Last week Gizmodo and ProPublica published a joint investigation[1] into cybersecurity at Mar-a-Lago, as well as at other Trump-owned hotels and golf courses. They scanned for open networks, unsecured devices, and other common security problems. They found that all the properties have basic security lapses, such as out-of-date servers and poorly protected networks. A spokesman for The Trump Organization said they follow cybersecurity best practices, but we don't put much value in generic company statements[2].
Since Trump regularly visits Mar-a-Lago, has hosted foreign leaders there, and has even observed military airstrikes, it seems the security of his commercial properties is now a national security issue. To avoid any legal trouble, the investigators did not attempt to break into these networks. That is great, because we don't want to see people going to jail, but it also means there simply isn't enough data to say whether Mar-a-Lago's network is secure or not. For instance, we don't know whether the network is properly segmented (which would insulate against the weak public-facing security measures), or any other configuration specifics.
We could speculate about worst-case scenarios, but that seems more self-indulgent than truly useful. ProPublica's claim that any half-decent hacker could break into Mar-a-Lago is undoubtedly true. But without knowing more about those networks, it's hard to know whether that is a meaningful statement. We don't know who is using the network. Is President Trump using the network (standard government practice says no[3])? His advisors? Their spouses? What about staff members of foreign governments? Or is it just guests of the clubs and hotels? That is still bad, since the affluent people who can afford memberships likely have access to important business information and valuable contacts. But it's not in the same league as hacking the President.
But we can all learn from the weak security practices that were uncovered in this investigation, and apply those lessons to the management of our own networks. Remember that Mar-a-Lago is primarily a resort (essentially a hotel), and they have to balance security with their guests' needs. When you have someone paying tens of thousands of dollars a year to be a member, do you tell them you don't support their ancient devices, or do you turn on insecure options to keep them happy? These are typical pressures faced by businesses, which you may also have to deal with on your own network. So, let's take a look at some of the mistakes we can learn from.
We picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP.
WEP (Wired Equivalent Privacy) is an outdated wireless security protocol designed for Wi-Fi networks.
These days, WEP should stand for Worthless Encryption Protocol. Back in 2005, the FBI demonstrated how to break WEP encryption in just 3 minutes[4]. Today, there are apps for Android phones that can get you access to a WEP-protected network in even less time. You should avoid using WEP at all costs. So why would Mar-a-Lago be using it? Rich, elite country club members aren't exactly known for their technical prowess.
This is likely a situation where there is pressure to support legacy devices. If you absolutely have to support aging technology like WEP, set it up on its own network. While this won't protect your guests/users on that network, it will isolate your critical infrastructure (i.e., what the employees and admins use). The proper protocol to use on your Wi-Fi network is WPA2. This will be available as an option on any router made in the last 10 years. You may see variations of WPA2 listed as Personal and Enterprise; there is a big difference between those.
WPA2 Personal uses a single pre-shared key, which is the method people are most familiar with when it comes to logging into Wi-Fi. With this mode, the admin sets a router password, which is used to create the pre-shared key. Everyone who wants to connect to the network simply types in the same password. The Enterprise version allows every user to have their own credentials to log in to the network. This limits the access an attacker can get, as they can only compromise one user at a time instead of the whole network. Enterprise is the more secure version, but it's significantly more difficult to administer.
This is the expert option: if you aren't an experienced admin, stick with Personal. With either version of WPA2 you want to use a complex (mixed numbers, letters, and symbols) and long password, at least 14 characters (as recommended by the DoD for its own networks[5]). Legitimate users log in infrequently, so a long password is only a rare annoyance. Short passwords save you a few seconds, but shave years of computing time off an attacker's brute-force attempt. Many routers have an option for Wi-Fi Protected Setup; this is a misnomer, and it will make your network less secure[6]. Disable this option.
From our desks in New York, we were also able to determine that the club s website hosts a database with an insecure login page that is not protected by standard internet encryption.
This is a big no-no, and I will consider it a personal offense if you do this. If you have a password-protected page on the internet, you must use HTTPS. There are no exceptions to this rule. HTTP is extremely insecure, and if you log in over HTTP you are broadcasting your credentials to the local network and the internet. It's the equivalent of shouting a secret through a megaphone.
There is a reason Firefox and Chrome now present big, bold warnings if you try to log in over HTTP[7]. Even if the page is only used by employees or is not publicly listed, it is still on the internet. Setting up HTTPS is fairly easy and inexpensive; even if you are a network admin who has never configured HTTPS before, it will only take about an hour. If you have a local-network login page, it is also a good idea to use HTTPS. Depending on how your network is configured and how you are connected, there are considerably fewer risks in this scenario. However, there are still risks, and you should use HTTPS here too. An easy rule: if you see a login page, you had better also see HTTPS in the address bar.
At a Trump property in New Jersey, they spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.
This one is tricky. Depending on the type of business you operate, you may have a need for an easily accessible network. In a coffee shop you can have the password available at the register; that is a bit more difficult on a sprawling golf course. While a password-protected network is technically more secure, that security is mostly an illusion if you can get the password by purchasing a $2 coffee or pretending to be a flustered guest.
If you are running such a network, the best way to avoid issues is to make sure guests understand the risk, and that employees aren't using the network out of laziness. For instance, imagine Trump (or a member of his team) selecting the open network by accident or out of ignorance of the security risks. If you are on an open/public Wi-Fi network, any unencrypted (HTTP) traffic can easily be recorded and viewed by other users on that network. As more and more sites adopt strong HTTPS configurations, there is less risk that a user leaks sensitive information this way. However, nearly half of data is still communicated over HTTP, so there is still a lot of potential for compromise.
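An audit of your own access points that applies the WEP/WPA2/WPS guidance from the wireless section and the open-network point just above, added here as an example (it is not code from the article). It parses the text layout that `iw dev wlan0 scan` prints on Linux; the scan below is constructed, with made-up BSSIDs and SSIDs, and only the fields the audit reads are kept.

```python
import re

# Constructed sample in the layout printed by `iw dev wlan0 scan` on Linux;
# BSSIDs and SSIDs are made up, and fields the audit does not read are omitted.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:01(on wlan0)
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: Club-Legacy
BSS 02:00:00:00:01:02(on wlan0)
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: Club-Members
	RSN:	 * Version: 1
		 * Authentication suites: PSK
	WPS:	 * Version: 1.0
BSS 02:00:00:00:01:03(on wlan0)
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: Club-Staff
	RSN:	 * Version: 1
		 * Authentication suites: IEEE 802.1X
BSS 02:00:00:00:01:04(on wlan0)
	capability: ESS ShortSlotTime (0x0401)
	SSID: WelcomeGuests
"""

def audit_scan(text):
    """Return one record per BSS: SSID, security mode, and the findings the article warns about."""
    results = []
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        if not block.startswith("BSS "):
            continue
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
        cap = re.search(r"^\s*capability: (.*)$", block, re.M)
        privacy = cap is not None and "Privacy" in cap.group(1)   # set by WEP and by WPA/WPA2
        has_rsn = re.search(r"^\s*RSN:", block, re.M) is not None   # RSN element = WPA2
        has_wpa = re.search(r"^\s*WPA:", block, re.M) is not None   # vendor WPA element = WPA1
        wps = re.search(r"^\s*WPS:", block, re.M) is not None
        auth = re.search(r"Authentication suites: (.*)$", block, re.M)
        enterprise = auth is not None and "802.1X" in auth.group(1)
        findings = []
        if has_rsn or has_wpa:
            mode = ("WPA2" if has_rsn else "WPA") + ("-Enterprise" if enterprise else "-Personal")
        elif privacy:   # Privacy bit set but no WPA/RSN element: this is WEP
            mode = "WEP"
            findings.append("WEP: isolate it on its own network or retire it")
        else:
            mode = "Open"
            findings.append("open network: HTTP traffic is readable by other users")
        if wps:
            findings.append("WPS enabled: disable it")
        results.append({"ssid": ssid.group(1) if ssid else "<hidden>", "mode": mode, "findings": findings})
    return results
```

Run `audit_scan(open("scan.txt").read())` against a saved scan of your own site to get the same table for real networks.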
ProPublica talked to well-known security expert Robert Graham[8], who warned that poorly secured networks are a gateway to bigger issues. Add in network devices that are unsecured, or a poor network layout where an open access point is connected to more important areas of the network, and now you have real trouble. Remember, attackers are looking to inch their way in. Small flaws are combined until they add up to big flaws, and to access to a device or data. Graham also warned that a series of vulnerabilities could be used to access the microphone or camera of a device on that network, which could be used to listen in on and monitor sensitive communications. While this is far beyond the skills of an average hacker, it's a realistic threat when you have a President on your network.
[1] Gizmodo and ProPublica published a joint investigation (www.propublica.org)
[2] but we don't put much value in generic company statements (www.thesslstore.com)
[3] standard government practice says no (www.nytimes.com)
[4] how to break WEP encryption in just 3 minutes (www.zdnet.com)
[5] as recommended by the DoD for its own networks (assets.documentcloud.org)
[6] this is a misnomer and will make your network less secure (www.howtogeek.com)
[7] Firefox and Chrome now present big, bold warnings if you try to log in over HTTP (www.thesslstore.com)
[8] Robert Graham (twitter.com)
Looking more like a tall speaker than an authoritarian android, the Cobalt security robot has an exterior made from aluminium and fabric. It is designed to operate in offices and foyers, where it performs basic functions like scanning ID cards, but also uses its sensors to detect possible security threats.
“We wanted to design Cobalt to represent a best-case scenario in which technology supports our daily lives,” said Béhar. “Technology can provide awareness and accountability, keeping us safe without feeling authoritarian.”
“Cobalt is a stark contrast to the Hollywood dystopian Robocop: it discreetly fits into its environment, provides a platform to grow with our needs, and enhances human ability without replacing the human.”
Both Béhar and Cobalt stress that the self-driving robot is intended to work alongside humans rather than replace them. With data gathered through its sensors and interpreted by advanced algorithms, Cobalt claims the robot will be able to detect and flag anomalies beyond what would be noticeable to a human guard.
It is able to work around the clock, and at smaller buildings where the cost of a human security guard might be prohibitive. It also keeps human security personnel out of situations that might be dangerous. However, humans are not entirely removed from the equation, as robot fleets are supported by a human supervisor who may be working remotely. People in need of assistance have the option to use the Cobalt robot to call the supervisor, who then appears on the screen, giving the machine a literal human face.
“One of the core fundamental values of Cobalt is to enable human-to-machine interactions,” said Cobalt CTO and co-founder Erik Schluntz. “The way we do that is designing a robot to interact with and around people.”
“We decided that the robot should not adopt a humanoid personality,” he said. “Instead, it should aesthetically align with the furniture and decor of the office environment.”
The tensile fabric which covers the robot’s sensors, cameras and self-driving mechanism also has the benefit of preventing overheating by increasing airflow. A CNC aluminium element at the head of the robot holds the display, office ID scanner and various buttons.
It can roam fluidly around a space, and is just tall enough to operate around most open-plan office cubicles. It reads environments using a combination of 360-degree and depth cameras, infrared and ultrasonic sensors, and smoke detectors. Algorithms involving machine learning, semantic mapping, novelty detection, and deep neural networks are used to interpret the data.
Some common abnormalities Cobalt suggests the robot would spot are an open window, a loud noise, a gas leak, a suspicious package or an after-hours intruder.
In the case of an incident, the robot begins recording and engages its supervisor.
“Security guards should not put themselves in dangerous situations, nor do they have the ability to know everything that is happening in an office,” said Béhar. “This is where a robot can be truly effective.”
“With the right sensing abilities, a robot can detect anything happening that is out of the ordinary.”
West Mercia Police are appealing to the public for information after it was confirmed that a peregrine falcon had been found dead in a quarry in Clee Hill, Shropshire. The male peregrine had been poisoned.
There have been previous problems in this area with two peregrines poisoned in 2010 and another in 2011. Over the last few years the Shropshire Peregrine Group (SPG) has been organising volunteers to keep an eye on the location.
On 15 June this year a volunteer reported a dead adult male peregrine at the base of the breeding cliff. The body was recovered by the RSPB and passed to Natural England so that toxicology tests could be arranged. These have since confirmed the bird was poisoned by diazinon, the same product as in previous incidents.
Peregrines are fully protected under the Wildlife and Countryside Act 1981 and anyone convicted of killing these birds could receive up to six months in prison and/or a fine.
The RSPB and the SPG have offered a reward of £1000 for information leading to the conviction of anyone involved in this incident.
John Turner of the SPG said: “This is yet another tragic incident at this site.
“The female parent also disappeared and we are concerned she may have also been poisoned. The situation was made even worse as the two chicks in the nest also died with the loss of the parents.”
Wildlife Crime Officer for West Mercia Police, Constable Julian Ward, said: “There have been previous incidents in this area and the illegal use of poison poses a risk to wildlife and to people. We believe somebody in the local community will have information about who is involved and we would urge them to contact police.”
Information can be reported to West Mercia Police on 101 quoting reference 649S of the 15/06/2015.