Stratfor hacked (including credit cards)

A number of large humanitarian organizations use the private intelligence Web site Stratfor to keep up on world events. Yesterday the site was hacked by the group Anonymous (or maybe someone else), who released the business' client list. Supposedly the client credit card database was also compromised and is being used to make donations to non-profit organizations such as the Red Cross. Some preliminary details are here. If your organization subscribes to Stratfor, it would be prudent to check if any fraudulent transactions show up on your credit card in the coming days.

12/25/2011 1500 EST Update - As of a few hours ago, it appears credit card and personal information from the hack are now being posted on the Internet. This is going to come as very unpleasant, post-holiday surprise to the 4,000 plus businesses, organizations, agencies, and individuals impacted.

12/26/2011 Update - If you've ever subscribed to Stratfor or corresponded with someone that works there, it would be wise to check Cryptome's coverage of the hack. There is a staggering amount of personal information being released as a result of this compromise.

Security Theater

Vanity Fair has a great article on "security theater" with insights by two of my favorite security and risk commentators (Bruce Schneier and Paul Slovic). Read the piece and reflect on how it applies to humanitarian security. While it's easy to take potshots at TSA and government airport security practices, it's a lot more difficult to take a critical look at your organization's and your own decisions following a crisis event.

Some questions I always ask myself following such an event include: Are my decisions based more on emotional aftermath versus the reality of the situation? Have I thought about the actual cost of my decisions? Am I perhaps guilty of engaging in security theater? And if so, is that always bad?

Mindfulness paves the path for better coping with future crisis...

U.S. Border Data Searches

Quite some time ago I posted about U.S. Customs and Border Patrol agents examining laptops and cell phones of people entering the United States. U.S. citizen or not, if you fit a profile or raise suspicions, your laptop, cell phone or other electronic device may be searched, its contents copied, or even be held for an indefinite period of time. Usually the Constitution prevents these kinds of things from happening without a warrant or probable cause. But in this post-9/11 world, the federal government says Constitutional privacy protections don't apply at the U.S. border.

You've probably heard the quote, "if you're not doing anything wrong, you don't have anything to hide." To me, this rather trite statement really doesn't hold up to even a small amount of critical thinking. Financial and health records, personal messages, sensitive organization files, and family photos are all examples of digital data that have nothing to do with wrongdoing and everything to do with keeping private.

If the idea of someone going through your laptop bothers you, the folks at the Electronic Frontier Foundation (EFF) just released a handy guide called Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices. This free publication helps you assess concerns and risks and offers straight forward guidance on a rather controversial subject. Anyone traveling to and from the United States, regardless of citizenship, should consider reading it here.

PS - An informed source tells me that prior to his annual Christmas eve journey, Santa Claus will be following EFF recommendations to ensure the naughty and nice list on his laptop stays confidential when he clears customs. Happy holidays...

Securing PCs and Macs - The NSA Way

Most NGO security practitioners I know tend not to be techies and leave computer security to the IT folks. That's a shame, because information security is becoming a necessary concern just about everywhere you go. In my opinion, anyone involved with humanitarian security should have at least a basic awareness of computer-related vulnerabilities and threats. However, this doesn't mean you need to be a techie. A little knowledge and common-sense go a long way in recognizing common vulnerabilities and having intelligent conversations with IT staff.

In the past I've blogged about some of the resources the National Security Agency (NSA) provides the public through its Information Assurance program. Today I want to steer you toward a collection of guides devoted to best practices in securing operating systems. You'll find how-to information for hardening various versions of Mac OS X and Windows. Check out what the NSA has to say about the type of operating system your organization uses. Even if it all doesn't make sense, I bet you'll learn something in the process. At the very least, pass the link on to someone in your IT department. It's a good lead-in to getting together for coffee to start coming up to speed on computer security basics.

Blast from the Past: PMCs in Iraq

Four years ago, quasi-news site Gawker filed a Freedom of Information Act request for records relating to Private Military Company (PMC) activities in Iraq. Over 4,500 pages of declassified documents were obtained that provide an inside look at Blackwater, DynCorp, and Triple Canopy operations in support of the U.S. government between 2005 and 2007. Gawker has now put all of the documents online for viewing. I'll leave it to the reader to draw his or her own conclusions on the "hearts and minds" impact the described actions had; including the potential unintended consequences for humanitarian organizations working in-country at the time.

TSA Friendly Modular Pocket Knife

At a loss for ideas on what to get your favorite globetrotting NGO security professional for the holidays? How about a Switch modular pocket knife. The Switch features a slick design that allows you to add or subtract tools based on your needs. Going somewhere on a plane? Take off the knife blades to stay in the good graces of TSA. A simple turn of a coin allows you to reconfigure the pocket tool to your own specifications with any of included 18 attachments. At $79 they're not Swiss Army Knife inexpensive, but they are oh so high-tech and cool looking. (If Santa is on a budget this year, Switches are currently on sale at Think Geek for $20 off.)

Toward a Common Langauge

I recently was part of a conversation that included the following. "The Kabul focal point really needs to make sure the hibernation plan is updated for the satellite office if AOG activities increase more in the south. Then there's BGAN. We've got HF now and that helps, but if BGAN goes down what are we going to do?"

Depending on your experience and training, the above may make perfect sense or be as clear as mud. As with most professions, the humanitarian safety and security community has come up with its own lingo. There's nothing wrong with that, of course, until it starts to pose problems.

In the past I've posted about the Incident Command System (ICS). This is a management framework that's used by government agencies to deal with wildland fires, disasters, oil spills, terrorist incidents, large gatherings, and other complex events. The origin of ICS can be traced back to a series of catastrophic fires that struck Southern California in 1970. A large number of firefighters died and a project called FIRESCOPE was established to determine the reasons for the fatalities and how to prevent more in the future. Investigators found that the lack of a common language was one several factors that contributed to the deaths. People were using terminology that not everyone understood for issuing orders and describing situations. This, coupled with the human nature of not wanting to appear ignorant by asking for clarification, was putting firefighters, law enforcement, and civilians further in harm's way. One of the project's recommendations was to establish common terms that all responders would understand. This became one of the cornerstones of ICS.

The humanitarian safety and security community could benefit by doing the same. Some initial work can be found in a 2010 paper written by Anna Dick titled "Creating Common NGO Security Terminology: A Comparative Study" (available here). As part of her research Dick took a variety of common humanitarian security terms and compared how 32 organizations defined them; as you might expect, there were differences. She then came up with a proposed set of definitions that could be adopted across the humanitarian space.

This paper is an excellent starting point for further conversation. In addition to being invaluable during a crisis, common terminology provides for more consistent and accurate incident reporting and increased efficiency in day-to-day operations through reduced misunderstandings. It would be nice if InterAction, ECHO, or some other body drove a common terminology initiative forward. (This actually may be more sooner than later, considering the International Organization for Standardization's recent work on ISO 31000, which provides standards for how organizations should manage risk.)

Don't wait for someone else though, this is something you can be doing right now. Come up with a common security lexicon that works for your organization (based on Dick's paper or not). Then get people to start using it. Clear communication pays for itself time after time.

Global Terrorism Database

When performing threat assessments for a country or a region, one of the tools I use to get a basic understanding of terrorist activity is the University of Maryland's Global Terrorism Database. This free resource catalogs over 98,000 terrorist events from all over the world. The incidents span from 1970 to the end of 2010 (with annual updates planned). It's a remarkable collection of open-source incident reports that allow you to browse by country, perpetrator, causalities, attack types, target types (including NGOs) and more. In addition to viewing individual incidents you can create bar, line, and pie charts to get a visual handle on trends. Everything is easy-to-use and quick. It would be nice if the data was updated more frequently, but I'm not complaining. This a great site to visit when you find yourself in an analyst role.

Pondering Power Problem Possibilities

Most people in Western countries take electricity for granted. You flip a switch and the lights come on. Your phone or iPod runs out of juice, no big deal. You just plug it into the wall. If you've done much traveling though, especially visiting field offices, you quickly learn power is something not to be taken for granted. Dirty power and brownouts fry computers and printers. Rationed electricity forces you to schedule when you'll use electronic devices. Natural disasters and government crackdowns shut off power at inopportune times. Many NGOs turn to using diesel generators and power regulation systems to ensure they can operate their offices. But this can be quite costly.

During a crisis, communication is essential. People rely on their cell phones and radios to stay in touch and manage the situation. But what happens if power isn't available for an extended period and the batteries run down? As with any problem, there are a number of possible solutions.

If you have a generator in the office, whether large or small, you can press it into service (just remember a generator requires fuel, and you should have a pretty good idea of how long it will run on your existing fuel stocks).

Solar panels are an option in sunny environments. Small panels are available for charging consumer devices like mobile phones. Some of these products even have built-in batteries that store electricity when the sun isn't shining. (I've had good luck with Solio's products). Large panels that charge lead acid batteries such as those found in cars and trucks are an even better option. Bigger batteries store more juice and can charge more devices, quicker. (You'll need an adapter that converts the direct current of a battery to the alternating current required by a charger.) Rollable panels such as those produced by PowerFilm are portable but are more expensive than rigid panels.

You may have encountered hand-operated crank radios and lights developed by FreePlay; the company has produced a number of different devices for the humanitarian community. They also make a commercial, hand-operated charger for electronic devices. (The hand charger sounds good in theory, but takes a considerable amount of time and effort to fully charge a phone. It's best for getting a few minutes of talk time in. FreePlay used to offer a foot-operated charger that was easier to use, but unfortunately it's no longer listed on their Web site.)

Car chargers for radios and mobile phones plug into the cigarette lighter of a vehicle and provide power from the vehicle's electrical system. There are also inverters available that you plug into a cigarette lighter outlet. These allow you to use an electrical device with the inverter. For example you could plug a laptop computer into the inverter just like you would in an office wall electrical outlet. (Inverters have different power ratings, so be sure the wattage of the device doesn't exceed the maximum wattage of the inverter.)

Finally, one of my favorite power to the people solutions is pedal power. MNS Power offers free plans for building a bicycle power generator. It's not portable, but you can keep electronic devices charged up while getting some exercise and burning off stress in the office.

Remember that different electrical voltages are used throughout the world. Just because you can jam a plug into an outlet doesn't mean your device will run. Pay attention to the voltage and wattage numbers associated with your device and ensure primary and backup power systems will work with them (and not send them to a smoking and burning early grave).