Monday, November 18, 2013

#08: France, CERN, and physical/personal security, and everything else

245 pageviews?!  What the hell?  I leave for holiday and come back, and it blows up!  Welcome to any new readers!! I promise to not disappoint. :D

I have been gone on holiday with my cruise group last month.  I had the utmost pleasure to visit the European Center for Nuclear Research or CERN.  This trip was one memory that will stick my mind for as long as I live.  Not just seeing the incredibly massive 15m long, 40 tonne (all Metric baby!) superconducting segments that ran the entire 17Km length of the LHC, but we also got to take an unexpected trip to the CMS, which was one of the two experiments that found enough sigma to confirm the Higgs Boson.  If you're interested, the Major Technicality podcast (@majortechnicality, or www.facebook.com/majortechnicality) will have it posted very soon.

One thing I did want to mention about my trip to CERN was the security controls in place.  Much of the main campus in Geneva was open, and they gave us pretty much carte blanche to visit the hallways, but to be quiet about it.  I was so enamored by the pure science of what was going on that I did not give the idea of physical or personal much of a thought.

There were no cameras, no access badges. Offices had locks, but the main campus appeared to be a recycled building from before the Cold War and the office sizes definitely had that feel.  I believed that everyone I looked in on as I walked by their office was comtemplating the very nature of the universe, or examining data to find that one thing, the one iota of information that would get them the next Nobel.  I hope I was not wrong.  Fantastic place.

My point was that a 'college' town like Geneva was incredibly "American" in it's attitudes.  Young people with their heads in their mobile devices (more Android than Apple oddly enough), and it just felt different, but no less safe.  I still carried my wallet in my front pocket, as I do in America, only out of habit.  I enjoyed the airports. No TSA, no body scanners... but in place of that, gentlemen with automatic rifles and paramilitary gear patrolled the airport.  It's interesting, we've spent billions of dollars "securing" our airports, inventing the DHS and TSA, when in fact, they are spending a fraction of that amount in Europe, and are arguably just as safe or safer even...

The heaviest security I saw was at the ATLAS project.  Cameras everywhere, badge access everywhere, including in the elevator, and the area just before you got into the experiment required an iris scan to get into the heart of of the machine. And the area with the iris scanner had a revolving door man trap operated by the control room.  When I asked our guide, who's name was 'Gerd' (hey Gerd!!!) he said that was to ensure that only necessary people could access the area, but also to protect people from the high energy radiation that gets kicked out by the ATLAS experiment.

I guess when we think of physical security, we often use it as a term to keep people out of sensitive areas, but security can be used as a protective mechanism, which I don't see that all that often.

Wireless security... Holy cow, I could not believe all the easy access to WPS enabled wifi.  If I lived in Geneva or Paris, I never would have needed to have bought Internet access.  Dozens of WPS enabled Wifi that could be easily cracked by Reaver.  All I needed was a few hours, and I'd have free, unfettered Internet. Which would have been a damn sight better than what we did have when we were able.  Hotels charge a lot for wifi, and my Verizon International data failed.  I need to get a hold of a good overseas phone that will at least allow me to access Google Maps...  But we travel over there so infrequently, doesn't really make much sense...

Well, now that I'm back from holiday, I really want to make this podcast deal happen.  Yes, I know everyone seems to have one, and "What's gonna make your podcast awesomer than everyone elses?"  Simple truth: it won't be.  I'm learning.  Hell, learning security is hard, but to learn rudimentary sound (video?) editing, as well as the bells and whistles of content creation (web page design, advertising/marketing, setup of interviews, etc) will be the real challenge.  Sitting down, spitting drivel into a microphone is easy.  I mean, look at all the talking heads on TV...  I'm at least 80% smarter than those people.  I just want to do a simple 30-40 minutes once a week (twice if I'm lucky), something really off the cuff, some security stories, and talk about security concepts I'm working on.  I'm dabbling with Python, and reading the Metasploit book written by @HackingDave (Dave Kennedy) and others, as well as doing my Pentester Academy stuff.  It's a full life.  But I would really like to do something that is mine.  I listen to enough podcasts that I realize I can't do much worse than the other folks.  And besides, even if no one listens, I'll be doing something I like.  I think "Adrift in the Security Sea Podcast" is too wordy.  I'll probably need to use an acronym to shorten it... like the A.S.S. Podcast... oh... well, guess that is off the table.  Well, it's a work in progress... I found some royalty-free music, worked on an intro... I just need to figure a few other things out...

Oh, went through a great class last Friday that discussed detecting malware in your network.  The folks over at @Mi2security, Michael Gough and Ian Robertson, showcased how the creation of a Master File Record, using file hashing, along with their brand new software Sniper Forensics Toolkit to reduce the ability for malware to take hold in a system.  It looks very promising, and I am going to try it at my home in the next few days.  Going to the class got you a 3 host license to try the software.  No Linux client yet, but they are diligently working on that.

Take care, and I'll update this post with the Major Technicality when it gets posted.  Take care... And tell your friends.