Disaster Recovery Distance – Gasoline and Hurricane Sandy


Almost one week after the Hurricane Sandy disaster, this is the scene within at least a 50 mile radius north of Manhattan.  New Jersey, which was hit harder, is probably much worse considering gas rationing is now in effect.

December 2007 Posting

On December 19th, 2007, InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances.  That posting cited the recommended distance in preparing for a hurricane.  The external study suggested an 85 mile radius.  InfoSecAlways suggested increasing that distance to 210 miles.  If Sandy was only a category 1 hurricane and the Tri-state area is affected as far north as Bridgeport, CT, the 85 mile radius is absolutely not acceptable.  Even gas is hard to get within that 85 mile radius.

One item that was not discussed in the previous blog article was gasoline.  For the past 4 days now this is the same picture everywhere at least 50 miles north of Manhattan.  This station in particular has had a gas tank delivery every day for the past 3 days.  Each night the station runs out of gas late in the evening.  In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen.  The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations.  Employees will not show up to work out of fear of theft or running out of gas.  This is especially true if they have power issues that require a generator.  Individuals will be forced to deal with personal items and work becomes secondary.   If a business operates as a supply chain, taxi, or delivery organization, which is dependent on transportation, it may be very difficult to operate due to lack of gas or increased traffic as a result of lines.

What to do?

Unfortunately gas is an absolute requirement for both individuals and corporations to operate effectively.  Individuals should know several different items that can help in the event of a disaster.

Siphoning gas is difficult on most new cars.  These cars contain a siphon screen that prevents hoses from going into the tank.  In dire situations removing the fuel filter allows access to the gas.  Remember lawn mowers and other household items may have gas if needed.

Generators and gas tanks will get stolen.  Staying in a disaster zone is not recommended even within a few days after the disaster.  Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

On the other hand corporations will need to provide an alternate means of connectivity for office and technology based jobs.  Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location.  Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission critical process.  As a result these businesses must purchase a series of large tanks and should consider owning their own gas stations with back up supply chains in place.  These gas supply tanks and stations must be protected with the proper physical security mechanisms such as anti-siphon devices on tanks and secure fencing perimeters around the gas stations.

Recommended Distance

Gas is a critical resource and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more.  Based on Hurricane Sandy, the distance required to provide a solid gasoline supply chain is around a 100 mile radius from the center point of the storm.  Both employees and corporations need to consider the type of disaster and its radius.  The radius should be considered for all resources and the supply chain for those resources.  Otherwise things may come to a halt when there is no gas left to buy at the station.

OwNd by EXIF – Understand What You Leave Behind


Who are you, Where are you, What are your habits?  It’s no secret these days that your entire life is tracked one way or another, especially if you live in the US.  Your bank knows how much you pay for electricity, what foods you eat, and where you buy gas.  The search engines and social media sites know what you are looking for, what you like, and what your friends like.  And if you were not aware, those photos posted all over the internet provide detail about where you are at a particular time.

Forensic analysis of logs and metadata provides the authorities and criminals with everything they need to know.  Look at the CBS local news article from earlier this year that is linked below.  It explains how a suspected member of Anonymous sent a photo to the FBI, which ultimately led to an arrest.

http://houston.cbslocal.com/2012/04/13/anonymous-hacker-busted-by-fbi/

What about your kid’s photos?  Look at this example posted by the FBI in 2011.

http://www.fbi.gov/news/stories/2011/december/cyber_122211

Masquerading IP addresses, eliminating log traces, scrubbing tags, and hiding metadata: these are all key skills every hacker or concerned parent must understand.  These skills are not new to those in the hacker community.  EXIF news postings have been around for years; however, with all the new avenues of media and mobile devices anyone can be caught off guard.  Therefore, be cautious about leaving unknown tracks and understand what your kids may be posting online.

In terms of EXIF there are tools such as Pixelgarde that can change or remove geo tags on your Android and iOS devices.

http://pixelgarde.com/

Also most mobile phones have features to disable the GPS tracking, but sometimes these features are also used for tracking stolen devices.
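To show what such a tool has to find and remove, here is an added example (not from the original post or from Pixelgarde) that walks a JPEG's segments, reports whether the Exif block carries a GPS pointer, and strips the Exif segment. The function names and the tiny sample file are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-directory

def iter_segments(jpeg):
    """Yield (marker, start, end) for each segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    # Stop at SOS (0xDA): compressed image data follows, not more segments.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def has_gps(tiff):
    """True if IFD0 of the TIFF block inside Exif holds a GPS IFD pointer."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte entries, tag first
    return any(struct.unpack(order + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 1, 12))

def audit_and_strip(jpeg):
    """Return (exif_found, gps_found, cleaned) with every Exif APP1 removed."""
    exif = [(s, e) for m, s, e in iter_segments(jpeg)
            if m == 0xE1 and jpeg[s + 4:e].startswith(EXIF_HEADER)]
    gps = any(has_gps(jpeg[s + 10:e]) for s, e in exif)  # skip marker+len+header
    cleaned = jpeg
    for s, e in reversed(exif):  # cut back to front so offsets stay valid
        cleaned = cleaned[:s] + cleaned[e:]
    return bool(exif), gps, cleaned

def sample_jpeg():
    """Constructed input: a JPEG shell (not a real photo) with a GPS pointer."""
    tiff = b"MM" + struct.pack(">HIH", 42, 8, 1)         # header, 1 IFD0 entry
    tiff += struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26)  # GPS IFD at offset 26
    tiff += struct.pack(">IHI", 0, 0, 0)                 # no next IFD; empty GPS IFD
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HEADER + tiff
    dqt_seg = b"\xff\xdb\x00\x04\x00\x00"                # stand-in table segment
    return b"\xff\xd8" + exif_seg + dqt_seg + b"\xff\xda\x00\x02\xff\xd9"
```

Only the Exif APP1 segment is handled here; location data can also sit in other metadata blocks such as XMP, so check the output of any scrubber before posting a photo.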

Test Your Anti-Virus or Re-Install


On strategic risk assessments, not testing anti-virus signatures before they are deployed should be considered a vulnerability.  Many of my customers believe this is ridiculous and not practical; however, I report it anyway.  Whatever the case, the organization has the decision to accept the risk, as I am only there to point it out.  There is a great example published where a routine update caused serious problems, forcing customers to re-install the operating system.

http://news.yahoo.com/s/zd/20071206/tc_zd/221141;_ylt=AhIN_X.SMrgYGlzdK7zmNe8E1vAI

So you decide.  Should anti-virus software be tested before deployment?

Data Leak! What Not to Do!


The other day I performed an external penetration test and obtained access using a default password (which is common) that was not changed.  Afterwards I began looking up statistics on passwords and here is one of the links that was listed on a regular Google search.

http://staff.washington.edu/krl/stats/pwc/

Amazing that someone would to this day post such information out on a public website.  Nice to know if this was my next external penetration target.  Wait it gets better!  Looking at the URL it was only obvious there had to be more so instead of going to the /pwc directory I modified the URL to go back one, which led me to these:

http://staff.washington.edu/krl/stats/ 

http://depts.washington.edu/ast/projects.old/

http://depts.washington.edu/ast/projects.old/pwedit.html

Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in the etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6


So why did I post this?

Two reasons.  One, I have a blog.  Two, because sometimes the best lesson you can learn is by seeing the mistakes of others.  Of course I plan to send an email to Ken and show him this blog entry.  If there is any follow-up to the story I will post another message.

Broken Links


If at any time while browsing this blog you notice a link is not working, please leave a comment or send an email.  Yesterday I noticed the policy whitepaper link is not working at Foundstone.  I am currently working with McAfee to try and figure out where the document moved or to get it uploaded back on the site.  My apologies, but in the future if you notice a problem with a link please point it out and I will update the site ASAP.  There is nothing more frustrating than broken links on a user’s website or blog.