Tuesday, August 24, 2010

'Pain Beam' to Be Installed in LA Jail

An invisible heat-beam weapon developed in secrecy by the military is set for use in a U.S. jail.

Law enforcement officials recently revealed plans to use the nonlethal device at the Los Angeles County Sheriff's Department's Pitchess Detention Center, according to the Los Angeles Daily News. The weapon, which shoots an invisible beam of energy, would be used in the prisoners' dormitory to stop an assault or break up a fight.

Called the Assault Intervention Device, it uses millimeter waves to heat the top layer of skin, causing an intense burning sensation that forces the person being targeted to move away immediately.


"I equate it to opening an oven door and feeling that blast of hot air, except instead of being all over me, it's more focused," said Bob Osborne, commander of the Sheriff's Department's Technology Exploration Program, according to the Daily News.

The weapon being installed in the jail is a smaller version of a technology originally developed by the military for use on the battlefield. The military's weapon, called the Active Denial System, can be mounted on a Humvee or truck, and researchers are also working on an aircraft-mounted version.

Raytheon, which makes the Assault Intervention Device, markets several versions of the weapon on its website.

The smaller version of the weapon being installed in the jail creates pain on a single part of the body, rather than all-over heat like the military version. A local news video showing the device being tested features a laughing test subject clutching a single part of the body where he has been hit, and then moving out of the way.

The device's use at the Pitchess Detention Center is part of a six-month evaluation being conducted by the National Institute of Justice to look at possible widespread use of the technology in jails. If that happens, then it will place law enforcement agencies well ahead of the military.

Despite spending years and tens of millions of dollars to develop the nonlethal technology, the military has not yet deployed the Active Denial System, in large part because of concerns of a public relations backlash against using a "microwave weapon." Ironically, a former Air Force secretary even suggested that the weapon should first be used in the United States before being deployed abroad.

The Pentagon this year did send a truck-mounted version of the weapon to Afghanistan for testing, but it was sent home without ever being used.

Monday, August 23, 2010

FBI Alert

It's back-to-school time. Time to be more alert to suspicious strangers, unusual or unfamiliar vehicles, and abnormal activity in your neighborhood. Talk to your children about strangers. Watch out for school crossing zones; be aware of the speed limits and slow down for our future generation.

FBI ALERT
TELEPHONE FRAUD INVOLVING JURY DUTY
EXTRA!! The FBI is warning the public about an ongoing scheme involving jury service. Most of us take a summons for jury duty seriously, but enough people skip out on their civic duty that a new and ominous kind of fraud has surfaced. The caller claims to be a jury coordinator and says you face an arrest warrant for failing to appear. If you protest that you never received a summons for jury duty, the scammer asks for your Social Security number and date of birth so he or she can "verify" the information and cancel the arrest warrant. If you give out any of this information, bingo: your identity has just been stolen!
The fraud has been reported so far in 11 states, including Oklahoma, Illinois and Colorado. This scheme is particularly insidious because the scammers use intimidation over the phone, pretending to be with the court system, to bully people into giving up information. The FBI and the federal court system have issued nationwide alerts on their websites, warning consumers about the fraud.

Thursday, August 19, 2010

New analysis of stolen data brings surprises

By Woody Leonhard

Every year, the highly respected Verizon Business RISK data crime–investigation team publishes an analysis of major online data thefts it's been asked to study.

This year, a first-ever joint report by VBR and the U.S. Secret Service presents a fascinating view into the state of the data-stealing art, with many surprising facts that should interest all consumers.

Throughout 2009, according to the 2010 Data Breach Investigation Report (PDF), Verizon investigated 57 "confirmed breaches" that included data theft. The Secret Service investigated 84 similar cases. That's 141 verified cases covering a total of 143 million data records owned by organizations around the world. Verizon's efforts led to arrests in 15% of its cases; the Secret Service's rate was a more-impressive 66%.

As you might imagine, many of the victimized companies don't want their identities to be known. The report states, "... about two-thirds of the breaches covered herein have either not yet been disclosed or never will be." Nevertheless, this aggregate report is still important: it gives an excellent overview of security problems that could affect you, the consumer.

Who's stealing sensitive data? Surprise!

I always assumed that most people involved in stealing sensitive data from organizations — bank records, credit-card numbers, personal information — were rogues acting alone, selling their booty via clandestine channels to the highest bidder.

Wrong!

An astonishing 85% of all stolen data records can, according to this report, be traced to organized crime. "Banding together allows criminal groups to pool resources, specialize skills, and distribute the work effort." Lone wolves aren't stealing our data. Rather, it's groups of people, acting in concert with one simple motive: profit.

The report quashed many of my other preconceived notions. For example, insiders (employees, executives, programmers) were actively involved in 48% of the cases — which doesn't surprise me — but they were implicated in only 3% of the total number of records stolen. Insiders participate in smaller jobs.

I was also surprised to find that the percentage of pilfering attributable to business partners — a category that includes IT service providers, suppliers, and vendors — has fallen steadily. The report can't pinpoint the reason for the decline in partners' shenanigans, but does point to the possibility that increased awareness of third-party security threats may be a factor.

It also mentions organizations such as hotel, restaurant, and retail companies that hire outsiders to provide IT services: "Organizations that outsource their IT management and support also outsource a great deal of trust to these partners." If your company's thinking about outsourcing, that's a word to the wise.

And, contrary to widespread publicity, no foreign governments were implicated in data thefts, according to this report.

How the bad guys get your personal information

While headlines herald stories about a bank employee losing a notebook with a gazillion account records or a civil servant dropping a disc with Social Security numbers, the report notes that 98% of the stolen data was snatched directly from company servers — mostly by use of malware and direct hacking.

Once again, the Verizon/Secret Service numbers surprised me. More than half of the malware infections came from direct installation (injection) by the attacker, and SQL databases led the list of subverted systems. SQL injections frequently rely on well-known quirks in SQL systems; craftily assembled SQL database queries, for example, can install programs that pluck data and send it to the requester.

Perhaps the best-known SQL-injection attack involved American Albert Gonzalez, who on March 25 was sentenced to 20 years in federal prison for stealing more than 90 million credit- and debit-card numbers. (See Wired's March 25 Threat Level post.) As the Verizon report says, "SQL injection vulnerabilities are endemic, and to fix them you have to overhaul all your code."
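To make concrete what "overhaul all your code" means for the SQL-injection problem described above, here is an added illustration (not code from the article or the Verizon report) using Python's built-in sqlite3 module and a constructed in-memory table: the same lookup written with string concatenation and with a bound parameter, run against the same crafted input.

```python
import sqlite3

# Constructed sample data for the demonstration; not real card numbers.
SAMPLE_ROWS = [("alice", "4111-0000-0000-0001"),
               ("bob", "4111-0000-0000-0002")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    # The query text is assembled by concatenation, so whatever the caller
    # supplies becomes part of the SQL statement rather than a plain value.
    sql = "SELECT number FROM cards WHERE holder = '" + holder + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, holder):
    # The '?' placeholder makes the driver bind the value separately from the
    # statement text; no input can change the structure of the query.
    sql = "SELECT number FROM cards WHERE holder = ?"
    return sorted(row[0] for row in conn.execute(sql, (holder,)))


def demo():
    conn = build_db()
    # Constructed input: a quote closes the string literal and an always-true
    # clause follows, which widens the concatenated query to every row.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),     # leaks both rows
        "parameterized": lookup_parameterized(conn, crafted),  # no holder has that literal name
        "normal": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The fix is mechanical but must be applied to every query in the code base, which is why the report describes it as an overhaul rather than a patch.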

The second-most-popular method for subverting servers uses drive-by Web infections (where you get an infection without actually clicking anything on a malicious site), followed by infections that require user interaction ("click here to clean your system" come-ons, for example).

Added together, injections and Web infections using malware accounted for 79% of all stolen data — not e-mail, not infected documents, and not zero-day attacks.

Keyloggers — those surreptitiously installed programs that record what you type — made up 36% of all the data breaches but accounted for only 1% of the clandestinely collected data. That's a big change from last year, when keyloggers collected more than 80% of the compromised data. The bad guys have found more efficient ways to take your information.

And what of the never-ending process of receiving and applying security patches to quickly shore up those security vulnerabilities? Not an issue, says the report. "It is very interesting to note that there were no confirmed cases in which malware exploited a system or software vulnerability in 2009 … there wasn't a single confirmed intrusion that exploited a patchable vulnerability."

What companies must do to protect our data

If this is all starting to sound hopeless, it isn't. The authors of the report offer many suggestions that every company with sensitive data should consider. Most of it doesn't stray too far from common sense: give access to sensitive information only to employees who need it, watch your access logs, encourage strong passwords, warn employees about installing rogue antivirus programs, and so on.

Even if you aren't involved with an organization that handles sensitive data, you need to know that the kinds of attacks documented by Verizon are getting larger and more complex.

You can help by regularly checking whatever online account information you can access and reporting any data or activity that looks out of the ordinary. Immediately tell your bank, your credit card company, and your stock broker if you think something's gone awry.

As the report says, "Third-party fraud detection is still the most common way breach victims come to know of their predicament" — in other words, companies learn of breaches when customers report them.

So if you think your data's been stolen, holler yer head off!