Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Owning Cop Car

Owning Cop Car

Ratings: (0)|Views: 10,606 |Likes:
Published by Korben

More info:

Published by: Korben on May 04, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Officer Accountability
Police chiefs continually worry aboutabuse of authority: brutality; misuse offorce, especially deadly force; over-enforcement of the law; bribery;manufacture of evidence in the name ofefficiency or success; failure to applythe law because of personal interests;and discrimination against particularindividuals or groups.
Digitalmunition presents: Ambiguity:
When information weneed is confusingor unclear, we mustclarify or fill inthe missing piecesbefore proceeding.
Complete, accurate, and up-to-the-minute situational awareness is essential for emergency responders and others who are responsiblefor controlling complex, dynamic systems and high-risk situations. Inadequate or completely absent situational awareness is cited asone of the primary factors in accidents attributed to human error.
In an effort to increase both situationalawareness and accountability in the field manylaw enforcement agencies have moved tocamera and DVR based technology to assist inthe digital archiving of visual and audibleevidence.Some agencies have found the collectionof such evidence so useful they are makingattempts to not only collect data on the perps,but on the officers as well. The recordings canthen be used not only to identify officers thatmay need additional training, but also tohighlight officers that are doing good work. All inall the cameras help protect the interests of bothcommon citizens and the officers sworn toprotect them.Situations in which either a vehicle or itsoccupants need to be monitored for potentialrisk are prime candidates for a DVR basedsolution. Both law enforcement and publictransit fit this profile for obvious reasons, whileschool buses and taxi cabs are also primecandidates for this technology. Installationsophistication can vary where in some cases acentral monitoring package may be employed totrack multiple camera or vehicle instances.Documentation of unsafe drivers or unsafepassengers is obviously one aspect of why anin-vehicle DVR and camera system would beuseful. DVR Data can clearly be collected in alaw enforcement context as well. When usingaudio and video data for law enforcementpurposes the data disposition must follow amore robust documentation process such asChain of Custody.One of the goals of this paper is tohighlight how poor IT design choices canultimately lead to a break in CoC with regard tohow evidence is collected and subsequentlystored. Along side this topic this paper seeks toemphasize the importance in maintainingconfidential data in a compartmentalized andfully vetted environment.When making future IT design choicesplease take into consideration the lessonslearned during the penetration test below.
Due diligence testing is critical
This paper is the result of our desire toshare the experiences we have had with ourcustomers in hopes that others can learn fromthe scenario as a whole. This particular scenariobegan with a simple request for a fairly high levelIT security audit of a local city’s infrastructure.Due to a few operational and personnelchanges the city wanted to make sure it had anaccurate view of the current state of its generalIT infrastructure security. This was necessary toensure a proper hand off and knowledgetransfer would occur in the event of anincreasingly likely staff change.The initial testing followed suit with moststandard vulnerability assessments. Scans weredone against both the private internal citynetwork and at the main ingress points such asthe mail server, VPN server and web server. Aswith most testing a fairly consistent dichotomyof the environment was probed.Due to both customer and equipmentsensitivity it is often not possible to test everydevice in an organization. With this specific testthe IP ranges that were initially provided fortesting did not include the police cruisers thatthe city monitors via Verizon cellular connection. After seeing the initial results from thescans that were conducted against the rest ofthe network we were asked to complete thesame scans against a few extra IP’s. The newranges turned out to be associated with thepolice cars computer gear.The last minute decision to allow us toscan the police vehicle addresses was key todiscovering what was in essence a completelyundocumented and previously non disclosedsecurity vulnerability. Had this choice not beenmade there is a potential that this vulnerabilitymay have been discovered and exploited bysomeone less forgiving. This hardware andsoftware combination is obviously potentiallydeployed elsewhere so the abuse is notlocalized to our specific client. An embedded semi proprietarycommercial solution was used as thecommunications hub inside each cruiser. Thecity ultimately had little control over the internalconfiguration or mechanics of these devices.For the most part the city put a certain level oftrust in the vendor to make sure that there wereno mission critical errors in the setup.Upon completion of the testing one of theengineers at the city was actually quite relievedthat we discovered what we did. He told us thathe had made an attempt to contact the vendorwith some concerns about an unintentionalbridging of the cellular interface with the internalLAN interface. The vendor support teambasically told him it was “impossible” and thathe must be mistaken.We were unable to get a complete story onexactly what caused the misconfiguration butafter some post testing analysis we discoveredthat the firmware versions differed amongdevices. The one we penetrated was actually afirmware beta version or pre-release in testing.
Do you trust your vendorsmarketing materials?
What does your vendorreally know about keepingyour data and assetssecure? Both marketinghype and snake oil areplentiful and they oftenlack robustness whenapplied to a real worldinstallation with actualend users. Have you ever wondered what aspect hasyour vender potentiallyoverlooked?
Choosing a solution provider SHOULD be a daunting task...
The day to day IT operations of this particular city are handled by thesame sort of people that can be found at any other organizationaround the world. Common men and women with a certainlevel of technical aptitude keep most systems running withinthe guidelines of what is considered “best practices”.The design and implementation of back end systemsis often a collaboration of skill and suggestion from both ITstaff and the vendor from which the hardware or softwarewas chosen. In the absence of proper vetting the designphase can often lend itself to sloppy or poor choices.The implementation that ultimately went into these specificpolice cruisers at some point clearly had to hinge on a fine line betweenmarketing buzzwords and true operational needs. It is usually assumedthat if there is a need to outsource a particular technology there is alack of that specific skill-set or technology in house. In this casewe can probably agree that the city in question did not havein house experts on mobile communication gateways.Without the in house expertise there was a need to use athird party solution to service the city police department.We can’t say exactly what drove the choice on this solutionbut we suspect it was price and buzzwords rather than solidresearch and vetting. The table below contains a few of themarketing buzzwords associated with the Utility.com Rocketproduct which was used as the communication gateway.
The Target
20XX Dodge Charger withPolice PackageSafety VisionPatrolRecorder DVR/CameraVerizon Business Cellularinternet connectionUtility.com Rocket MobileCommunication Appliance
Offenders shouldnot go freebecause of lostevidence orbreaks in thechain of custodyKnow where allyour assets areso that Dispatchcan send thebest assets forthe call,anytime day ornightKnow when and where assets were lastreported. Sendthis dataimmediately toyour CentralDispatchProvide officers with betterinformationfaster so theyarrive on scene with a betterunderstanding ofthe situation

Activity (9)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->