London security to use 1980s software to police Olympics
March 19, 2012
London's Metropolitan Police Service said this morning that it will use software designed in the 80s to help coordinate the command and communications of its policing operations during the 2012 Summer London Olympic Games in the United Kingdom.
Better known as MetOps, the software in question is currently installed in the force's special operations room (SOR), the central control room providing communications support during more than 500 major incidents and events each year, according to a report by London's police into the riots of August of last year.
MetOps, a messaging and recording system wasn't designed for dynamic incident management, and it means that commanders and police officers have no method to view in real-time the latest situation during an evolving incident, the report says.
The aging MetOps software also system means that it isn't linked directly to the other programs used in the force's central communications center known as the computer aided dispatch (CAD) system.
"This can result in the central communications centre being totally unaware of what is being dealt with within SOR, and conversely SOR being unaware of what is being dealt with through the CAD system," says the report.
The system's serious limitations contributed to a number of issues during the August 2011 riots, the report found, including the inability to monitor key incidents, slow communication with commanders on the ground, the lack of capability to hand over command to the oncoming team and the total inability to log key decisions for future review.
"These significant limitations coupled with the sheer scale of various tasks around the flow of information, communication and coordination of resources posed an immense challenge for those within SOR, particularly on August 8, 2011" the document says.
The process of replacing MetOps is under way and the force has also proposed some temporary solutions, including a new GIS system which is being trialled to assist with the coordination of resources. The Met is also considering adopting software currently used with live crime investigations for SOR.
The questions that are raised now is why did London's police wait until the last minute when they had a whole year to evaluate, plan and design modern software that would have prevented last year's riots. And one of the other question that is being asked now is: will the new software be ready in time for the Olympics which are less than four months from now? And it can take up to a year to fully test drive such complex software once it's available.
The Met's report also highlights the use of CCTV during disturbances. While the document says CCTV proved to be critical to the investigation of offences committed during the riots, it also says that there were significant challenges because of the sheer volume of footage, an estimated 200,000 hours, that had to be thoroughly examined.
The police's response to social media is also examined in the report, which notes that a digital communications steering group has been set up by the Met in response to its struggle to monitor social media in real time during the riots. The group wants to use social media to help the police understand what is going on in the community.
In other internet security news
The U.S. Department of Homeland Security has officially shut down and disabled a domain name registered outside of the United States by individuals who are not American citizens, and who registered with a Canadian registrar.
However, what's truly unique about this particular case is that the U.S. authorities didn't get the domain's registrar to seize the domain. Instead, they ordered Verisign, which manages all .com domains and had them void the DNS root records for the domain, essentially rendering it useless and non-operational.
And the domain in question --bodog.com-- has been in trouble in the past more than once. Bodog happens to be a big name in online gambling everywhere and as such, it became an attractive target for many who are seeking to stop U.S. citizens gambling online.
When we typed bodog.com in a browser today, it brought us to a page that said the U.S. Department of Homeland Security and the DoJ have seized the domain and rendered it useless.
It was set up and run by Canadian billionaire Calvin Ayre. He, and three others involved with the site, have been indicted on several counts and could be extradited to the United States if the authorities can catch them, and they most likely will.
The indictment filed accuses the four individuals of violation of Maryland laws. The site spent a lot of time and effort talking about the money it made outside of the U.S., and took particular offence to the hiring of advertisers to promote internet gambling on a wide scale, according to court documents.
"Sports betting is illegal in Maryland and a few other states, and federal law prohibits bookmakers from breaking that law simply because they are located outside the U.S.," said attorney Rod Rosenstein in a statement.
The indictment in question claims that Bodog paid out over $100 million in winnings to U.S. gamblers, in violation of U.S. laws. The company is also accused of spending $42 million to promote the site in various U.S. states, including Maryland.
The move came after an undercover investigation by the FBI, and with the help of a whistleblower who used to work at Bodog.
And Calvin Ayre isn't a sympathetic character at all. He knew full well the laws of the various countries and states he marketed his website in, and certainly had the technological capability to at least make the attempt to block residents of countries in which online gambling is illegal from accessing his website, but instead decided to do nothing.
"I see this as abuse of the U.S. criminal justice system for the commercial gain of large corporations. But it is clear that the online gaming industry is legal under international law," Ayre said in a blog posting.
By going to the root manager of all .com domains and having the records void, in effect bypassing the domain registrar entirely, the DHS has sent the web a very clear and loud message-- anything hosted in the U.S., registered in the U.S., or using a domain whose root is controlled by a U.S. corporation is subject to American law. End of the story.
Expect to see a big push from non-American internet service providers of all stripes and colors capitalizing on this event to make "not hosted in America" a major selling point. Indeed, it already is. If your website relies on a .com, .net, .org or other American-controlled domain, and you are not an American company, it may be time to revisit that strategy. All of a sudden, .com domains may have depreciated in value a bit with this event.
In other internet security news
Google is once again under the nagative spotlight after a Stanford scientist discovered that the company and other advertising firms have tampered with the privacy settings of millions of Apple Safari users.
Google, Vibrant Media Inc, WPP PLC's Media Innovation Group LLC and Gannett Co.'s PointRoll all used code that "actually tricked" Safari into allowing users to have their own online browsing habits tracked.
Apple's Safari blocks most tracking by default with exceptions for websites that, for example, require interaction from a user – such as the filling in of an online form.
Google claimed in a statement that the WSJ had "mischaraterized" the code used by the ad companies. "We used known Safari functionality to provide features that signed-in Google users had enabled," the Chocolate Factory said. "It's important to stress that these advertising cookies do not collect personal information."
But lawmakers in the U.S. have once again expressed their worries about Google's data-handling behavior. A letter sent to the Federal Trade Commission penned by three Congressmen on Friday demanded to know what - if anything - the regulator planned to do in response to Google's latest privacy mistake.
Meanwhile, Apple has said that it was "working to put a stop" to the functionality that allowed Google and others to bypass the browser's privacy settings.
Google has since disabled the code, which installed a temporary cookie on the smartphones or iMac computers of Safari users. Google has embedded code into some of its ads that fooled the Apple browser into thinking that a form was being submitted to Google when it wasn't.
And as could be expected, Microsoft didn't waste any time at sending yet another slap in the face at its competitor. Microsoft said in a blog post: "If you find this type of behavior alarming and want to protect your confidential information and privacy while you’re online, there are alternatives for you. Windows Internet Explorer is the browser that respects your privacy. Through unique built in features like Tracking Protection and other privacy features in IE9, you are in control of who is tracking your actions online. Not Google. Not advertisers. Just you."
On March 1st, Google will be removing most of its privacy policies into one terms-of-service document, in part to help the company cross-pollinate its ads on products such as YouTube and others.
In other internet security news
A new security hole was discovered in Google Wallet by The Smartphone Champ, and unlike Thursday's efforts which required root access to the phone and some rather harsh brute force, this security flaw simply involves asking the phone to reset the application data.
Doing that deletes the stored PIN (personal identification number) but not the credit card details themselves, so a new PIN can be entered by the hacker and new credit card transactions instantly become possible.
Google has apparently responded with a statement to this, providing a phone number (855-492-5538) which you can call if you're planning to pass the mobile handset to a friend, or worse, in the event that your phone is stolen.
Google will then disable the prepaid card and its NFC feature to prevent the phone from being used to pay for items using NFC technology.
It's easy to see how this situation has come about, although a bit more difficult to fully understand why Google didn't detect this security flaw earlier.
The Android application manager allows a user to clear app caches, then delete all information belonging to a specific application, as well as uninstalling the mobile app, and we already know that the Google Wallet app actually writes the user's PIN in a stored file, so deleting the data wipes the PIN altogether.
However, the credit card details themselves aren't stored in the phone's filesystem. Instead, they're stored safely in the Secure Element, so they don't get deleted when the application data is removed.
Run the Google Wallet after removing its data, and it assumes it's being run for the first time, and dutifully asks the user to create a PIN. Then ask it to add a prepaid card and it happily finds one already installed in the Secure Element and readies it for its use.
The message read: "Although we are considerably disappointed of the working conditions at Foxconn, we are not hacking a company for such a reason and, although we are slightly interested in the existence of an iPhone 5, we are not hacking for that reason either."
And it continued: "We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure. How unethical right?"
Internet-Security.ca tried to contact Foxconn’s Shenzhen headquarters in China for confirmation but had not heard back at the time we posted this.
But according to their Twitter feed, the hackers gained access to Foxconn’s network via an outdated security vulnerability in a version of Internet Explorer which was extensively being used internally by the company.
The information posted online includes mail server log-in and username credentials, as well as various log-ins for procurement sites and intranets which Swagg Security claimed “could allow individuals to make fraudulent orders under big companies' names such as Apple, Microsoft, IBM, Intel, Dell, HP and a few more”.
Source: London's Metropolitan Police Service.
You can link to the Internet Security web site as much as you like.