Demystifying Mail Threats: What really can hurt you?

The most common way of training for potential security threats is to identify and focus on the "worst-case scenario." Doing so puts the full scope of the threat on the table so everyone understands how serious the situation can be. What it does not do is mentally prepare those involved for the scenario that is not the worst case. If the only answer you have is to call 911, then every problem has only a 911 solution. That may work well on paper, but it does not help with security incidents that fall in the middle of the scale.

Most Likely Scenario: False Positive or Hoax

False positives happen all the time and, for the most part, cause minimal disruption. They cost money and take time, but normally they are managed in real time, at the lowest level possible, and they do serve to keep an organization awake and aware of possible threats.

Hoax threats have a different character. A hoax is intended to waste time and money and, if done well, to expose an organization's response procedures to those who intend further harm. Most organizations cannot keep security professionals on staff, so hoax threats become full-blown events.

The art of Emergency Management (EM) lies in allocating effort in proportion to the actual threat. Pre-planning for the moment a threat arrives removes the "We found it, what's next?" question. Effective, low-cost preventive measures include soliciting advice from EM professionals on protective buttressing against explosive threats, establishing pre-set decontamination sites for chemical or biological events, and simply installing cameras that allow first responders to see the threat before arriving on site.

Engage the EM professionals within your organization, and if you don't have any, reach out and see what is available. RaySecur's EM leaders will answer your questions and help you secure your organization and people while keeping cost and inconvenience to a minimum.

USPS Drops Size Allocations for Collection Bins

USPS Seemingly Small Size Standards Change Is Actually Extremely Significant

In direct response to recent pressures regarding mail-borne threats, the United States Postal Service (USPS) reduced the acceptable size of mail deposited in blue collection boxes. Since the majority of mail hazards are deposited in USPS collection boxes, this change will affect future threats in several ways. Threat items will necessarily become smaller and more compact, so more small packages are needed to move the same amount of contraband, driving the need for ever more sophisticated detection capabilities. The overall effect is an increased requirement for technology that can detect at lower thresholds than previously required.

The size change is intended to reduce threats from packages with unknown and possibly nefarious chains of custody. The previously accepted size, approximately 4" x 8" x 12", is now reduced to one-eighth of that volume: the thickness limit drops from roughly 4 inches to one-half inch. The maximum allowable weight is now only 10 ounces, roughly 25% less than previously accepted. According to the new requirements, "Customers who need to mail packages with postage stamps that are larger than one-half inch thick or heavier than 10 ounces must conduct the transaction in person at a Post Office retail counter."

This directive was sent to employees in a postal bulletin, without being advertised to the public: "Effective October 1, 2019, mail pieces bearing stamps for postage that are more than one-half inch thick or weigh more than 10 ounces will be prohibited from entering the mail stream through collection boxes, building mail chutes, and Post Office mail slots."

What you need to know from the USPS:

· Carriers have been instructed not to accept packages that do not fit the restricted criteria, even in face-to-face transactions (these transactions must occur at a Post Office retail location).

· Items that cannot be returned immediately are to be isolated and returned to sender via surface transportation only.

For additional information on this and other emerging threats contact: will@raysecur.com

USPS Link: https://about.usps.com/postal-bulletin/2019/pb22529/pb22529.pdf

What if there is no return address shown?

The supervisor, manager, or postmaster will contact the addressee by phone and describe the mailpiece to the addressee, providing the city and state of the postmark, if possible. The addressee should be asked:

a. Are you expecting the package?

b. If yes, does this mailpiece contain anything liquid, fragile, perishable, or potentially hazardous such as lithium batteries or perfume?

If the addressee is expecting the mailpiece and confirms that it does not contain anything liquid, fragile, perishable, or potentially hazardous, the supervisor, manager, or postmaster must:

-Identify the mailpiece via a $0.00 PVI, meter strip, or AVSEC stamp.

-Cancel the postage (if not already canceled).

-Apply Label 127, Surface Transportation Only, and transport the mailpiece via surface transportation only.

The supervisor, manager, or postmaster must contact the Inspection Service if the addressee:

-Has no phone number that can be identified by using directory assistance, the phone book, or the Internet;

-Is not expecting the package; or

-Cannot confirm that the mailpiece does not contain anything liquid, fragile, perishable, or potentially hazardous.

Warshipping

RaySecur Security Advisory: WARSHIPPING – IT and Network Vulnerabilities through the Mail

Beyond the conventional CBRNE (chemical, biological, radiological, nuclear, and explosive) threats that the mail poses to an organization's personnel and infrastructure, mail also carries a serious risk to IT and cyber assets. Recent testing by IBM has highlighted a practice known as "warshipping," in which miniature electronic devices are hidden in small packages and envelopes so that, once inside the building, they give an attacker remote access to otherwise protected Wi-Fi networks. These threats bridge the gap between physical security and cybersecurity and are designed to exploit one of the easiest means of entry into a building: the mail. There is no shortage of delivery methods; it comes down to the ingenuity of the attacker. One example is shipping a package to an employee on parental leave, so that it sits unopened inside the organization for months without raising alarm. The only limiting factor for these devices is the battery power needed to keep them running.

News Link: https://www.helpnetsecurity.com/2019/08/07/warshipping/

What you need to know:

· Small cellular, Bluetooth and Wi-Fi devices hidden in objects and packaging designed to enter your facility through the mail

· Once inside your building, these systems act as Wi-Fi, LTE or Bluetooth gateways that allow remote users to reach on-site networks and communication systems

· Active mail screening is the primary means of defense, since other deterrents interfere with functions the facility needs in order to operate

· MailSecur mmWave scanning technology provides the most comprehensive solution for detecting and mitigating these threats.
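A warshipped device that wakes up inside the building has to associate with, or at least probe, the on-site wireless network to be useful to its operator, and that activity shows up in the Wi-Fi controller's logs. The script below is an added example, not part of RaySecur's advisory or product, of a low-cost network-side check that complements mail screening without interfering with facility operations: it compares association and probe events against the asset inventory and flags unknown clients, noting whether they use a randomized (locally administered) MAC and whether they sit on a single access point, as a device parked in a mailroom would. The log format, access point names, MAC addresses and inventory are all constructed for the example; a real deployment would read the controller's actual export and an MDM or NAC inventory.

```python
"""Flag wireless clients that are not in the asset inventory.

Added example (not RaySecur's code). Log format, MACs, AP names and the
inventory below are constructed; substitute a real controller export and
MDM/NAC inventory in practice.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog-style association/probe events from a hypothetical Wi-Fi controller.
SAMPLE_LOG = """\
2019-08-12T08:02:11 ap-lobby-1 ASSOC client=3c:22:fb:1a:2b:3c ssid=CORP-WPA2 rssi=-58
2019-08-12T08:05:40 ap-floor2-3 ASSOC client=a4:5e:60:77:88:99 ssid=CORP-WPA2 rssi=-61
2019-08-12T09:17:03 ap-mailroom ASSOC client=e6:11:22:33:44:55 ssid=CORP-WPA2 rssi=-40
2019-08-12T09:17:05 ap-mailroom PROBE client=e6:11:22:33:44:55 ssid=CORP-WPA2 rssi=-41
2019-08-12T09:20:30 ap-mailroom ASSOC client=e6:11:22:33:44:55 ssid=GUEST rssi=-42
2019-08-12T10:01:00 ap-lobby-1 ASSOC client=3c:22:fb:1a:2b:3c ssid=CORP-WPA2 rssi=-60
"""

# Constructed asset inventory: MAC -> owner/asset tag.
INVENTORY = {
    "3c:22:fb:1a:2b:3c": "laptop-jsmith",
    "a4:5e:60:77:88:99": "laptop-adoe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<event>ASSOC|PROBE) "
    r"client=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>\S+) rssi=(?P<rssi>-?\d+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["rssi"] = int(d["rssi"])
        events.append(d)
    return events


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a randomized or self-assigned MAC
    with no vendor OUI, which defeats simple vendor-based allowlisting."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_unknown_clients(events, inventory):
    """Return {mac: summary} for every client MAC that is not in the inventory."""
    seen = defaultdict(lambda: {"first": None, "last": None, "aps": set(), "ssids": set(), "events": 0})
    for e in events:
        if e["mac"] in inventory:
            continue
        s = seen[e["mac"]]
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        s["aps"].add(e["ap"])
        s["ssids"].add(e["ssid"])
        s["events"] += 1
    report = {}
    for mac, s in seen.items():
        report[mac] = {
            "first_seen": s["first"].isoformat(),
            "last_seen": s["last"].isoformat(),
            "aps": sorted(s["aps"]),
            "ssids": sorted(s["ssids"]),
            "events": s["events"],
            "locally_administered": is_locally_administered(mac),
            # Only ever heard by one AP: the device is not moving around the building.
            "stationary": len(s["aps"]) == 1,
        }
    return report


if __name__ == "__main__":
    for mac, info in find_unknown_clients(parse_events(SAMPLE_LOG), INVENTORY).items():
        print(mac, info)
```

Run periodically against the controller's export, an unknown client that never moves off the access point nearest the mailroom and tries several SSIDs is worth a physical look at what arrived in that room; the check is passive and does not disrupt legitimate wireless use.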

For additional information on this and other emerging threats contact:  will@raysecur.com

RaySecur™ has developed a breakthrough based on millimeter-wave technology, capable of detecting and confirming powders, solids, liquids and all forms of CBRE (chemical, biological, radiological, and explosive) composites inside envelopes and small packages. Certified by the U.S. Department of Homeland Security, the technology provides dynamic, real-time 3D imaging capable of detecting even a single drop of liquid, in a safe, compact, desktop-size scanner. https://www.linkedin.com/company/raysecur/

False Positives: More Common Than You Think

Earlier this month, when Facebook's sarin nerve agent scare hit the news, it highlighted a reality often overlooked when planning for emergencies: the most common end state of an emergency situation is a false alarm. By the end of the day, the apparent nerve agent threat was deemed a false positive. In most cases, such situations can be de-escalated by stopping, taking a breath, and checking that the indications of a threat are consistent with all of the other evidence at hand. Once an organization's emergency response plan is activated, the most important goal for all involved is to return to normal operations.

False alarms and false positives are the most common reason that emergency action or response plans are initiated. But what happens when a plan is initiated and there is no clear and definite endpoint to the emergency? The answer is ambiguous unless there is a holistic understanding of the threat and those making decisions are fully informed of the best way to return the organization to normal. Facebook, from the outside looking in, missed the mark on this point. Sarin is not the most likely conclusion even when an identification system produces it as an answer. If it looks like a duck, walks like a duck and quacks like a duck, but one system says it's a dog, what is the most likely correct conclusion?

Simply stated, chemical identification systems are only as good as the library they reference. Nearly all chemical detectors compare their measurement of a sample against a database or library, looking for similarities between the measurement and the precursors, or even whole compounds, that make up a threat. In the case of sarin, which is produced all over the world, no two batches test exactly the same. Facebook's alert was most likely a false positive because the detector identified a compound that fell within the parameters its library assigns to sarin. Events like this happen every day, in every country, wherever chemical identification is performed. Until a better method of identification is invented, the best option is to ensure human involvement to confirm plausibility and verify legitimate threats while de-escalating and weeding out false positives at the appropriate point in the decision cycle.
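The two halves of the argument above, a library match that is only a similarity score and a threat that is rare enough that most alarms are false, can be made concrete with a few lines of arithmetic. The example below is added here and is not RaySecur's code or any detector vendor's algorithm: it scores a constructed measurement against a toy library by cosine similarity, reports the top entry the way a detector would, then applies Bayes' rule to show what a "sarin" hit is actually worth once the base rate is taken into account. The five-bin "signatures" are made-up numbers rather than real spectra, and the prior, sensitivity and false-alarm rate are assumed values chosen to illustrate the reasoning.

```python
"""Library matching and the base-rate problem behind chemical false positives.

Added example, not RaySecur's code or any vendor's algorithm. Signatures are
constructed five-bin vectors, not real spectra; prior, sensitivity and
false-alarm rate are assumed illustrative values.
"""
import math

# Constructed library: compound -> signature (intensity per bin).
LIBRARY = {
    "sarin":       [0.9, 0.1, 0.7, 0.0, 0.4],
    "malathion":   [0.8, 0.2, 0.6, 0.1, 0.5],   # organophosphate pesticide with a similar profile
    "isopropanol": [0.1, 0.9, 0.0, 0.8, 0.1],
}

# Constructed measurement of a compound that is NOT in the library but resembles sarin.
SAMPLE = [0.88, 0.14, 0.72, 0.03, 0.38]


def cosine(a, b):
    """Cosine similarity between two equal-length signature vectors (1.0 = identical shape)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def rank_matches(sample, library):
    """Every library entry with its similarity to the sample, best first."""
    return sorted(((name, cosine(sample, sig)) for name, sig in library.items()),
                  key=lambda t: t[1], reverse=True)


def best_match(sample, library, threshold=0.95):
    """What the instrument reports: the top entry if it clears the threshold, else None.
    Note that an unlisted compound can still clear the threshold for a listed one."""
    name, score = rank_matches(sample, library)[0]
    return (name if score >= threshold else None), score


def posterior(prior, sensitivity, false_alarm_rate):
    """P(threat present | alarm) by Bayes' rule.
    sensitivity = P(alarm | threat); false_alarm_rate = P(alarm | no threat)."""
    p_alarm = sensitivity * prior + false_alarm_rate * (1.0 - prior)
    return sensitivity * prior / p_alarm


def triage(match, prob_threat, corroborated):
    """The human decision step the article argues for: a library hit alone means
    confirm with a second method; escalate only on corroborating evidence
    (symptomatic people, a credible threat) or a genuinely high posterior."""
    if match is None:
        return "clear"
    if corroborated or prob_threat >= 0.5:
        return "escalate"
    return "confirm"


if __name__ == "__main__":
    match, score = best_match(SAMPLE, LIBRARY)
    print("detector reports:", match, round(score, 4))
    for name, s in rank_matches(SAMPLE, LIBRARY):
        print(f"  {name:12s} {s:.4f}")
    # Assumed numbers: one genuine sarin mailing per 100,000 screened items, a detector
    # that alarms on 99% of real samples and on 1% of benign ones.
    p = posterior(prior=1e-5, sensitivity=0.99, false_alarm_rate=0.01)
    print(f"P(sarin | alarm) = {p:.4%}")
    print("action:", triage(match, p, corroborated=False))
```

With those assumed numbers the detector is right to say "sarin" in the sense that sarin is the closest thing in its library, yet fewer than one alarm in a thousand corresponds to real sarin, which is exactly why the page insists that a library hit starts a verification step rather than ending the decision.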

Adding technical expertise to an organizational response plan inserts a checks-and-balances capability into the threat management plan. It increases the speed at which companies recover and decreases lost revenue. In effect, it places a facilitator inside the larger unit to ensure the correct answer gets to the right people as quickly as possible. Unfortunately, most identification systems are not effectively tied to someone with a complete understanding of the threats their users face. For organizations to be truly successful in emergency management, expert human involvement is required to weigh all of the relevant factors and arrive at the correct decision, so that while one system might say it's a dog, if it has wings, feathers and webbed feet, quacks, and is swimming in a pond, it must be a duck!