hack us, manipulate our financial reports or steal our most precious assets, but we will never mount a counter-attack on you – we’ll only take defensive security countermeasures like firewalls, anti-virus and DLP technology and regulatory compliance for privacy and corporate governance.

The wave of what I will “nihilistic security” is washing up the shores of Israel as well. Israeli media are gushing over civilian casualties in Gaza – with the Jewish mothers of the media aiding and abetting the enemy instead of giving succor to the citizens of their own country.

בימים אלו כשבובליל ושפרה הם כבר פאסה יש לנו דמויות חדשות על המסך

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Better physical security with more eyeballs

Big companies have lobbies and receptionists. They may have many visitors during the day not to mention messengers from FedEx, DHL, TNT, Poczta etc.

A DHL courier recently visited the offices of a client to pick up a package.  He walked in, picked up 5 expensive mobile computers and notebooks, put them in the pouch and walked out.

In China and Taiwan – culturally – a white face is always trusted, in Israel, Turkey and Rome – everyone are friends. In Poland – recipients defer to guests and may be intimidated by non-Polish speakers.

But – people are not always what the seem.

Here are 3 simple steps to improve your physical security that do not involve advanced technology – only the power of the people you already have.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

The truth about the Palestinian-Israeli conflict

The one-sided UN resolution that didn’t even mention Hamas was not surprising. It’s 14 days into the war on Hamas in Gaza and it appears a good time to share  a few brief facts on the Israeli-Palestinian conflict –

1. Nationhood and Jerusalem.  Israel  became a nation in 1312 B.C.E. Two thousand years before the rise of Islam.

2. Arab refugees in Israel began identifying themselves as part of a Palestinian people in 1967, two decades after the establishment of the modern State of Israel .

3. Since the Jewish conquest in 1272 B.C.E., the Jews have had dominion over the land for one thousand years with a continuous presence in the land for the past 3,300 years.

4. The only Arab dominion since the conquest in 635 C.E. Lasted no more than 22 years.

5. For over 3,300 years, Jerusalem has been the Jewish capital.  Jerusalem has never been the capital of any Arab or Muslim entity.  Even when the Jordanians occupied Jerusalem, they never sought to make it their capital, and Arab leaders did not come to visit.

6.  Jerusalem is mentioned over 700 times in the Old Testament.   Jerusalem  is not mentioned once in the Koran.

7. King David founded the city of Jerusalem.  Mohammed never came to Jerusalem.

8. Jews pray facing Jerusalem.  Muslims pray with their backs toward Jerusalem.

9. Arab and Jewish Refugees: In 1948 the Arab refugees were encouraged to leave Israel by Arab leaders promising to purge the land of Jews.  Sixty-eight percent left without ever seeing an Israeli soldier.

10. The Jewish refugees were forced to flee from Arab lands due to Arab brutality, persecution and pogroms.

11. The number of Arab refugees who left Israel in 1948 is estimated to be around 630,000.  The number of Jewish refugees from Arab lands is estimated to be the same.

12. Arab refugees were INTENTIONALLY not absorbed or integrated into the Arab lands to which they fled, despite the vast Arab territory. Out of the 100,000,000 refugees since World War II, theirs is the only refugee group in the world that has never been absorbed or integrated into their own peoples’ lands.  Jewish refugees were completely absorbed into Israel, a country no larger than the state of New Jersey.

13. The Arab – Israeli Conflict: The Arabs are represented by eight separate nations, not including the Palestinians. There is only one Jewish nation.  The Arab nations initiated all five wars and lost.   Israel defended itself each time and won.

14. The P.L.O.’s Charter still calls for the destruction of the State of Israel.  Israel has given the Palestinians most of the West Bank land, autonomy under the Palestinian Authority, and has supplied them.

15. Under Jordanian rule, Jewish holy sites were desecrated and the Jews were denied access to places of worship. Under Israeli rule, all Muslim and Christian sites have been preserved and made accessible to people of all faiths.

16. The U.N. Record on Israel and the Arabs: of the 175 Security Council resolutions passed before 1990, 97 were directed against Israel.

17. Of the 690 General Assembly resolutions voted on before 1990, 429 were directed against  Israel.

18. The U.N was silent while 58 Jerusalem Synagogues were destroyed by the Jordanians.

19. The U.N. Was silent while the Jordanians systematically desecrated the ancient Jewish cemetery on the Mount of Olives.

20. The U.N. Was silent while the Jordanians enforced an apartheid-like a policy of preventing Jews from visiting the Temple Mount  and the Western Wall.

Danny Lieberman

Software Associates

Expert security consultants, providing internal security solutions:  investigating  and preventing data theft and fraud for telecommunications, manufacturing and pharmaceutical companies in Eastern Europe and the Middle East.

Tell your friends and colleagues about us. Thanks!
Share this

What’s in a name?

Would someone explain the difference between Militants and Terrorist Organizations?

Do definitions matter?

The PCI DSS 1.2 standard confusingly labels anti-virus “threat management” and security folks often confuse a vulnerability (a state of weakness of an asset) with a threat (something or someone that exploits the vulnerability to cause damage to the asset). I guess it’s ok – after all, information security is not life and death like the war against Palestinian terror.

The US State Department appears to be confused – are we fighting “militants” or “terrorists”?

Here’s what I mean.

The American Embassy in Tel Aviv came out with a travel warning for US Citizens in Israel December 30, 2008:

U.S. Government Employee Travel Restrictions Due to IDF’s Gaza Operation and Longer Range-Rocket Attacks against Israel by Militants and Terrorist Organizations in Gaza

A common definition of terrorists are people who attack civilians.   It seems that makes all of the Palestinian organizations terrorists ne’st-ce pas? Here’s the full announcement:

Subject: WARDEN MESSAGE FROM US EMBASSY TEL AVIV, Additional travel restrictions, longer-range rocket attacks, message dated 30 Dec 2008

Warden Message

U.S. Government Employee Travel Restrictions Due to IDF’s Gaza Operation and Longer Range-Rocket Attacks against Israel by Militants and Terrorist Organizations in Gaza

Date of Warden Message: December 30, 2008

Today’s Warden Message alerts U.S. citizens to current IDF operations in the Gaza Strip and ongoing rocket attacks from Gaza by militants and terrorist organizations into Israel.  U.S. Government employees, for the time being, have been restricted from travelling within a 30 KM radius of the Gaza Strip, inside of which the vast majority of rockets and mortars have fallen.  To travel inside the 30 KM radius, the Embassy’s Regional Security Officer’s approval is required.  Further, no U.S. government official travel is permitted inside the Gaza Strip.

Militants and terrorist organizations in Gaza continue to launch numerous rocket and mortar attacks against Israel.  On December 28 and 29, several longer-range missiles landed in Ashdod, located about 35 KM from Gaza.  On December 29, a longer range missile also landed in Yavne, which is just north of Ashdod.  Though USG employees’ travel is restricted to 30 KMs, American citizens should be aware that militants and terrorist groups could launch additional longer-range missiles that may land well beyond the 30 KM radius and to take appropriate security measures.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this
tours religious conflicts

Why Israel is losing the war against terror

It is crucial to ask how we can adopt and execute a sustainable long-term strategy to combat and win the war against Islamic terror.

I’m an Israeli and we have seen a series of Israeli governments attempt to combat terror. In most cases, the strategy to combat Palestinian terror centers on worrying what the US and EU think of us. Not surprisingly, the focus on PR, image and relations with third parties rather than a root cause analysis of what the Palestinian terrorists really want   has failed. In this post, I will explain why Israel is losing the war on terror, basing my analysis on empirical observations rather than political imagery and spin.

First of all where are we today?  The so-called Oslo Peace process (and similarly-architected roadmaps of various sorts from the US or Saudi) are not only failures but significant contributors to continued violence; empirical evidence shows  many more victims of terror violence after Oslo than before Oslo.

In late 2008, Yossi Beilin – one of the architects of the Oslo Accords, and one of the leaders of the left-wing Meretz party, has announced his resignation from public life. That says something – Oslo is universally declared by both Palestinians and Israelis (across the political spectrum) to be a colossal failure that resulted in loss of thousands of Jewish and Arab lives.

In the wake of the Barack Obama’s election to US President, and his team of policy advisors that came out of the Clinton and Carter administrations – it is time to examine the root causes of the failure of the international community to combat Palestinian terror. Max Abrahams writes in his article “What Terrorists Want”, that “the international community cannot expect to make terrism unprofitable and thus scarce without knowing the incentive structure of its practioners”.

The Carter administration brought us the fall of the Shah in Iran and the rise of Houmeini and now Ahmadinijad. The Clinton adminstration brought us 9/11.

Over the past 30 years, Israeli governments employed a variety of strategies to battle terror: a strict no concessions policy (during the 60s and 70s), promoting democracy (the Oslo agreement that created the PA and resulted in several elections for Palestinian self-determination) and land-for-peace appeasement (the disengagement from Gush Katif). None of the strategies have succeeded and if anything have resulted in more attacks on Israeli citizens, more Palestinian fatalities and economic hardship and higher costs for Israel with building of the security fence that carries a steep economic and domestic and international political cost.

The dominant assumption by Israeli governments (and prevailing model in academic terror studies) is that terrorists attack civilians in order to achieve their political objectivess. According to this model – terrorists act rationally to maximize their political benefit, choosing terror when the expected political gain less the estimated cost is greater than expected benefit of the alternatives.

However – Hamas and it’s competing terror organization Fatah both act irrationally – preferring continued violence to peace. More importantly – Israel and the West are acting irrationally in the war against Islamic terror, consistently taking steps that never work.

The reason for this is fairly simple – although the solution itself requires a very basic change in the way we behave.

Israel, Europe and the US consider this a political conflict with political solutions; in fact this is a religious conflict with military and religious solutions.

Islam values land and does not value human life. Islam’s strategic objective is to convert all non-Muslims to Islam by the sword.

Israel values life and is willing to compromise on land. Judaism’s strategic objective is to bring light to the world.

The religious part of the solution is for Jews all over the world and in Israel to execute their Jewish strategic objective – just as the Muslims as exercising their strategic objective:  bring light to the world  through personal example, strengthening personal belief in God, performing mitzvot and learning Torah.

The military part of the solution must be zero tolerance to Arab violence – one rocket fired against Israel – decimation of an entire city. I am sorry that it must be this way – but the path of fulfilling and living Jewish values with a strong hand against terror is the only way to win this religious war being waged by Islam.

Tell your friends and colleagues about us. Thanks!
Share this

The Israeli Supreme Court is a security vulnerability

I got this from my sister in-law Judith Bedichi this morning – it was written by Dr. Guy Bechor and describes an escalation of security threats to the Jewish State of Israel.  The Israeli Supreme Court is highly-regarded yet clearly preferential to Israeli Arabs, with liberal rulings allowing operations of radical Islamic groups in the name of democracy and human rights.  Dr. Bechor submits that the Supreme Court is a  vulnerability that has been systematically exploited by false claims of groups like Adallah, aiding and abetting security threats to Israel. If you know Hebrew it’s an interesting read.

מסמך החזוןשחיברה הנהגת ערביי ישראל לאור מה שקרה בעכו.

מאת דרגיא בכור

בחדשים האחרונים פרסמו ועדת המעקב העליונה של ערביי ישראל‘, ‘וועד ראשי הרשויות הערביותוארגון עדאלהאת מסמך החזון” ! שלהם, כיצד צריכה להיראות מדינת ישראל, ועל מה הם נאבקים. מעניין לציין שאת הארגונים הללו מממנים או מדינת ישראל או יהודים ליברלים מארצות הברית, החושבים שככה הם עוזרים לישראל.

בקצרה, אם לסכם את המסמך הגזעני הזה, הקובע ש ישראל היא תולדה של פעולה קולוניאליסטית שיזמו האליטות היהודיותציוניות באירופה ובמערב“, אילו הם דרישות הערבים, הרואים ביהודים רוב מהגר“:

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this