Thursday, January 22, 2015

Hackers well-versed in Wall Street vernacular hack publicly traded companies

Published 3 December 2014
 
Security firm FireEye’s recent report on a group of hackers who have been infiltrating e-mail correspondence from more than 100 organizations, differs from the company’s previous reports on cyber criminals operating from China or Russia. This time, the hackers are based in North America or Western Europe, and are well-versed in Wall Street vernacular. The hackers, who FireEye named “FIN4” because they are one of many groups that hack for financial gain, targeted mostly publicly traded healthcare or pharmaceutical companies, along with their advisory firms, in pursuit of information that could affect global financial markets.

“FIN4 probably focuses on these types of organizations because their stocks can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” the report reads. All but three of the affected organizations were publicly listed on the New York Stock Exchange or Nasdaq, and the others were listed on foreign exchanges.
Messages written in industry vernacular, sometimes disguised as e-mails from current or past clients, duped some senior executives into clicking on links embedded in email messages. The New York Times reports that in one case, hackers posed as an adviser to one of two companies in a potential acquisition. In some other cases, hackers relied on previously stolen confidential company documents to give the impression of authenticity. All identified victims clicked on links or opened attachments that redirected them to a fake e-mail login page, designed to steal the victim’s credentials.
Unlike other hacking groups uncovered by FireEye, FIN4 does not use malware to intrude further into a firm’s digital infrastructure. Instead, FIN4 relies on information stored in victims’ e-mail accounts, and automatically deletes notices that inform an account owner of possible intrusion. “Given the types of people they are targeting, they don’t need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”
FireEye began responding to FIN4’s intrusions into e-mails belonging to top-level executives; legal counsel; regulatory, risk, and compliance officers; researchers; and scientists in mid-2013, but the company did not compile its findings until five months ago. FireEye has informed the FBI and notes that it is difficult to track the hackers because they logged into their victims’ e-mail accounts using Tor, the anonymity Web browser that directs Web traffic through Internet Protocol addresses around the world.
“We don’t have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Weedon said. “But it’s hard because we don’t have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.” She added that “If it’s not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”
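The notice-suppression behaviour described above (an intruder who holds the mailbox credentials arranges for security alerts to vanish before the owner sees them) is something a mail administrator can audit for. The following is an added example, not from FireEye’s report; it uses a simplified, hypothetical rule format and constructed rules to flag those that delete or hide messages carrying account-security wording:

```python
"""Audit inbox rules for ones that silently dispose of account-security notices.

This is an added, defensive example: an intruder holding mail credentials can
add a rule so that "unusual sign-in" or "password changed" alerts never reach
the mailbox owner. The InboxRule shape is a simplified, hypothetical stand-in
for a mail platform's rule export, and every rule below is constructed.
"""
import re
from dataclasses import dataclass, field

# Wording that typically appears in account-security notices.
SECURITY_TERMS = re.compile(
    r"(unusual|suspicious|new)\s+(sign[- ]?in|log[- ]?in|device|activity)"
    r"|password|security\s+(alert|notice)|account\s+(compromised|locked)"
    r"|phish|hacked|verification\s+code",
    re.IGNORECASE,
)
# Destinations that hide mail from the owner about as well as deleting it.
HIDING_FOLDERS = {"deleted items", "junk email", "junk", "archive", "rss feeds"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    subject_contains: list = field(default_factory=list)
    body_contains: list = field(default_factory=list)
    from_contains: list = field(default_factory=list)
    delete: bool = False
    move_to_folder: str = ""
    mark_as_read: bool = False


def hides_mail(rule: InboxRule) -> bool:
    """True if the rule's action keeps the message out of the owner's sight."""
    return rule.delete or rule.move_to_folder.lower() in HIDING_FOLDERS


def audit_rules(rules):
    """Return (rule name, reason) for each enabled rule that suppresses security notices."""
    findings = []
    for rule in rules:
        if not rule.enabled or not hides_mail(rule):
            continue
        conditions = rule.subject_contains + rule.body_contains + rule.from_contains
        matched = [c for c in conditions if SECURITY_TERMS.search(c)]
        if matched:
            findings.append((rule.name, f"hides mail matching security-notice terms: {matched}"))
        elif not conditions:
            # An unconditional delete/hide is a red flag on its own.
            findings.append((rule.name, "hides all incoming mail (no conditions)"))
    return findings


# Constructed rule set: two benign rules, two suspicious ones, one disabled leftover.
SAMPLE_RULES = [
    InboxRule("Newsletters", subject_contains=["weekly digest"], move_to_folder="Newsletters"),
    InboxRule("Board mail", from_contains=["board@example.com"], move_to_folder="Board"),
    InboxRule("Cleanup", subject_contains=["unusual sign-in activity", "your password was changed"],
              delete=True, mark_as_read=True),
    InboxRule("Sort", body_contains=["suspicious login"], move_to_folder="RSS Feeds"),
    InboxRule("Old catch-all", delete=True, enabled=False),
]


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"FLAG {name}: {reason}")
```

Rules moving mail to folders the owner never opens are treated the same as deletes, since both achieve the suppression the report describes.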

Smart keyboard can tell who you are – and also powers and cleans itself

Published 22 January 2015

In a novel twist in cybersecurity, scientists have developed a self-cleaning, self-powered smart keyboard that can identify computer users by the way they type. The smart keyboard can sense typing patterns — including the pressure applied to keys and speed — that can accurately distinguish one individual user from another.

In a novel twist in cybersecurity, scientists have developed a self-cleaning, self-powered smart keyboard that can identify computer users by the way they type. The device, reported in the journal ACS Nano, could help prevent unauthorized users from gaining direct access to computers.

Zhong Lin Wang and colleagues note that password protection is one of the most common ways we control who can log onto our computers — and see the private information we entrust to them. As many recent high-profile stories about hacking and fraud have demonstrated, however, passwords are themselves vulnerable to theft. So Wang’s team set out to find a more secure but still cost-effective and user-friendly approach to safeguarding what’s on our computers.

An ACS release reports that the researchers developed a smart keyboard that can sense typing patterns — including the pressure applied to keys and speed — that can accurately distinguish one individual user from another. So even if someone knows your password, he or she cannot access your computer because that person types in a different way than you would. It also can harness the energy generated from typing to either power itself or another small device. And the special surface coating repels dirt and grime. The scientists conclude that the keyboard could provide an additional layer of protection to boost the security of our computer systems.

— Read more in Jun Chen et al., “Personalized Keystroke Dynamics for Self-Powered Human-Machine Interfacing,” ACS Nano, Article ASAP (30 December 2014) (DOI: 10.1021/nn506832w)
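To make concrete how typing rhythm and key pressure can separate the account owner from someone who knows the password, here is an added example (not the ACS Nano authors’ method or code) that enrols a user from constructed keystroke samples and rejects an impostor typing the same passphrase; the feature set, the scaled-distance score and the acceptance threshold are all assumptions:

```python
"""Keystroke-dynamics verification for a fixed passphrase (added example).

Each typing of the passphrase is reduced to a feature vector built from:
  dwell    - how long each key is held (key-up minus key-down)
  flight   - gap between consecutive key-downs (typing speed and rhythm)
  pressure - force applied to each key, the extra signal the smart keyboard adds
A user is enrolled from several typings (per-feature mean and spread), and a
new typing is accepted only if its scaled distance from that template is small.
Every sample here is constructed; no real keyboard data is involved.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Keystroke:
    key: str
    down_ms: float   # time at which the key went down
    up_ms: float     # time at which the key came back up
    pressure: float  # normalised force on the key, 0..1


def features(sample):
    """Flatten one typing of the passphrase into a feature vector."""
    dwell = [k.up_ms - k.down_ms for k in sample]
    flight = [b.down_ms - a.down_ms for a, b in zip(sample, sample[1:])]
    pressure = [k.pressure for k in sample]
    return dwell + flight + pressure


def enroll(samples):
    """Template = per-feature mean and standard deviation over enrolment typings."""
    columns = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in columns]
    # floor the spread so a perfectly consistent feature cannot divide by ~0
    sigma = [max(pstdev(c), 1e-3) for c in columns]
    return mu, sigma


def distance(template, sample):
    """Scaled Manhattan distance: mean over features of |x - mu| / sigma."""
    mu, sigma = template
    x = features(sample)
    return sum(abs(xi - m) / s for xi, m, s in zip(x, mu, sigma)) / len(x)


def verify(template, sample, threshold=3.0):
    """Accept the typing only if it lies within `threshold` scaled units of the template."""
    return distance(template, sample) < threshold


def synth_typing(passphrase, profile, rng, jitter=0.05):
    """Constructed typing of `passphrase` following a user's rhythm/pressure profile.

    profile = (dwell_ms, gap_ms, pressure): one value per character, each
    perturbed by up to +/-jitter so repeated typings are similar but not identical.
    """
    dwell_ms, gap_ms, pressure = profile

    def wobble(v):
        return v * (1 + rng.uniform(-jitter, jitter))

    t, out = 0.0, []
    for ch, d, g, p in zip(passphrase, dwell_ms, gap_ms, pressure):
        out.append(Keystroke(ch, t, t + wobble(d), wobble(p)))
        t += wobble(g)  # time until the next key-down
    return out


PASSPHRASE = "s3cret"
# Constructed profiles: the legitimate user is a fast, light typist; the
# impostor knows the passphrase but types slower and presses harder.
GENUINE = ([90, 80, 110, 85, 95, 100], [180, 150, 220, 160, 170, 0],
           [0.60, 0.70, 0.50, 0.65, 0.60, 0.55])
IMPOSTOR = ([140, 130, 120, 150, 160, 130], [300, 260, 280, 310, 250, 0],
            [0.90, 0.85, 0.95, 0.80, 0.90, 0.85])


def demo(seed=7):
    """Enrol the genuine user, then test one genuine and one impostor typing."""
    rng = random.Random(seed)
    enrolment = [synth_typing(PASSPHRASE, GENUINE, rng) for _ in range(8)]
    template = enroll(enrolment)
    genuine_try = synth_typing(PASSPHRASE, GENUINE, rng)
    impostor_try = synth_typing(PASSPHRASE, IMPOSTOR, rng)
    return verify(template, genuine_try), verify(template, impostor_try)


if __name__ == "__main__":
    ok, bad = demo()
    print(f"genuine user accepted: {ok}; impostor with correct password accepted: {bad}")
```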

U.S. power plants, utilities face growing cyber vulnerability

Published 19 August 2013
American power plants and utility companies face a growing cyber vulnerability. No U.S power plant has so far suffered a significant cyberattack, even if small-scale attacks are nearly constant, but experts say preventative actions must be taken to ensure safety. Utilities provide services which, if disrupted for long periods of time, may result in economic chaos and may even lead to social unrest.

American power plants and utility companies face a growing cyber vulnerability. No U.S power plant has so far suffered a significant cyberattack, but experts say preventative actions must be taken to ensure safety.
Utilities provide services which, if disrupted for long periods of time, may result in economic chaos and may even lead to social unrest. Consider the 2003 blackout, which left about fifty million people across North America without electricity for about four hours. That outage, caused by a sagging power line coming in contact with overgrown trees, cost $6 billion.
A cyberattack with intentions to create chaos could inflict far greater economic damage, and cost lives.
Electric Light & Power reports that a 2011 report from McAfee and the Center for Strategic and International Studies (CSIS) in Washington, D.C., states that small-scale attacks occur often. According to the report, 85 percent of executives in the power, oil and gas, and water sectors experience network infiltrations, and 25 percent reported they had been victims of a network-related extortion.
Power and utility firms are implementing solutions to prevent and thwart cyberattacks, but security professionals who design cybersecurity systems face several challenges. Utilities are complex systems depending on a variety of instruments and technologies. No pre-packaged solution or off-the-shelf product can fully secure a utility or solve its cybersecurity needs. Security professionals must thus implement customized solutions which are unique to each utility’s systems. These solutions must protect established technology platforms yet remain flexible to adapt to new devices and technologies. Utilities must also consider cyberattacks as both external and internal concerns. Security solutions must therefore protect against staff mishandling of technologies, from downloading software to using file-sharing programs which can expose utility operations to malware and viruses.
Writing in ELP, Jose Granado and Josh Axelrod — principal and security practice leader, and senior manager in the power and utilities information security sector, respectively, at Ernst & Young LLP — suggest that when power and utility companies develop a cybersecurity solution, they should consider the following questions to help identify the risk profile of a facility:
  • How does the organization define cybersecurity risk? Does the potential risk affect the business?
  • What are the avenues by which such threats might enter the organization’s environment?
  • How prevalent are the risks in the industry in which the organization operates? What have the organization’s peers and competitors faced, and what can the organization learn from those incidents?
  • What threats might be invited by the behavior of the organization’s own employees? Are the organization’s policies about network access clear and effectively communicated?
  • How can the organization align its responses to cybersecurity risk with industry standard security principles, such as ISO 27001/27002 or NIST SP800-53?
After making these determinations, the organization should develop a cybersecurity strategy. Steps utilities should consider include:
  • Align cybersecurity to the organization’s overall IT strategy based on the defined risk profile. This helps build support from company board members and top executives, as well as field managers and other personnel.
  • Analyze the cybersecurity issues unique to operations, supply, procurement, human resources management, etc., noting areas of difference and integration.
  • Get all parts of the organization working together.
  • Rather than focus on tactics to address possible security breaches, develop a cybersecurity approach based on a broad security principle — a rating of breach tolerance, for instance — that can be achieved via several techniques.
  • Do not assume that a large-scale solution, equivalent to a brand-new IT security system, is needed. Additional security controls implemented for your specific technology environment might be as effective.
  • Define the governance and support structure necessary to maintain the solution.
Regulatory and cost concerns cannot be ignored when developing a cybersecurity system. Utilities and power companies face high costs when investing in cybersecurity solutions, and state regulators have not been willing to approve rate hikes to help utilities cover the cost of these investments. Utilities and power companies must not allow lack of government funding or lack of rate increases to undermine security investments, because the costs of not investing in cybersecurity are far too great.

8 Tips to prevent data breaches

Published 22 January 2015

Securing electronic messages should be one of the top IT priorities for organizations in 2015. The process should not be overly complex or expensive, but it does require proper planning and regular revisions. While there is no such thing as a 100 percent breach-proof security system, the majority of attacks can easily be prevented by following the simple steps outlined in this article.

Data breach incidents occur when unauthorized parties gain access to sensitive or confidential records. Sensitive corporate records can be breached virtually anywhere: on internal servers, in the cloud, or while in transit to a third party.
When thinking about data breaches, most people imagine professional hackers breaking into a highly secured data system. It is a popular image introduced by Hollywood and often favored by the press. The reality, however, is much more banal. Data breaches often happen through a simple e-mail transmission, human error, inferior passwords, or poorly thought out security measures. Often we hear about large and highly publicized data breaches, but statistically speaking, small companies are affected at a far greater rate.
According to Forbes, in 2013 alone, about 40 percent of small businesses were victims of data breaches. Small businesses with limited resources pay dearly for losing sensitive data — it is estimated 60 percent of small organizations hit by cyber security attacks will close within six months.
Over the past five years, according to Beazley, we have seen a 30 percent increase in data breaches, especially due to malware and hacker attacks. This trend is expected to increase even more over the next several years. Once viewed as merely an inconvenience, data breaches often cripple many small businesses, as data is the most important asset of companies. Failure to protect consumer and corporate data will result in low consumer confidence, reduction in business, regulatory fines and financial losses. Current government regulations are targeted at organizations of all sizes, requiring companies to implement policies and procedures in order to safeguard sensitive consumer information.
If you are one of the many organizations confused about how to protect successfully against data security vulnerabilities, you are not alone. With a little effort and strategic planning, however, electronic data protection can be successfully implemented by organizations of all sizes.
The following eight steps will help you properly assess your current electronic communication security situation, provide you with guidance to implement appropriate measures, and shield your data from being exposed or exploited.
  1. Understand regulatory compliance requirements — To begin planning a security strategy, be aware of regulations affecting your business. These regulations can range from federal and state laws covering all businesses when handling sensitive customer data to regulations targeted at your specific industry. Implement a quarterly review of these regulations to ensure adherence.
  2. Identify and assess security risks in your organization — Determine the location of all sensitive data and whether any protective measures are currently in place. Also, determine how your sensitive information is distributed (via e-mail, texts, or various other channels) and who has access to information stored on corporate servers as well as in the cloud.
  3. Establish written security policies regarding collection/use of personal information — This is a document requiring semi-annual updates and should define the following items:
    • Proper storing and disposal of electronic personal data
    • Identify an officer responsible for information security
    • Identify users inside your company with access to sensitive information, especially those with administration rights or unrestricted access to data
    • Adopt a least-privilege approach to data, providing users only enough access privileges to allow them to complete their duties
    • Block social media channels you cannot or do not wish to supervise
    • Automatically log users out and lock computers when not in use
  4. Educate your employees regarding common scam methods/breach threats — Many internal breaches occur due to simple human error or lack of awareness, making it important to ensure your employees are aware of their actions and understand how to protect sensitive data.
  5. Take steps to protect data when accessing Wi-Fi networks — this is one of the easiest ways for perpetrators to access your data. Precautions should include:
    • Use Wi-Fi networks with caution when traveling, only use wireless networks secured with passwords
    • Ensure business Wi-Fi networks are secured at all times. Utilize a VPN (Virtual Private Network) when possible
  6. Ensure all devices are adequately secured — data leaks can occur across all channels. Important things to remember include:
    • Utilize complex passwords on mobile and computer devices
    • Limit users to only devices which can be adequately protected and monitored
    • Always install patches and updates as soon as they become available
    • Ensure all software downloads are from trusted sources
  7. Use encryption technology — This is a proven way to prevent security attacks. Studies in 2013 indicate that 73 percent of all breaches could have been prevented if encryption technology was utilized. Implementing encryption technology to protect consumer data is a safe harbor under most state or federal breach regulations, according to Beazley. Utilize a layered approach in all communication channels including computers, mobile devices, networks, and hard drives.
  8. Revise and improve your email usage standards — While 70 percent of businesses consider e-mail as the top means of communication, it is surprising that they often take so little care to secure it. Unsecured e-mail is easily accessed even by the most inexperienced hackers. E-mail confidentiality statements are not adequate, nor do they protect from regulatory violations. The only sensible solution is to implement a user-friendly e-mail security product or service.
— See also “Beazley announces finding from analysis of 1,500 data breaches,” Beazley, 18 September 2014; “Your Business Is Never Too Small For A Cyber Attack, Here’s How To Protect Yourself,” Forbes, 13 May 2013
Todd Sexton is the CEO of Identillect Technologies Inc.

Mandatory cybersecurity regulations necessary to protect U.S. infrastructure: Experts

Published 21 January 2015
Since last year’s cyberattacks made public the cyber vulnerabilities of major U.S. firms including Sony Entertainment, JPMorgan Chase, and Target, President Barack Obama has been on the offensive, proposing strict rules better to prosecute hackers and make U.S. firms responsible for protecting consumer information. Experts say, though, that private firms are unlikely, on their own, to make the necessary financial investment to protect against a critical infrastructure cyberattack. What is needed, these experts say, is a mandatory cybersecurity framework followed by all entities involved with critical infrastructure, strong protection of information regarding cyberattacks shared with DHS, and a sincere effort from the private sector to secure their own networks.
Since last year’s cyberattacks made public the cyber vulnerabilities of major U.S. firms including Sony Entertainment, JPMorgan Chase, and Target, President Barack Obama has been on the offensive, proposing strict rules better to prosecute hackers and make U.S. firms responsible for protecting consumer information. Obama’s cybersecurity proposals call for a law requiring companies to notify consumers of a data breach within thirty days of discovery, make it a crime to sell malicious software designed to control computers remotely (botnets), and allow the Justice Department to pursue criminals suspected of selling stolen financial information overseas. Obama also wants to make cybercrime punishable under the Racketeer Influenced and Corrupt Organizations (RICO) Act, a proposal he introduced to Congress in 2011.
Considering the rise in cyberattacks over the past three years, Congress is expected to support many of Obama’s cyber proposals. “The security of our computer networks is woefully inadequate, and the threats against them are growing more sophisticated each day,” said Senator Harry Reid (D-Nevada) in a statement on his Web site. “It is time to create the proper authorities and enhance the tools to protect the computer networks that are so crucial to our daily lives.”
Many private sector groups including the U.S. Chamber of Commerce and the National Retail Federation, also support Obama’s cyber proposals, but a growing number of industry experts who have reviewed the proposals have called them inadequate.
The proposals are unlikely to stop the influx of cyberattacks, said Albert Whale, founder and chief security officer of cybersecurity firm ITSecurity. “Proposals don’t get work done. However (the proposal) may be enough for executives and companies to finally spend the money to get started. We have to start somewhere; any first step we take is a step in the right direction.”
The Pittsburgh Post-Gazette notes that while criminalizing the sale of botnets and stolen financial information may reduce the frequency of attacks, unprotected systems that operate critical infrastructure will still remain vulnerable to hackers. “This is reinforcing the concept that cybersecurity is strictly a confidentiality problem and not a problem that could affect physical things like electric grids, pipelines — you name it — where equipment could be damaged or people killed,” said Joe Weiss, managing partner of industrial control systems cybersecurity firm Applied Control Solutions.
DHS has issued guidelines to protect critical infrastructure systems in the private sector, but according to Weiss, true protection would require collaboration with international firms who share the same control systems equipment as the United States. He calls for a mandatory cybersecurity framework followed by all entities involved with critical infrastructure, strong protection of information regarding cyberattacks shared with DHS, and a sincere effort from the private sector to secure their own networks.
For now, Weiss is not convinced that private firms will make the necessary financial investment to protect against a critical infrastructure cyberattack, since no U.S. firm has directly tied any physical damages to a cyberattack. “People have a tendency to not believe this is real. It’s all hypothetical, like you’d see it on TV but it could never really happen. So there’s a reticence to want to spend money on something they don’t want to believe is real,” Weiss said. “If you don’t believe it’s real, any money is too much money.”

U.S.-U.K. cyber war games to test the two countries’ cyber resilience

Published 22 January 2015
American and British security agencies have agreed to a new round of joint cyber “war games” to test each country’s cyber resilience. The move comes after a year of high profile cyberattacks against the U.S. private sector and after warnings from the U.K. Government Communications Headquarters that computer networks of British firms face daily attacks by hackers, criminal gangs, competitors, and foreign intelligence services.
“Just as we have worked with our closest ally, the U.S., to protect our people and our countries from traditional threats, so we must work together to defend ourselves from new threats like cyberattacks,” British prime minister David Cameron said last week.
The games will build on the successes of previous collaborations which have been a regular occurrence for nearly a decade. The cybersecurity industry supports the effort and many feel increasing collaboration between both countries is long overdue. “U.S. exercises, such as Cyber Flag and Cyber Guard which take place every year, have been a crucial factor in developing qualified responses to cyberattacks,” said Andy Settle, chief cybersecurity consultant and head of practice at Thales U.K. Unlike previous war games, the new exercises will go beyond testing systems for resilience against standard threats and will instead focus on custom malware built specifically to infiltrate a particular service, company, or industry.
According to ComputerWeekly, the major 2014 cyberattacks show that the economy and financial sector of both the United States and the United Kingdom are under considerable threat from cybercriminals and state-sponsored actors. Robert Norris, director of enterprise and cybersecurity at Fujitsu U.K. and Ireland, worries that recent Fujitsu research revealed that only a third of financial services organizations are “very confident” that they could guarantee security measures in the event of an IT failure. “Clearly there is a need to address these issues to ensure the finance industry does not fall victim to significant cyberattacks. The collaboration between the U.S. and U.K. will bring together companies at the forefront of the cyber security industry to share knowledge, skills and technologies which will help to address these growing threats and strengthen the defenses already in place,” he said. The first U.S.-U.K. cyber drill will involve the Bank of England and commercial banks, targeting London and Wall Street, following “further exercises to test critical national infrastructure,” according to a spokesperson for Cameron.
DHS has already issued voluntary cybersecurity guidelines for securing critical infrastructure, but hackers are constantly building more complex techniques to bypass security systems, therefore regular exercises will help keep cyber defenses up to date. “With the majority of their critical national infrastructure running on connected networks, these industries cannot afford to take any liberties,” said Ross Brewer, vice-president and managing director for international markets at LogRhythm.

European govts. urge U.S. tech companies to remove terrorist-related postings from sites

Published 22 January 2015

The terror attacks in Paris have led French and German authorities to call on U.S. tech firms to help identify terrorist communications and remove hate speech from social media sites. The United Kingdom has also, for several months now, pressed Internet firms to be proactive in removing extremist content such as videos of sermons by radical Islamic preachers or recruitment material, from their sites. German interior minister Thomas de Maizière has called on Twitter, Facebook, and other sites to work closely with law enforcement authorities. “The less people take responsibility, the more legislators will be forced to take the initiative,” he said at a recent cybersecurity conference.
U.S. tech firms do not see themselves as digital police forces, but they fear potential laws which may limit their operations in Europe.
“Just because the vast majority of this content is found on American services doesn’t reduce their impact on French people,” said French interior minister Bernard Cazeneuve. “We won’t succeed in our fight against terrorism unless Internet actors start taking responsibility.”
The Wall Street Journal notes that these recent requests for more cooperation between U.S. tech firms and European governments contrast with calls from many of the same governments who, following the Edward Snowden leaks, criticized U.S. tech firms for being too close to law enforcement agencies. The Paris attacks certainly have much to do with this shift in rhetoric, one U.S. tech executive points out.
Two weeks since the attacks, French authorities have flagged and requested the removal of more than 25,000 terrorist-supporting postings on Internet sites. “It’s a major issue,” Cazeneuve said. In response, hackers linked to terror groups, including the Islamic State (ISIS), have launched almost 1,300 cyberattacks aimed at taking French Web sites offline or defacing them with pro-jihadi messages. On Tuesday, French newspaper Le Monde confirmed that hackers linked to ISIS unsuccessfully attempted to take control of its publishing tools.
“This is something we’ve never seen before,” said Vice Adm. Arnaud Coustillière, head of cyberdefense for the French army.
U.S. tech firms object to European governments’ requests for pre-emptive filtering, partly because it is challenging to distinguish hate speech automatically from sarcasm and hyperbole. Facebook’s vice president for messaging products, David Marcus, said this week that the company individually removes content which supports terrorism. “Anything remotely connected to that is generally gone from the platform the minute we see it,” said Marcus. “If there are requests from law enforcement we make sure they are real requests; if not, we fight back.”
U.S. tech firms also note that they already collaborate with foreign law enforcement authorities in matters of emergency. Following the Paris attacks, Microsoft Corp. answered French authorities’ request for e-mail content from two customer accounts within forty-five minutes. The content delivered to the FBI at France’s request is an example of existing relationships with foreign governments, said Brad Smith, Microsoft’s general counsel. “There are times, especially in emergency situations, when existing international legal processes work well.”
The next few weeks will reveal how tech companies decide to respond to European requests. One U.S. tech executive suggested that the United Kingdom, France, and Germany are pushing for faster responses “just to appear tough on terrorism.”

Tuesday, January 20, 2015

If you seek to “switch off” encryption, you may as well switch off the whole Internet

By Bill Buchanan
Published 19 January 2015

Prime Minister David Cameron has stated that the U.K. government will look at “switching off” some forms of encryption in order to make society safer from terror attacks. This might make a grand statement but it is impossible to implement and extremely technologically naïve.
Encryption is a core part of the Internet; its use is increasing every day — Google’s services, including search and e-mail, use encrypted streams, as do Facebook and Twitter and many other widely used sites. Encryption makes it almost impossible for eavesdroppers to read the contents of the traffic. It is the foundation upon which all e-commerce is based.
It’s just impossible to ban. There is no way to define a law which constrains the use of encryption. Would it be only when used in certain applications (such as email), or by disallowing certain methods (such as the encryption program PGP)? Would using a Caesar code, a cipher nearly 2,000 years old, be illegal?
Such a move would make the United Kingdom — or any country that followed suit — unsafe in which to do business. Free countries wouldn’t consider switching off encryption due to the insecurity it introduces for both consumers and businesses.
Much online content accessed in the United Kingdom is actually stored and processed outside the country. Someone who suspects that they may be monitored can set up a secure connection to a remote site in the cloud — Amazon’s for example — and store and process information there. How would this fall under any new law?
And where would the ban end? Would it include character encoding, such as the Base-64 encoding that allows for e-mail attachments, or the encoding that provides non-Roman character sets for other languages? Encryption is also the basis for cryptographic signing, a digital signature used by all manner of organizations to verify that digital content — software, audio-visual media, financial products — is what it claims to be. It is the basis of trust on the internet.
We have a right to some privacy. Most people would object to their letters being examined or their phones being tapped — and the rights enjoyed in the days of traditional communications should be no different when applied to their modern digital equivalents.
We also have a right to protect ourselves. With major losses of data occurring regularly, whether from attacks or due to error, we need to protect ourselves and our data. Encryption of data when stored or communicated is one way of doing so. The tools used by the security services to hack systems and break encryption are largely the same used by criminal hackers — reducing encryption levels will increase our vulnerability to both.
The trouble with cryptography
Law enforcement agencies have had an easy ride with computer systems and the internet — it’s relatively easy to pull evidence from the hard drives of suspects, given the lack of security. But the increasing focus on privacy and security has put the pressure on investigators. The battle lines between the right to privacy and the need to investigate crime have been drawn.
The Internet was not designed with security in mind, and most of the protocols in use — HTTP, Telnet, FTP, SMTP — are clear-text and insecure. Encrypted versions such as HTTPS, SSH, FTPS and authenticated mail are replacing them by adding a layer of security through Secure Sockets Layer (SSL). While not perfect, this is a vast improvement over a system where anyone can intercept a data packet and read (and change) its contents. The natural step forward is to encrypt the data where it is stored at each end, rather than only as it is transmitted — this avoids what’s called a man-in-the-middle attack (interception of traffic en route by a third party impersonating the recipient), and the encryption key needed to decode the message then resides only with those who have rights to access it.
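As an added illustration of the point above (not code from the article), the following Python script contrasts a clear-text message, which any node on the path can read and rewrite, with the same message protected end to end with an authenticated cipher. The one-time-pad plus HMAC construction and the key shared out of band by the two endpoints are assumptions standing in for a real cipher such as AES-GCM; the message itself is a constructed sample.

```python
"""Clear-text versus end-to-end protected messages (added example).

Uses only the Python standard library. The XOR one-time pad with an HMAC
tag is a simplified stand-in for a real authenticated cipher (e.g. AES-GCM).
The key is assumed to be shared out of band by the two endpoints and is
never available to the intermediary on the path.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample: the kind of clear-text line a legacy protocol carries.
CLEARTEXT_MESSAGE = b"TRANSFER 100 GBP TO ACCOUNT 12345678"

TAG_LEN = 32          # HMAC-SHA256 output size
MAC_KEY_LEN = 32      # first 32 key bytes feed the MAC, the rest is the pad


def intermediary_reads(wire_bytes: bytes) -> bytes:
    """A node on the path sees exactly the bytes that were sent."""
    return wire_bytes


def intermediary_rewrites(wire_bytes: bytes, old: bytes, new: bytes) -> bytes:
    """A man-in-the-middle substitutes content while it is in transit."""
    return wire_bytes.replace(old, new)


def new_endpoint_key(message_len: int) -> bytes:
    """Fresh random key: MAC key followed by a pad long enough for one message."""
    return secrets.token_bytes(MAC_KEY_LEN + message_len)


def e2e_protect(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC at the sending endpoint; returns tag || ciphertext."""
    mac_key, pad = key[:MAC_KEY_LEN], key[MAC_KEY_LEN:]
    if len(pad) < len(plaintext):
        raise ValueError("one-time pad shorter than message")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def e2e_open(wire_bytes: bytes, key: bytes) -> Optional[bytes]:
    """Verify the tag first, then decrypt; None means tampering or wrong key."""
    mac_key, pad = key[:MAC_KEY_LEN], key[MAC_KEY_LEN:]
    tag, ciphertext = wire_bytes[:TAG_LEN], wire_bytes[TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def cleartext_scenario() -> Tuple[bytes, bytes]:
    """Returns (what the intermediary read, what the recipient received)."""
    seen = intermediary_reads(CLEARTEXT_MESSAGE)
    delivered = intermediary_rewrites(CLEARTEXT_MESSAGE, b"12345678", b"99999999")
    return seen, delivered


def encrypted_scenario() -> Tuple[bool, Optional[bytes], Optional[bytes]]:
    """Returns (intermediary could read plaintext?, untouched delivery, tampered delivery)."""
    key = new_endpoint_key(len(CLEARTEXT_MESSAGE))
    wire = e2e_protect(CLEARTEXT_MESSAGE, key)
    could_read = CLEARTEXT_MESSAGE in intermediary_reads(wire)
    untouched = e2e_open(wire, key)
    # The intermediary flips one bit of the ciphertext: the tag no longer matches.
    tampered_wire = wire[:-1] + bytes([wire[-1] ^ 0x01])
    tampered = e2e_open(tampered_wire, key)
    return could_read, untouched, tampered


if __name__ == "__main__":
    print("clear-text:", cleartext_scenario())
    print("end-to-end:", encrypted_scenario())
```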
Keeping defense on its toes
Reading enemy communications provides a considerable advantage, so cryptography has become a key target for defense agencies. Conspiracy theories have blossomed around the presence of backdoors in cryptography software. Defeating encryption otherwise requires finding a flaw in the methods used (such as the Heartbleed bug discovered in OpenSSL) or with the encryption keys (such as weak passwords).
There has been a long history of defense agencies trying to block and control high-grade cryptography. The U.S. government took copies of encryption keys through its Clipper chip, attempted to prevent publication of the RSA public key encryption method, and dragged Phil Zimmermann through the courts after claiming that his PGP (“pretty good privacy”) encryption software leaving the country was tantamount to illegally exporting weapons.
Hand me your finger
Ultimately username and password combinations alone are too insecure, as computers are now sufficiently powerful to perform brute-force attacks by checking all possible permutations of characters. The introduction of multi-factor authentication improves this by requiring two or more methods such as passwords, access cards, text messages or even fingerprints.
But Virginia Circuit Court judge Steven C. Fucci ruled last year that fingerprints are not protected by the Fifth Amendment (“no person shall be compelled in any criminal case to be a witness against himself”). This means that those using their fingerprints as access keys may have to offer them up to investigators. Unusually, the same does not apply to passwords.
The U.K. equivalent, the right to silence, also comes with encryption key-related exceptions: failing to hand them over is an offense in itself.
Encryption by default
Both Apple’s iOS and Google’s Android operating systems for phones and tablets now offer encryption by default, so that data on their devices are protected straight out of the box. Now that we carry so much data with us on our phones, one might reasonably ask why this took so long.
Of course this ratchets up the tension between privacy and police investigation. With iOS 8 and Android Lollipop, there are no electronic methods to access encryption keys from existing digital forensics tool kits, nor will the users have a password to hand over, so the encryption method technically breaches the law in both the United States and the United Kingdom. The same battle rages over the encrypted Web service Tor, which law enforcement sees as a domain where crime can go undetected, but which privacy-minded advocates see as an important bulwark against authoritarianism.
The technical case for switching off encryption is simply a non-starter. In fact we are moving in the opposite direction, replacing the old, open Internet with one that incorporates security by design. If you wish to switch off encryption, it will unpick the stitching that holds the Internet together.

Bill Buchanan is Head, Center for Distributed Computing, Networks and Security at Edinburgh Napier University. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).

Concerns grow about attacks on rail systems by domestic terrorists

Published 19 January 2015

The terror attacks in Paris have renewed a sense of insecurity among residents of major U.S. cities. One of the latest Islamic State threats calls on its supporters to target and bomb key U.S. targets, including public transportation hubs, and even police stations. Law enforcement officers in New York have been ordered to remain vigilant. “Pay close attention to people as they approach and look for their hands as they approach you,” reads an internal New York Police Department safety memo which the Daily News obtained.
As DHS officials focus on assuring the American public that security agencies remain on high alert, last week’s incidents on two of the nation’s major metropolitan rail systems raised more concerns about public safety and preparedness.
Last Monday, one person died and eighty-four fell ill after heavy smoke filled the L’Enfant Plaza Metro in Washington, D.C. Officials believe an “electrical arcing event” caused the incident. “The train did not derail. There was no fire on the train. The arcing event was on the wayside, involving the third rail and the supply cables going to the third rail,” National Transportation Safety Board Investigator Mike Flanigon said. “The early indications are this did not involve terrorism but involved a mechanical failure that occurred,” White House press secretary Josh Earnest told reporters.
The following day, roughly 150 New York Fire Department firefighters responded to a three-alarm fire at a construction site in Penn Station that began before 2.30 a.m. The fire, labeled an accident, injured two firefighters. Western Journalism notes that an ISIS supporter published multiple threats on Twitter a few hours before the fire, warning that “tomorrow New York will burn” and predicting a “3:00 a.m. bomb.”
From the 1997 New York City subway-bombing plot to the attacks in Madrid (2004) and London (2005), terrorists have targeted Western rail systems. Between September 2001 and December 2011, at least 838 attacks on passenger rail systems have killed more than 1,370 people. Al-Qaeda militants in Guantanamo told interrogators in 2003 of a plot to target the D.C. metro rail system, and in 2010, Afghan-born jihadist Najibullah Zazi pleaded guilty to terrorism charges after planning to blow up New York subways. Last year, two al-Qaeda-backed terrorists were arrested after plotting to bomb and derail Canada’s rail service between Toronto and Penn Station.
Some commuters involved in the D.C. metro incident reported that the evacuation process was “poorly managed.” “It’s disheartening because there did not appear to be an emergency plan,” said longtime metro rider Lesley Lopez. Chris Geldart, director of the District of Columbia’s Homeland Security and Emergency Management Agency, insists that the response was as efficient as possible given the circumstances. “We had our firefighters go down in a smoke-filled subway tunnel with 200 people on a train and all of the people coming out of the station itself. To … do an event where we go through and do what we call a mass casualty — assess all the folks and get 84 people transferred all in the amount of time that they did it — that’s a good response.”

University of Maryland opens new drone test facility

Published 11 December 2014
The University of Maryland has recently opened a new drone test site on the Eastern Shore which will allow researchers and students to help in the safe development of drones for use in U.S. airspace. The university will partner with companies to develop projects in a safe space. Already there are plans to use drones to monitor fish populations in the nearby Chesapeake Bay, examine power lines in the southern part of the state, and perform jobs which are considered “dirty, dull [or] dangerous,” in the words of the head of the facility.
University of Maryland launches drone test facility // Source: umd.edu
The University of Maryland has recently opened a new drone test site on the Eastern Shore which will allow researchers and students to help in the safe development of drones for use in U.S. airspace.
The Baltimore Sun reports that after years of planning and coordination, the facility is now open for business. Last Friday, the state Economic Development Secretary Dominick Murray called the potential of the project and the technology “unbelievable.”
“[It] will give industry a place to go,” said Matt Scassero, a former Navy pilot who is in charge of the facility.
Scassero’s statement comes against a backdrop of continuing controversy over the place and role of drones in the United States. Privacy groups are wary of drones being used by law enforcement, while others fear privacy violations by prying media. The commercial aviation industry is concerned with safety issues in crowded skies.
Many, however, see the benefits of the technology — such as their use to deliver goods, monitor agricultural sites, and measure environmental conditions around the country.
The Maryland facility opens at a time when the Federal Aviation Administration (FAA) is supporting research into how drones may be safely used by private industry. With few exceptions, industry is currently not allowed to operate drones.
The university will partner with companies to develop projects in a safe space. Already there are plans to use drones to monitor fish populations in the nearby Chesapeake Bay, examine power lines in the southern part of the state, and perform jobs which are considered “dirty, dull [or] dangerous,” in Scassero’s words.
The university successfully launched its first drone last week, but there is still uncertainty about how much drone use will be allowed in the future. Congress has directed the FAA to develop policies and regulations for drone flight. Currently, each operation at the site requires a separate FAA authorization.
The FAA, however, is considering an amendment which would allow certain small drones to fly at lower altitudes, but clearances for larger models are likely further away, probably beyond two years.
“With any revolutionary or disruptive technology it always outpaces the regulations,” said Michael Toscano, the head of an unnamed drone industry group. “You don’t write laws for things you don’t know about.”
At the University of Maryland, however, they are focusing on securing a successful flight, and on how these tests can benefit the state. After the successful flight of a radio-controlled propeller craft on Friday, the team loaded it up and returned it to the campus, a symbol of what the future may bring to the site.

Terrorists develop tactics to evade U.S. drones

Published 9 January 2015
The CIA’s use of Predator drones against Islamic militants in the Middle East began shortly after the 9/11 attacks and has increased dramatically during the Obama administration. As the number of drone strikes in Yemen increased, AQAP militants began to develop tactics to hide themselves from a drone’s sensors.

The CIA’s use of Predator drones against Islamic militants in the Middle East began shortly after the 9/11 attacks and has increased dramatically during the Obama administration. Only a handful of drone strikes were issued through much of the 2000s, but in 2012 alone, forty-one strikes were aimed at Al-Qaeda in the Arabian Peninsula (AQAP), followed by twenty-six in 2013 and twenty-three in 2014, according to the Long War Journal. Many of these strikes have killed high-value targets, including the first major strike in 2002, which killed Ali Qaed Senyan al-Harthi and five other militants as they rode in a jeep across the desert. Anwar al-Awlaki, the American-born cleric who recruited militants across the world to join al-Qaeda in Yemen, was also killed in a drone strike in 2011.
As the number of drone strikes in Yemen increased, AQAP militants began to develop tactics to hide themselves from a drone’s sensors.
In a recent AQAP video posted on social media sites, militants describe how fighters can avoid detection by U.S. drones. According to the Washington Times, the video, “Combating Spy Airplanes,” shows a step-by-step process for making and using an aluminum-based portable body wrap which it claims will prevent the drone’s infrared cameras from detecting a human’s heat signature. “The aluminum is supposed to act like a heat barrier, keeping the fighter’s body heat from being detected by the drone camera system,” read an analysis by the Middle East Media Research Institute (MEMRI). A camouflage version of the wrap is said to help hide fighters from the drones during the day.
Whether AQAP’s body wrap is actually effective is unclear, but the idea of it shows how militants are studying U.S. military tactics, and then countering them. The homemade AQAP instructional video uses clips from the Pentagon’s official video of the Predator drone. A spokesman for U.S. Central Command, which conducts military operations in Yemen, said “For operational security reasons, we wouldn’t discuss the possible effectiveness or ineffectiveness of specific enemy (tactics, techniques and procedures) nor would we speculate on how they derive their information.”
Some military analysts question the gains made by U.S. efforts in Yemen. They claim AQAP is controlling more territory now than before. “Our long drone war against AQAP has been remarkably ineffective,” said Robert Spencer, who heads Jihad Watch. “Awlaki was killed, but AQAP now controls much of Yemen and acts at will there. They are clearly not cowed, not afraid, not on the defensive.”
Others believe that the need for terrorists to produce videos promoting tactics for countering drones means that the Predator strikes are effective. “One part of their military strategy is to distribute videos and information to followers online, particularly via Twitter and YouTube, showing that they are actively engaged in countering the impact drones have had on their capabilities,” said Steven Stalinsky, executive director of MEMR

Thursday, January 15, 2015

Cybercrime imposing growing costs on global economy

Published 12 January 2015
A new report has found that the cost of cybercrime to the global community and infrastructure is not only incredibly high, but steadily rising as well. The study concluded that up to $575 billion a year — larger than some countries’ economies — is lost due to these incidents. The emergence of the largely unregulated, and unprotected, Internet of Things will make matters only worse.
A new report released by the Center for Strategic and International Studies (CSIS) and the Intel Security Group has found that the cost of cybercrime to the global community and infrastructure is not only incredibly high, but steadily rising as well.
As the Telegraph reports, the study carried out by the two organizations concluded that up to $575 billion a year — larger than some countries’ economies — is lost due to these incidents. Additionally, up to 150,000 jobs could be lost in Europe due to damage from cybercrime and the theft of personal records from 40 million people in the United States, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and over 20 million in China. These thefts have occurred due mostly to the vulnerability of the majority of the world’s data.
Additionally, the report broke down which types of attacks had occurred, including the percentages of “physical” attacks, data leaks, password captures, and stolen accounts. Further, the researchers found a significant rise in these events from the previous year, as well as an increase between 2012 and 2013.
The culprit? The majority of the world does not properly value the precautions needed for actual cyber security.
“One worrying finding is that 260 incidents involved organizations that have reported a data breach in the past, and 60 organizations reported multiple incidents in 2013,” said Barry Kouns, president and CEO of Risk Based Security. “I would not want to be the one to explain that to stakeholders.”
Additionally, the Internet of Things (IoT), or the interconnectedness of non-human devices to the Internet, is making the damage much more severe — whether it is through cell phones, utility computers, corporate networks, or even home appliances.
“Once you connect thirty billion devices to the Internet you are opening yourself up to a much bigger attack surface,” said Neil Thacker, an Information Security & Strategy Officer for security firm Websense.
Because of this, many are seeing a greater threat to the actual infrastructure of the global community, since the IoT has been so plugged into that but is still largely unregulated — and unprotected.
These incidents are beginning to be taken more seriously following these ever-alarming numbers. The U.S. State Department has planned a summit to tackle the issue more head-on.
“The inaugural meeting…will formalize and broaden co-operation of cyber issues as envisioned during the US-EU Summit. This cooperation is founded on our shared interest in an open and inter-operable internet, and our commitment to a multi-stakeholder approach to internet governance, internet freedom, and the protection of human rights in cyberspace,” the department stated.

Obama to unveil several cybersecurity initiatives this week

Published 12 January 2015

President Barack Obama, in anticipation of the 20 January State of the Union address, has been sharing details of his address to generate buzz. “I didn’t want to wait for the State of the Union to talk about all the things that make this country great and how we can make it better, so I thought I’d get started this week,” Obama said last week in Michigan, where he discussed more plans for a rebounding U.S. auto industry. “I figured, why wait? It’s like opening your Christmas presents a little early.”
The New York Times reports that this week, Obama will focus on cybersecurity initiatives, including identity theft and electronic privacy laws, aimed at protecting citizens and the private sector.
Later today, speaking at the Federal Trade Commission, Obama will announce plans to tackle identity theft and improve consumer and student privacy. Last October, Obama signed an executive order creating the BuySecure Initiative, which equipped government payment cards with chip and PIN technology that makes them more difficult to counterfeit. Today, Obama “will discuss the next steps in his BuySecure Initiative on consumer financial protection and new efforts to bring more innovation to the classroom by bringing peace of mind to educators and parents,” according to an official White House statement.
On Tuesday, at the National Cybersecurity and Communications Integration Center, Obama will discuss plans to improve cyber information sharing between the private sector and the federal government. The Cyber Intelligence Sharing and Protection Act (CISPA) would encourage the private sector to share information about cyberattacks with federal agencies, specifically DHS and the Justice Department, and would shield them from some privacy protection laws. Previous attempts in Congress to pass an information sharing bill failed. Representative Dutch Ruppersberger (D-Maryland), a former top Democrat on the U.S. House Intelligence Committee, reintroduced the bill last week. The bill is likely to receive more support from a Republican-led Congress.
On Wednesday, Obama will be in Iowa to announce a policy package designed to provide affordable access to broadband Internet nationwide.
On Thursday, Vice President Joe Biden, in Norfolk, Virginia, will announce new funding to help train more people to work in the cybersecurity industry. Last September, roughly $450 million in grants was awarded to community colleges working with employers on cyber-related job training.
The move to make cybersecurity a key White House initiative in 2015 comes weeks after the Sony hack and months after cyberattacks on several U.S. companies including banks, retailers, and other service providers. In February 2013, Obama issued an executive order to improve cybersecurity for critical infrastructure, and in February 2014, the National Institute of Standards and Technology released the Cybersecurity Framework, a set of cybersecurity guidelines for businesses and organizations.

Last Year's Cyberattacks; Something Must Be Done!

Last year in September, Home Depot confirmed that the company had been attacked by hackers since April. As a result, 56 million Home Depot accounts were put at risk. The company anticipated paying $62 million to foot the bill for the attack. Those expenses include legal fees and overtime compensation for staff, and the attack caused an estimated $90 million in costs for banks to replace 7.4 million debit and credit cards. Staff within Home Depot, who chose to remain anonymous, stated that the company’s information security department struggled with old software and high turnover. Home Depot resisted using the Endpoint security feature of Symantec’s cybersecurity program, a feature that tracks suspicious activity and alerts system administrators to it. The company refused to use this security feature even though security specialists suggested that it do so. More appalling, the company did not encrypt customer card data until September 2014. Of course, we are not going to prevent every attack; cyberattacks are inevitable. However, there is no excuse for a large company like Home Depot not taking the necessary steps to protect itself. A company has much at stake, and it at least owes it to its customers, if no one else, to provide adequate protection. Now, customers might think twice about purchasing from Home Depot as a result of improper preparation. It would have been one thing if the proper steps of security had been taken ahead of time, but it is inexcusable not to take the proper precautions. Preparation is essential in securing our Homeland; without preparation we can expect an early demise. Home Depot was not the only company attacked, however: Target, J.P. Morgan, Staples, Healthcare.gov, Neiman Marcus, and many others also suffered cyberattacks that left customers susceptible.

Written by Bria White, a Homeland Security Graduate Assistant for the University of the District of Columbia.

Wednesday, January 14, 2015

Be prepared: What to do if an asteroid is heading our way

I am interested in what the dialogue will be about preparing for such an unexpected, massive catastrophe like this. It is certainly not an easy task, but being prepared for something like this is essential. This article speaks to preparedness, action, and reaction; which is the framework of Homeland Security.

Published 19 December 2014
Last month, experts from European Space Agency’s (ESA) Space Situational Awareness (SSA) program and Europe’s national disaster response organizations met for a two-day exercise on what to do if an asteroid is ever found to be heading our way. The exercise considered the threat from an imaginary, but plausible, asteroid, initially thought to range in size from twelve meters to thirty-eight meters — spanning roughly the range between the 2013 Chelyabinsk airburst and the 1908 Tunguska event — and travelling at 12.5 km/s. Teams were challenged to decide what should happen at five critical points in time, focused on 30, 26, 5, and 3 days before and one hour after impact.
Asteroid Eros // Source: commons.wikimedia.org
The European Space Agency (ESA) and national disaster response offices recently rehearsed how to react if a threatening space rock is ever discovered to be on a collision course with Earth.
Last month, experts from ESA’s Space Situational Awareness (SSA) program and Europe’s national disaster response organizations met for a two-day exercise on what to do if an asteroid is ever found to be heading our way.
In ESA’s first-ever asteroid impact exercise, they went through a countdown to an impact, practicing steps to be taken if near-Earth objects, or NEOs, of various sizes were detected.
An ESA release reports that the exercise considered the threat from an imaginary, but plausible, asteroid, initially thought to range in size from twelve meters to thirty-eight meters — spanning roughly the range between the 2013 Chelyabinsk airburst and the 1908 Tunguska event — and travelling at 12.5 km/s.
Critical times to take action
Teams were challenged to decide what should happen at five critical points in time, focused on 30, 26, 5, and 3 days before and one hour after impact.
“There are a large number of variables to consider in predicting the effects and damage from any asteroid impact, making simulations such as these very complex,” says Detlef Koschny, head of NEO activities in the SSA office.
“These include the size, mass, speed, composition and impact angle. Nonetheless, this shouldn’t stop Europe from developing a comprehensive set of measures that could be taken by national civil authorities, which can be general enough to accommodate a range of possible effects.
“The first step is to study NEOs and their impact effects and understand the basic science.”
How should Europe react?
Participants came from various departments and agencies of the ESA member states Germany and Switzerland, including Germany’s Federal Office of Civil Protection and Disaster Assistance. They studied questions such as: how should Europe react, who would need to know, which information would need to be distributed, and to whom?
“For example, within about three days before a predicted impact, we’d likely have relatively good estimates of the mass, size, composition and impact location,” says Gerhard Drolshagen of ESA’s NEO team.
“All of these directly affect the type of impact effects, amount of energy to be generated and hence potential reactions that civil authorities could take.”
Chelyabinsk: Injuries due to overpressure
During the 2013 Chelyabinsk event, for instance, the asteroid, with a mass of about 12,000 tons and a size of nineteen meters, hit the upper atmosphere at a shallow angle and a speed of about 18.6 km/s, exploding with the energy of 480 kilotons of TNT at an altitude of 25-30 km.
While potentially a real hazard, no injuries due to falling fragments were reported. Instead, more than 1,500 people were injured and 7,300 buildings damaged by the intense overpressure generated by the shockwave at Earth’s surface.
Many people were injured by shards of flying glass as they peered out of windows to see what was happening.
“In such a case, an appropriate warning by civil authorities would include simply telling people to stay away from windows, and remain within the strongest portions of a building, such as the cellar, similar to standard practice during tornadoes in the United States,” says Gerhard.
In a real strike, ESA’s role would be crucial. It will have to warn both civil protection authorities and decision-makers about the impact location and time. It would also have to share reliable scientific data, including possible impact effects, and provide trustworthy and authoritative information.
Establishing internationally coordinated procedures
The exercise ended on 25 November, a significant step forward in highlighting the unique factors in emergency planning for asteroid strikes, and possible courses of action. It also clarified a number of open points, including requirements from civil protection agencies and the type and time sequence of information that can be provided by ESA’s SSA.
It is another step in the continuing effort to set up an internationally coordinated procedure for information distribution and potential mitigation actions in case of an imminent threat.
The release notes that ESA’s NEO team is also working with international partners, agencies and organizations, including the UN, to help coordinate a global response to any future impact threat (see “Getting ready for asteroids”).
With the aim of strengthening ESA’s and Europe’s response, similar exercises will be held in the future. The next, in 2015, will include representatives from additional countries.

The science of airport bomb detection: chromatography

By Martin Boland
Published 12 December 2014
As the holidays draw near, many of us will hop on a plane to visit friends and family — or just get away from it all. Some will be subjected to a swab at the airport to test clothes and baggage for explosives. So how does this process work? The answer is chromatography — a branch of separation chemistry — along with mass spectrometry. Although instrumental chromatography is a mature technology (the first instruments were produced just after WWII), new applications frequently pop up. Some are a matter of scale. Pharmaceutical companies that produce monoclonal antibodies (often used in cancer treatments) make use of capture chromatography to purify their products. On an industrial scale these can be tens of centimeters in diameter and meters in length (typical lab-scale systems are a few millimeters in diameter and 5-30 cm long). Other uses are specific new applications, such as detecting cocaine on bank notes using the gas chromatography systems often seen at airports as bomb and drug detectors.

As the holidays draw near, many of us will hop on a plane to visit friends and family — or just get away from it all. Some will be subjected to a swab at the airport to test clothes and baggage for explosives. So how does this process work?
The answer is chromatography — a branch of separation chemistry — along with mass spectrometry (which I will address in a later article).
The word “chromatography” is roughly translated from Greek as “the science of colors.” The reason for the name becomes obvious when you realize that most people have accidentally performed a simple chromatography experiment.
If you’ve ever spilled water onto a hand-written shopping list, then held it up to let the water run-off, you’ve probably noticed the ink diffuses across the paper, and that the pen’s color is made up from several pigments (if you’ve not, you can do the experiment — try it with a couple of pens of different brands, but the same color). This separation is chromatography.
There are several different types of chromatographic separation. What they all have in common is that a mixture of materials that need to be separated (the analytes) is washed over a solid material (called the matrix), causing the analytes to separate.
That may sound like chromatography is just filtration, or separation by particle size. In some cases, that is almost exactly what happens (size exclusion chromatography is often referred to as gel filtration chromatography).
But most chromatography methods work by some other chemical effect than just the size of the materials being separated, including (but not limited to):
  • normal-phase chromatography, such as ink on paper
  • reverse-phase chromatography, often used in university lab experiments
  • gas chromatography, seen in airport bomb detectors
  • “capture” chromatography, used to purify drugs.
Each of these can be performed with a single solvent, such as dropping water on your shopping list (known as isocratic, Greek for “equal power”), or with a changing mixture of solvents (known as a gradient).
So how does it work?
Technically speaking, it is the differential affinity of the analyte for the solvent and the solid matrix that drives chromatographic separation. So what does that mean, really?
You’ll need to bear with me here.
Have you ever been shopping with someone who stops to look at things while you’re trying to move through the store as quickly as possible?

Nuclear facilities Studying cancer risks near nuclear facilities

Published 6 January 2015
The National Academy of Sciences has issued a brief report which provides an expert committee’s advice about general methodological considerations for carrying out a pilot study of cancer risks near seven nuclear facilities in the United States. The pilot study will assess the feasibility of two approaches that could be used in a nationwide study to analyze cancer risk near nuclear facilities regulated by the U.S. Nuclear Regulatory Commission (NRC).

Analysis of Cancer Risks in Populations Near Nuclear Facilities: Phase 2 Pilot Planning is a brief report from the National Academy of Sciences that provides an expert committee’s advice about general methodological considerations for carrying out a pilot study of cancer risks near seven nuclear facilities in the United States. The pilot study will assess the feasibility of two approaches that could be used in a nationwide study to analyze cancer risk near nuclear facilities regulated by the U.S. Nuclear Regulatory Commission (NRC).

A NAS release notes that the report comprises the committee’s advice, which is presented in the form of fourteen considerations related to procedures and methodologies for carrying out the pilot study; it is not intended to be a comprehensive workplan of how to conduct the pilot study. Among the considerations is an emphasis on transparency during the pilot study with respect to process, procedures, assumptions, and uncertainties about available information — as well as an emphasis on ongoing, two-way communication with stakeholders and the public.
One of the approaches that could be used in the pilot study is a population-level, or ecologic, study that would describe the rates of cancer occurrence and death in populations that live within approximately thirty miles of nuclear facilities. The ecologic study would examine multiple cancer types at all ages. A second approach is a case-control study, which would assess whether children younger than fifteen years old born near a nuclear facility are at a higher risk of developing cancer than those born farther away but still within a 30-mile radius of the facilities.
The pilot study will make use of existing health information from state cancer registries and vital statistics offices along with data from the nuclear facilities on radioactive effluent releases. The committee that wrote the report cautions that because of the small sample size, data collected during the pilot study will have limited use for estimating cancer risks in populations near the seven pilot nuclear facilities. Interpretation and communication of risk estimates from the pilot study, if reported, should be done with great caution. Carrying out the pilot study, which was recommended in a 2012 National Academy of Sciences report, is subject to receipt of funding from the sponsor, the U.S. Nuclear Regulatory Commission.
— Read more in Analysis of Cancer Risks in Populations Near Nuclear Facilities: Phase 2 Pilot Planning (National Academies Press, 2014)

New technology quickly traces source of tainted food

Published 8 January 2015

Foodborne illnesses kill roughly 3,000 Americans each year, and about 1 in 6 Americans are sickened, according to the Centers for Disease Control and Prevention.
Yet most contaminated foods are never traced back to their source. This is because existing methods to track tainted food following its supply chain from table to farm are highly inefficient, jeopardizing the health of millions and costing the food industry billions. A typical process to trace food includes interviewing consumers and suppliers and examining every detail of the supply chain, a tedious method that takes weeks at best to complete.
Lawrence Livermore National Laboratory (LLNL) researchers, in collaboration with the startup DNATrek, have developed a cost-effective and highly efficient method to accurately trace contaminated food back to its source. Lawrence Livermore originally designed the technology, known as DNATrax, to safely track indoor and outdoor airflow patterns.
“One of the unexpected capabilities from DNATrax was being able to apply it to food products,” said George Farquar, an LLNL physical chemist who led a team of researchers that developed the technology for biosecurity applications. “You can spray it on food products in the field to identify and track the source of the food.”
An LLNL release reports that DNATrax consists of particles composed of sugar and non-living, non-viable DNA that serve as an invisible barcode. It is an odorless and tasteless substance that has been approved by the Food and Drug Administration as a food additive, safe for consumption. Think of it as a microscopic barcode that is sprayed on food at the farm or processing plant.
If the food turns out to be contaminated when it reaches the store or dinner table, DNATrax can be lifted off the food and analyzed in the lab using polymerase chain reaction (PCR) to identify the source in an hour. A tainted apple, for example, can be traced back to the orchards by DNATrax to determine when it was picked, who picked it and potentially which tree it came from.
“We all hear horror stories about contaminated foods,” said DNATrek CEO Anthony Zografos, who recently licensed the technology from Lawrence Livermore. “We are not prepared to deal with an outbreak of pathogens such as E. coli and salmonella in tainted foods. However, DNATrax is a quick and efficient way to stop these foods from sickening more people and costing producers more money due to massive recalls triggered by poor traceability.”
About 128,000 Americans are hospitalized each year from contaminated foods, according to CDC statistics. Beyond health concerns, foodborne illnesses cost the food industry nearly $70 billion annually in the form of recalls and other related costs, according to the FDA.
DNATrax also can be used to trace fraudulent food back to producers using similar methods. Mislabeled foods are becoming a serious problem that is costing the food industry billions of dollars, Zografos said. It is particularly problematic with premium goods such as olive oil and wine.
“Usually, the producers themselves are not the ones who commit the fraud,” Zografos said. “It’s committed down the supply chain.”
In the case of olive oil, DNATrax can be added to the olives as they are pressed into oil. If the fraudulent bottle is pulled off a store’s shelf, a quantitative analysis can be done on the DNATrax to determine how much of the oil has been diluted.
DNATrax’s original application was to monitor airflow patterns inside buildings and other facilities to plan safe evacuation routes, and outside to determine the routes that biological agents travel. The technology does not detect biological agents; it is used in advance to ensure that detection systems work properly.
To do this, tiny DNATrax particles are released as an aerosol and carried by the airflow inside a building. The particles are collected from the interior or exterior by swipes or filters, in a manner similar to forensic investigations. Using a PCR thermal cycler, a common instrument that serves as a photocopier for DNA, the data are analyzed to provide information that can be used to improve the ability to protect lives if a harmful biological agent is released intentionally or accidentally.
“This technology provides a safe and cost-effective way to ensure biodetection systems are working as designed,” Farquar said. “So far, we’ve successfully conducted three tests at the Pentagon. Each test provided valuable information on how to enhance the Pentagon’s biodetection systems.”
In the future, Farquar hopes DNATrax can be used to assist in training to determine whether personal protective equipment (PPE) — such as the hazmat suits used by emergency responders and health care workers to treat Ebola patients — has been breached. The DNA particles can be applied to the PPE’s exterior, and if the particles appear on a person’s skin, then a breach has occurred.
“This is important because current detection methods give a false impression of PPEs working properly,” Farquar said.

When the camera lies: our surveillance society needs a dose of integrity to be reliable


We all have rights, that is without a doubt, but the real question is: When should the government draw the line on watching its citizens? Sure, cameras are there to keep us safe and to ensure that nothing illegal goes on, I get that. But it seems the government is taking omnipresence to another level (being present in all places at all times). But when is enough, enough? When does hiding cameras inside domes of wine-dark opacity infringe upon our right to privacy? The answer is unclear; however, I believe that we should have the right to know that we are being watched. Even if crime were to decrease, it would be a smoking gun because it would be very hard to argue that crime rates went down as a result of these cameras shrouded in secrecy. The article also poses a magnificent question and that is: Who is watching these cameras and ensuring the data they collect as evidence against us is reliable? We need to know these things because, "surveillance evidence is frequently being used in legal proceedings, however, the surveillants – law enforcement, shop-keepers with a camera in their shops, people with smartphones, etc. — have control over their recordings, and if these are the only ones, the one-sided curation of the evidence undermines their integrity".

Written by Bria White, a Homeland Security Graduate Assistant for the University of the District of Columbia.



http://www.homelandsecuritynewswire.com/dr20150113-when-the-camera-lies-our-surveillance-society-needs-a-dose-of-integrity-to-be-reliable?page=0,1

Source of article: Joshua Gans, Professor of Strategic Management at University of Toronto, and Steve Mann, Professor of Electrical and Computer Engineering at University of Toronto. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).
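The integrity problem quoted above (the party holding the only copy of a recording can quietly drop, reorder or re-encode segments) is the kind that a hash-chained log with an externally committed head is built to expose. The following is an added example written for this page; it is not code from the article, from Gans and Mann, or from any surveillance product. Segment bytes, timestamps and the "committed head" are constructed stand-ins, and the hypothetical camera is assumed to number its segments from 0.

```python
# Added example (not code from the article or from Gans/Mann): a hash-chained
# log of recording segments whose final hash is handed to an independent party
# at recording time, so that later deletion, reordering or re-encoding of
# segments by whoever holds the only copy is detectable. All data is constructed.
import hashlib
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Segment:
    seq: int        # segment counter; the assumed camera starts at 0
    start_ts: int   # camera clock, seconds since epoch (constructed)
    data: bytes     # video bytes (constructed stand-ins)


@dataclass(frozen=True)
class Entry:
    seq: int
    start_ts: int
    content_hash: str
    prev_hash: str
    entry_hash: str


def _sha256(*parts: bytes) -> str:
    return hashlib.sha256(b"|".join(parts)).hexdigest()


def _entry_hash(seq: int, start_ts: int, content_hash: str, prev_hash: str) -> str:
    # Each entry commits to its metadata, its content and the previous entry.
    return _sha256(str(seq).encode(), str(start_ts).encode(),
                   content_hash.encode(), prev_hash.encode())


def build_chain(segments: List[Segment]) -> List[Entry]:
    """Append one entry per segment, each linked to the one before it."""
    chain, prev = [], GENESIS
    for seg in segments:
        content_hash = _sha256(seg.data)
        eh = _entry_hash(seg.seq, seg.start_ts, content_hash, prev)
        chain.append(Entry(seg.seq, seg.start_ts, content_hash, prev, eh))
        prev = eh
    return chain


def verify(segments: List[Segment], chain: List[Entry],
           committed_head: str) -> Optional[str]:
    """Return None if the segments and log match the head that was committed
    to an independent party at recording time; otherwise the first problem."""
    if len(segments) != len(chain):
        return "segment/entry count mismatch"
    prev, expected_seq = GENESIS, 0
    for seg, entry in zip(segments, chain):
        if entry.prev_hash != prev:
            return f"broken link at seq {entry.seq}"
        if entry.seq != expected_seq:
            return f"gap before seq {entry.seq}"
        if _entry_hash(entry.seq, entry.start_ts, entry.content_hash, prev) != entry.entry_hash:
            return f"entry hash mismatch at seq {entry.seq}"
        if _sha256(seg.data) != entry.content_hash:
            return f"content modified at seq {entry.seq}"
        prev, expected_seq = entry.entry_hash, expected_seq + 1
    if prev != committed_head:
        return "chain head differs from the externally committed head"
    return None


# Constructed sample: four 10-second segments from one camera.
SEGMENTS = [Segment(i, 1421000000 + 10 * i, f"frame-data-{i}".encode()) for i in range(4)]
CHAIN = build_chain(SEGMENTS)
COMMITTED_HEAD = CHAIN[-1].entry_hash  # assumed to have been sent to a third party at the time


def curated_result(drop_seq: int) -> Optional[str]:
    """The operator removes one segment and rebuilds the log from scratch."""
    kept = [s for s in SEGMENTS if s.seq != drop_seq]
    return verify(kept, build_chain(kept), COMMITTED_HEAD)


def edited_result(seq: int) -> Optional[str]:
    """The operator re-encodes one segment but leaves the log untouched."""
    edited = [Segment(s.seq, s.start_ts, b"edited") if s.seq == seq else s for s in SEGMENTS]
    return verify(edited, CHAIN, COMMITTED_HEAD)


if __name__ == "__main__":
    print("untouched:", verify(SEGMENTS, CHAIN, COMMITTED_HEAD))
    print("segment 2 deleted:", curated_result(2))
    print("last segment deleted:", curated_result(3))
    print("segment 1 edited:", edited_result(1))
```

Two caveats a practitioner should keep in mind. First, the chain only proves that the set of segments has not changed since the head was committed; it says nothing about whether the footage was genuine at that moment, so the head must reach the independent party promptly and over a channel the operator does not control. Second, if the operator also controls the only copy of the committed head, every check here can be satisfied by simply rebuilding the chain, which is exactly the one-sided curation the article warns about.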