
Exploring the science and magic of Identity and Access Management
Wednesday, May 8, 2024

Why face recognition isn’t scary — yet

Identity
Author: Mark Dixon
Tuesday, July 13, 2010
9:52 pm

Thanks to Malisa Vincenti, leader of the LinkedIn Group Security & Technology – Critical Infrastructure Network & Forum, for highlighting the CNN article entitled “Why face recognition isn’t scary – yet.”


Much of the article was dedicated to describing the benefits and deficiencies of facial recognition software used by online services like Facebook, Picasa and iPhoto to make it easier for users to keep track of photographs.  Speaking of such functionality, Michael Sipe, vice president of product development at Pittsburgh Pattern Recognition, a Carnegie Mellon University split-off company that makes face-recognizing software, said these types of photo programs are a response to the hassles of keeping track of growing digital photo collections.

"In general, there’s this tsunami of visual information — images and video — and the tools that people have to make sense of all that information haven’t kept pace with the growth of the production of that information," he said. "What we have is a tool to help extract meaning from that information by using the most important part of that media, which is people."

It is interesting that one of the most distinguishing attributes of a person’s identity – his or her face – is so difficult for computers to recognize.  We humans often say, “I can remember faces much better than names,” yet computers are just the opposite.  It turns out that a person’s smile, which may be one of the most easily remembered features of the human face (for us humans, at least), is the most difficult for computers to comprehend:

Anil Jain, a distinguished professor of computer science at Michigan State University, said it’s still not easy, however, for computers to identify faces from photos — mostly because the photos people post to the internet are so diverse.

Computers get confused when a photo is too dark, if it’s taken from a weird angle, if the person is wearing a scarf, beard or glasses or if the person in the photo has aged significantly, he said.

Smiling can even be a problem.

"The face is like a deformable surface," he said. "When you smile, different parts of the face get affected differently. It’s not just like moving some object from one position to another," which would be easier for a computer to read.

So … what will happen when this technology matures and makes the leap from family-friendly Facebook to real-life security or surveillance applications?

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the motives behind the technology are what worry him.

Governments and corporations intend to use facial recognition software to track the public and to eliminate privacy, he said, noting that automatically identifying people in public in the U.S., when they are not suspected of a crime, could be a violation of constitutional rights.

When facial recognition comes to surveillance cameras, which are already in place, "you’re no longer racing through iPhoto to figure out how many pictures of Barbara you have," Rotenberg said. "You’re walking around in public and facing cameras that know who you are. And I think that’s a little creepy."

I suppose this is like many other technologies – there are an abundance of positive applications, and the potential for terribly nefarious uses.

For example, if facial recognition can be used to identify terrorists so they could be detained prior to boarding airplanes, we would generally think that was a good application.

Similarly, if I could be granted entrance to my corporate office building or be logged onto necessary computer systems just by smiling (or frowning) into a camera, the building and computer systems might be more secure and the present-day use of passwords or ID cards might go the way of the buggy whip.

However, if an abusive husband used facial recognition software to stalk his estranged wife, or if the government successfully tracked every movement its citizens made in the normal course of events, we would generally think of those applications as negative.

I have a crazy habit of smiling and waving at security cameras I see in airports or banks or convenience stores. Who knows what is happening on the other side?  At the present level of today’s technology, I’m probably being recorded and not much more.  In a few years, however, the sophisticated software behind the camera will probably recognize Mark Dixon and report my antics to the NSA.  That will surely make me frown, not smile, when I wave to the ubiquitous cameras.


Are You a Perfect Citizen? I Will Listen and Find Out.

Identity
Author: Mark Dixon
Wednesday, July 7, 2010
9:47 pm

The Wall Street Journal published an excellent article today entitled, “U.S. Program to Detect Cyber Attacks on Infrastructure” (subscription required),  reviewing a large U.S. government program, named “Perfect Citizen,” with the stated objective to:

“… detect cyber assaults on private U.S. companies and government agencies running critical infrastructure such as the electricity grid and nuclear power plants, according to people familiar with the program.”


We all know that the national infrastructure is vulnerable, as I mentioned recently in my blog about NERC Critical Infrastructure Protection (CIP) Cyber Security Standards. The object of this program appears to be an attempt to discover security holes that may not be CIP compliant, and detect patterns of attack before harm can be done.

U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.

How do you tackle this challenge?  Just monitor the network and find “unusual activity” that may suggest a pending cyber attack.

The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.

This accumulation and analysis of vast amounts of data from numerous sensors is a fascinating topic.  Last September, I blogged about work led by Jeff Jonas to analyze large data sets to detect the types of anomalies the NSA are seeking – all to catch threats to the Las Vegas gaming industry.  It would be interesting to know if the NSA is building upon his work to find terrorists before they strike.

Of course, any surveillance program led by the NSA is bound to be controversial, and this is no exception:

Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide.

Who knows … perhaps some day the NSA wizards might think my blogging efforts are a threat to national security and plant sensors to detect my email, blogging and social networking communications activity to see if something fishy is going on.   After all, I am not a “Perfect Citizen,” whatever that means.  No one is.

"The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," said one internal Raytheon email, the text of which was seen by The Wall Street Journal. "Perfect Citizen is Big Brother."

It will be fascinating, in an apprehensive way, to see how this all comes together:

Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected. NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems, they said.

I doubt that covert surveillance of US citizens is the initial intent of this program, but unintended consequences are what trouble me.  For some diabolical reason, increasing the amount of power vested in any one person or group of people tends to lead to oppression of others.  And it sounds like this program will put vast informational power in the hands of a few.

 

Protecting the Electric Grid in a Dangerous World

Identity
Author: Mark Dixon
Wednesday, June 30, 2010
5:07 pm

When I woke up this morning, I read an intriguing tweet from my son Eric, who lives about a mile away from our house:

“Power has been out for 30 minutes. We have like 15 candles lit… And it’s starting to heat up.”

Well, for young Eric and his wife, a temporary power outage might be a romantic diversion, but we are all tremendously dependent upon available, reliable electricity distribution.  We simply expect the lights to go on when we flip a switch or power our laptops when we plug them in.

In order for that to happen, the national electrical grid or Bulk Electrical System (BES) must reliably carry energy from generating plants to our homes and places of business.  We have grown to rely on that happening, 24x7x365.

However, according to a new white paper published by Oracle,

“there is mounting evidence that North America’s bulk power systems are dangerously exposed to threats from both within and abroad.” 

A few warning signs include:

  • In June 2007, the Department of Homeland Security (DHS) leaked a video that showed how researchers launched a simulated attack that brought down a diesel electrical generator, leaving it coughing in a cloud of smoke, through a remote hack that was dubbed the Aurora vulnerability.
  • In January 2008, a CIA analyst revealed that a number of cyber attacks had cut power to several cities outside the U.S.
  • In May 2008, the Government Accountability Office (GAO) issued a scathing report on the number of security vulnerabilities at the Tennessee Valley Authority, the nation’s largest public power company.
  • In April 2009, The Wall Street Journal reported, according to unnamed current and former national security officials, that Russian and Chinese attackers penetrated the U.S. power grid, installing malware that could potentially be used to disrupt delivery.
  • In July 2009, NERC CSO Michael Assante told the House subcommittee on Emerging Threats, Cyber security, and Science and Technology, “Cyber threats to control systems are

In response to these and other conditions:

“the federal government has responded to this threat with a set of security standards for protecting cyber assets that comprise the BES, and set an aggressive schedule for mandatory compliance, beginning in 2007, with all covered entities required to be in ‘audit compliance’ by June 2010. Non-compliance could cost power companies up to $1 million per day in penalties.

“The North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards, mandated through the approval of the Federal Energy Regulatory Commission (FERC), provide a broad, though not very prescriptive guide to implement a comprehensive cyber security program, stressing responsibility and accountability for protecting the organization’s critical assets.”

The new Oracle white paper, entitled “Protecting the Electric Grid in a Dangerous World,” describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in NERC CIP compliance, security and efficient use of resources.

Identity Management:

“Oracle Access Manager, Oracle Identity Manager, Oracle Identity Analytics and other products in the suite of Oracle Identity Management solutions provides application and system-level security, giving power providers and distributors the tools to create sustainable, manageable and auditable controls over access to their critical assets. Identity management and access control are essential components in CIP-003, CIP-004, -005, -006, -007, and are applicable in -008, -009.”

Data Security:

“Oracle’s comprehensive data security portfolio, including Oracle Advanced Security, Oracle Data Masking, Oracle Database Vault, Oracle Label Security and Oracle Audit Vault, allow managing critical information throughout the data protection lifecycle by providing transparent data encryption, masking, privileged user and multi-factor access control, as well as continuous monitoring of database activity. Database security, especially data access controls and privileged user management are essential in CIP–003, -004, -005, -006, -007, -008 and -009.”

It’s great to be associated with a company whose products can play a major role in the protection of the electrical grid upon which we depend so much.

However, I must admit, lighting a few candles after dark may be enjoyable as well!

PS:  The grid map shown above comes from an interesting interactive map on the NPR.org website.  Enjoy!

 

Whitfield Diffie – Cryptography Pioneer

Identity
Author: Mark Dixon
Tuesday, June 29, 2010
10:17 am

The most enjoyable segment of my CISSP training course is reviewing Cryptography.  The science of cryptography has always been fascinating to me, although I do not consider myself to be an expert in the field.

This morning we briefly reviewed the Diffie-Hellman protocol:

“Diffie–Hellman key exchange (D–H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. It is a type of key exchange.”
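The exchange that definition describes, carried through in code as an added example (this is not code from the original post, and not from Diffie and Hellman's paper). It uses Python's built-in pow() for modular exponentiation and hashlib to turn the agreed secret into a symmetric key. The group parameters are assumed, deliberately tiny textbook values (p = 23, generator g = 4 of the prime-order subgroup q = 11) so the arithmetic can be checked by hand; a real deployment uses a standardised large group such as the RFC 3526 MODP groups, or an elliptic-curve variant.

```python
"""Diffie-Hellman key exchange, worked end to end (added example, not from the post)."""
import hashlib
import secrets

# Toy public parameters (assumed for illustration): p is a safe prime, q = (p-1)/2,
# and g generates the subgroup of order q, so every public value lands in that subgroup.
P = 23
Q = 11
G = 4


def dh_public(priv: int, p: int = P, g: int = G) -> int:
    """Public value g^priv mod p; this is what each party sends over the insecure channel."""
    return pow(g, priv, p)


def peer_public_is_valid(pub: int, p: int = P, q: int = Q) -> bool:
    """Reject degenerate values (0, 1, p-1) and anything outside the order-q subgroup.

    Accepting them would let an attacker force the shared secret into a tiny set.
    """
    return 2 <= pub <= p - 2 and pow(pub, q, p) == 1


def dh_shared(peer_pub: int, priv: int, p: int = P, q: int = Q) -> int:
    """Shared secret peer_pub^priv mod p; both sides compute the same number."""
    if not peer_public_is_valid(peer_pub, p, q):
        raise ValueError("peer public value rejected")
    return pow(peer_pub, priv, p)


def derive_key(shared: int, label: bytes = b"dh-demo") -> bytes:
    """Hash the raw secret into a 256-bit key; the raw integer is never used directly."""
    nbytes = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(label + shared.to_bytes(nbytes, "big")).digest()


def random_private(q: int = Q) -> int:
    """Fresh private exponent in [1, q-1] from the OS CSPRNG."""
    return 1 + secrets.randbelow(q - 1)


def run_exchange(a: int, b: int, p: int = P, g: int = G, q: int = Q) -> dict:
    """Drive a full exchange with the given private exponents and show what each side holds."""
    A = dh_public(a, p, g)   # Alice -> Bob, in the clear
    B = dh_public(b, p, g)   # Bob -> Alice, in the clear
    s_alice = dh_shared(B, a, p, q)
    s_bob = dh_shared(A, b, p, q)
    return {
        "wire": {"p": p, "g": g, "A": A, "B": B},  # everything an eavesdropper sees
        "alice_secret": s_alice,
        "bob_secret": s_bob,
        "key": derive_key(s_alice).hex(),
    }


if __name__ == "__main__":
    # Fixed exponents so the numbers can be checked by hand: A = 4^3 mod 23 = 18,
    # B = 4^7 mod 23 = 8, and both sides reach 4^21 mod 23 = 6.
    print(run_exchange(a=3, b=7))
    live = run_exchange(random_private(), random_private())
    print("secrets agree:", live["alice_secret"] == live["bob_secret"])
```

The "wire" entry is the whole of what an eavesdropper captures; recovering the secret from it requires solving the discrete logarithm in the group, which is what the large standardised groups make impractical. The subgroup check in peer_public_is_valid is the validation step a practitioner adds before using any received public value.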

Of course, the Diffie in Diffie-Hellman is Dr. Whitfield Diffie, a US cryptographer and one of the pioneers of public-key cryptography, who served as Chief Security Officer of Sun Microsystems for most of the time I spent there.  I only met him once and certainly didn’t know him well, but was impressed with his deep intellect and command of the information security field.

Perhaps (I hope) we’ll meet again.


Personal Medical Files to go Online

General
Author: Mark Dixon
Friday, June 4, 2010
9:06 am

Thanks to Mike Waddingham for sharing the link to an article in the Canadian National Post on Monday:

“Telus announced an electronic health service yesterday that will give patients instant online access to all their medical files.”

Telus chief executive Darren Entwistle said this move will "revolutionize" health care:

"Now, Canadians will have the ability to create, store and manage their personal health information across their computers and smartphones and, in the future, TVs," Mr. Entwistle said in an announcement at an e-health conference in Vancouver.

"In a world where wireless network technology has enabled powerful mobile computing, their health information can be right at their fingertips, wherever their lifestyles or business travels take them because their smart-phone will accompany them."

The article further states:

In a demonstration, Telus officials showed how a patient could start a personal health record, inputting their own information — from childhood vaccinations, to allergies, to blood pressure readings — to share with their doctors, pharmacists and other health-care providers.

In turn, patients would have access to their medical records, so if they move, see a specialist or end up unexpectedly in an emergency department, vital health information would be instantly available.

Parents would be able to start and maintain health records for their children.

I applaud this type of automation that puts more control of personal health information in the hands of consumers.  While it certainly demands necessary privacy and security controls, this move recognizes the need to make health records from multiple sources more available, which should lead to improved health care and reduced costs.

It will be interesting to see how quickly this type of system becomes available in the US.


Rockin’ with PCI Data Security Standards

Identity
Author: Mark Dixon
Wednesday, June 2, 2010
5:04 pm

Struggling to understand what the PCI Data Security Standard really means? Please take a few minutes to enjoy a  clever short video published by the PCI Security Standards Council. Bob Russo, General Manager of the Council, showed this video as part of his presentation at the Pittsburgh CSO Breakfast Club PCI Security Forum in which I participated last week.

 

The music might be a bit corny, but the message is right on – and a fun respite from the normal dryness of PCI DSS discussions.


Copy Machine Security Threat: A Solution

Identity
Author: Mark Dixon
Monday, May 17, 2010
8:51 pm

In response to my colleague, Jack Crail, who circulated the link to the video in my previous post, another colleague, Brad Diggs, responded:

Hey Jack,

No this isn’t an urban legend.  I have been working up a blog post that gives folks a strategy for how to deal with it.  I am the deacon of IT at my church and we have had to deal with it head on.  For everyone’s benefit, your best friend in this is Darik’s Boot and Nuke.  Of course the best thing is to make sure that the drive is not accessible by anyone that shouldn’t be accessing it.  You also need to make sure that you pull the drive whenever you have it serviced, sell it or dispose of it.

Lastly, note that this risk applies to both photocopiers AND printers with internal print queues.

Have a great day!

Brad

Brad followed up that note with an excellent post on his blog recommending a step by step process to deal with the problem.

Thanks, Brad!
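Wiping the pulled drive is one step; checking that the wipe actually left nothing behind is the step that closes the loop. The following is an added example, not code from Brad's post or from Darik's Boot and Nuke: a small residue scanner that walks a drive image block by block and reports any block that is not entirely 0x00 or entirely 0xFF (the two usual fill patterns after an overwrite). The "copier drive" it scans is a constructed in-memory image, so the script runs offline; against real hardware you would pass the device node or a dd image instead.

```python
"""Post-wipe residue check for a drive or drive image (added example)."""
import io
from typing import BinaryIO

BLOCK_SIZE = 512  # classic sector size; scanning granularity only


def is_blank_block(block: bytes) -> bool:
    """True when every byte is 0x00 or every byte is 0xFF, i.e. a wiped sector."""
    return block == b"\x00" * len(block) or block == b"\xff" * len(block)


def scan_for_residue(stream: BinaryIO, block_size: int = BLOCK_SIZE) -> dict:
    """Read the stream block by block and count sectors that still carry data.

    Returns the total block count, the number of non-blank blocks, and the byte
    offset of the first non-blank block (None when the image is clean).
    """
    total = 0
    residual = 0
    first_offset = None
    while True:
        block = stream.read(block_size)
        if not block:
            break
        if not is_blank_block(block):
            residual += 1
            if first_offset is None:
                first_offset = total * block_size
        total += 1
    return {"blocks": total, "residual_blocks": residual, "first_residual_offset": first_offset}


def zero_fill(image: bytearray) -> None:
    """Overwrite the whole buffer with zeros; stands in for the wipe step on a real drive."""
    image[:] = b"\x00" * len(image)


def build_sample_image(blocks: int = 64) -> bytearray:
    """Constructed 'copier drive': mostly blank, with one spooled job left in block 10."""
    image = bytearray(blocks * BLOCK_SIZE)
    job = b"PATIENT: J. Doe  DOB: 1970-01-01  RESULT: (constructed sample)\n"
    start = 10 * BLOCK_SIZE
    image[start:start + len(job)] = job
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print("before wipe:", scan_for_residue(io.BytesIO(bytes(img))))
    zero_fill(img)
    print("after wipe: ", scan_for_residue(io.BytesIO(bytes(img))))
    # To check a real drive after wiping, open it read-only as root, e.g.
    # with open("/dev/sdX", "rb") as dev: print(scan_for_residue(dev))
```

A non-zero residual count after the wipe is the signal to investigate before the machine leaves the building; a clean scan is the evidence worth keeping with the disposal record.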

 

Your Copy Machine – A Security Threat?

Identity
Author: Mark Dixon
Monday, May 17, 2010
1:44 pm

The thought never crossed my mind until my colleague Jack Crail sent me a link to this short CBS News video that outlines little-known security risks lurking in the background – hard drives in digital copier containing thousands of pages of sensitive information.

 

A companion print article highlighted a short study of four copiers detailed in the video:

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders.

On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting "print" on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Who knows how much of your personal information is floating out in never-never land on copier hard drives you may not have even known about?

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.