Security odds and ends

In like a lion, out like a lamb: Roger wraps up March with paint-on wireless security, new SANS certification programs, and a reading list

I'm having a strange moment of inner peace. I'm without a rant. Often my column is full of vinegar over some false security product claim, some incorrectly held security belief, or some strange, insecure maneuver made by a recent client of mine. This week, it's all daisies and rainbows: I want to share a few cool security tidbits instead.


A few months ago, while giving a security presentation along with Symantec's senior vice president to a group of business leaders, I was approached by Pete Hernandez, a salesman from Emsec Systems. He told me about two cool products they are developing and selling for the wireless security world. These products recently started generating media buzz again and resparked my interest.

Emsec is headquartered in Hampton, VA, right down the street from Langley Air Force Base, the home base for spy planes, robotic warriors, and secret devices of all types. It's full of top-secret material and ripe for wireless spies.

Emsec's newest star product is an anti-EMI paint (really a polymer coating) that blocks most EMI and wireless emissions from entering or leaving a room, confined space, or box. You apply the coating, and you end up with an instant "cone of silence". Emsec originally developed the anti-EMI coating to shield small electronic avionic housing devices, radio control units, and transceivers, but it can now be applied to nearly any room for any anti-EMI or anti-wireless application.

What was once a military-only option has spread out to commercial companies. Robert Boyd, vice president and director of technology for Emsec, says that "most of our commercial clients are DoD-related. But nonmilitary corporate espionage is becoming a bigger problem in our society, and CEOs are paying attention."

Emsec's coating blocks EMI and wireless transmissions in the 100 kHz to 18 GHz range up to 60 or more dBM (decibels per meter), including 802.11 transmissions, RF signatures, cell phones, Blackberries, monitors, cables, and printers. If your company is concerned about EMI or wireless transmissions, you might want to give Emsec a call. Prices run from $3-$4 per square foot, or about the same price you might pay for carpet.

An even cooler related product sold by Emsec's parent company, Unitech, is a "paint-on" antenna. It's the opposite of stopping EMI: Unitech can "paint" an antenna on nearly any material, including walls, fabrics, and double-curved surfaces. Unitech is experimenting with prototypes involving soldiers' ballistic helmets with the antenna fabricated in. In the future, soldiers may be wearing their transmitting and receiving antennas for battlefield transmissions, GPS device tracking, and live, real-time battle picture updates.

It kind of humbles me when I think about how I struggle to get 802.11i working at home with my open source firmware kit.

Another wonderful announcement is the fact that SANS has developed certification exams to test developers' understanding of security and secure code practices. The GIAC Secure Software Programmer has four different language platform choices -- .NET/ASP, C/C++, Java/J2EE, and Perl/PHP.

This is wonderful news. Among the security world's biggest problems is that most programmers don't care about security, and security people usually don't program. That's one of the major reasons why most programs contain many security vulnerabilities.

While certification tests don't mean you're an expert in a particular subject, they do test your minimal knowledge. As the holder of more than 50 computer certifications, I know that every time I study for a new cert, I learn something I didn't know before. I applaud SANS for its leadership. Along with all the Secure Design Lifecycle courses being taught this year, I think there is finally a maturing set of education options for programmers. Find out more about the new SANS certification exams and learning material at

Lastly, I often get asked what online security news sources I subscribe to. My favorites include:

*anything from

*the Patch Management mailing list

*InfoWorld (of course)

*Bugtraq (

*Vulnerability Watch (

*Full Disclosure (

*Dshield (


*Secunia (


Another favorite computer news source, not strictly security-related but always full of interesting stories, is The Register. It's got a British flair and slant to the news stories, and I don't always understand the jargon. But the reporting is topically informative, and it's only fair payback for all the stuff we Americans force on everyone else.

Well, that's all for now. I must get back to communing with nature.