The security week that was: 07/24/09

Cameras in subway trains

Cameras are going everywhere, including the subway. In the last few years, we've seen mobile video surveillance developments, from things like specialty cameras for buses and subway cars like Axis' 209FD-R mini dome camera to full solutions for mass transit security like Nice's SafeRoute system (see SafeRoute PDF download, 1.6 Mb). We've seen the design of wireless networks that could pull the data off buses when they come to a station for service (the typical solution always has been to simply grab hard drives or connect cables to the mobile DVRs). We've seen mass transit organizations look for more and more cameras on buses and sometimes even consider doing audio surveillance on buses. Yes, audio surveillance of passengers really was a consideration in Maryland.

It seems that it's now an idea whose time has come. Like the proliferation of cameras on in public areas, installed by police departments, I think we're about to see an explosion in the number of cameras on buses and trains.

In one example, New York's MTA is moving ahead with this concept by planning to put cameras all throughout one of its subway trains. The goal is to put enough cameras that the entire inside of the subway car is covered by surveillance. By doing one train, the MTA is hoping to be able to keep the cost low and do a pilot project of sorts. Obviously, there is a lot to figure out. Some concerns that come to my mind are 1) dealing with camera tampering, 2) whether cameras are positioned correctly for difference ridership levels, 3) how to get the video off the trains without delays, 4) how well the system can withstand the sometimes damp tunnel environments, and 5) how well the system can deal with constant vibration of rolling down tracks.

The thing I'm most confused about on the New York MTA project is the fact that the city had a project deal with Lockheed Martin to do a similar project, but Lockheed left the job after noting that they couldn't get any cooperation for the project from the MTA and that there were technical problems that couldn't be easily overcome (like outdated MTA communications rooms that didn't have space for any more equipment). How is this project going to be any different?


Hacks, hacks and more hacks
Rough week for smart cards at Black Hat

Cards aren't getting the respect they once had. Used to be, if you thought high security, you pictured a card instead of a key. Then came the hacks on cards. Sometimes they were hacks on access control cards, but more common were hacks on common consumer-type cards -- cards like the U.S. passport card or the mass transit "ticket" cards. That was the story again this week at the Black Hat security conference. It's the kind of conference, like DefCon, where you can often find security researchers demonstrating security weaknesses. This time around the notorious card hack was that a guy has figured out how to hack the smart card system that San Francisco uses for parking meters (in San Fran, you can pay by coinage or by a disposable card pre-loaded with value).

While I'm on the topic of hacks, let's cover some other news. A U.K. man, Gary McKinnon, is moving closer to standing trial in the U.S. for hacking Department of Defense, NASA and military computer networks. The hacks allegedly occurred in 2001. He seems to have exhausted his appeals to British officials and will be extradited to stand trial.

Speaking again of hacking, big retail company TJX (the parent company for T.J. Maxx, Marshalls and HomeGoods) has settled with 41 states over breaches to its credit card payment systems. The settlement is close to $10 million and the money will be split between states and a federal initiative to prevent and investigate data security breaches.