While technologists continue to engage in the perpetual spiraling cat and mouse game between finding and patching security holes and staying on top of the “ultra-sophisticated” attack and defense tactics, some choose to avoid the game altogether. When one side recognizes that the other holds a superior technological or resource advantage, such as the State vs. individual or a small group, often the weaker side chooses instead to focus on low tech vs. high tech means to accomplish their objectives.

I have been intrigued ever since hearing the story of how prisoners in Sau Paulo, Brazil were using carrier pigeons to transport cell phones in and out of the prison. In July 2009, prison Guards at the Danilo Pinheiro prison near Sorocaba, Brazil intercepted an exhausted pigeon as it approached. The tired bird was carrying a backpack. Inside the backpack was a cellphone and a piece of paper with the name of the inmate who was waiting for the phone.  [1]

In yet another Brazilian prison, guards found two carrier pigeons inside the bag of a visitor. Carrier pigeons typically fly home.If you take them to another location, they will make their way back to their home base. The pigeons were likely to be used to send equipment or messages out of the prison.[2]

Other reported stories include:

• 2003-The Daily Times of Pakistan, quoting intelligence sources, said flocks of pigeons are being used by Afghan and Pakistani drug traffickers to carry heroin from Afghanistan to Pakistan, where the traffickers are mostly based. Interestingly, the Taliban have allegedly banned the ownership of pigeons.[3]

• 2006-MOSCOW. — Russian prosecutors say it appears criminals in the Astrakhan region are using carrier pigeons to deliver drugs to prison inmates.

• As early as the 1920’s, drug traffickers in the El Paso-Juarez area used flocks of pigeons, (and dogs), to easily transport drugs across the border.

• Reuters was set up in 1851 by Paul Julius Reuter, a German-born immigrant. He opened an office in the City of London which transmitted stock quotations between London and Paris via the new Calais-Dover cable. Two years earlier he had used pigeons to fly prices between Aachen and Brussels.[4]

• Birds were used throughout World Wars I and II to deliver messages to avoid the risk of radio intercepts.  The French even awarded the homing pigeon, named Cher Ami, a heroic service medal for its flying service during World War I.  (Last time I was in France, I ordered pigeon from the dinner menu just to try it…but I digress.)

The history of pigeons used for messaging goes way back.  Some say the earliest account was Noah’s use of a dove as a carrier pigeon.  Records show the Egyptians and the Persians used them more than 3000 years ago to send messages.  Pigeon racing, where pigeons race each other over long distances, is still a practiced “sport” today. [5]

So what are the characteristics of a carrier pigeon?  How far can they fly? And how much can they carry?

Typically a Rock Pigeon is used as a carrier, although other breeds can be used as well.  Pigeons have an innate ability to find their way home.  No one knows for sure how they navigate (electromagnetic, vision, sense of smell, or a combo of them all) but they are good at it.  Typically they will fly home.  So they are taken to another location and released, finding their way to their home perch.  Some reports indicate that pigeons can be trained to fly round trip, from home to a single destination, and then fly back to their home food source.   There are no reports of pigeons trained to find multiple locations. Distances of 500 miles in a day are typical for pigeon races.  Pigeons can travel up to 50 miles per hour (depending on wind and weather) and can make the approximate 10 hour trip before nightfall.  One of the longest racing records was 1,100 miles. But the average city pigeon flies only about 12 miles per day.  The average weight of a pigeon is 10-16 oz.  Pigeons are usually trained to carry 2.5 oz packages.  But the cell phones in the Brazilian prison photos weigh approximately 7 oz, perhaps partly explaining why the birds were exhausted.  Sometimes birds are used to run two round trip missions per day.  It seems that a roundtrip range of 100 miles could be done twice a day without too much trouble, depending again on weather and load.

So if one wanted to build a “pigeon network”,  what might one look like?  One could construct a hub and spoke network of pigeon nodes, using each pigeon for a specific linear route.   Need your message to fly North instead of West?  At the node, transfer the contents of the delivery between pigeons and send out another bird.  (Or send duplicates to mitigate against falcon attacks.) Or extend your linear range with hubs located along a particular route.  How do you know when your bird arrives?  In pigeon racing, one method used to trigger the clocks is to equip the bird with an RFID leg bracelet. When the bird arrives at its final destination, the bracelet is read by the RFID scanner and a message is sent to the owner, indicating the bird has landed.  In South Africa, an IT company wishing to poke fun at the slow speeds of the network, equipped a carrier pigeon with a 4GB memory stick and had it fly 60 miles to its destination. [6] The bird was reportedly faster than the local line carrying the same amount of data.  Is it possible to send encrypted memory devices on the backs of pigeons over long distances?  Sure is.  Fascinating isn’t it?   Low tech never really went away, it’s just not as sexy as say…Twitter.   But it still works.  And expect to see a lot more of it.

Bon Appetit

[1] “Nation & World | Prison guards intercept carrier pigeon with a cellphone | Seattle Times Newspaper,” http://seattletimes.nwsource.com/html/nationworld/2009417088_pigeonphone04.html [2] “YouTube – Carrier pigeons take drugs and phones into Brazilian jail,” http://www.youtube.com/watch?v=J-mDEtz9mRI [3] “NewsLibrary Search Results,” http://nl.newsbank.com/nl-search/we/Archives?p_product=WT&p_theme=wt&p_action=search&p_maxdocs=200&p_text_search-0=carrier%20AND%20pigeons&s_dispstring=carrier%20pigeons%20AND%20date(04/01/2003%20to%2005/01/2003)&p_field_date-0=YMD_date&p_params_date-0=date:B,E&p_text_date-0=04/01/2003%20to%2005/01/2003)&p_perpage=10&p_sort=YMD_date:D&xcal_useweights=no [4] May 5, 2007.  The Guardian. [5] “Racing Pigeon Digest,” http://www.racingpigeondigest.com/archives/articles/1 [6] “BBC NEWS | Africa | SA pigeon ‘faster than broadband’,” http://news.bbc.co.uk/2/hi/africa/8248056.stm

You can download this post as a PDF.

Jeff Carr, a Cyber Security Guru and author of “Inside Cyber Warfare,” has put out a call for Intelligence professionals willing to volunteer portions of their time to support the US Intel Community.   I have reposted Jeff’s message below.  I have worked with Jeff and he is legitimate.  I recommend you check it out.  You can follow his Twitter or email him if interested.

Links are below.

—————————————————————————————————————————————-

What if DARPA’s Red Balloons Were Dots That Needed Connecting?

Last Updated on Wednesday, 13 January 2010 05:53 Written by Jeffreycarr Sunday, 10 January 2010 11:04

“Our goal in entering this (DARPA) challenge is to understand how to mobilize the vast resources of the human network to face challenges and explore the opportunities that come with living in such a connected world.”

- Riley Crane, Post-doctorate Fellow, MIT Media Lab team

In sum, the U.S. government had the information — scattered throughout the system — to potentially uncover this plot and disrupt the attack.  Rather than a failure to collect or share intelligence, this was a failure to connect and understand the intelligence that we already had.

- Barack H. Obama, President, United States of America

I know that a lot of you feel the same way I do. You’re thinking how can I help fix this problem? And, let’s face it, it’s a pretty big friggin’ problem; not only in terms of what’s at stake but also in its longevity as a thorn in the side of intelligence analysts since…, well, forever. I’ve been thinking about this off and on ever since the President’s remarks and today, on my way home from seeing a movie with my wife, I thought about those red balloons and what might be possible if we leveraged Twitter to harness some of the best creative minds in the country to volunteer their particular skill set to help solve this problem on an as-needed basis.

Just from my work with Project Grey Goose, I’ve come to know lots of talented individuals in varying disciplines who I’m sure would be happy to join an on-call list to volunteer at least some of their work week if their specialty was needed. Perhaps their employers would even agree to pay them for the effort, similar to what Microsoft does for its annual Day of Caring.

I don’t think there’s a larger pool of intellectual talent anywhere in the world than in the United States. Let’s follow MIT’s lead and mobilize via the Social Web, organize it via a wiki, sketch out possibilities on a virtual white board, bring in talent as-needed, and come up with some solutions for the ODNI to apply. Let’s make it a permanent revolving resource so support is always available. And best of all, there are no budgetary issues, no bureaucratic obstacles, no BAAs that take two years to go from white paper to Phase II trials, etc. Just the work, and the best people in the country to do it – now, and for free.

Follow @greyballoons on Twitter to show your willingness to participate, and spread the word. If the idea catches on (let’s say a minimum of 1000 follows), then perhaps DNI Blair will give his endorsement and a new resource will become available to the hard-working individuals inside the IC that are tasked with the day-to-day challenge of meeting the President’s order to fix what has contributed to this intelligence failure.

Update: 11 Jan 2010 - As of 1026 Pacific time, over 50 exceptionally talented individuals have signed on via Twitter and e-mail. If you aren’t on Twitter but want to offer your services to the @greyballoons project, feel free to use email instead.

Update: 12 Jan 2010; 0400 Pacific: 101 participants and counting. 86 from Twitter and 15 via email. Thanks everybody. Please keep spreading the word.

Update: 13 Jan 2010; 0452 Pacific: 146 participants and counting. 103 from Twitter and 43 via email.

From Eagle Intelligence—

Wishing you a Happy 2010 New Year !

Cisco released its annual security report this week. The report covers a range of cyber security trends ranging from spam, to bots, to malware. They also devote a few pages to the criminal business models that generate profits from illicit activity. Worth a read.

The link is here.

Not surprisingly, as computer use grows around the world, the trends are all upward for more malware, more spam, more fraud.

One of the solutions hightlighted in the Cisco report is user education.
“Previous Cisco security reports have emphasized that “user education” is an essential component to security. Users should be expected to take measures to protect their online identity and to be aware of the risks that accompany their use of technology.”

While true, it’s simply not enough. Businesses need to raise security higher on their own priority lists in order provide their customers with “as secure as possible” environments.

I had an account at a regional bank that highlighted their focus on security (secure access to accounts, privacy, etc.) They even charged extra for it. One day I received an email allegedly from the bank that led me to their web page. It had the account login script on the page. Upon further inspection, the web page was coming from a server and location that didn’t belong to the bank. Looked like a phishing site to me.

So I called the bank and asked for their security department. “We don’t have a security department,” he said. I asked who I should talk to if I did have a security problem. He said, “You need to talk to Jim, our IT guy.” I was feeling much less comfortable by now.

Jim (not his real name) called me back and after discussing the situation with him, told me the site was legitimate. They had outsourced all their marketing efforts to a 3rd party company and allowed their main website to be routed from an untrusted source. I asked him why, in the age of so much internet crime, would they choose to create a vulnerable point for their customers–particularly their elderly customers. He was a nice guy. Very polite. But I’m not sure if he understood the risks. Clearly marketing hadn’t.

My account is now closed.

The two pillars of trust and reputation are hard to build.  Securing the “client’s  visit” (physical and virtual) is required if you want those pillars to stay up.

Dear Bank CEO: Jim’s a good guy. Jim needs help. This isn’t an IT problem, it’s your responsibility.

Thanks to the Internet and global telecommunications networks, small businesses can participate in supply chains that span the globe. But with the rapid increase in online fraud and exploits, supply chains can also be exploited.  Where’s the weak link?  Is it you?

In October, the National Cyber Security Alliance published a survey of 1500 small businesses on Cyber Security practices and attitudes.

Here are some highlights:

• 75% of small businesses use the Internet to communicate with customers
• 38% use the Internet for Procurement
• 34% use the Internet to manage their database
• 92% think they are generally safe from hackers, viruses, malware, or cyber breaches.  Yes 92%!
• 62% have a wireless router at the office
• 23% do not have a password on their router

So using rough figures, (62% X 23% X 1500 SB) = 214 small businesses with open routers accessible to anyone driving by and peaking in.  Assuming the survey represents the total population, then roughly 14% of small businesses admit to having no security on their routers.  I hope my personal data isn’t in your database!

Exploits are increasing. If you’re part of a supply chain now and you’re the weak link, not only do you risk liability for compliance related issues but you also risk being replaced in the supply chain. The easiest thing to do is to replace you with another.

On a somewhat bright note, 58% of respondents said Cyber Security is a cost of doing business.  I believe this number will go much higher as small businesses realize the consequences of operating with no security—or false security.

Summary survey and full survey are attached.

NCSA SB Study Factsheet

FullSMBStudy2009 FINAL

It’s been on the todo list for a long time but today we officially launch Eagle’s new web site.  Attempting to keep a static web page up to date in a real-time information world just doesn’t make sense anymore.  Our aim is to keep clients up to date through this site while reducing the number of emails.  We’re certain you’ll be pleased with less email.

Have a Happy Thanksgiving.