Is Text Messaging Just Dying or Dead?

The United States Computer Emergency Readiness Team (US-CERT) will be dropping support for Short Message Service (SMS) in favor of email alerts going forward. Is this a sign of the times? Is texting getting too long in the tooth, and are citizens looking for other, more multimedia-rich content? The following letter was distributed today advising of the discontinuance of the popular service via SMS. This makes me wonder if Text to 911 hasn’t missed the boat, with only about 20% of the PSAPs being deployed with the functionality. Should they be focusing on multimedia and omnichannel communications from the public?

U.S. Department of Homeland Security US-CERT

US-CERT to Discontinue SMS Text Messages

US-CERT will be discontinuing SMS text messages (wireless alerts) this month. To ensure you continue receiving the latest information about security topics and threats, please update your subscriber profile to include an email address. Alternatively, subscribe here using your email address.

If you’re receiving this notification via email, you do not need to take any action. As we approach October, National Cyber Security Awareness Month, consider sharing the following link with friends and family so that they can stay current on risks potentially affecting their systems and data: https://www.us-cert.gov/ncas. At the bottom of every US-CERT.gov webpage is a link to subscribe to email alerts.

Affected topics:

  • National Cyber Awareness System Mailing Lists
    • Alerts
    • Bulletins
    • Tips
    • Current Activity
  • Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
    • Alerts
    • Advisories
    • Announcements
    • Year in Review
    • Monitor Newsletter
  • Critical Infrastructure Cyber Community Voluntary Program (C3VP)
    • C3VP Updates

Please contact info@us-cert.gov with any questions or concerns. Thank you.

United States Computer Emergency Readiness Team (US-CERT)

6 Easy Steps to Protect your PBX from a Hurricane Related Outage


As the US and Caribbean prepare for Hurricane Irma, we want you to know that Avaya and our team are by your side and available to help now and after the storm passes. We are committed to your business. Our sales teams and employees are here to help preserve critical business operations. Please contact the Avaya Support Website for specific proactive support information.

Avaya recommends reviewing the following 6 steps available on Avaya’s support website as a helpful reminder for final preparations:

  1. Save translations before the emergency event impacts the site. This will ensure that recent changes are not lost and speed restoration in the event of damage to the system.
  2. Review safety procedures with all employees prior to the emergency event, if possible, and make certain to have an updated contact list to keep in touch.
  3. Secure back-up media so that translations won’t be lost or damaged, thereby delaying restoration of your service. Take a copy of back-ups and any other information off site.
  4. Print and store a current list configuration of key solutions. If a new system is necessary, this simple precaution will save time in starting the process.
  5. Consider powering your system down before the emergency event impacts the site. Electrical power surges both before and after an emergency event can pose the greatest threat to your system.
  6. Contemplate moving switch/applications if the site is located in an area that may be exposed to damage from the emergency.

FEMA Hurricane Status

For the most current information on the status of Hurricane Irma and information on precautions you and your family can take in advance, please refer to the Federal Emergency Management Agency (FEMA) website at www.fema.gov.

Click here for the National Hurricane Center: www.nhc.noaa.gov

Recovery:

Our first priority is your safety and we stand by ready to support your business continuity and disaster recovery needs now and in the future.

 

 

Back 2 School Safety Preparedness


The ABCs of Back to School Preparedness


With school bells ringing across the Nation, it is time for parents and guardians to get familiar with the emergency plan at your child’s school or daycare.

Much like individuals and families, schools and daycare providers should all have site-specific emergency plans. If you are a parent or guardian, it is important to make sure your child’s school or daycare has a plan to ensure his or her safety during an emergency.

The Centers for Disease Control and Prevention (CDC) outline steps as easy as ABC to keep your child safe at school or daycare:

  • Ask how you will reunite with your child in an emergency or evacuation.
  • Bring extra medication, special foods, or supplies that your child might need.
  • Complete a backpack contact information card.

 If your child has an access or functional need, be sure to meet with a school official to discuss plans for how the school will provide for his or her safety. For more information about emergency preparedness for parents, educators, and kids, visit www.ready.gov/kids.

Parents, guardians, and teachers can also use the Children and Youth Preparedness Social Media Toolkit to share safety messages on their social media networks.

Avoiding Disaster Fraud


After a disaster, many community-based organizations come together to support the needs of those affected. Unfortunately, individuals with ulterior motives may also prey on those disaster survivors by offering fraudulent services.

Learn how to protect yourself and your finances from additional loss. The Federal Emergency Management Agency (FEMA) offers reminders to help you avoid disaster fraud, including:

  • Do not pay a fee to apply for FEMA disaster assistance or to receive it. FEMA does not charge a fee for these services.
  • Get three written estimates for repair work. Check credentials, and contact your local Better Business Bureau or Chamber of Commerce to learn about any complaints against the contractor or business.
  • Make sure you obtain a written contract detailing all necessary services and costs before work begins. The contract should also have a projected completion date and outline ways to negotiate changes and settle disputes.
  • Pay only by check or a credit card. A reasonable down payment may be required to buy materials for some projects, but do not pay anything without a signed contract.

Be sure to check out the full list of disaster fraud tips and stay vigilant when disaster strikes. To register for FEMA disaster assistance, call 1-800-621-3362 (TTY: 800-462-7585) or visit www.DisasterAssistance.gov.

5 Secrets to the Business Side of 911


With any innovation comes the opportunity for additional technology. At times, the technology is a welcome addition, while at other times it’s merely an opportunity for marketing. Take the mobile telephone market for example. In an October 2015 article by ABI Research, they stated that they expect that “global revenues for mobile accessories will reach US$81.5 billion in 2015 and is forecast to grow to $101 billion in 2020 at a compound annual growth rate (CAGR) of 4.3%.” Protective cases topped the market, followed by chargers, screen protectors and finally headsets.


In 1969, 911 eliminated the challenge of knowing the local telephone number of the police, fire, or ambulance service in an emergency. More than a decade later, Caller ID was added to identify who was calling. Access to the Selective Router and the billing database, containing the address of the call, was now part of the E911 system. This ‘Enhanced 911’ model worked well, and E-911 service began rolling out across the entire country.

THE MOBILITY MONSTER

All was well with public safety and their shiny new E911 system, until the mobility monster reared its ugly head. Mobility is the enemy of 911. It breaks the simple model of a phone number relating to a specific location or address. Cellular telephones, and business VoIP systems, allow users to be located anywhere network connectivity is available. From this an entire new market was born, “The Enterprise 911 Solution Provider”. Both CPE and Cloud based solutions can be purchased, and monthly services can be established for users on the system. These services supposedly track movement, and update the appropriate public safety databases with required information. And, as with any opportunity, comes the opportunity to be sold a bag of magic beans.

Understanding how 911 works, in its simplest form, will allow an administrator to procure the appropriate solution for their business environment.

MYTH 1: I need 911 service on every device
While it’s true that every device needs direct access to 911, having a 911 record (a.k.a. phone number) for each device is not required. The phone number sent to the 911 center will trigger a specific address record to display on their computer terminal. What is important is that each telephone device sends a caller ID that is relevant to its location, so dispatchers see the appropriate address.

What they don’t want you to know:
Their billable is the telephone number, and they will give you every reason in the world to get you to put as many of those in the database as possible. While some reasons may have merit, most reasons are there to scare you based on your lack of understanding.

MYTH 2: 911 Needs to call back the specific device that dialed 911
It is critical that 911 dispatchers can re-establish a connection in the event of the call to 911 getting disconnected. More information may be required, a clarification on the address may be needed to get responders to the right location, or important instructions may be given to assist while help is arriving. Who needs to get that call, though, is up for debate.

With On-Site Notification, a responsible party can be made aware of a 911 call event, and then be able to handle any additional information requests. They can be a trained person who has access to all information and provide better coordination with emergency responders. And they are in the best position to direct any local personnel that may be qualified to assist while waiting for help to arrive.

What they would rather you not realize:
Being able to call every station directly, means a phone number on the device in the 911 database, and again, recurring billing, or a ‘gateway device’ in the path of the call.

MYTH 3: 911 is better provided in ‘the Cloud’ or as a ‘Hosted Service’
The cloud is a wonderful place. It is the answer to the ultimate question of Life, the Universe, and Everything, no . . . wait . . . that was 42. It is still a very cool place though, and provides a lot of benefit. And while 911 can live in the cloud, the question remains whether you need, or want, it to in your implementation. The cloud buys you a single point of access for emergency services across your network, but if the network is down, so is E911. The cloud gets you to every 911 center in the US and Canada, but you need to access the cloud via SIP or a 10-digit phone number. The cloud can provide notification and email alerts, but the cloud is external to your facility, so it may not be available in an urgent situation where a phone system on premises may serve your needs better. The decision is up to you, based on your needs and concerns.

What they don’t want you to know:
Again, if a 911 provider’s billable is a telephone number, don’t let them force your need for the cloud to have an entry for every device. The cloud can easily operate on a building or zone level.

MYTH 4: If I buy a system it will send Public Safety detailed information
If it were only true, but it isn’t because of this one reason. 911 is a voice call. The 911 network is a voice network. There is NO DATA CHANNEL, there is no pathway for anything but voice. 911 can receive caller ID, and then reference a database for static information that was put there before the call was made.

What you need to understand:
The 911 database contains records for each phone number, we know this already from the previous myths. In that record, there is a single 40-character free form field that can be populated with specific location text. You thought Twitter was tough with 140 characters, try to be specific with 40 or LESS!

MYTH 5: You are NOT part of the solution
When it comes right down to it, not only are you a critical part of the solution, you are the most important part of the solution. YOU understand the layouts of your buildings, YOU can coordinate resources inside your facility to render the best assistance possible, and YOU are able to provide access to the other tools that already exist that can provide the valuable situational awareness that can be correlated and given to 1st responders when they arrive on site.

What they don’t want you to know:
All the information provided here, because this removes the veil of secrecy that guards the profits these companies make from fear, uncertainty and doubt.

Using an external provider may be the right thing for your company, it comes down to the use case and requirements. And while sometimes you can get by with the functionality built into the system, if you do need a partner, make sure they are DevConnect Tested and Approved for the release and version of your system, and carry the DevConnect Partner or SELECT Product Partner logo.

If you are making an educated decision, and implementing 911 to a level that is effective, you are in line with the law, and good to go, in my book. Just beware of predatory tactics and the proverbial wolf in sheep’s clothing.

<SHAMELESS PLUG>

Please check out APN – The Avaya Podcast Network


</SHAMELESS PLUG>


Another Year of Waiting – Mobile Devices Still Can’t Be Found – or Can They?

Why is it that sometimes the simplest things take the longest to implement? It is not technology, it is not innovation, it is not patent lawsuits. Is it the almighty $$ or Euro as it may be? One has to wonder sometimes. In 2012, Tim Kenyon of Conveyant Systems and I presented a new concept to the FCC called Over The Top 911. It was an innovative way of providing MLTS data to PSAPs over a secondary internet channel, in parallel with the call.

Just 2 years ago, at the NENA Public Safety show in Denver, Colorado, a colleague of mine and I demonstrated iLOC8 (i-Locate) a version of this same technology that could be deployed at PSAPs to collect rich multi-media as well as discrete caller location from the millions of cell phones calling 911 each day. A demo of that technology can be seen here:

EENA, the European Emergency Number Association, NENA’s European cousin, reminds us today that in June 2016, Google updated all Android smartphones in the world with Advanced Mobile Location (AML), a technology that allows emergency services to accurately locate a caller in danger. Fast forward a year later, the service has been activated in many countries with many lives saved as a result (see here).

In the past months, EENA has been traveling around Europe to raise awareness of AML in as many countries as possible. All these meetings brought up a recurring question that EENA had to reply to: “So, what about Apple?”. For months, EENA has tried to establish contact with Apple to work on a solution that automatically provides accurate location derived from iPhones to emergency services and rescuers. Unfortunately, with no result.

Emergency services themselves, as well as other stakeholders, are publicly stressing the need for Apple to work on AML. This is the case in Australia, Estonia, Sweden, and Belgium. Belgium announced the launch of AML for Android users on 13 July but indicated that iPhone users should download the “112BE” smartphone app since the service is not available to Apple customers.

Politicians have also stressed the need for AML to be available in all handsets. In an interview with EENA after her visit to the 112 Emergency Response Centre in Tallinn, Member of the European Parliament Kaja Kallas noted that “Currently, AML only works on Android devices. To increase the number of people who can benefit from it, we should make sure that it works on all smartphones.”.

EENA recognizes the efforts of Apple to improve the safety of their customers. The SOS functionality of the Apple Watch can automatically send the location of a caller to a specified contact. Nevertheless, this functionality should be extended to mobile phones, and the location should be sent to emergency services and rescuers as well – the people who primarily need this information. Recent news about the “panic command” on iPhones, including a location function, is also a step in the right direction. But it is not sufficient: accurate location information should be sent during all emergency calls.

As AML is being deployed in more and more countries, iPhone users are put at a disadvantage compared to Android users in the scenario that matters most: an emergency.

EENA calls on Apple to integrate Advanced Mobile Location in their smartphones for the safety of their customers. It is important to highlight once again that AML is an open-source protocol (see ETSI technical report here) and any smartphone manufacturer or operating system provider can integrate it in their products.

EENA remains at the disposal of Apple to work together on a solution that will concretely improve the safety of its customers.

READ MORE – About AML

AML is an open-source protocol that improves the location data transmitted to emergency services. When an emergency call is detected in the user’s phone, accurate location information derived from the handset is transmitted automatically to the emergency services (using GNSS or Wifi) via SMS or HTTPS. The location data is sent directly to the public authority (emergency services) with no third party having access to it.

Useful links:
About AML: here
AML Frequently Asked Questions: here
ETSI technical report on AML: here
Cases of people saved thanks to AML: here

C’mon Cupertino – Get on Board for Humanity’s Sake – Let’s use our technology and skills to save a few lives right here in the US, and reduce the costs to deliver discrete and precise information to the PSAPs we have today. With NG911 right around the corner, this fits right in.

fletch

Big Brother might be coming in the future but Little Sister Alexa is here NOW


Ever since I was a small child, growing up in the 60s and 70s, the future always held in it a device, entity, or artificial being that knew all and saw all. Commonly, it was referred to as “Big Brother”. While there’s no denying that Artificial Intelligence, at a widescale deployment, is on the immediate horizon, it’s quite apparent that elements of that exist today and are quickly becoming embedded in our daily lives.

Thanks to Apple, Siri has been helping me on a daily basis do the most mundane things. Stopping by a colleague’s house while on a recent trip to Santa Clara, “Hey Google:” was the catchphrase of the evening as we all enjoyed this magical box on the kitchen counter answering nearly every question we could throw at it, including, “Hey Google, what’s my name?” for my colleague and his wife who had trained their voices on the app.

Early in July this year, an incident in New Mexico happened where an Amazon ECHO apparently called 911 on its own, sort of. When I first read the account, I immediately debunked it knowing that the Amazon Echo doesn’t have the capability of making a phone call over the public switched telephone network. Within a few days, Amazon spokespeople had confirmed this fact; however, the story continued, fueled by misquotes and misunderstood quotes made by the local police department, who quickly retracted and corrected some of their initial statements about Alexa initiating a 911 call.

Just as the national news was starting to calm down, Wired Magazine published the story, “An Amazon Echo Cannot Call the Police – But Maybe It Should”, opening Pandora’s proverbial box. Those that are technically savvy may ask why we don’t use technology to automate our lives making processes easier. Those on the opposite end of the spectrum will question privacy invasion capabilities of these devices. Despite valid arguments on both sides of that coin, the problem at hand for public safety officials is the potential volume of calls and false calls that they will receive.

In my days as a police dispatcher in the early 80s, a motor vehicle accident on the highway may end up generating a couple of phone calls and a few shout outs on the CB Radio. Today, with the CTIA saying cellphone saturation is at a record 120.6% for 2016, it’s not uncommon to receive 20 or 30 calls for a single incident such as a motor vehicle accident. Based on this, the sheer number of reports coming in on each incident can cripple even a midsize agency, let alone the vast majority of 911 Public Safety Answering Positions that are staffed with 4 to 6 people or less, when fully staffed.

Based on this, the question at hand is not one of the current capabilities of the technology; rather, the questions now become more policy and procedure driven, such as:

  • How do we make sure that public safety staffing is at a level that has the ability to receive this new influx of emergency and nonemergency traffic?
  • How do we make sure we don’t accidentally TDoS the 911 network by enabling potentially millions of attack points in households across the nation?
  • How do we ensure that location information is properly provisioned and utilized, especially if these devices are connected through the IP network and Internet?

Is Big Brother watching? Not likely, at least not today.
Is Little Sister watching? The answer to that might shock you, and the real issue at hand is, if she is, who is she telling?


Ransomware – Holding 911 Hostage

Security is one of the critical elements that anyone who operates a network should be concerned with. One industry in particular, Public Safety, is often thought of as being safe and secure, but in reality, they are as susceptible as their weakest link. 911 center directors in public safety need to be especially concerned with DDoS and Ransomware attacks. The information contained in their networks is very sensitive and if compromised could create a national disaster.

In response to events seen this week in the commercial space, I sat down with the NENA Director of Public Safety and Government Affairs, Trey Forgety, to discuss this issue.

Fletch: Trey, welcome back. Unfortunately, every time we get to talk it’s never good news.

Forgety: That’s right. Today as in the past we’re experiencing some really, really tough issues.

Fletch: This week we have a cyber attack going on, not necessarily a DDoS attack but a Ransomware attack that is affecting commercial businesses and could potentially affect public safety as well.

Forgety: That’s right. Unlike a DDoS attack where someone tries to flood a network with more traffic than it can handle, in a Ransomware attack, they’re trying to deny you access to a computer by encrypting all of the files on the machine’s drive. The attack that we’ve seen today is particularly pernicious because unlike many in the past this one actually doesn’t require anyone to click on a link.

Fletch: That’s a little scary because I can totally understand the “click bait” that’s out there. You’ve just inherited 20 million dollars, click here – and then they use social engineering to basically collect information. How do you execute an attack without getting the user to interact? That’s new.

Forgety: It is sort of new. In this case, a vulnerability in something called the Server Message Block or SMB protocol. It’s a file sharing protocol that’s commonly used by Windows computers. A vulnerability in older versions of SMB that are still enabled on a lot of systems was exposed that can allow attackers to remotely execute code. Now, the good news is that there are mitigations. If you have your machine attached to the networks with a firewall for example and you prevent off network SMB access that’s one way to hopefully shield your network from this type of attack.

Fletch: Now, is that something normal network administration, security administration would have enabled?

Forgety: One would hope so but it’s not the case everywhere. Looking at the networks that I administer personally it was only about a year or two ago that I got to looking at making sure regularly that things like SMB were explicitly blocked. A lot of folks try to fall back on a default deny rule so that everything I haven’t thought of will get denied. That works great but for a lot of things where you know there’s a vulnerability it’s also a good idea to go in and put in a hard rule so that if at some point in the future something changes, somebody changes the default rules or something, you know that that hard rule is always there to protect you. Now I make it a point of anything that doesn’t need to come into my networks from somewhere else in the world, I make sure to go ahead and explicitly block those things at my firewall.

Fletch:  You know, when you look at typical public safety IT department they have a lot of great policing and knowledge but they don’t always have the best IT staff nor do they have access to IT experts. I think that leaves a big chunk of our public safety kind of vulnerable, doesn’t it?

Forgety: You know, it absolutely does. We really have a workforce crisis in the public safety field on cyber security. That’s not unique to public safety, that workforce crisis exists across every sector of our economy. For us, it’s particularly acute because of the sensitivity of the public safety mission and its importance in safety of life. One of the things that I always tell folks is you’ve got to self-educate and you’ve got to get good at taking the basic steps that you can do without having an elite information security team on your side.

Fletch: NENA is very proactive with its member community. You’ve raised the awareness quite a bit over the past couple of years. There was an alert that went out late this afternoon to members letting them know. What did you announce there?

Forgety: First off, I appreciate your recognition because it really has been, both for NENA as an organization and for me personally, an important thing over the past few years to raise the profile of security issues. The step that we took today is sort of a new thing that we’re doing to try and be helpful when we do hear about a major new threat. We issued a memorable late this afternoon that described the type of attack in fairly plain terms and then went on a little bit to talk about what the vulnerability is. I think most importantly we provided our members with five concrete actions that they can take right away to help protect their networks.

Fletch:  What were those actions?

Forgety: The first thing is local PSAP or county IT administrators need to download the Microsoft patch for this vulnerability. They’re calling it MS17-010. You’re going to want an IT admin to test this patch to make sure you’re not breaking anything, knocking systems offline before you deploy it to everything. Nonetheless, it is something that needs to get patched in a very, very big hurry.

The second thing that we’re advising is that center managers should make sure that they check up on their backup process. They need to make sure that they have onsite and offsite and hopefully one of those is actually offline backups for all of their critical systems. Make sure those are routinely being maintained and periodically go in, verify and test restores for those backups. If you haven’t tested a backup you don’t know that it’s going to work and you can’t rely on it. We’ve seen that demonstrated rather dramatically just in the past year. We’ve seen some major software providers learn that three different backup systems weren’t working the way they thought and in fact, they were going to have to rebuild from scratch.

The third thing that we recommend is that PSAP IT departments consider permanently disabling the Server Message Block or SMB 1.0 and 2.0 protocols along with CIFS or the Common Internet File System. Those are all sharing protocols that are commonly used on the Windows systems that have this vulnerability so SMB-1, SMB-2, and CIFS should all be turned off permanently. They still have SMB-3 as an option, that’s the version that is currently being maintained. More than anything, it will also give you higher speeds and better security going forward.

The fourth item, shift supervisors, and this is an important thing for us. A lot of our members are telecommunicators and dispatchers so we wanted to make sure that we have advice that shift supervisors can give to their frontline employees. Our advice is to make sure that front line employees are briefed to report any unusual computer behavior and to make sure they’re exercising added caution whenever they’re clicking links or entering credentials even in systems that they normally access. You want to just make sure that anything that your frontline employees touch from time to time they’re being a little bit extra careful about right now just to make sure you don’t accidentally leak credentials to a potential attacker.

Then the last thing we’re recommending is if you do fall victim to Ransomware whether it’s the current WannaCry attack or any subsequent attack, don’t pay. Don’t pay the ransom unless you absolutely have no other option for recovering your data. First, you should contact your local FBI field office and second notify the National Cyber Security and Communications Integration Center if an attack impacts your 911 service. I’ll give you their phone number here for your listeners. That’s 888-282-0870. Again 888-282-0870. Then as you do that make sure you’re taking steps to preserve log files and anything else that might be helpful in a forensic investigation.

Fletch: Now, fortunately, public safety is used to collecting evidence and documenting everything and that’s what’s really going to help to put an end to this. That’s what the FBI wants, all this detailed log data to help them trace back to the culprits.

Forgety: Absolutely. You know, the sad reality is that in any given case it’s unlikely that the FBI or anybody else is going to find the specific attacker and prosecute them for attacking you directly. But, taken together, correlated log files from across multiple attacks can allow agencies in law enforcement and intelligence to figure out where the attackers are coming from, find out what their common techniques are, and then ultimately go after those attackers where they live. For the long term that’s the most important thing.

Fletch: The obvious question here is, Next Generation-911 is going to provide a plethora of information but in that, you’re connecting with the internet of things. How do we do that in a secure environment to gain the benefits of NextGen without opening up the door to allow these types of attacks, happen more easily? It’s kind of a double-edged sword.

Forgety: It’s absolutely true and that’s something we’ve had to acknowledge from day one. As you move to modern internet era technologies … Just to be clear, we’re not talking about putting 911 on the internet, that’s not what Next Gen 911 is about. We do use common internet technologies. A result of that is that you will have different types of vulnerabilities than what you face today with the telephone system. The good news though is that in addition to having new kinds of vulnerabilities you get access to all sorts of new tools that simply don’t exist in the telephone world to combat those vulnerabilities. At NENA for example in the i3 standard and the NGSX standard, we’ve worked very hard with the vendor and public safety communities to make sure that security mechanisms to protect these life critical systems are built in from the ground up.

Fletch: You bring up a good point, NENA is a standard definition organization, an SDO.

Forgety: That’s right. We’ve actually been the recognized SDO in the public safety field since the early 90s for 911. Our standards are universally adopted for things like ANI and ALI, how that data is transferred, how PSAP transfers occur, and how PSAPs answer calls. Then in 2011, we went from being just the recognized standards body to being both recognized and accredited. NENA got their ANSI accreditation. All that means is that we ran our standards process by The American National Standards Institute and they signed off that that process met their requirements for the minimum due process.

Fletch: NENA and EENA, the European Emergency Number Association, recently issued a joint press release about Next Generation 911 Services. That was a big deal.

Forgety: It was a really big deal. One of the advantages that often goes overlooked of moving to Next Generation-911 is that it brings public safety systems into the global standards realm. The i3 standard for NG-911 was intentionally designed with that in mind. We’ve worked very closely with EENA over the years to make sure that their standards for Next Generation-112 are aligned. They won’t be exactly the same because how they do things in Europe is a little different but they’ll be very well aligned with the i3 standard. What we announced earlier this year was that we were going to renew that effort and work even harder to drive global standardization in the NG-911 world.

Fletch: You also recently had the Canadian CRTC adopt the NENA i3 standard as their direction forward as they build out Next Generation north of the border.

Forgety: That’s right. In Canada the CRTC has recognized i3 as the standard for NG-911.

Fletch: What about to the south? What’s happening in South and Central America? I haven’t really heard much about Next Generation. People ask about it, but I haven’t heard of any real standards work down there.

Forgety: We’re not aware of any separate standards work going on in Central and South America but we do make available our standards developers and our standards work on a relatively free basis for others to develop into compatible systems. When it comes time for Central and South America to start looking at NG-911 all of that existing body of work will be there so that they can bring themselves into harmony with the global standards process.

Fletch: Also the ASEAN market. I’ve talked to a few people, a great group of folks that are currently attending George Washington University that also attended the recent 911 Goes to Washington conference. They were very interested in rolling out multimedia services over in Thailand. What they said to me is why should I go reinvent the wheel? Which totally makes sense.

Forgety: Absolutely, that’s what we’re hoping everyone around the world will do and so far what they seem to be doing.

Fletch: You are the official NENA hacker, and you got to go present at the DEF CON conference this year.

Forgety: As a matter of fact attacks like this and denial of service and so forth came up quite a bit. In fact, we were … Well, not us directly but the Dark Tangent, a guy by the name of Jeff Moss, the founder of DEF CON tweeted out months before the conference last year that he wanted a position on NG-911. I think that is a testament to how much these systems are making it into the popular consciousness, both in public safety and in the information security community. We’re hopeful that with some renewed effort on our part that we can get NG-911 in front of the Infosec community even more frequently.

Fletch: Again, it’s the security side of this because if you look at any network unprotected it scares the hell out of me and what could potentially happen. It’s not necessarily the use case of the network, I think that accentuates the importance of it but it’s the security blanket that you’re going to wrap around this. That’s where the work really needs to be put in. It’s great to see you raising awareness and getting the industry focused on wrapping that blanket around public safety. Multimedia, multimodal communications, hey, that’s what the world does today, right? My daughter just came home from college today. I talked to her all day long, not once did I speak to her on a phone. We chatted, we FaceTimed, we did everything but make a phone call. I mean, that’s tomorrow, that’s what’s happening. You can’t ignore it any further. We’ve got to move public safety into that mode. Phone calls are going to go away, I believe.

Forgety: That’s absolutely right and as they do we’ve got to secure what comes next. We’re going to continue working very hard to do just that.

Listen to “NENA advises of Ransom-ware vulnerability for PSAPs” on Spreaker.

If you are interested, a complete audio version of this interview is available here: TiPS – NENA’s Trey Forgety on Ransomware