Monday, March 02, 2009

How Firewalls Work

If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably heard the term firewall used. For example, you often hear people in companies say things like, "I can't use that site because they won't let it through the firewall."

If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. As you read through this article, you will learn more about firewalls, how they work and what kinds of threats they can protect you from.

Friday, February 27, 2009

Install and Use a Firewall Program

This section describes a firewall, its importance to your home computer strategy, and a way to think about the job you need to do. We’re going to depart from our “computer-is-like-a-house-and-the-things-in-it” analogy to use another that you are probably also familiar with: an office building.

Have you ever visited a business where you first stopped at the reception desk to interact with a security guard? That guard’s job is to assess everybody who wishes to enter or leave the building to decide if they should continue on or be stopped. The guard keeps the unwanted out and permits only appropriate people and objects to enter and leave the business’s premises.

Let’s dig deeper into this analogy. When someone enters a building, the security guard usually greets them. If they have an appropriate identification badge, they show it to the guard or swipe it through a reader. If all is OK, they pass through the guard’s checkpoint. However, if something’s wrong or if they are a visitor, they must first stop at the guard desk.

The guard asks whom they wish to see. The guard may also ask for identification such as a driver’s license or their company ID. The guard reviews the list of expected guests to see if this person is approved to visit the party in question. If the guard decides everything is all right, the visitor may pass. The visitor usually signs a logbook with their name, the company they represent, whom they are seeing, and the time of day.

On a computer, the firewall acts much like a guard when it looks at network traffic destined for or received from another computer. The firewall determines if that traffic should continue on to its destination or be stopped. The firewall “guard” is important because it keeps the unwanted out and permits only appropriate traffic to enter and leave the computer.

To do this job, the firewall has to look at every piece of information – every packet – that tries to enter or leave a computer. Each packet is labeled with where it came from and where it wants to go. Some packets are allowed to go anywhere (the employee with the ID badge) while others can only go to specific places (visitors for a specific person). If the firewall allows the packet to proceed (being acceptable according to the rules), it moves the packet on its way to the destination. In most cases, the firewall records where the packet came from, where it’s going, and when it was seen. For people entering a building, this is similar to the ID card system keeping track of who enters or the visitor signing the visitor’s log.

The building’s guard may do a few more tasks before deciding that the person can pass. If the person is a visitor and is not on the visitors list, the guard calls the employee being visited to announce the visitor’s arrival and to ask if they may pass. If the employee accepts the visitor, they may proceed. The guard may also give the visitor a badge that identifies them as a visitor. That badge may limit where in the building they can go and indicate if they need to be escorted. Finally, no matter whether the person is a visitor or an employee, the guard may inspect their briefcase or computer case before they pass.

The firewall can also check whether a given packet should pass, allowing the computer’s user to respond to unanticipated network traffic (just as the guard does with the unexpected visitor). Individual packets can be allowed to pass, or the firewall can be changed to allow all future packets of the same type to pass. Some firewalls have advanced capabilities that make it possible to direct packets to a different destination and perhaps even have their contents concealed inside other packets (similar to the visitor being escorted). Finally, firewalls can filter packets based not only on their point of origin or destination, but also on their content (inspecting the briefcase or computer case before being allowed to pass).

Back to the office building, when employees leave the building, they may also have to swipe their ID card to show that they’ve left. A visitor signs out and returns their temporary badge. Both may be subject to having their possessions inspected before being allowed to leave.

Firewalls can also recognize and record when a computer-to-computer connection ends. If the connection was temporary (like a visitor), the firewall rules can change to deny future similar connections until the system’s user authorizes them (just as visitors must re-identify themselves and be re-approved by an employee). Finally, outgoing connections can also be filtered according to content (again, similar to inspecting possessions at the exit).

What does this all mean? It means that with a firewall, you can control which packets are allowed to enter your home computer and which are allowed to leave. That’s the easy part.

The hard part is deciding the details about the packets that are allowed to enter and exit your home computer. If your firewall supports content filtering, you also need to learn which content to allow and which not to allow. To help you get a handle on this harder task, let’s return to our security guard analogy.

Imagine that you are that security guard and it’s your first day on the job. You have to decide who’s allowed in, who’s allowed out, and what people can bring into and take out of the building. How do you do this?

One strategy is to be very conservative: let no one in or out and let no possessions in or out. This is very simple, very easy to achieve, but not particularly helpful to the business if none of its employees or visitors can get in or out. Nor is it helpful if they can’t bring anything with them. With this type of strategy, your tenure as a security guard may be short-lived.

If you try this, you quickly learn that you need to change your strategy to allow people in and out only if they have acceptable identification and possessions using some agreed-to criteria. Add the requirement that if you don’t meet the precise criteria for admittance, you don’t get in.

With most firewalls, you can do the same thing. You can program your firewall to let nothing in and nothing out. Period. This is a deny-all firewall strategy and it does work, though it effectively disconnects you from the Internet. It is impractical for most home computers.

You can do what the security guard did: review each packet (employee or visitor) to see where it’s coming from and where it’s going. Some firewall products let you easily review each packet so that you can decide what to do with it. When you are shopping for a firewall, look for this review feature because it can be quite helpful. Practically speaking, it isn’t easy to decide which traffic is all right and which is not all right. Any feature that makes this job easier helps you achieve your goal of securing your home computer.

Just like the security guard who learns that anybody with a company photo ID is allowed to pass, you too can create firewall rules that allow traffic to pass without reviewing each packet each time. For example, you may choose to allow your Internet browsers to visit any web site. This rule would define the source of that traffic to be your browsers (Netscape Navigator and Microsoft Internet Explorer, for example) and the destination location to be any web server. This means that anybody using your home computer could visit any Internet web site, as long as that web server used the well-known standard locations.

Now that you have an idea of what your firewall security guard is trying to do, you need a method for gathering information and programming your firewall. Here is a set of steps to use to do just that:

  1. The Program test: What’s the program that wants to make a connection to the Internet? Although many programs may need to make the same type of connection to the same Internet destination, you need to know the name of each. Avoid general rules that allow all programs to make a connection. This often results in unwanted and unchecked behavior.
  2. The Location test: What’s the Internet location of the computer system to which your computer wants to connect? Locations consist of an address and a port number. Sometimes a program is allowed to connect to any Internet location, such as a web browser connecting to any web server. Again, you want to limit programs so that they only connect to specific locations where possible.
  3. The Allowed test: Is this connection allowed or denied? Your firewall rules will contain some of each.
  4. The Temporary test: Is this connection temporary or permanent? For example, if you’re going to connect to this specific location more than five times each time you use the computer, you probably want to make the connection permanent. This means that you ought to add a rule to your firewall rules. If you aren’t going to make this connection often, you should define it as temporary.

With each connection, apply the PLAT tests to get the information you need to build a firewall rule. The answer to the PLAT tests tells you if you need to include a new firewall rule for this new connection. For most firewall programs, you can temporarily allow a connection but avoid making it permanent by not including it in your rules. Where possible, allow only temporary connections.

As you run each program on your home computer, you’ll learn how it uses the Internet. Slowly you’ll begin to build the set of rules that define what traffic is allowed into and out of your computer. By only letting in and out what you approve and denying all else, you will strike a practical balance between allowing everything and allowing nothing in or out.

Along the way, you may come across exceptions to your rules. For example, you might decide that anybody who uses your home computer can visit any web site except a chosen few web sites. This is analogous to the security guard letting every employee pass except a few who need more attention first.

To do this with firewall rules, the exception rules must be listed before the general rules. For example, this means that the web sites whose connections are not allowed must be listed before the rules that allow all connections to any web site.

Why? Most firewall programs search their rules starting from the first through the last. When the firewall finds a rule that matches the packet being examined, the firewall honors it, does what the rule says, and looks no further. For example, if the firewall finds the general rule allowing any web site connections first, it honors this rule and doesn’t look further for rules that might deny such a connection. So, the order of firewall rules is important.
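The following is an added example, not code from the original post, that models the PLAT fields as firewall rules and evaluates them the way the text describes: top to bottom, first match wins, default deny when nothing matches. The program name, the 192.0.2.0/24 "blocked site" network and the 198.51.100.0/24 address are constructed sample values; the `shadowed_rules` helper is an assumption of this example that reports rules a given set of test connections never reaches, which is exactly what happens when the general allow is listed above the exception.

```python
"""First-match firewall rule evaluation (added example, not from the original post).

Each rule carries the four PLAT answers: Program, Location (address + port),
Allowed (allow/deny) and Temporary (permanent or not). The rule list is
searched from first to last and the first matching rule is honored, so an
exception ("deny this one site") must be listed above the general rule it
carves out of. Addresses are constructed examples from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    program: str            # program name, or "*" for any program
    location: str           # destination network in CIDR form, or "*" for anywhere
    port: Optional[int]     # destination port, or None for any port
    action: str             # "allow" or "deny"
    permanent: bool = True  # False marks a temporary, one-off decision
    comment: str = ""


@dataclass(frozen=True)
class Connection:
    program: str
    dest_ip: str
    dest_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True when the connection satisfies every field the rule constrains."""
    if rule.program != "*" and rule.program != conn.program:
        return False
    if rule.port is not None and rule.port != conn.dest_port:
        return False
    if rule.location != "*" and ip_address(conn.dest_ip) not in ip_network(rule.location):
        return False
    return True


def evaluate(rules: List[Rule], conn: Connection, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Return (action, rule) for the first matching rule, or (default, None)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule
    return default, None


# Correct order: the exception sits above the general rule it narrows.
GOOD_ORDER = [
    Rule("browser", "192.0.2.0/24", 80, "deny", comment="blocked web site (constructed)"),
    Rule("browser", "*", 80, "allow", comment="browser may reach any web server"),
]
# Wrong order: the general allow is found first and the exception is never consulted.
BAD_ORDER = list(reversed(GOOD_ORDER))


def shadowed_rules(rules: List[Rule], probes: List[Connection]) -> List[Rule]:
    """Rules that never fire for any probe connection; a sign of an ordering mistake."""
    hit = set()
    for conn in probes:
        _, rule = evaluate(rules, conn)
        if rule is not None:
            hit.add(rule)
    return [rule for rule in rules if rule not in hit]


if __name__ == "__main__":
    blocked = Connection("browser", "192.0.2.10", 80)
    print("good order:", evaluate(GOOD_ORDER, blocked)[0])  # deny
    print("bad order: ", evaluate(BAD_ORDER, blocked)[0])   # allow
    for rule in shadowed_rules(BAD_ORDER, [blocked, Connection("browser", "198.51.100.5", 80)]):
        print("never reached:", rule.comment)
```

Running the block with the two rule orders shows the point directly: the same connection to the blocked site is denied under `GOOD_ORDER` and allowed under `BAD_ORDER`, and the deny rule shows up as unreachable in the second list.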

Many firewalls can be programmed to require a password before changing the rules. This extra level of protection safeguards against unwanted changes no matter their source, that is, you, an intruder, or another user. Follow the guidance in Task 6 - Use Strong Passwords when assigning a password to your firewall.

Finally, make a backup of your firewall rules. You’ve probably taken a lot of time to build and tune them to match how your home computer is used. These rules are important to your computer’s security, so back them up using the guidance in Task 5 - Make Backups of Important Files and Folders.

Firewalls come in two general types: hardware and software (programs). The software versions also come in two types: free versions and commercial versions (ones that you purchase). At a minimum, you should use one of the free versions on your home computer. This is especially important if you have a laptop that you connect to your home network as well as a network at a hotel, a conference, or your office.

If you can afford a hardware firewall, you should install one of these too. We’ve recommended this as something to do later. (Firewall programs are Task 4 on our list of recommended actions, and hardware firewalls are Task 8.) The same issues apply to the hardware versions that apply to the software versions. Many can also be password protected against unwanted changes. Search the Internet with your browser to see what’s available and what they cost. The price of hardware firewalls is coming down as the demand grows.

A firewall is your security guard that stands between your home computer and the Internet. It lets you control which traffic your computer accepts. It also controls which of your programs can connect to the Internet. With a firewall, you define which connections between your computer and other computers on the Internet are allowed and which are denied. There are free firewall products that provide the capabilities you need to secure your home computer. Commercial versions have even more features that can further protect your computer.

Use Care When Reading Email with Attachments

We’ve all heard stories about people receiving an item in the mail that in some way caused them harm. We’ve heard of letter bombs and exploding packages, and in 2001, we learned about Anthrax-laden letters. Although their frequency is low, they do make news.

These unsolicited items are sent to unsuspecting recipients. They may contain a return address, a provocative envelope, or something else that encourages its receiver to open it. This technique is called social engineering. Because we are trusting and curious, social engineering is often effective.

In the case of the Anthrax letters addressed to United States senators, the envelopes contained a school’s return address as an inducement to open them. What government official wouldn’t want to serve their constituency by reading and responding to a letter supposedly sent by a class at a school, especially an elementary school? By opening the letter and subsequently spreading its lethal contents, the recipient complied with the wishes of the sender, a key foundation of social engineering. In the pre-Anthrax letter days, a mail handler might have given little thought to the contents of the letter or the validity of the return address. Those days are behind us.

You probably receive lots of mail each day, much of it unsolicited and containing unfamiliar but plausible return addresses. Some of this mail uses social engineering to tell you of a contest that you may have won or the details of a product that you might like. The sender is trying to encourage you to open the letter, read its contents, and interact with them in some way that is financially beneficial – to them. Even today, many of us open letters to learn what we’ve won or what fantastic deal awaits us. Since there are few consequences, there’s no harm in opening them.

Email-borne viruses and worms operate much the same way, except there are consequences, sometimes significant ones. Malicious email often contains a return address of someone we know and often has a provocative Subject line. This is social engineering at its finest – something we want to read from someone we know.

Email viruses and worms are fairly common. If you’ve not received one, chances are you will. Here are steps you can use to help you decide what to do with every email message with an attachment that you receive. You should only read a message that passes all of these tests.

  1. The Know test: Is the email from someone that you know?
  2. The Received test: Have you received email from this sender before?
  3. The Expect test: Were you expecting email with an attachment from this sender?
  4. The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender – let’s say your Mother – to send you an email message with the Subject line “Here you have, ;o)” that contains a message with attachment – let’s say AnnaKournikova.jpg.vbs? A message like that probably doesn’t make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.
  5. The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in Task 1 - Install and Use Anti-Virus Programs.

You should apply these five tests – KRESV – to every piece of email with an attachment that you receive. If any test fails, toss that email. If they all pass, then you still need to exercise care and watch for unexpected results as you read it.
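As an added example that is not part of the original post, the block below turns the first four KRESV tests into a small screening routine and adds the one check a computer can make for the Sense test: whether an attachment name ends in an extension that runs code when opened, and whether a benign-looking extension is placed in front of it to disguise that (the `.jpg.vbs` pattern named above). The extension lists and the sender data are constructed for this example; the Virus test is left to an anti-virus program, as the text says.

```python
"""KRESV screening for email attachments (added example, not from the original post).

Returns the names of the tests an incoming message fails, so the reader's rule
"if any test fails, toss that email" can be applied mechanically.
"""
from typing import Dict, List, Set

# Constructed, deliberately short lists for the example; a real list would be longer.
RUNS_CODE: Set[str] = {"exe", "vbs", "js", "scr", "bat", "cmd", "com", "pif"}
LOOKS_HARMLESS: Set[str] = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "doc"}


def attachment_findings(filename: str) -> List[str]:
    """Reasons an attachment name does not make sense for an ordinary document."""
    findings: List[str] = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings  # no extension at all: nothing to judge from the name
    extensions = parts[1:]
    last = extensions[-1].strip()  # trailing padding can hide the real extension
    if last in RUNS_CODE:
        findings.append(f"opens as a program (.{last})")
        if len(extensions) >= 2 and extensions[-2].strip() in LOOKS_HARMLESS:
            findings.append(f"double extension disguises .{last} as .{extensions[-2].strip()}")
    if "  " in filename:
        findings.append("name padded with spaces, which can push the real extension out of view")
    return findings


def failed_kresv_tests(message: Dict[str, object], known_senders: Set[str],
                       received_from: Set[str]) -> List[str]:
    """Names of the Know/Received/Expect/Sense tests the message fails."""
    failed: List[str] = []
    sender = str(message["sender"])
    if sender not in known_senders:
        failed.append("Know")
    if sender not in received_from:
        failed.append("Received")
    if not message.get("expected", False):
        failed.append("Expect")
    if attachment_findings(str(message["attachment"])):
        failed.append("Sense")
    return failed


# Constructed sample data: one message modelled on the worm named in the text.
KNOWN = {"mother@example.test"}
RECEIVED = {"mother@example.test"}
SUSPECT = {"sender": "mother@example.test", "subject": "Here you have, ;o)",
           "attachment": "AnnaKournikova.jpg.vbs", "expected": False}
NORMAL = {"sender": "mother@example.test", "subject": "Holiday photos",
          "attachment": "beach.jpg", "expected": True}

if __name__ == "__main__":
    for msg in (SUSPECT, NORMAL):
        print(msg["attachment"], "->", failed_kresv_tests(msg, KNOWN, RECEIVED) or "passes")
```

The name check is only a screen: a file that passes it can still carry a virus, which is why the fifth test hands the attachment to an anti-virus program before it is opened.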

Now, given the KRESV tests, imagine that you want to send email with an attachment to someone with whom you’ve never corresponded – what should you do? Here’s a set of steps to follow to begin an email dialogue with someone.

  1. Since the recipient doesn’t already Know you, you need to send them an introductory email. It must not contain an attachment. Basically, you’re introducing yourself and asking their permission to send email with an attachment that they may otherwise be suspicious of. Tell them who you are, what you’d like to do, and ask for permission to continue.
  2. This introductory email qualifies as the mail Received from you.
  3. Hopefully, they’ll respond; and if they do, honor their wishes. If they choose not to receive email with an attachment from you, don’t send one. If you never hear from them, try your introductory email one more time.
  4. If they accept your offer to receive email with an attachment, send it off. They will Know you and will have Received email from you before. They will also Expect this email with an attachment, so you’ve satisfied the first three requirements of the KRESV tests.
  5. Whatever you send should make Sense to them. Don’t use a provocative Subject line or any other social engineering practice to encourage them to read your email.
  6. Check the attachments for Viruses. This is again based on having virus-checking programs, and we’ll discuss that later.

The KRESV tests help you focus on the most important issues when sending and receiving email with attachments. Use them every time you send email, but be aware that there is no foolproof scheme for working with email, or security in general. You still need to exercise care. While an anti-virus program alerts you to many viruses that may find their way to your home computer, there will always be a lag between when a virus is discovered and when anti-virus program vendors provide the new virus signature. This means that you shouldn’t rely entirely on your anti-virus programs. You must continue to exercise care when reading email.

Keep Your System Patched

If one of your appliances broke, you’d probably try to have it repaired. You’d call a repairperson whom you hope could do the job. You’d get an estimate and then you’d either get it fixed or replace it. Your goal is to somehow restore the functions that the appliance provides.

What do you do when a software “appliance” – a program – or the operating system itself breaks? How do you restore the functions that they provide? Do you know whom to call or even where to look to determine what to do next?

Most vendors provide patches that are supposed to fix bugs in their products. Frequently these patches do what they’re supposed to do. However, sometimes a patch fixes one problem but causes another. For example, did you ever have a repairperson fix an appliance but in the process, they scratched the floor or damaged a countertop during their visit? For a computer, the repair cycle might have to be repeated until a patch completely fixes a problem.

Vendors often provide free patches on their web sites. When you purchase programs, it’s a good idea to see if and how the vendor supplies patches, and if and how they provide a way to ask questions about their products. Just as appliance vendors often sell extended warranties for their products, some software vendors may also sell support for theirs.

Have you ever received a recall notice for your car or another product you’ve purchased? Vendors send these notices to product owners when a safety-related problem has been discovered. Registering your purchase through the warranty card gives the vendor the information they need to contact you if there is a recall.

Program vendors also provide a recall-like service. You can receive patch notices through email by subscribing to mailing lists operated by the programs’ vendors. Through this type of service, you can learn about problems with your computer even before you discover them and, hopefully, before intruders have the chance to exploit them. Consult the vendor’s web site to see how to get email notices about patches as soon as they’re available.

Some vendors have gone beyond mailing lists. They provide programs bundled with their systems that automatically contact their web sites looking for patches specifically for your home computer. These automatic updates tell you when patches are available, download them, and even install them. You can tailor the update features to do only what you want, such as just telling you something new is waiting but doing nothing more.

While the patching process is getting easier, even to the point where it can be completely automated, it is not yet foolproof. In some cases, installing a patch can cause another seemingly unrelated program to break. The challenge is to do as much homework as you can to learn what a patch is supposed to do and what problems it might cause once you’ve installed it.

This is a hard job. Often, the vendors don’t tell you about problems their patches can cause. Why? Because it is simply impossible to test all possible programs with all possible patches to discover unexpected side effects. Imagine doing that job and then continuing to do that for each new program and patch that comes along. Vendors rely on their customers to tell them when something unexpected happens once a patch is installed. So, if this happens to you, let them know.

Imagine then that you’ve either found a patch on the vendor’s site or you’ve received notice that a patch is available. What do you do next? Follow the steps below to evaluate a patch before you install it:

  1. The Affected test: Does this patch affect one of the programs on your computer? If it doesn’t affect your computer, you’re done. Whew!
  2. The Break test: Can you tell from the vendor’s web site or the patch’s description if installing it breaks something else that you care about? If installation does break something, then you have to decide how to proceed. Try notifying the vendor of the program that might break to learn what their strategy is for addressing this problem. Also, use your web browser to learn if anyone else has experienced this problem and what he or she did about it.
  3. The Undo test: Can you undo the patch? That is, can you restore your computer to the way it was before you installed the patch? Currently, vendors are building most patches with an uninstall feature that enables you to remove a patch that has unwanted consequences. In addition, some computers also come with features that help you restore them to a previously known and working state should there be a problem. You need to know what your computer provides so that you can undo a patch if necessary.

Recall from the Introduction that intruders exploit vulnerabilities to gain access to home computers. How do intruders find out about these vulnerabilities? In many cases, they read the same vendor mailing lists and use the same automatic notification schemes that you use. This means that you need to evaluate and install patches on your home computer as soon as they’re available. The longer a vulnerability is known, the greater the chances are that an intruder will find it on your home computer and exploit it. With the ABU tests, you can quickly evaluate and install patches to keep intruders off your home computer.

One last thing: patches are usually distributed as programs. This means that you need to use the DCAL steps described in Task 7 - Use Care When Downloading and Installing Programs before loading and installing a patch. Intruders often take advantage of vulnerabilities wherever they may be. In many cases, the vulnerabilities they exploit may have patches, but those patches were not installed. For your home computer, make time to keep your programs patched wherever possible. If you can’t patch a program, shop around for an equivalent program and use it until the original program is fixed or you’ve abandoned it in favor of something more reliable.

You can spend money on maintenance where you get patches for programs, but that’s usually not necessary. Since most vendors provide free patches, mailing lists, and automatic updates, keeping your computer patched usually only costs you time.

Install and Use Anti-Virus Programs

If someone rang your doorbell and wanted to come into your living space to sell you something or to use your telephone, you’d need to make a decision whether or not to let them in. If they were a neighbor or someone you knew, you’d probably let them in. If you didn’t know them but believed their story and found them to be otherwise acceptable, say they were neat and clean and not threatening, you’d probably also let them in, but you’d watch them closely while they were in your space.

What are you doing here? You are profiling this person and then deciding what to do based on that profile. It’s your responsibility to be concerned about who enters your living space. Further, if you have children, you’ve probably also taught them how to deal with strangers who come to your door.

Anti-virus programs work much the same way. These programs look at the contents of each file, searching for specific patterns that match a profile – called a virus signature – of something known to be harmful. For each file that matches a signature, the anti-virus program typically provides several options on how to respond, such as removing the offending patterns or destroying the file.

To understand how anti-virus programs work, think about scam artists – people who visit your home to try to get you to buy a phony product or service, or to let them in. Once inside, they may try to steal your valuables or try to harm you in some way.

There are a variety of ways you might find out about a specific scam artist lurking in your neighborhood. Perhaps you see a television report or read a newspaper article about them. They might include pictures and excerpts of the story the scam artist uses to scam their victims. The news report gives you a profile of someone you need to be on the lookout for. You watch for that person until either the story fades away or you hear that they’ve been caught.

Anti-virus programs work much the same way. When the anti-virus program vendors learn about a new virus, they provide an updated set of virus signatures that include that new one. Through features provided by the updated anti-virus program, your home computer also automatically learns of this new virus and begins checking each file for it, along with checking for all the older viruses. However, unlike scam artists, viruses never completely fade away. Their signatures remain part of the master version of all virus signatures.

Suppose a scam artist was at your front door. What would you do? Perhaps you’d not encourage them to come in nor buy their product but, at the same time, you’d try not to upset them. You’d politely listen to their story and then send them on their way. After you closed the door, you may call the police or the telephone number given in the report that initially brought them to your attention.

With viruses, you often have the chance to react to them when they’ve been discovered on your home computer. Depending upon the specific characteristics of the virus, you might be able to clean the infected file. Or you might be forced to destroy the file and load a new copy from your backups or original distribution media. Your options depend upon your choice of anti-virus program and the virus that’s been detected.

In your living space, you look at those who come to your door and you look at what you receive in the mail. These are two of the ways that items can get into your living space, so you examine them, sometimes closely, sometimes not.

Viruses can reach your computer in many ways, through floppy disks, CD-ROMs, email, web sites, and downloaded files. All need to be checked for viruses each time you use them. In other words, when you insert a floppy disk into the drive, check it for viruses. When you receive email, check it for viruses (remember to use the KRESV tests described in Task 3 - Use Care When Reading Email with Attachments). When you download a file from the Internet, check it for viruses before using it. Your anti-virus program may let you specify all of these as places to check for viruses each time you operate on them. Your anti-virus program may also do this automatically. All you need to do is to open or run the file to cause it to be checked.

Just as you walk around your living space to see if everything is OK, you also need to “walk” around your home computer to see if there are any viruses lurking about. Most anti-virus programs let you schedule periodic exams of all files on your home computer on a regular basis, daily for example. If you leave your computer turned on over night, think about scheduling a full-system review during that time.

Some anti-virus programs have more advanced features that extend their recognition capabilities beyond virus signatures. Sometimes a file won’t match any of the known signatures, but it may have some of the characteristics of a virus. This is comparable to getting that “there’s something not quite right here, so I’m not going to let them in” feeling as you greet someone at your door. These heuristic tests, as they’re called, help you to keep up with new viruses that aren’t yet defined in your list of virus signatures.

An anti-virus program is frequently an add-on to your home computer, though your newly purchased computer might include a trial version. At some point, say after 60 days, you must purchase it to continue using it. To decide whether to make that purchase or to look elsewhere, use these steps for evaluating anti-virus programs:

  1. The Demand test: Can you check a file on demand, for example, when you want to send an attachment as part of the KRESV tests?
  2. The Update test: Can you update the virus signatures automatically? Daily is best.
  3. The Respond test: What are all the ways that you can respond to an infected file? Can the virus checker clean a file?
  4. The Check test: Can you check every file that gets to your home computer, no matter how it gets there, and can those checks be automated?
  5. The Heuristics test: Does the virus checker do heuristics tests? How are these defined?

These tests – the DURCH tests – help you compare anti-virus programs. Once you’ve made your selection, install it and use all of its capabilities all of the time.

Intruders are the most successful in attacking all computers – not just home computers – when they use viruses and worms. Installing an anti-virus program and keeping it up to date is among the best defenses for your home computer. If your financial resources are limited, they are better spent purchasing a commercial anti-virus program than anything else.

Assigning Inmates to Prison

Prison classification is a method of assessing inmate risks that balances security requirements with program needs. Newly admitted inmates are transported from county jails to one of 11 prison receiving centers where the risk assessment process begins. There are two reception centers for females, two for male youth, and seven for adult males. Upon admission, processing and evaluation of offenders begins. They are put through a series of evaluations, including medical and mental health screenings. Prison classification specialists develop an individual profile of each inmate that includes the offender’s crime, social background, education, job skills and work history, health, and criminal record, including prior prison sentences. Based on this information, the offender is assigned to the most appropriate custody classification and prison.

From this initial classification, inmate behavior and continuing risk assessments by prison staff determine the inmate’s progression through the various custody levels to minimum custody and eventual release. Prison managers assign inmates to work, rehabilitative self-improvement programs, and treatment. As inmates serve their sentences, those who comply with prison rules, do assigned work, and participate in corrective programs may progress toward minimum custody. Inmates who violate prison rules are punished and may be classified for a more restrictive custody classification and a more secure prison. Such inmates are then required to demonstrate responsible and improved behavior over time to progress from this status to less restrictive custody classifications and prisons.

Inmate Custody Levels
Inmates may be classified and assigned to the following custodial levels: close, medium, minimum I, minimum II and minimum III. The classification levels are in descending order of perceived public safety risk presented by the inmate. Inmates in close custody present the highest risk, while inmates in minimum III generally present the least risk. Within this mix of custodial assignments, inmates also may be subject to various control statuses. The control statuses include maximum, death row, intensive, safekeeper, disciplinary, administrative and protective. Each of these control statuses further restricts inmate freedoms and privileges. Assignment of inmates to these statuses, and their removal from them, is generally at the discretion of higher-level classification authorities in the Division of Prisons. The imposition of these additional custody control measures is generally for the purpose of maintaining order in the prison, protecting staff safety or providing for inmate safety.

Prison Security Levels
Prisons are classified and designated by security level. The security levels used by the Division of Prisons are close, medium, and minimum. Specific cell areas within close security institutions may be designated by the Director of Prisons as maximum security. Security levels are determined by the design and unique features of the prison, the level of staffing, and the operating procedures. Maximum security is the most restrictive level of confinement and minimum security is the least restrictive. The prison security level is an indicator of the extent to which an offender who is assigned to that facility is separated from the civilian community.

Maximum security units are comprised of cells with sliding cell doors that are remotely operated from a secure control station. Maximum security units are designated by the Director of Prisons at selected close security prisons. These units are utilized to confine the most dangerous inmates who are a severe threat to public safety, correctional staff, and other inmates. Inmates confined in a maximum security unit typically are in their cell 23 hours a day. During the other hour they may be allowed to shower and exercise in the cellblock or an exterior cage. All inmate movement is strictly controlled with the use of physical restraints and correctional officer escort.

Polk Youth Institution, Butner, NC (close security)

Close security prisons typically are comprised of single cells and divided into cellblocks, which may be in one building or multiple buildings. Cell doors generally are remotely controlled from a secure control station. Each cell is equipped with its own combination plumbing fixture, which includes a sink and toilet. The perimeter barrier is designed with a double fence with armed watch towers or armed roving patrols. Inmate movement is restricted and supervised by correctional staff. Inmates are allowed out of their cells to work or attend corrective programs inside the facility.
Medium security prisons typically are comprised of secure dormitories that provide housing for up to 50 inmates each. Each dormitory contains a group toilet and shower area as well as sinks. Inmates sleep in a military style double bunk and have an adjacent metal locker for storage of uniforms, undergarments, shoes, etc. Each dormitory is locked at night with a correctional officer providing direct supervision of the inmates and sleeping area. The prison usually has a double fence perimeter with armed watch towers or armed roving patrols. There is less supervision and control over the internal movement of inmates than in a close security prison.

Wayne Correctional Center, Goldsboro, NC (medium security)

Some medium security prisons may be designed with dry cells as the method of inmate housing. Dry cells contain no toilet fixture. Most inmate work and self improvement programs are within the prison, although selected medium custody inmates are worked outside of the prison under armed supervision of trained correctional officers. These inmate work assignments support prison farm operations or highway maintenance for the Department of Transportation. Each medium security prison typically has a single cell unit for the punishment of inmates who violate prison rules.

Durham Correctional Center, Durham, NC (minimum security)

Minimum security prisons are comprised of non-secure dormitories which are routinely patrolled by correctional officers. Like the medium security dorm, each has its own group toilet and shower area adjacent to the sleeping quarters, which contain double bunks and lockers. The prison generally has a single perimeter fence which is inspected on a regular basis, but has no armed watch towers or roving patrol. There is less supervision and control over inmates in the dormitories and less supervision of inmate movement within the prison than at a medium facility. Inmates assigned to minimum security prisons generally pose the least risk to public safety.
Minimum custody inmates at minimum security prisons usually participate in community-based work assignments such as the Governor’s Community Work Program, road maintenance with Department of Transportation employee supervision, or work release with civilian employers. Inmates may also participate in prerelease transition programs with community volunteers and family sponsors. The proper security designation of facilities, combined with appropriate offender classification and assignment, provides the foundation for safe and secure prison management and operational efficiency.

Friday, August 04, 2006

Radio Frequency Identification

Radio Frequency Identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is an object that can be attached to or incorporated into a product, animal, or person for the purpose of identification using radio waves. Chip-based RFID tags contain silicon chips and antennas. Passive tags require no internal power source, whereas active tags require a power source.

History of RFID tags

An RFID tag used for electronic toll collection

In 1945 Léon Theremin invented an espionage tool for the Soviet government which retransmitted incident radio waves with audio information. Soundwaves vibrated a diaphragm which slightly altered the shape of the resonator, which modulated the reflected radio frequency. Even though this device was a passive covert listening device, not an identification tag, it has been attributed as the first known device and a predecessor to RFID technology. The technology used in RFID has been around since the early 1920s according to one source (although the same source states that RFID systems have been around just since the late 1960s) [1][2].

A more similar technology, the IFF transponder, was invented by the British in 1939 [1], and was routinely used by the Allies in World War II to identify airplanes as friend or foe.

Another early work exploring RFID is the landmark 1948 paper by Harry Stockman, titled "Communication by Means of Reflected Power" (Proceedings of the IRE, pp 1196–1204, October 1948). Stockman predicted that "...considerable research and development work has to be done before the remaining basic problems in reflected-power communication are solved, and before the field of useful applications is explored."

Mario Cardullo claims that his U.S. Patent 3,713,148 in 1973 was the first true ancestor of modern RFID; a passive radio transponder with memory. [2] The first demonstration of today's reflected power (backscatter) RFID tags was done at the Los Alamos Scientific Laboratory in 1973. [3]

Types of RFID tags

RFID cards are also known as "proximity" or "proxy" cards and come in three general varieties: passive, semi-passive (also known as semi-active), or active.


Passive RFID tags have no internal power supply. The minute electrical current induced in the antenna by the incoming radio frequency signal provides just enough power for the CMOS integrated circuit (IC) in the tag to power up and transmit a response. Most passive tags signal by backscattering the carrier signal from the reader. This means that the aerial (antenna) has to be designed both to collect power from the incoming signal and to transmit the outbound backscatter signal. The response of a passive RFID tag is not just an ID number (GUID); the tag chip can contain nonvolatile EEPROM for storing data. Lack of an onboard power supply means that the device can be quite small: commercially available products exist that can be embedded under the skin. As of 2006, the smallest such devices measured 0.15 mm × 0.15 mm, and are thinner than a sheet of paper (7.5 micrometers).[4] The lowest cost EPC RFID tags, which are the standard chosen by Wal-Mart, DOD, Target, Tesco in the UK and Metro AG in Germany, are available today at a price of 5 cents each. The addition of the antenna creates a tag that varies from the size of a postage stamp to the size of a post card. Passive tags have practical read distances ranging from about 10 cm (4 in.) (ISO 14443) up to a few meters (EPC and ISO 18000-6) depending on the chosen radio frequency and antenna design/size. Due to their simplicity in design they are also suitable for manufacture with a printing process for the antennas. Passive RFID tags do not require batteries, can be much smaller, and have an unlimited life span. Non-silicon tags made from polymer semiconductors are currently being developed by several companies globally. Simple laboratory printed polymer tags operating at 13.56 MHz were demonstrated in 2005 by both PolyIC (Germany) and Philips (The Netherlands). If successfully commercialized, polymer tags will be roll printable, like a magazine, and much less expensive than silicon-based tags.
The end game for most item level tagging over the next few decades is that RFID tags will be wholly printed - the same way a barcode is today - and be virtually free, like a barcode.


Semi-passive RFID tags are very similar to passive tags except for the addition of a small battery. This battery allows the tag IC to be constantly powered, which removes the need for the aerial to be designed to collect power from the incoming signal. Aerials can therefore be optimized for the backscattering signal. Semi-passive RFID tags are thus faster in response, though less reliable and powerful than active tags. Semi-passive tags offer benefits in environments where there is a lot of metal or fluids, which typically scatter the RF field and can cause non-reads with passive tags. As semi-passive tags are pre-energized, they can be read more reliably in these more difficult environments.


Unlike passive RFID tags, active RFID tags have their own internal power source which is used to power any ICs that generate the outgoing signal. Active tags are typically much more reliable (e.g. fewer errors) than passive tags due to the ability for active tags to conduct a "session" with a reader. Active tags, due to their onboard power supply, also transmit at higher power levels than passive tags, allowing them to be more effective in "RF challenged" environments like water (including humans/cattle, which are mostly water), metal (shipping containers, vehicles), or at longer distances. Many active tags have practical ranges of hundreds of meters, and a battery life of up to 10 years. Some active RFID tags include sensors such as temperature logging which have been used in concrete maturity monitoring or to monitor the temperature of perishable goods. Other sensors that have been married with active RFID include humidity, shock/vibration, light, radiation, temperature and atmospherics like ethylene. Active tags typically have much longer range (approximately 300 feet) and larger memories than passive tags, as well as the ability to store additional information sent by the transceiver. The United States Department of Defense has successfully used active tags to reduce logistics costs and improve supply chain visibility for more than 15 years. At present, the smallest active tags are about the size of a coin and sell for a few dollars.

The RFID system

An RFID system may consist of several components: tags, tag readers, edge servers, middleware, and application software.

The purpose of an RFID system is to enable data to be transmitted by a mobile device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. The use of RFID in tracking and access applications first appeared in 1932, to identify aircraft as friendly or unfriendly ("identify friend or foe", IFF). RFID quickly gained attention because of its ability to track moving objects. As the technology is refined, more pervasive and possibly invasive uses for RFID tags are in the works.

In a typical RFID system, individual objects are equipped with a small, inexpensive tag. The tag contains a transponder with a digital memory chip that is given a unique electronic product code. The interrogator, an antenna packaged with a transceiver and decoder, emits a signal activating the RFID tag so it can read and write data to it. When an RFID tag passes through the electromagnetic zone, it detects the reader's activation signal. The reader decodes the data encoded in the tag's integrated circuit (silicon chip) and the data is passed to the host computer. The application software on the host processes the data, often employing Physical Markup Language (PML).

Take the example of books in a library. Security gates can detect whether or not a book has been properly checked out of the library. When users return items, the security bit is re-set and the item record in the Integrated library system is automatically updated. In some RFID solutions, a return receipt can be generated. At this point, materials can be roughly sorted into bins by the return equipment. Inventory wands provide a finer detail of sorting. This tool can be used to put books into shelf-ready order.

Current usage

Transport payments
  • In the UK, systems for prepaying for unlimited public transport have been devised, making use of RFID technology. The design is embedded in a credit-card-like pass that, when scanned, reveals whether the pass is valid and for how long it will remain valid. The first company to implement this was the NCT company of Nottingham City, where the general public affectionately refer to them as "beep cards". It has since been implemented with great success in London, where "Oyster cards" allow for pay-as-you-go travel as well as passes valid for various lengths of time and in various areas.
  • In Hong Kong, mass transit is paid for almost exclusively with the use of an RFID technology, called the Octopus Card. Originally it was launched in September 1997 exclusively for transit fare collection, but has grown to be similar to a cash card, and can be used in vending machines, fast-food restaurants and supermarkets. The card itself can be recharged with cash at add-value machines or over the counter in shops, and can be successfully read several centimetres from the reader.
  • "Navigo" passes for the Paris public transport system (RATP) also use RFID technology.
  • RFID tags are used for electronic toll collection at toll booths with Georgia's Cruise Card, California's FasTrak, Illinois' I-Pass, the expanding eastern states' E-ZPass system (including Massachusetts's Fast Lane), Florida's SunPass, North Texas NTTA and Houston HCTRA EZ Tag, The "Cross-Israel Highway" (Highway 6), Philippines South Luzon Expressway E-Pass, Brisbane's Queensland Motorway E-Toll System in Australia, Autopista del Sol (Sun's Highway), Autopista Central (Central Highway), Autopista Los Libertadores, Costanera Norte, Vespucio Norte Express and Vespucio Sur urban Highways and every forthcoming urban highway (in a "Free Flow" modality) concessioned to private investors in Chile and all highways in Portugal (Via Verde, the first system in the world to span the entire network of tolls) and France (Liber-T system). The tags, which are usually the active type, are read remotely as vehicles pass through the booths, and tag information is used to debit the toll from a prepaid account. The system helps to speed traffic through toll plazas as it records the date, time, and billing data for the RFID vehicle tag.
Product Tracking
  • The Canadian Cattle Identification Agency began using RFID tags as a replacement for barcode tags. The tags are required to identify a bovine's herd of origin and this is used for trace-back when a packing plant condemns a carcass. Currently CCIA tags are used in Wisconsin and by US farmers on a voluntary basis. The USDA is currently developing its own program.
RFID tags used in libraries: square book tag, round CD/DVD tag and rectangular VHS tag.
  • High-frequency RFID tags are used in library book or bookstore tracking, pallet tracking, building access control, airline baggage tracking, and apparel and pharmaceutical item tracking. High-frequency tags are widely used in identification badges, replacing earlier magnetic stripe cards. These badges need only be held within a certain distance of the reader to authenticate the holder. The American Express Blue credit card now includes a high-frequency RFID tag.
  • UHF RFID tags are commonly used commercially in case, pallet, and shipping container tracking, and truck and trailer tracking in shipping yards.
  • Microwave RFID tags are used in long range access control for vehicles.
  • Since the 1990s, RFID tags have been used in car keys as theft protection: without the correct RFID tag present, the car will not start.
  • In January 2003, Michelin began testing RFID transponders embedded into tires. After a testing period that is expected to last 18 months, the manufacturer will offer RFID-enabled tires to car makers. Their primary purpose is tire-tracking in compliance with the United States Transportation, Recall, Enhancement, Accountability and Documentation Act (TREAD Act).
  • Starting with the 2004 model year, a Smart Key/Smart Start option became available to the Toyota Prius. Since then, Toyota has been introducing the feature on various models around the world under both the Toyota and Lexus brands, including the Toyota Avalon (2005 model year), Toyota Camry (2007 model year), and the Lexus GS (2006 model year). The key uses an active RFID circuit which allows the car to acknowledge the key's presence within approximately 3 feet of the sensor. The driver can open the doors and start the car while the key remains in a purse or pocket.
  • In August 2004, the Ohio Department of Rehabilitation and Correction (ODRH) approved a $415,000 contract to evaluate the personnel tracking technology of Alanco Technologies. Inmates will wear wristwatch-sized transmitters that can detect if prisoners have been trying to remove them and send an alert to prison computers. This project is not the first such rollout of tracking chips in US prisons. Facilities in Michigan, California and Illinois already employ the technology.

RFID in inventory systems

An advanced automatic identification technology such as the Auto-ID system, based on Radio Frequency Identification (RFID) technology, has two values for inventory systems. First, the visibility provided by this technology allows accurate knowledge of the inventory level by eliminating the discrepancy between the inventory record and the physical inventory. Second, RFID technology can prevent or reduce the sources of errors. Benefits of using RFID include the reduction of labour costs, the simplification of business processes and the reduction of inventory inaccuracies.

RFID mandates

Wal-Mart and the United States Department of Defense have published requirements that their vendors place RFID tags on all shipments to improve supply chain management [5]. Due to the size of these two organizations, their RFID mandates impact thousands of companies worldwide. The deadlines have been extended several times because many vendors face significant difficulties implementing RFID systems. In practice, the successful read rates currently run only 80%, due to radio wave attenuation caused by the products and packaging. In time it is expected that even small companies will be able to place RFID tags on their outbound shipments.

Since January, 2005, Wal-Mart has required its top 100 suppliers to apply RFID labels to all shipments. To meet this requirement, vendors use RFID printer/encoders to label cases and pallets that require EPC tags for Wal-Mart. These smart labels are produced by embedding RFID inlays inside the label material, and then printing bar code and other visible information on the surface of the label.

Human implants

Hand with the planned location of the RFID chip
Just after the operation to insert the RFID tag was completed

Implantable RFID chips designed for animal tagging are now being used in humans. An early experiment with RFID implants was conducted by British professor of cybernetics Kevin Warwick, who implanted a chip in his arm in 1998. Night clubs in Barcelona, Spain and in Rotterdam, The Netherlands, use an implantable chip to identify their VIP customers, who in turn use it to pay for drinks [6].

In 2004, the Mexican Attorney General's office implanted 18 of its staff members with the Verichip to control access to a secure data room. (This number has been variously mis-reported as 160 or 180 staff members, though the correct number is actually 18. [7])

Many books published about RFID are aimed at medium to large businesses implementing RFID technology to track shipments or livestock; however, until the publication of RFID Toys [8] by Amal Graafstra in 2006, little information was available for the enthusiast. Shortly after the book's publication, the Seattle Center On Contemporary Art [9] hosted a live implant procedure performed on Phillip Beynon, a student from Vancouver, Canada.

Security experts are warning against using RFID for authenticating people due to the risk of identity theft. For instance, a mafia fraud attack (a real-time relay between a genuine tag and a genuine reader) would make it possible for an attacker to steal the identity of a person in real time. Due to the resource constraints of RFID tags it is virtually impossible to protect against such attack models, as this would require complex distance-bounding protocols.
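
As an added example (constructed here, not part of the original post or of any real RFID product), the following simulates the kind of distance-bounding exchange the paragraph says constrained tags struggle to support: the reader times each single-bit challenge, so a genuine tag held at the reader passes, while a relayed session whose bits are all correct is rejected on timing alone. The 10 cm range, the 1 ns tag latency, the HMAC-derived response registers and the `relay_delay_s` channel model are all assumptions of this toy.

```python
"""Toy distance-bounding check for a contactless credential (constructed example).

Reader (verifier) and tag (prover) share a key. After exchanging nonces both
derive two response registers R0 and R1 from an HMAC. The reader then sends
N_ROUNDS single-bit challenges and the tag answers with R_c[i]. Each reply is
timed: correct bits prove key possession, and a round-trip time within the bound
proves the answering tag is physically near the reader. A relayed session, where
the real tag is far away and a forwarding device adds latency, returns correct
bits but fails the timing check, which is what defeats the mafia fraud.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

C = 299_792_458.0          # speed of light in m/s
MAX_DISTANCE_M = 0.10      # assumed: a proximity credential must be within 10 cm
TAG_PROCESSING_S = 1e-9    # assumed: worst-case reply latency of the tag logic
N_ROUNDS = 32              # bits exchanged; a blind guesser passes with prob. 2^-32


def rtt_bound_s(max_distance_m: float = MAX_DISTANCE_M) -> float:
    """Largest acceptable round-trip time for a tag at most max_distance_m away."""
    return 2.0 * max_distance_m / C + TAG_PROCESSING_S


def derive_registers(key: bytes, nonce_v: bytes, nonce_p: bytes, n: int = N_ROUNDS):
    """Split HMAC(key, nonce_v || nonce_p) into two n-bit response registers."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    assert 2 * n <= len(bits), "n too large for one SHA-256 digest"
    return bits[:n], bits[n:2 * n]


@dataclass
class Tag:
    """Prover side. distance_m is where the tag physically sits relative to the reader."""
    key: bytes
    distance_m: float
    r0: list = field(default_factory=list)
    r1: list = field(default_factory=list)

    def commit(self, nonce_v: bytes) -> bytes:
        """Slow phase: pick a nonce and precompute both registers."""
        nonce_p = secrets.token_bytes(8)
        self.r0, self.r1 = derive_registers(self.key, nonce_v, nonce_p)
        return nonce_p

    def answer(self, i: int, challenge: int) -> int:
        """Fast phase: one-bit reply by table lookup, so no heavy computation in the loop."""
        return self.r1[i] if challenge else self.r0[i]


def authenticate(reader_key: bytes, tag: Tag, relay_delay_s: float = 0.0):
    """Run the protocol from the reader's view.

    relay_delay_s models extra latency added by any device forwarding the
    exchange (0.0 when the tag talks to the reader directly). Returns
    (bits_ok, timing_ok, worst_rtt_s); accept only if both flags are True.
    """
    nonce_v = secrets.token_bytes(8)
    nonce_p = tag.commit(nonce_v)
    r0, r1 = derive_registers(reader_key, nonce_v, nonce_p)
    bound = rtt_bound_s()
    bits_ok, timing_ok, worst_rtt = True, True, 0.0
    for i in range(N_ROUNDS):
        challenge = secrets.randbits(1)
        # Simulated round trip: propagation to the tag and back, tag latency,
        # plus whatever a relay in the path adds.
        rtt = 2.0 * tag.distance_m / C + TAG_PROCESSING_S + relay_delay_s
        worst_rtt = max(worst_rtt, rtt)
        expected = r1[i] if challenge else r0[i]
        if tag.answer(i, challenge) != expected:
            bits_ok = False
        if rtt > bound:
            timing_ok = False
    return bits_ok, timing_ok, worst_rtt


def accepted(reader_key: bytes, tag: Tag, relay_delay_s: float = 0.0) -> bool:
    """Reader's final decision: key knowledge AND proximity are both required."""
    bits_ok, timing_ok, _ = authenticate(reader_key, tag, relay_delay_s)
    return bits_ok and timing_ok


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    near = Tag(key, distance_m=0.05)     # genuine card held at the reader
    far = Tag(key, distance_m=20.0)      # genuine card, but 20 m from the reader
    print("genuine, in range :", authenticate(key, near))
    print("relayed from 20 m :", authenticate(key, far, relay_delay_s=200e-9))
    print("wrong key         :", authenticate(key, Tag(secrets.token_bytes(16), 0.05)))
```

The relayed case fails only because of the timing bound, which is the point: a plain challenge-response with no timing would have accepted it, since every response bit was right.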


A fingerprint is an impression normally made by ink or contaminants transferred from the peaks of friction skin ridges to a relatively smooth surface such as a fingerprint card. These ridges are sometimes known as "dermal ridges" or "dermal papillae". The term fingerprint normally refers to impressions transferred from the pad on the last joint of fingers and thumbs, though fingerprint cards also typically record portions of lower joint areas of the fingers (which are also used to effect identifications). Friction skin ridges are not unique to humans, however, and some species of primate also have friction skin ridges on "fingers" and paws in configurations sometimes similar to human friction ridge skin. Some New World monkeys also have friction ridge skin on their tails, possibly associated with use of their tails for gripping during climbing, and the knuckle-walking great apes have friction ridge skin on the dorsal surfaces of their fingers. Friction skin ridges on humans are commonly believed to provide traction for grasping objects. In the over 100 years that fingerprints have been examined and compared, no two areas of friction ridge skin on any two fingers or palms (including between identical twins) have been found to have the same friction ridge characteristics.

Fingerprint identification

Fingerprint identification (sometimes referred to as dactyloscopy) is the process of comparing questioned and known friction skin ridge impressions (see Minutiae) from fingers, palms, and toes to determine if the impressions are from the same finger (or palm, toe, etc.). The flexibility of friction ridge skin means that no two finger or palm prints are ever exactly alike (never identical in every detail), even two impressions recorded immediately after each other. Fingerprint identification (also referred to as individualization) occurs when an expert (or an expert computer system operating under threshold scoring rules) determines that two friction ridge impressions originated from the same finger or palm (or toe, sole) to the exclusion of all others.

Latent prints

Although the word latent means hidden or invisible, in modern forensic science usage the term latent prints means any chance or accidental impression left by friction ridge skin on a surface, regardless of whether it is visible or invisible at the time of deposition. Electronic, chemical and physical processing techniques permit visualization of invisible latent print residue, whether it is from natural secretions of the eccrine glands present on friction ridge skin (which produce palmar sweat, but no oils) or whether the impression is in a contaminant such as oil, blood, paint, ink, etc.

Patent prints

These are prints which are obvious to the human eye and are caused by a transfer of foreign material on the finger, onto a surface. Because they are already visible they need no enhancement, and are photographed instead of being lifted. Where possible, the item containing the print is taken away and looked at by forensic scientists.

Plastic prints

A plastic print is a friction ridge impression from a finger or palm (or toe/foot) deposited in a material that retains the shape of the ridge detail. Commonly encountered examples are melted candle wax, putty removed from the perimeter of window panes and thick grease deposits on car parts. Such prints are already visible and need no enhancement, but investigators must not overlook the potential that invisible latent prints deposited by accomplices may also be on such surfaces. After photographically recording such prints, attempts should be made to visualize other non-plastic impressions deposited in natural finger/palm secretions (eccrine gland secretions) or contaminants.

Classifying fingerprints

There are three basic fingerprint patterns: Arch, Loop and Whorl. There are also more complex classification systems that further break down patterns to plain arches or tented arches. Loops may be radial or ulnar, depending on the side of the hand the tail points towards. Whorls also have sub-group classifications including plain whorls, accidental whorls, double loop whorls, and central pocket loop whorls.