

Onity responds to hacker's claim that its locks are vulnerable

Wednesday, August 8, 2012

Remember Cody Brocious? He's the Mozilla software developer who presented research last month at the Black Hat security conference about an alleged vulnerability in a certain type of Onity lock used on hotel room doors around the world. (If not, the quick recap: Brocious claims to have developed an open-source piece of hardware that can be plugged into a lock's DC port, read its memory and open the door.)

Well, Onity has responded to Brocious's claims in a statement sent to Security Director News: "At the Black Hat conference on Tuesday July 24, a hacker presented alleged vulnerabilities of certain models of Onity hotel locks," the statement begins.

"Onity understands the hacking methods to be unreliable, and complex to implement."

It's true Brocious's method is unreliable. He admits it. In a demo for Forbes magazine, he only got one out of three doors to open using his hack. In an interview with SC Magazine (embedded below), he said that it was because of a bug in the implementation, a problem he has no plans to fix for reasons of safety.

However, the last part of Onity's statement directly contradicts what Brocious claims. "It would be a matter of minutes to put this together from parts you can get off the internet or from RadioShack," Brocious said in the interview.

Onity's statement continues, seeming to admit that a vulnerability exists, though in the guise of just placating fears: "However, to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type. The upgrade will be made available after thorough testing to address any potential security concerns that you may have. Onity places the highest priority on the safety and security provided by its products."

They better get on it. Brocious claimed he held nothing back in the research he revealed to the public, so if he's right people could be developing these little devices for nefarious purposes right now. "At the end of the day, I felt getting the information out there was valuable," he said in the SC Magazine interview. "We will most likely see in-the-wild attacks, as sad as that is. We will see people using this for malicious purposes."

Here's the interview with SC Magazine:

Hacking iris-recognition systems

New research presented at this week’s Black Hat security conference demonstrates how iris recognition systems can be hacked. But does it matter?

LAS VEGAS—Hacking a biometric system makes for great headlines, but should this latest research on hacking iris-recognition systems make security professionals worried about using the technology as part of an identity authentication or access control solution? Security Director News spoke with one subject-matter expert to find out.

Cybercrime hits record levels


SARATOGA SPRINGS, N.Y.— The impacts of cybercrime on organizations have become increasingly evident in recent weeks. On June 3, defense contractor Lockheed Martin said it had proof that hackers breached its network in May partly by using data stolen from security-token maker RSA, which supplies coded security tokens to tens of millions of computer users

GAO report finds there may be too many agencies securing public transit

Thursday, July 29, 2010

Securing our nation's mass transit systems seems like a nearly impossible task and there's certainly no silver bullet for protecting the traveling public. A new report issued by the Government Accountability Office in July found that there are a number of promising explosives detection technologies out there, but also noted there are serious limitations that need to be addressed for proper deployment in a rail environment.

The report found that handheld, desktop, and kit-based trace detection systems, x-ray imaging systems, as well as the use of canines, are all technologies that have demonstrated good detection capabilities, but did not recommend any of these technologies specifically.

One of the concerns in securing ground transportation is passenger flow. It's fairly well understood that passengers on New York's subway system, for example, are not going to tolerate major interruptions of their commute. Therefore, the government needs to find technologies that can detect explosives but do not impede passenger flow. For this, the GAO recommends the development of a concept of operations that "would help balance security with the need to maintain the efficient and free flowing movement of people. A concept of operations could include a response plan for how rail employees should react to an alarm when a particular technology detects an explosive."

The GAO also reported that in implementing these technologies and policies there are possibly too many organizations involved in this effort:

While there is a shared responsibility for securing the passenger rail environment, the federal government, including TSA, and passenger rail operators have differing roles, which could complicate decisions to fund and implement explosives detection technologies. For example, TSA provides guidance and some funding for passenger rail security, but rail operators themselves provide day-to-day security of their systems.

TSA seems to be taking a bigger role in securing surface transportation. Secretary Napolitano recently announced the agency (and its new head) will focus more of its efforts on securing mass transit. It recently launched a national "See Something, Say Something" campaign, but has given no specifics on the technology side.

Gun? What gun? Oh, that gun. I lost it, says DHS

Thursday, February 25, 2010

I'm not sure if this article is amusing or just pathetic, but apparently the agency that is charged with our national security has a hard time keeping tabs on its own weapons.

Agents and officers of the U.S. Department of Homeland Security reported that 289 of their handguns, shotguns or automatic rifles had been lost or stolen between 2005 and 2008.

Actually, that didn't seem too bad to me, especially over the course of three years, but I found some of the ways that officers lost weapons to be fairly amusing. Apparently, weapons were left in places ranging from fast-food restaurant restrooms to bowling alleys to clothing stores.

I can just imagine how some of those conversations went down:

Boss: Where's your weapon, officer?
Officer: Um, I can't find it.
Boss: What do you mean you can't find it?
Officer: Well, I went bowling with the kids last night and must have left my gun on the scoring table because it was really interfering with my follow through.
Boss: Well, these things happen. Go get yourself another one.

I think that's funny (although it could be due to the cold medicine), but DHS isn't laughing.

"Although some reported losses were beyond the officers' control, most losses occurred because officers did not properly secure firearms," said DHS Inspector General Richard Skinner in a 23-page report dated Jan. 25. "The Department of Homeland Security, through its components, did not adequately safeguard and control its firearms."

But this issue apparently isn't limited to DHS.

While the report was embarrassing for DHS, other unidentified federal law enforcement agencies fared worse. Skinner said the Justice Department and the Government Accountability Office, Congress's audit arm, found similar problems among 18 agencies assessed between 2003 and 2007.

I'm guessing a lot of these folks are military or former law enforcement officers (or at least have been trained and certified to carry guns) so they should know how to keep track of their weapons, right? Perhaps it is true that those government jobs make you soft.