Calguns.net  

  #1  
Old 07-14-2012, 7:37 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default Computer Security

Any LEAs here using 2-Factor Authentication?
SmartCards, Biometrics

Any possibly using AFIS in conjunction with 2-factor?

I'd like to know what you're using if you are.
  #2  
Old 07-15-2012, 12:26 AM
Falconis Falconis is offline
Senior Member
 
Join Date: Feb 2008
Posts: 1,691
iTrader: 1 / 100%
Default

why?
  #3  
Old 07-15-2012, 8:30 PM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

CLETS to mobile
FBI via DOJ requirement
If you're running CLETS in your mobile you are required to have 2-factor authentication on the MDT.
Currently FBI/DOJ classifies an MDT as physically secure. Effective I think July 2013, they don't, therefore requiring 2-factor, leaving actually little time to become compliant.
  #4  
Old 07-16-2012, 5:59 AM
nickbackouris nickbackouris is offline
Member
 
Join Date: Nov 2011
Posts: 206
iTrader: 2 / 100%
Default

I'm a beat cop, and I'm computer savvy, but I have absolutely no clue what you are talking about. Sounds like you should be asking someone in our radio shop or in the tech garage.
  #5  
Old 07-16-2012, 6:24 AM
jaysen jaysen is offline
Member
 
Join Date: Apr 2011
Posts: 320
iTrader: 15 / 100%
Default

We use panny CF-29s without any physical authentication cards. I believe everything in ours is virtualized via VPN/Sprint air cards... with individual DOJ assigned mnemonics per MDC...
  #6  
Old 07-16-2012, 9:15 AM
code33 code33 is offline
Senior Member
 
Join Date: Nov 2004
Location: SF Bay Area
Posts: 968
iTrader: 54 / 100%
Default

Not yet.
The date is actually September 30, 2013.
Check with your CAD/Mobile software vendor to see which devices are supported.

This is a lot more technical than what your everyday street cop needs to know or works on, other than that, in addition to having to enter a password, swiping a finger or another security mechanism will have to be done.

The DOJ CLETS PPPs are mandating two-factor authentication:
Two-factor authentication shall be used where at least one factor meets the Advanced Authentication standards identified in the FBI’s CJIS Security Policy section 5.6.2.2.

FBI’s CJIS Security Policy section 5.6.2.2:
Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

http://www.oregon.gov/OSP/CJIS/docs/...92011.pdf?ga=t

Section 5.6.2.2.1 has details.
__________________
Disclaimer:
I am not a lawyer. Nothing in my posts should be considered legal advice.

Got ORI?

Front Sight Diamond Member
  #7  
Old 07-16-2012, 10:52 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

there ya go
thanks code33
  #8  
Old 07-16-2012, 10:57 AM
POLICESTATE POLICESTATE is offline
I need a LIFE!!
 
Join Date: Apr 2009
Location: Wylie, TEXAS
Posts: 18,205
iTrader: 25 / 100%
Default

Robust authentication system, but where is the encryption? I would assume it's all done in some sort of VPN environment?

Quote:
Originally Posted by code33 View Post
Not yet.
The date is actually September 30, 2013.
Check with your CAD/Mobile software vendor to see which devices are supported.

This is a lot more technical than what your everyday street cop needs to know or works on, other than that, in addition to having to enter a password, swiping a finger or another security mechanism will have to be done.

The DOJ CLETS PPPs are mandating two-factor authentication:
Two-factor authentication shall be used where at least one factor meets the Advanced Authentication standards identified in the FBI’s CJIS Security Policy section 5.6.2.2.

FBI’s CJIS Security Policy section 5.6.2.2:
Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

http://www.oregon.gov/OSP/CJIS/docs/...92011.pdf?ga=t

Section 5.6.2.2.1 has details.
__________________
If you want a picture of the future, imagine a boot stamping on a human face — forever.


Government Official Lies
. F r e e d o m . D i e s .
  #9  
Old 07-16-2012, 11:08 AM
code33 code33 is offline
Senior Member
 
Join Date: Nov 2004
Location: SF Bay Area
Posts: 968
iTrader: 54 / 100%
Default

Encryption requirements are in another section of the PPP's. Google "DOJ CLETS PPP" to read all about it.

Up until several years ago, CLETS outlined the security requirements in their policy. Then they changed and made it a requirement to follow FBI CJIS policy. Easier to do that than to keep on updating what they had, I suppose.
__________________
Disclaimer:
I am not a lawyer. Nothing in my posts should be considered legal advice.

Got ORI?

Front Sight Diamond Member

Last edited by code33; 07-16-2012 at 11:11 AM..
  #10  
Old 07-16-2012, 11:10 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

code33, who is your MDT vendor?
jaysen, you're going to need 2-factor.
Ultimately, to anyone wondering, in layman's terms, you're going to need something physical in addition to a password: a token, smartcard, thumbprint, etc.
2-factor is: what you know (pin/password), combined with what you have (token/smartcard/something physical)

If anyone is currently using 2-factor, I'd like to know who your MDT vendor is, and what 2-factor method you are using, along with the hardware and software being used for that. I'm also interested in anyone using AFIS in the field.
  #11  
Old 07-16-2012, 7:42 PM
epilepticninja epilepticninja is offline
Veteran Member
 
Join Date: Aug 2010
Location: AZ & CA
Posts: 4,102
iTrader: 7 / 100%
Default

Back in the day, my only access to CLETS was via a dispatcher...
__________________
#noleftistsallowed
  #12  
Old 07-16-2012, 8:49 PM
socalblue socalblue is offline
Senior Member
 
Join Date: Feb 2010
Posts: 815
iTrader: 1 / 100%
Default

From the folks I have spoken with recently PKI, software based tokens or lastly USB based token seem to be the most attractive.

Very few mobile systems have the proper hardware to support either a smart card or fingerprint reader. A USB based token works for most but one they cost $$, are easily lost/broken.

Software based secondary authentication tokens or PKI certs can be auto pushed/updated on the mobile units as part of normal maintenance.

It would not surprise me to see this requirement pushed off due to local agency budget constraints &/or technical issues with existing mobile equipment.
  #13  
Old 07-16-2012, 8:51 PM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

Quote:
Originally Posted by epilepticninja View Post
Back in the day, my only access to CLETS was via a dispatcher...
If only....
  #14  
Old 07-16-2012, 8:53 PM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

It wouldn't surprise me for it to be pushed either
It doesn't seem very many agencies are doing it yet
  #15  
Old 07-17-2012, 4:46 AM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

Hardware is dell. Software is Northrop Grumman.
  #16  
Old 07-17-2012, 7:15 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

Can you elaborate a bit tyrist
  #17  
Old 07-17-2012, 3:23 PM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

Quote:
Originally Posted by Tripper View Post
Can you elaborate a bit tyrist
What else did you want to know?
  #18  
Old 07-17-2012, 3:48 PM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

Do you use 2-factor?
What type?
Does Dell provide the hardware for the 2-factor, or do they provide the computer that some other device attaches to?
  #19  
Old 07-17-2012, 5:33 PM
garplay garplay is offline
Junior Member
 
Join Date: Jun 2011
Posts: 90
iTrader: 0 / 0%
Default

IANALEO, but I am a serious computer security expert...

This option:
Quote:
or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.
is, to put bluntly, bull**** fake 2-factor authentication. If whatever authentication system deployed doesn't include either a physical device, paper cards, an app on your phone (where the access is not from the phone), etc, it's not a real 2-factor system.
  #20  
Old 07-17-2012, 6:22 PM
sl4ck3r sl4ck3r is offline
Member
 
Join Date: Aug 2011
Location: Austin, TX previously Pleasanton, CA
Posts: 391
iTrader: 6 / 100%
Default

Quote:
Originally Posted by garplay View Post
IANALEO, but I am a serious computer security expert...

This option:


is, to put bluntly, bull**** fake 2-factor authentication. If whatever authentication system deployed doesn't include either a physical device, paper cards, an app on your phone (where the access is not from the phone), etc, it's not a real 2-factor system.
Like he's saying. Something you know + something you have.
  #21  
Old 07-17-2012, 8:39 PM
code33 code33 is offline
Senior Member
 
Join Date: Nov 2004
Location: SF Bay Area
Posts: 968
iTrader: 54 / 100%
Default

what?

Quote:
Originally Posted by garplay View Post
IANALEO
__________________
Disclaimer:
I am not a lawyer. Nothing in my posts should be considered legal advice.

Got ORI?

Front Sight Diamond Member
  #22  
Old 07-17-2012, 8:52 PM
socalblue socalblue is offline
Senior Member
 
Join Date: Feb 2010
Posts: 815
iTrader: 1 / 100%
Default

Quote:
Originally Posted by Tripper View Post
Originally Posted by epilepticninja
Back in the day, my only access to CLETS was via a dispatcher...If only....
When I first started we still had the typewriter that created the paper strips that were sent to CLETS ....
  #23  
Old 07-17-2012, 9:58 PM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

Quote:
Originally Posted by garplay View Post
IANALEO, but I am a serious computer security expert...

This option:


is, to put bluntly, bull**** fake 2-factor authentication. If whatever authentication system deployed doesn't include either a physical device, paper cards, an app on your phone (where the access is not from the phone), etc, it's not a real 2-factor system.
And your recommendation of hardware/software is???
  #24  
Old 07-19-2012, 8:11 AM
garplay garplay is offline
Junior Member
 
Join Date: Jun 2011
Posts: 90
iTrader: 0 / 0%
Default

Quote:
Originally Posted by Tripper View Post
And your recommendation of hardware/software is???
IANALEO -> I am Not a Law Enforcement Officer

I'm a computer security researcher.

I haven't looked into what specific offerings are in the area for your specific application, but I have looked at the area in general.

All commercial solutions that I know of are vulnerable to session hijacking, which is why the ideal solution (which does not exist in commercial practice) is public key based transaction-authentication tokens, where the user doesn't authenticate the login but authenticates the individual transaction request. (There have been some prototypes, e.g. the ZTIC from IBM, but nothing in production AFAIK.)

But as the right solution doesn't exist, and all the real almost-right solutions are effectively equivalent in security, I'd focus on usability and ubiquity: As long as it is real 2-factor, pick the one which meets the requirements and is easiest to set up, and pick the one everyone else uses so that you can't be blamed if something goes wrong. [1]

I'd probably go with RSA SecurID tokens because of their ubiquity, and they are horribly bad on the UI but no worse than the competition and, critically, you can provide people with software tokens that run on the mobile phone, so they don't have to deal with half-a-dozen dongles sitting on their keychain.


[1] Not kidding. A lot of security engineering is not making the system secure, but making sure you, as the person in charge of security, can't get blamed when it fails. Just as nobody got fired for buying IBM, nobody has gotten fired for using SecurIDs, even when the Chinese hacked them.
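Added example, not part of garplay's post or of any product named in the thread: a minimal Python sketch of the difference post #24 describes between authenticating the login and authenticating each transaction request. HMAC with a key held by the token stands in for the public-key signature, and all names (`LoginOnlyServer`, `TransactionAuthServer`, `token_approve`, the sample cookie and plate values) are hypothetical and constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values; every name here is hypothetical.
SESSION_COOKIE = "sess-3f9a"
TOKEN_KEY = b"constructed-demo-key-held-by-the-token"

def _tag(key, request, nonce):
    # HMAC stands in for the public-key signature described in the post.
    msg = json.dumps({"req": request, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def token_approve(key, request, nonce):
    """Token side: the user reviews the request, then the token tags it."""
    return _tag(key, request, nonce)

class LoginOnlyServer:
    """Login is authenticated once; afterwards the cookie alone is trusted."""
    sessions = {SESSION_COOKIE: "officer17"}

    def handle(self, cookie, request):
        return cookie in self.sessions

class TransactionAuthServer:
    """Every request needs a tag over that exact request and a fresh nonce."""
    def __init__(self, key):
        self.key = key
        self.sessions = {SESSION_COOKIE: "officer17"}
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def handle(self, cookie, request, nonce, tag):
        if cookie not in self.sessions or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # single use, so a captured tag cannot be replayed
        return hmac.compare_digest(_tag(self.key, request, nonce), tag)

def demo():
    approved = {"op": "plate_query", "plate": "7ABC123"}  # what the user saw
    altered = {"op": "plate_query", "plate": "1XYZ999"}   # swapped inside the session
    out = {"login_only_accepts_altered": LoginOnlyServer().handle(SESSION_COOKIE, altered)}
    srv = TransactionAuthServer(TOKEN_KEY)
    n1 = srv.challenge()
    out["txn_accepts_altered"] = srv.handle(SESSION_COOKIE, altered, n1, token_approve(TOKEN_KEY, approved, n1))
    n2 = srv.challenge()
    tag2 = token_approve(TOKEN_KEY, approved, n2)
    out["txn_accepts_approved"] = srv.handle(SESSION_COOKIE, approved, n2, tag2)
    out["txn_accepts_replay"] = srv.handle(SESSION_COOKIE, approved, n2, tag2)
    return out

if __name__ == "__main__":
    print(demo())
```

With login-only authentication the server cannot tell the approved request from the altered one once the session is established; with per-transaction tags the altered request and the replay are both rejected.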
  #25  
Old 07-19-2012, 10:11 PM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

Quote:
Originally Posted by Tripper View Post
Do you use 2-factor?
What type?
Does Dell provide the hardware for the 2-factor, or do they provide the computer that some other device attaches to?
Dell just provides the computer. We have smart cards and passwords. Use of agency hardware is required to access the database.
  #26  
Old 07-19-2012, 10:56 PM
BigDogatPlay BigDogatPlay is offline
Calguns Addict
 
Join Date: Jun 2007
Location: Beautiful progressive Sonoma County
Posts: 7,386
iTrader: 13 / 100%
Default

I'm not in the LEO business any longer but do operations stuff in high tech now. We access our enterprise apps worldwide through VPN using an RSA virtual token to control access. It works very well, and does save a bunch of money over the physical tokens we used to use. The token on the machine is tied to the individual user in our case.

Not sure how that would work in a fleet deployment where in field equipment might not be issued on a one to one basis to officers, but I'm betting there is a solution for it.
__________________
-- Rifle, Pistol, Shotgun

Not a lawyer, just a former LEO proud to have served.

Quote:
Americans have the right and advantage of being armed - unlike the citizens of other countries whose governments are afraid to trust the people with arms. -- James Madison
  #27  
Old 07-20-2012, 9:25 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

@tyrist, what vendor for the smartcard, is it an extra device plugged in via USB that you plug the smart card into, or is the card reader built in to the MDT?
  #28  
Old 07-20-2012, 9:21 PM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

http://shop2.sprint.com/assets/pdfs/...udies/LAPD.pdf
  #29  
Old 07-20-2012, 10:56 PM
socalblue socalblue is offline
Senior Member
 
Join Date: Feb 2010
Posts: 815
iTrader: 1 / 100%
Default

Quote:
Originally Posted by tyrist View Post
Bio-metric devices, esp an easily hackable bluetooth device, is a joke. Fingerprint scans are reduced to an unchanging numerical value. Bluetooth encryption can be broken by readily available tools.

Better than nothing but there are far superior solutions. The issues are cost, field support & ease of use.
  #30  
Old 07-20-2012, 11:10 PM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

Quote:
Originally Posted by socalblue View Post
Bio-metric devices, esp an easily hackable bluetooth device, is a joke. Fingerprint scans are reduced to an unchanging numerical value. Bluetooth encryption can be broken by readily available tools.

Better than nothing but there are far superior solutions. The issues are cost, field support & ease of use.
The finger print devices are not for security. They are for suspects.
  #31  
Old 07-21-2012, 7:54 AM
Tripper Tripper is offline
Calguns Addict
 
Join Date: Jan 2011
Location: Central Coast-Salinas
Posts: 7,753
iTrader: 102 / 100%
Default

what is the hard/software for the smartcard?

how are you liking the fingerprinting in the field? how often do you actually use it to identify, and under what conditions? do you have the option of choosing any finger, or do you have to choose 1 of 2 or 3?
  #32  
Old 07-22-2012, 3:39 PM
tyrist tyrist is offline
Veteran Member
 
Join Date: Jun 2007
Posts: 4,566
iTrader: 0 / 0%
Default

Quote:
Originally Posted by Tripper View Post
what is the hard/software for the smartcard?

how are you liking the fingerprinting in the field? how often do you actually use it to identify, and under what conditions? do you have the option of choosing any finger, or do you have to choose 1 of 2 or 3?
Finger print scanner in the field is great. You scan their index finger and their county arrest record pops right up so they can't dodge their warrants or supervision status.