The Security Week That Was: Aug. 10, 2007

Do I Hear $450?
Auctioning security hacks in Sweden

About a month ago, a Swedish firm launched an online auction site (a.k.a. Wabisabilabi) that claimed to help bring the world "one step closer to zero risk." Now, the interesting thing about this online auction site and its auspicious claims to be doing things for the good of all is that it doesn't auction off security tools or tips. Instead, Wabisabilabi auctions off security exploits.

Claiming to be a security research marketplace, this site is primarily for software developers interested in spotting security vulnerabilities before hackers get to them. I've mentioned this to a number of IT professionals and without fail, their jaws have dropped and they've said something like, "Well, that's kind of scary."

Indeed it is "kind of scary," and you don't need much of an imagination to picture hackers signing on as "hackbuyer_3" and bidding on the latest security weakness in Microsoft Vista or the seemingly ubiquitous iPhone. In fact, for those involved in physical security, we're just lucky this hasn't given common crooks and would-be attackers an idea to start some sort of physical security auction site where thugs and repeat criminals could shop for things like "high-rise facility access cards" or "alarm codes to 3 local businesses".

Admittedly, WSLabi says that it will only allow the site to be used by people who would actually buy the software cracks for positive purposes (perhaps this would be people who wrote the software, or perhaps anti-malware vendors, or security gateway developers), and it adds that its team will verify the weakness before it's put up for auction. The goal, they say, is that security researchers will actually be paid appropriately for their work, rather than selling it to persons with ill intentions for additional money. If, of course, they can do this effectively and get the right buyers linked with the right sellers, then I think they're onto something, but if just one mischievous buyer takes advantage of Wabisabilabi, then the deck of cards will tumble.

Now, most of you reading this newsletter are physical security professionals, but clearly there's been a move in our industry such that software is integral to all physical security systems, whether it's recording video surveillance or even managing an alarm system. And with software come vulnerabilities, and at that level, Microsoft Vista isn't that much different from your integrated access control system. Be vigilant.

Burglar Alarm Policies Make the News
Delaware's state ruling; another Calif. town turns to verified response

Those of you following the burglar alarm business closely may want to notice two stories from the week:

First, Fontana, Calif., announced that it was enacting a verified response policy, and as usual the alarm industry isn't happy. These policies still aren't the norm, and for those of you who make a living delivering and installing these kinds of systems, and, I think, for high-risk businesses and homes that depend on alarms, it's a good thing that these kinds of policies aren't the norm yet. As expected, the city was dealing with a high number of false alarms, and frustration with police response efforts was what pushed the policy onto the public.

Secondly, Delaware became the fifth state to adopt a statewide alarm policy specifying fines, registration and false alarm education. The state hasn't decided exactly how it plans to implement that program, but the move takes the burden off local communities.

Guns and Scams and Hacks
From a mega-heist to a Vegas casino shooting, some weeks are just tough

It was a rough week for casino security. First you had a casino dealer in Washington state pleading guilty to a scam, but the bigger stories were that a CCTV technician allegedly pulled off a massive heist at the Soboba reservation casino, and that Caesar's Palace was the scene of an argument that escalated into a man firing a weapon inside the casino, injuring patrons.

While casinos deal with a lot of cash, banks are increasingly storing money as digits within a complex and (hopefully) highly secure network environment. And, apparently, the bad guys are well aware that money isn't always the green stuff. IT security provider SecureWorks reported this week that they've seen attacks on banks up a full 81 percent in 2007.

Get up to Speed on Municipal Security
Webinar and articles on subject give integrators and end-users the background they need

A week ago we reported on the ABC News poll that Americans were in support of municipal surveillance systems. This week we followed up that report with a look at "The Value of Municipal Security Solutions," by Verint's Mariann McDonagh, who is participating in an upcoming SIW webinar on the same subject. If you're looking to tackle municipal surveillance solutions, consider the webinar and those two articles to be required homework.

Finally, we close with a look at the most read stories of the week: