Smart Phone Hotel Room Key – A Hack Waiting to Happen?

You know the old bit about how security is about trade-offs (convenience for a bit of your privacy). As soon as I saw this headline, alarm bells started to flash about possible exploitation of the smartphone hotel room key option. That’s because data stored in smartphones has become notoriously insecure; therefore, in the name of convenience, you could potentially be granting access to hotel room burglars. Any time you hear that a new high-tech solution has been implemented for your convenience, take it with a grain of salt. Time and time again we’ve seen how new software is written and implemented, circumventing traditional low-tech solutions that took years (even decades) of security innovations to get to where they are. I’m not saying that this is not a promising innovation; old hotel room keys have had their issues (personal data stored on the magnetic stripe, including credit card info used to create clones). But users must ensure that proper safeguards are put in place to prevent unauthorized entry to your hotel room using your stolen data.

Smartphones to be used as hotel room keys:


Corporate Security Is a Force for Good

By Francisco Mateo

As a security manager at a major multinational organization, I’ve learned to embrace my profound responsibility to provide assistance in an extremely important mission: that of protecting staff and clients from a growing list of perils. However, convincing people you barely know to accept protection measures that, at face value, may appear to run counter to their well-being is no walk in the park. I can assure you of that, and that is what we must do every day. Yes, it’s a thankless job, as many of my colleagues would affirm, which is why we command pay equal to executives of the same level. At a profound level some of us also aspire to more lofty rewards, mainly knowing that we have direct input into keeping people safe while they travel, work in hostile environments and leverage the supply chain to bring safe products to consumers. As I stated initially, this is a task that gets ever more complex. It is one area of our daily duties that requires our focus and recognition of seemingly unknown threats as well as the know-how to devise swift countermeasures.

The evidence is plain to see. Just think back to the tainted milk crisis in China which began in 2008. After thousands of babies were hospitalized with kidney failure, the Chinese government declared a public health crisis that sparked a global recall of all powdered milk products produced in China. The initial response understated the far-reaching impact that the use of melamine, a carcinogenic substance, would have on food products. China is to remain the world’s manufacturing hub, but its lack of controls over the use of dangerous raw materials is bound to continue as long as demand outstrips production output. For that reason consumer product companies have a duty of care to remain vigilant when sourcing raw materials or outsourcing manufacturing of consumer products. We in the corporate security function can contribute our investigation skills by applying this know-how to the due diligence process. We should not accept at face value a third-party manufacturer’s claims of having the capacity to deliver products in time and to our quality specifications. We must dig deeper into their safety records, production methods, compliance with international regulatory standards and even the moral compass that drives the operation to determine the likelihood that sham methods and corner-cutting could lead to tainted products that would put consumers’ health at risk.

Another area of concern in which corporate security has been an active participant is combating counterfeit products. An offshoot of global economic growth, these seedy illicit business practices are the underbelly of globalization. Aided by improved communications links, cheap transport and flexible (or simply corrupt) customs organizations, counterfeiters have blanketed many major markets with their cheap products. In some areas counterfeit products compete head to head with legitimate brands, eroding market share at a fast clip. Beyond the downright theft of intellectual property, we know that counterfeiters’ illicit practices put public safety and security at risk. Simply put, they’re not in the business of delivering safe products to market, nor do they respond to the sovereign need of controlling which products cross national borders or pay the tariffs that should go to ensuring consumer safety. Furthermore, profits from counterfeit product sales have been known to go to terrorist organizations in furtherance of their deadly operations all over the world. Here too corporate security has a prime role to play, liaising with law enforcement and customs officials to disrupt the flow of counterfeit products in the supply chain. We are also educating our internal constituents to adopt unique marking and packaging technology so that consumers can easily identify knockoff products. In a nutshell, we can be the catalyst that makes this entire process come full circle.

Sometimes our advance risk scenario planning projects us into obscure areas, often only discussed in academic circles. Such is the case of bio-hacking, or the tinkering with the basic building blocks of life by many biology students and enthusiasts worldwide—using cheap synthetic DNA and lab equipment bought inexpensively on the internet. Five years ago this wasn’t even on our radars, but the advent of cheap technology, the decoding of the genome, disposable lab equipment being bought and sold freely and a bit of crowd-sourcing could lead to accidental or intentional development and release of deadly toxins. In the past biological testing and engineering was conducted in heavily regulated and controlled government and university labs, thus biosecurity (policies and procedures designed to prevent the deliberate theft, diversion, or malicious use of high-consequence pathogens and toxins) remained the sole purview of government agencies. Today, with the growing DIY crowd experimenting with DNA from labs at home and other non-regulated facilities, there has been an increased emphasis on tracking this activity in order to keep people with nefarious intent away from these technologies. But there is also a high risk that gung-ho hobbyists (even with benign purposes in mind), in the process of mixing or swapping genes, would create deadly toxins without regard to obvious hazards to themselves and others. Many of us are responsible for the protection of lab facilities, which is why we should be concerned about the potential unauthorized removal of equipment and substances to further these independent (clandestine) research activities. Likewise, we should be concerned about the unauthorized use of these lab facilities. Corporate security should assist in setting strict access control systems and procedures to ensure only authorized use of labs and equipment. Beyond this we should be considering sensors that would detect and alert us to the introduction or use of dangerous substances. All in all, this is an emerging area of research we should remain aware of.

Some areas of business life have become difficult to manage, especially when changes can come as fast as lightning. Of course, I’m talking about business travel. To be specific, I’m talking about disruption to travel due to natural or man-made disasters. It is often unpredictable and its impact can be widespread. Recently we’ve seen an increase in these Black Swan events; the winter storm and ash clouds in Europe as well as a number of high-profile airline employee union strikes come to mind. All these events have in common the fact that hundreds of thousands of travelers were left stranded far from their final destinations. This in effect has also thrown a monkey wrench into companies’ ability to make business travel plans on the fly. Many in the corporate security function already track business traveler destinations as part of our value-added service. Besides the jurisprudence that has been chiseled out around the issue of a company’s duty of care to guarantee employee safety while on business travel, there are no set standards of what companies should do. In the absence of such guidelines many practices have been developed. Employee tracking has become invaluable in light of the growing perils. Traveler destination data is often overlaid with open source intelligence to get early warning, which allows the security officer to alert travelers in a potential hot-zone. Furthermore, if the employee’s travel plans are disrupted due to any of the aforementioned hazards, alternative plans are arranged. If a travel crisis strikes, emergency evacuations could also be arranged. Advances in computing technology have also allowed us to tap quantitative models of both natural and man-made incident data to provide more predictive incident monitoring, which we can use to leverage prevention. In essence, the more we know about a particular destination, the better prepared we are to guide travelers on whether to go or not. It is a task we take extremely seriously, since a wrong call means that lives could be at stake.

From Antiquity to the Contemporary periods, works of art make up an important part of our shared human experience. The sum trust of our humanities, elegantly displayed in museums, galleries and private collections the world over. But in our modern times it is not this human genius that is in vogue. No, what we’ve experienced is the opposite, the dark side of our humanity that only sees value, summed up in monetary profits, when they lay eyes on the greatest works of art known to humankind. The trend in art theft is truly appalling. Art thieves have become more brazen in their hits, striking in broad daylight. In the past we’ve witnessed certain sophistication in the schemes employed by art thieves. Today, they’ve mostly exploited holes in museums’ and art galleries’ physical security arrays. A quick cost/benefit analysis comparing the value of paintings and other works of art versus the security measures available at the time of the thefts would reveal the pyrrhic victory of the latter. Yes, it is true that many of the endowments that financially anchor these institutions have been reeling, with lower contributions due to the global financial crisis. It’s likely that many essential services have been scaled back in cost-cutting measures. Security practitioners can play a decisive role here, volunteering time and contributing our know-how by conducting risk assessments (analyzing foot-traffic flow data, behavioral analysis, contractor and employee screening, etc.) to determine vulnerabilities and recommending security countermeasures that can be delivered at lower cost. The same “lean security” principles applied to corporate security operations can add tremendous value to keeping art works safe and sound for all to enjoy.

As we look over the horizon, the perils will continue to get more complex. A recent commentator put it this way: “we are living in a world of cascading and intertwined threats…” in reference to the way risk is compounded and overlaps, paving the way to catastrophic failures. Whether man-made or natural, our risk scenarios are evolving, thus it is time for trained professionals to step up to the plate and help organize solutions for the good of our society. In the age of corporate social responsibility, we security practitioners within major industries should be doing more to contribute our knowledge and leverage resources to make our societies more resilient to shocks.

Clever Criminal Tactics, Matched By Investigator’s Wit

The explosion of communication technology has sparked many clever criminal tactics in recent times. Everyone from common criminal elements to syndicated criminal organizations has been an early adopter of cutting-edge technology to leverage their illicit activities, by directly exploiting the technology for gain or using it as a tool to further other criminal schemes—mobile phones come immediately to mind. Truth be told, criminals have shown a propensity to adapt to technological advances faster than law enforcement organizations. The evolution of mobile networks from analog to digital has given way to a number of platforms (SMS, e-mail, etc.) and loosely connected, not-so-well-guarded global data networks, which have been manipulated for illicit activities.

Public and private investigators around the world have been forced to come up to speed, often learning on the fly and adapting to these criminal tactics. One popular way many investigators have been able to trace communication leading to illicit or criminal activities is through cell phone triangulation. Investigations that rely on a person’s exact location at the moment a criminal act is committed require access to cell towers, which must be obtained from mobile phone service providers—many jurisdictions require a court order to avoid running afoul of due process laws. Criminals are also aware that their activities can be traced in this way, so they actively try to thwart these efforts by using disposable SIM cards and other schemes. Most recently criminals have also tried to create alibis by false flagging SMS messages. Police agencies are aware of these tactics and have made this information standard knowledge to look for during crime scene investigations. How long before other criminal elements attempt to cover their tracks through this clever stratagem?

Text Messages on Rise as Alibis:

Are Crisis Management Plans Strategically Important? Just Ask BP

As a professional I’ve seen the high level of planning dedicated to crisis management at a multinational corporation, which is why I’m completely baffled by the response to the oil spill in the Gulf of Mexico. I have watched, in disbelief, long enough to know this environmental tragedy was foreseeable and could’ve been at best averted and, at the very least, planned for minimum impact when disaster struck.

I have learned recently that when responding to a crisis many companies make one fundamental mistake, which is focusing on their expertise (what they know best). There are, however, other elements that impact a relationship genuinely based on trust. Amazingly, the companies involved in this mess have managed to botch their alleged expertise in managing off-shore drilling and its collateral impact on employee safety and the fragile ecosystems around their extraction operations.

I don’t pretend to come across as an expert in the field of Crisis Management, but I’ve been through the wringer enough times to pinpoint a number of mistakes. The real experts seem to be in agreement that the response has been marked by a series of mistakes—akin to a comedy of errors:

BP spill response tars reputation