security

30.08.2011 cyber security, Evaluation, information security, iso/iec 27001, security

NOWHERETOHIDE.ORG completes ISO/IEC 27001:2005 Lead Auditor (TPECS) competency

The British Standards Institute (BSI) issued an ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today.

ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.

It is important to understand that ISO/IEC certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an on-going basis.


02.06.2011 computer security, cyber security, data sharing, Information sharing, law enforcement, Law enforcement information sharing, LEIS, security, security threats, Uncategorized

Security, Privacy, and Innovative Law Enforcement Information Sharing: Covering the bases

So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.

Before I get into the story, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast aspersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy – when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago… (more stuff about NLETS was deleted).

The main points I took away from this press release were:

  1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
  2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
  3. Because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enabled direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog – it involved innovative use of technology for law enforcement, a pseudo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing – some might even say it had all the makings of a Will Smith movie. 🙂

To help set the stage, here are a few facts I found online:

  • Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BV.
  • Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
  • Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
  • Finally, no sworn officers are involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdictions across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets) has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

  1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
  2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
  3. Data Access: Will Gatso/Redflex have access to the entire registration record, or will access be limited to certain fields?
  4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
  5. Network Security: Will overseas developers/site support staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nlets systems/networks from abuse/attack?
  6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
  7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents’ personal information will be protected?
  8. Audit/Logging: Will all queries to vehicle registration information be logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
  9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to a foreign-owned company? Will they care?

How these questions are answered will determine whether or not we should worry…
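The audit/logging question asks whether every registration query is logged and whether anyone actually reviews the log for abuse of authorized access. As an added illustration (not code from this post, Nlets or Gatso), here is a small Python review of a constructed query log that flags lookups with no case reference, lookups outside an assumed operating window, and per-user query bursts; the log format, field names, user ids and thresholds are all assumptions.

```python
"""Audit-log review for a vehicle-registration lookup service.

Added example, not from the blog post or from any real Nlets/Gatso system.
It shows the simplest form of "is someone checking the logs": parse a query
log and flag users whose behaviour departs from the expected workflow, in
which every lookup is tied to a violation record and happens during the
operating window. Log format, thresholds and sample lines are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed operating window (local time) and per-user rate ceiling.
OPEN_HOUR, CLOSE_HOUR = 7, 19
MAX_QUERIES_PER_HOUR = 5

# Constructed sample log. Assumed format per line:
#   <ISO timestamp> <user id> <violation/case id or "-"> <plate> <result>
SAMPLE_LOG = """\
2011-06-02T06:30:12 rf_ops02 V-10939 NY-ABC1230 hit
2011-06-02T09:14:02 rf_ops01 V-10931 MD-7AB1234 hit
2011-06-02T09:15:40 rf_ops01 V-10932 DE-XYZ987 hit
2011-06-02T09:17:11 rf_ops01 V-10933 MD-5CD4567 hit
2011-06-02T10:02:55 rf_ops02 V-10940 NY-ABC1234 hit
2011-06-02T10:03:30 rf_ops02 V-10941 NY-ABC1235 nohit
2011-06-02T23:41:09 dev_nl07 - CA-9XYZ121 hit
2011-06-02T23:41:15 dev_nl07 - CA-9XYZ122 hit
2011-06-02T23:41:21 dev_nl07 - CA-9XYZ123 hit
2011-06-02T23:41:27 dev_nl07 - CA-9XYZ124 hit
2011-06-02T23:41:33 dev_nl07 - CA-9XYZ125 nohit
2011-06-02T23:41:40 dev_nl07 - CA-9XYZ126 hit
2011-06-02T23:41:46 dev_nl07 - CA-9XYZ127 hit
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, case_id, plate, result = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "case_id": case_id,
            "plate": plate,
            "result": result,
        })
    return records


def find_findings(records):
    """Apply three review rules; return (kind, user, when, detail) tuples."""
    findings = []
    per_user_hour = Counter()
    for r in records:
        when = r["ts"].isoformat()
        # Rule 1: a lookup that is not tied to any violation/case record.
        if r["case_id"] == "-":
            findings.append(("NO_CASE_REFERENCE", r["user"], when, r["plate"]))
        # Rule 2: a lookup outside the operating window.
        if not OPEN_HOUR <= r["ts"].hour < CLOSE_HOUR:
            findings.append(("OFF_HOURS", r["user"], when, r["plate"]))
        per_user_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))] += 1
    # Rule 3: more lookups in one clock hour than the workflow should need.
    for (user, hour), n in sorted(per_user_hour.items()):
        if n > MAX_QUERIES_PER_HOUR:
            findings.append(("HIGH_VOLUME", user, hour, f"{n} queries"))
    return findings


def summarize(findings):
    """Count findings per user and per rule, e.g. {'dev_nl07': {...}}."""
    by_user = defaultdict(Counter)
    for kind, user, _when, _detail in findings:
        by_user[user][kind] += 1
    return {user: dict(counts) for user, counts in by_user.items()}


if __name__ == "__main__":
    results = find_findings(parse_log(SAMPLE_LOG))
    for kind, user, when, detail in results:
        print(f"{kind:18} {user:9} {when:19} {detail}")
    print(summarize(results))
```

In the constructed log the developer account stands out on all three rules at once; the point is that none of these checks needs anything beyond the log the question asks for.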

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonight’s news, like St. Louis (St. Louis Police Department computer hacked in cyber-attack).

The bottom line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitive data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

27.09.2010 public safety, security, security threats, Training, Uncategorized

Eastern Maryland: Free “State-of-the-Threats for the Hospitality Industry”

A free InfraGard Maryland training seminar:

Date and Time: Monday, October 4, 2010, 8:30am-1:00pm in Ocean City

Location: Holiday Inn, Oceanfront @ 67th Street, 6600 Coastal Hwy., Ocean City, MD 21842

AN AUTHORITATIVE “NEED_TO_KNOW” ON THE STATE-OF-THE-THREATS MATRIX FOR THE HOSPITALITY INDUSTRY – with Lessons Learned from Mumbai & BEYOND

Jointly presented by the Federal Bureau of Investigation (FBI) and InfraGard’s Maryland Chapter, with the U.S. Department of Homeland Security (DHS), the Maryland Coordination & Analysis Center (MCAC) and Eastern Maryland Regional Information Center.

Speakers

Major General Kalugin, The former Chief of KGB Foreign Counter-Intelligence whose job it was to penetrate all hostile intelligence and security forces worldwide. Now one of Russia’s “Most Wanted,” General Kalugin just celebrated his 7th year as a U.S. Citizen. He is the ultimate insider, whose fascinating autobiography, SPYMASTER*, documents secrets from his 32-year career.

Carl D. “Dave” Dalton, Former 29-year veteran LAPD, a sought-after source in the Security Industry for executive protection, high-profile/high-risk event security, emergency & disaster preparedness, Mr. Dalton has weathered unimaginable events: from the LA 1984 Summer Olympics and first-ever Papal visit in 1987, to the 1992 LA Riots; the Northridge Earthquake; firestorms, floods, and mudslides; epic structural fires; and major crime scenes. Heavily involved in the community in various key Security & Emergency Preparedness roles, he was personally invited by the Government of the People’s Republic of China to help prepare the Chinese National Police and Military to provide security for the 2008 Beijing Summer Olympics.

Darryl Kramer, Public-Private Sector Partnership Coordinator, Department of Homeland Security’s Office of Intelligence & Analysis. Mr. Kramer draws on a deeply informed and credentialed background in military and other sectors to bring a substantial breadth of understanding and resourcefulness in speaking to a State of the Threats Briefing and overview of the DHS Public-Private Sector partnering program – how it works, & how businesses can benefit.

Registration & Attendance: This invaluable event is FREE to Attend

REGISTER NOW at http://secureeastmd.eventbrite.com

27.09.2010 computer security, cyber security, Economic espionage, SCADA, security

Web ‘superbug’ threatens Chinese national security – Stuxnet SCADA Attack

Caught this article on the Times of India (PTI, Sep 27, 2010, 01.29pm) website today…funny it didn’t make any of the U.S. cyber security sites…here are a couple of snippets…

“A sophisticated malicious computer software, is attempting to infiltrate factory computers in China’s key industries, threatening the country’s national security, cyber experts have warned.”

“Called Stuxnet, the worm was first discovered in mid-June and was specially written to attack Siemens supervisory control and data (SCADA) systems commonly used to control and monitor industrial facilities – from traffic lights and oil rigs to power and nuclear plants, the state-run Global Times daily reported quoting experts.”

“Globally, the worm has been found to target Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, the report said. According to Wang, there might be large financial groups and nations behind the malicious software.”

“Eugene Kaspersky, co-founder of security firm Kaspersky, said the Stuxnet worm could prove that ‘we have now entered the age of cyber-warfare.’ He believes that Stuxnet is a working – and fearsome – prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.”

Read more: Web ‘superbug’ threatens Chinese national security – The Times of India http://timesofindia.indiatimes.com/tech/news/internet/Web-superbug-threatens-Chinese-national-security/articleshow/6635680.cms#ixzz10lUJux3C

27.08.2010 Economic espionage, infragard, security, security threats

Maryland InfraGard Presents: “Need to Know” Security/Threats Awareness Event

This event, generously hosted by DCS Corp, one of Southern MD’s most engaged community stakeholders, is being jointly produced by the Maryland InfraGard Chapter, the Southern Maryland Industrial Security Awareness Group, the U.S. Department of Homeland Security, the Maryland Coordination & Analytic Center (MCAC) and Southern MD Regional Information Center (RIC), in cooperation with regional authorities.

  • DATE: September 21, 2010
  • TIME: 8:00 am – 1:00 pm
  • LOCATION: DCS Corp, 46641 Corporate Drive, Lexington Park, MD (There is plenty of free parking available.)

REGISTRATION: You must be registered to attend. Go to http://securesouthmd.eventbrite.com. The Deadline to register is Friday, September 17th. Admission is FREE and open to U.S. Citizens (bring valid photo ID).

SPEAKERS:

Ex-KGB Major General (ret.) Oleg Danilovich Kalugin — former Chief of KGB Foreign Counter-Intelligence whose job it was to penetrate all hostile intelligence and security forces worldwide. Now one of Russia’s “Most Wanted,” General Kalugin just celebrated his 7th year as a U.S. Citizen. He is the ultimate insider, whose fascinating autobiography, SPYMASTER*, documents secrets from his 32-year career.

* Pre-Order your autographed copy of SPYMASTER by September 17 – a limited number of copies are available for personal inscription — an historic takeaway and remarkable value at $20. Proceeds benefit InfraGard Maryland Members Alliance, a MD chartered 501(c)(3) nonprofit, in its mission of public-private partnering for critical infrastructure protection, and programs like these. Ordering & payment details are on the registration site, or contact M. L. Kingsley at MLKingsley@msn.com to arrange your personally inscribed copy. Subject to supply, copies will also be available for purchase by cash or check at the 9/21 event.

Noted Cyber Guru Dr. Gary Warner — voted Nation’s top Cyber-blogger – See http://garwarner.blogspot.com/ “Cyber Crime and Doing Time” – Dr. Warner is the Director of cutting-edge Computer Forensics Research at the University of Alabama, Birmingham.

Plus, representatives from InfraGard, the FBI, MCAC, and RICs will speak on reporting suspicious activity, information sharing ventures and private sector partnerships.

This jointly presented forum represents an unparalleled gathering of public safety, law enforcement & intelligence authorities, to teach the crucial lessons of situational awareness, promote learning and sharing between essential stakeholders using a collaborative process to improve intelligence sharing and, ultimately, to increase our collective ability to predict, prevent, and preempt terrorist activity and manage the consequences of a diverse number of threats.

For more information about InfraGard, and to join, go to www.infragard.net and/or www.infragardmembers.org, or contact Special Agent Lauren Schuler, FBI Baltimore’s InfraGard Coordinator, at 410-265-8080 or Lauren.F.Schuler@infragard.org.

We hope to see you there!

03.08.2010 computer security, cyber security, security, security threats, Training

FREE Computer Security Workshop for Maryland Businesses

Can YOU answer the following questions?

  1. What happens to my business if my sensitive business information falls into someone else’s possession?
  2. What would it cost me to be without some or all of my sensitive business information?
  3. Could I recreate lost sensitive business information, and what would it cost?
  4. What would be the implications to my business if I could no longer trust the accuracy or completeness of my sensitive business information?

If you can’t answer these questions, then you need this workshop sponsored by the Maryland InfraGard Chapter (IMMA) and the Small Business Administration!!

The NIST Computer Security Division has developed a workshop to help the small business owner increase information system security.

Learn how to define information security (IS) for your organization.

Hear examples of common types of threats and understand how to determine the extent to which your organization should proactively address threats.

Learn common Best Practices and procedures to operate securely.

Hear a basic explanation of current technologies used in reducing vulnerabilities and learn of resources freely available to your organization.

For additional information visit:

Date:  August 20, 2010

   Session I from 8:00 am – 12:00 pm*

   Session II from 1:00 pm – 5:00 pm*

     *50 seats per Session

Location: Baltimore City Community College, 710 East Lombard Street, Room 30, Baltimore, MD

Registration Fee: FREE

Register Online: http://cybersecuritymd.eventbrite.com 

Parking is available nearby at 701 Lombard St. or 55 Market Place, Baltimore, MD for $13.00 per day.

Questions about registration?

E-mail Lauren.F.Schuler@infragard.org or call 443-436-7725.

Questions about the class content?

See http://csrc.nist.gov/groups/SMA/sbc/ or contact Richard Kissel at rkissel@nist.gov.

30.01.2010 data sharing, Information sharing, Law enforcement information sharing, privacy, security

Having trouble convincing the boss to spend on Security and Privacy protection? Read on…

The Ponemon Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.

In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies representing 15 different industry sectors–significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

  • Direct costs – communications costs, investigations and forensics costs and legal costs
  • Indirect costs – lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

  • 82% of all breaches involved organizations that had experienced more than one data breach
  • 42% of all breaches studied involved errors made by a third party
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck

02.01.2010 data sharing, Open Government, privacy, Processes, security, transparency

Data.gov CONOP – Five ideas posted to “Evolving Data.gov with You”

Following up on my comments and thoughts about the Open Government Directive and Data.gov effort, I just posted five ideas on the “Evolving Data.gov with You” website and thought I would cross-post them on my blog as well…enjoy! r/Chuck

1. Funding – Data.gov cannot be another unfunded federal mandate

Federal agencies are already trying their best to respond to a stream of unfunded mandates. Requiring federal agencies to a) expose their raw data as a service and b) collect, analyze, and respond to public comments requires resources. The requirement to make data accessible to (through) Data.gov should be formally established as a component of one of the Federal strategic planning and performance management frameworks (GPRA, OMB PART, PMA) and each agency should be funded (resourced) to help ensure agency commitment towards the Data.gov effort. Without direct linkage to a planning framework and allocation of dedicated resources, success of Data.gov will vary considerably across the federal government.

2. Strategy – Revise CONOP to address the value to American citizens

As currently written, the CONOP only addresses internal activities (means) and doesn’t identify the outcomes (ends) that would result from successful implementation of Data.gov. In paragraph 1 the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.”, yet there is no discussion about “what data” the “public” wants or needs to know about.

The examples given in the document are anecdotal at best and (in my opinion) do not reflect what the average citizen will want to see–all apologies to Aneesh Chopra and Vivek Kundra, but I do not believe (as they spoke in the December 8th webcast) that citizens really care much about things like average airline delay times, visa application wait times, or who visited the White House yesterday.

In paragraph 1.3 the CONOP states “An important value proposition of Data.gov is that it allows members of the public to leverage Federal data for robust discovery of information, knowledge and innovation,” yet these terms are not defined–what are they to mean to the average citizen (public)? I would suggest the Data.gov effort begin with a dialogue of the ‘public’ they envision using the data feeds on Data.gov; a few questions I would recommend they ask include:

  1. What issues about federal agency performance are important to them?
  2. What specific questions do they have about those issues?
  3. In what format(s) would they like to see the data?

I would also suggest stratifying the “public” into the different categories of potential users, for example:

  1. General taxpayer public, non-government employee
  2. Government employee seeking data to do their job
  3. Government agency with oversight responsibility
  4. Commercial/non-profit organization providing voluntary oversight
  5. Press, news media, blogs, and mash-ups using data to generate ‘buzz’

3. Key Partnerships – Engage Congress to participate in Data.gov

To some, Data.gov can be viewed as an end-run around the many congressional committees who have official responsibility for oversight of federal agency performance. Aside from general concepts of government transparency, Data.gov could (should) be a very valuable resource to our legislators.

Towards that end, I recommend that Data.gov open a dialogue with Congress to help ensure that Data.gov addresses the data needs of these oversight committees so that Senators and Congressmen alike can make better informed decisions that ultimately affect agency responsibilities, staffing, performance expectations, and funding.

4. Data Quality – Need process for assuring ‘good data’ on Data.gov

On Page 9 of the CONOP, the example of Forbes’ use of Federal data to develop the list of “America’s Safest Cities” brings to light a significant risk associated with providing ‘raw data’ for public consumption. As you are aware, much of the crime data used for that survey is drawn from the Uniform Crime Reporting effort of the FBI.

As self-reported on the “Crime in the United States” website, “Figures used in this Report are submitted voluntarily by law enforcement agencies throughout the country. Individuals using these tabulations are cautioned against drawing conclusions by making direct comparisons between cities. Comparisons lead to simplistic and/or incomplete analyses that often create misleading perceptions adversely affecting communities and their residents.”

Because Data.gov seeks to make raw data available to a broad set of potential users, how will Data.gov address the issue of data quality within the feeds provided through Data.gov? Currently, federal agency Annual Performance Reports required under the Government Performance and Results Act (GPRA) of 1993 require some assurance of the accuracy of the data reported; will there be a similar process for federal agency data made accessible through Data.gov? If not, what measures will be put in place to ensure that conclusions drawn from the Data.gov data sources reflect the risks associated with ‘raw’ data? And, how will we know that the data made available through Data.gov is accurate and up-to-date?

5. Measuring success of Data.gov – a suggested (simple) framework

The OMB Open Government Directive published on December 8, 2009 includes what are (in my opinion) some undefined terms and very unrealistic expectations and deadlines for federal agency compliance with the directive. It also did not include any method for assessing progress towards the spirit and intent of the stated objectives.

I would like to offer a simple framework that the Data.gov effort can use to work (collaboratively) with federal agencies to help achieve the objectives laid out in the directive. The framework includes the following five questions:

  1. Are we clear about the performance questions that we want to answer with data to be made available from each of the contributing federal agencies?
  2. Have we identified the availability of the desired data and have we appropriately addressed security and privacy risks or concerns related to making that data available through Data.gov?
  3. Do we understand the burden (level of effort) required to make each of the desired data streams available through Data.gov and is the funding available (either internally or externally) to make the effort a success?
  4. Do we understand how the various data consumer groups (the ‘public’) will want to see or access the data and does the infrastructure exist to make the data available in the desired format?
  5. Do we (Data.gov and the federal agency involved) have a documented and agreed-to strategy that prepares us to digest and respond to public feedback, ideas for innovation, etc., received as a result of making data available through Data.gov?

I would recommend this framework be included in the next version of the Data.gov CONOP so as to provide a way for everyone involved to a) measure progress towards the objectives of the OMB directive and b) provide a tool for facilitating the dialogue with federal agencies and Congress that will be required to make Data.gov a success.

29.11.2009 safe surfing, security, security threats

The Birds and Bees of Online Safety: What mama should have told you…

Remember what your mother told you? “Wear your mittens, look both ways before you cross the street, don’t swim until 30 minutes after you eat, cigarettes are bad for you, use a condom…” Well, today’s mothers should also be telling you to “be safe” when you surf the internet.

What does it mean to practice safe web surfing? Here are seven points I adapted from a poster that my colleagues at the New York City Metro InfraGard chapter developed to communicate what you should do to practice “safe web surfing.”

  1. Use passwords that have at least eight characters, and mix it up a bit–lowercase, uppercase, numbers and special symbols. Here’s an example: rather than “amysmith” as a password, use “@mySm1th”…get it? For more information on strong passwords, click here: Strong Passwords. To generate r-e-a-l-l-y strong passwords, use this tool: Password Generator
  2. Contrary to what you’ve heard before, write your passwords down and store them (somewhere other than under the keyboard on your desk). There is a greater chance that an easy-to-remember password will be cracked than there is for someone to break into your house or office and steal that sticky you wrote them down on. Bruce Schneier talks about this in his blog here: Write Down your Passwords
  3. Use virus scanning and spyware software–Microsoft has a free one available. Also, make sure your virus scanning software is turned ON and that its signature files are up-to-date.
  4. Only open email attachments from people you know. No matter how enticing they appear to be…“Free Cell Phone!”, “Make Your (whatever) Bigger (or Smaller)”, “Verify Your Bank Account!”…DO NOT open the attachment.
  5. Do NOT click on any web links in emails from people you do not know–if there’s a web address you want to go to, type the web address directly into your browser–www.goodsite.com may actually take you to a malicious website.
  6. Parents can use the administrative capabilities of Microsoft Windows to lock down sites/domains you don’t want your kids to visit. See instructions for doing this here: Block a Website
  7. Be very careful downloading and installing toolbars from non-reputable sources. They might offer you all kinds of neat smiley faces and cool tools, but they could also be stealing your personal information and doing other nefarious things. Here’s one article that talks about a fake toolbar for a very well known website: Dangerous Toolbar

Let me know if you have other ideas I should add to this list…comments and thoughts welcomed..r/Chuck

Chuck Georgo
chuck@nowheretohide.org

15.11.2009 counterintelligence, Economic espionage, security, security threats, Technology, Uncategorized

It’s 2pm on Sunday: Do you know where your data is?

It seems the Los Alamos National Laboratory (LANL) is in the news again. Just when you’d think they had addressed the vulnerabilities that Wen Ho Lee exploited back in 1999 (Lee has his own Wikipedia page now), they got slammed again in 2006 when local police found a thumb-drive with classified information on it at a local residence involved in a local narcotics investigation. Well, now the U.S. Government Accountability Office (GAO) has just released an audit report of LANL that reported:

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.


While LANL got slammed for losing information on its  “classified” network…what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure all of the sensitive but unclassified case information, organization proprietary information, or intelligence data that contains Personally Identifiable Information (PII) is protected as well–would you want to be the person explaining to their boss what data was just lost on that USB drive you left at the airport restaurant?

While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye–it was a standard, run of the mill 4GB USB thumb drive, but this one was unique–it had a built-in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it in to the computer first before unlocking it. I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bona fide reason for copying sensitive data onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or that an unauthorized person who happened to get access to the drive couldn’t stick it in their computer and access the information it holds.

The item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built-in 5-key keypad for entering a 1-10 digit PIN. There is NO software required on the desktop/laptop to create or enter the PIN, and all data on it is secured with 256-bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG. For Federal agencies, the manufacturer has developed a FIPS 140-2 compliant version with a built-in 10-key keypad; they are in the midst of the validation process now.