Massive Security Breach



BigDon
2009-Dec-09, 03:11 PM
I'm freakin' speechless.

http://abcnews.go.com/Blotter/massive-tsa-security-breach-agency-secrets/story?id=9280503

Taeolas
2009-Dec-09, 03:14 PM
And once again, "Security through Obscurity" proves that it is neither secure nor obscure.

Hlafordlaes
2009-Dec-09, 03:25 PM
Good grief. When I was involved in a software sale to a local NATO installation, it seemed they had these things under better control. Sensitive information was on computers that were not connected to the internet, had no working USB ports nor floppy or CD drives, no printers, and were behind significant controls and checkpoints. "Normal" office computers outside that area (where our software was going) were also highly limited in function and access.

But the biggest and best firewall of all is proper training. Sounds like TSA is run worse than the Cub Scouts (no offense to the Scouts).

Fazor
2009-Dec-09, 03:28 PM
And the best thing for the news to do? Post the details of the security breach just to make sure everyone knows what's out there. Heh.

I'm not saying don't report it, but a little more vagueness on exactly what information is now out there might have been smart. Oh well. I guess now the CIA can just sit back and watch the P2P networks for the file and who downloads it. :-P

jokergirl
2009-Dec-09, 03:37 PM
And once again, "Security through Obscurity" proves that it is neither secure nor obscure.

Very much agreed. My first thought upon reading the headlines was "I didn't know that kind of thing was supposed to be secret" and because of this I wasn't particularly interested in reading about it until BigDon posted about it here under this rather shocking header.

Why is it so bad that people know about security procedures?

;)

Swift
2009-Dec-09, 03:38 PM
This over-reactive and preemptive moderator would like to remind everyone to please keep politics out of this discussion. Thanks.

BigDon
2009-Dec-09, 03:42 PM
I'll keep an eye out Swift.

I didn't see any yet. But we both know this place. :)

rommel543
2009-Dec-09, 03:50 PM
What I find even worse is that ABC has downloaded the file and has it reposted on their website, with a link to download the file and direct link to the example credentials.

Surprisingly the CIA identification is VERY simple looking. If someone had shown that to me I would have asked what Cracker Jack box they got that out of, and if it came with a Super Spy decoder ring.

flynjack1
2009-Dec-09, 06:21 PM
This is worrisome for the public and for armed law enforcement officers who fly. Nothing good comes from this type of security failure. The press should show some discretion but that would be out of character lately. The press has stayed away from the Flight 296 ATl to Houston flight but jumps on this story with both feet.

Ken G
2009-Dec-09, 06:23 PM
Perhaps some good will come from it now-- new credentials, new policies to replace what is compromised. It's even possible that some of these things were in the works and the leak was intentional, but that requires there be intelligence in the intelligence business and not just the spy novels. I really don't know.

HenrikOlsen
2009-Dec-09, 07:10 PM
Why is it so bad that people know about security procedures?

Because that knowledge can help bad people bypass them.

korjik
2009-Dec-09, 07:26 PM
Considering that NASA (at least JSC does) changes its badges every couple years, I would hope that CIA changes them even quicker.

Also, I wouldn't put too much on what a CIA badge looks like. The important thing is the RFID.

Moose
2009-Dec-09, 07:26 PM
Bad security measures depend on the bad guys not knowing how they work. The best security measures are effective even if you mail the design document to the person/group the security is designed to defeat. If it can't be published today, it's lousy security.

Moose
2009-Dec-09, 07:27 PM
The important thing is the RFID.

RFID is lousy security. See my previous post.

jokergirl
2009-Dec-09, 08:07 PM
Because that knowledge can help bad people bypass them.

Agreeing with Moose here, if you can bypass it because you know it, it never was a good security measure to begin with.

;)

korjik
2009-Dec-09, 08:59 PM
RFID is lousy security. See my previous post.

Don't get me wrong, I wasn't implying that it was good. My feeling is that most security is specifically designed to make sure the security people keep their jobs, more than to keep things secure.

I am not implying that the security people are incompetent, just that most security is designed to get in the way of the people who are supposed to be there and that most security is designed to look secure more than be secure.

Moose
2009-Dec-09, 09:31 PM
I am not implying that the security people are incompetent, just that most security is designed to get in the way of the people who are supposed to be there and that most security is designed to look secure more than be secure.

*nod* Rationally speaking, we both should think that's well in tinfoil hat land, but I've been, and I'm pretty sure you've been as well, in the industry long enough to have seen plenty of evidence of intentionally baroque design to justify entire industries centered on support and maintenance.

And if IT weren't so messed up that in all probability you're right, I might still be in that industry.

/ Apologies for feeling unusually jaded tonight (even for me). Odd, because I've had a string of really good news lately.
// The one I'll talk about on the public forum is that I've found out that I've aced both of my state teaching certifications that I have results for so far. Three more to go.

rommel543
2009-Dec-09, 09:36 PM
Honestly if someone REALLY wanted to get around security they would find a way. I couldn't help but think of my recent flight to Florida. When taxiing up to the gate I was looking out the window and could see numerous "secure" doors propped open with brooms and boxes and people wandering in and out. Some of which really did not look like they belonged there.

clop
2009-Dec-09, 09:38 PM
I'm freakin' speechless.

http://abcnews.go.com/Blotter/massive-tsa-security-breach-agency-secrets/story?id=9280503

I'm speechless that a leading media outlet has made it a big news story and provided the document for everyone to download and read. To me that seems far more irresponsible than the original unintended leak.

clop

korjik
2009-Dec-09, 10:07 PM
But the PEOPLE HAVE A RIGHT TO KNOW!!!!!

:P

Moose
2009-Dec-09, 10:18 PM
I'm speechless that a leading media outlet has made it a big news story and provided the document for everyone to download and read. To me that seems far more irresponsible than the original unintended leak.

I actually approve. Very best thing that can happen to security-by-obscurity. It means they'll stop using it and come up with something that hopefully is reasonably resistant to the light of day.

tdvance
2009-Dec-09, 10:30 PM
Bad security measures depend on the bad guys not knowing how they work. The best security measures are effective even if you mail the design document to the person/group the security is designed to defeat. If it can't be published today, it's lousy security.

That's certainly true with cryptography--because hackers can reverse-engineer the algorithm often. However, it is still bad practice to publish physical security plans, because EVERY SINGLE ONE has holes. I mean, EVERY plan (simple example---can you hide something from a pat down? Of course you can--few people do, though. And there is no super-advanced pat down procedure that can fix that). Till we invent GP hull material and use stepping disks to regulate entry and exit, there will always be holes someone knowledgeable could get through. The physical world is very messy compared to bits and bytes, so the rules are different.

mugaliens
2009-Dec-10, 07:35 AM
This is "news?"

jokergirl
2009-Dec-10, 08:04 AM
According to BBC, they do claim that the document was "outdated". But still, from what I can read in the news about it, it is pretty shoddy security to begin with. There's no excuse and I do hope some criticism and improvement comes from it. (I don't have much hope, though.)

;)

clop
2009-Dec-10, 10:48 AM
I've often thought, as I've watched them stroll, brazenly and unchecked, festooned with guns and metal weapons, through beeping x-ray gates, how easy it would be for a would-be terrorist to dress up as a policeman and get airside without an eyebrow being raised, if the disguise was good and the terrorist had the confidence to pull it off.

It reminds me of a stunt by the satirical "Chaser" team in Australia at the recent APEC summit in Sydney, where one of them dressed up as Osama Bin Laden and sat in the back of an official looking mock-up of a dignitary's limousine, complete with a little bonnet flag, laughably fake permits in the windscreen and suited "security guards" jogging alongside, and was waved through one security checkpoint after another until they found themselves outside President Bush's hotel in the most "secure" area of all. They were arrested of course but my goodness it shows what you can accomplish with a simple confidence trick, even with a $160 million security plan.

Here's the coverage for those who are interested

http://www.youtube.com/watch?v=TdnAaQ0n5-8

and the way it was reported on the BBC

http://www.youtube.com/watch?v=qmZqzvtsoHg&feature=related

clop

DonM435
2009-Dec-10, 03:38 PM
I believe that they used to let real policemen keep their guns during flights. If that were still the case, I don't think that anybody would try to commandeer a flight with a box-cutter. Maybe they should offer free tickets to legitimately armed and cleared people.

flynjack1
2009-Dec-10, 07:18 PM
Armed officers still fly (not just FAMs), and the policies they adhere to were not widely known for obvious reasons.

Fazor
2009-Dec-10, 07:28 PM
I've often thought, as I've watched them stroll, brazenly and unchecked, festooned with guns and metal weapons, through beeping x-ray gates, how easy it would be for a would-be terrorist to dress up as a policeman and get airside without an eyebrow being raised, if the disguise was good and the terrorist had the confidence to pull it off.

clop

Might not be as easy as it seems. AFAIK, even if officers from outside departments are allowed to keep a weapon on their person, they have to go through certain checks; they aren't allowed to just walk by as a normal person, even in uniform.

Therefore you'd have to imitate an airport officer or officer of the appropriate jurisdiction. Not impossible, but I know when I worked, we were a close-knit group. We knew each other, and would instantly recognize a faux officer. Possible? Maybe. Particularly in a large airport.

Easier still if you have a copy of said department's security procedure, so you know when, where, and how to show the fake badge you made that looks like the one on page e37 section 8a. :)

tdvance
2009-Dec-10, 09:42 PM
I believe that they used to let real policemen keep their guns during flights. If that were still the case, I don't think that anybody would try to commandeer a flight with a box-cutter. Maybe they should offer free tickets to legitimately armed and cleared people.

That would work--I recently finished Destroyer of Worlds, and one character, considering the history of Earth and the VA Tech shooting, said, gee, why didn't someone shoot the guy when he fired the first shot? Couldn't understand Earth back in the 21st century.

sarongsong
2009-Dec-10, 11:43 PM
...The most sensitive parts of the...manual were apparently redacted in a way that computer savvy individuals easily overcame...:doh:
December 10, 2009
...Our tests...indicate that the TSA may not have been using updated software. If it had, its employees' redaction process may have been more thorough, and that the underlying sensitive text may have been properly deleted...
betanews.com (http://www.betanews.com/article/The-PDF-redaction-problem-TSA-may-have-been-using-old-software/1260466899)

Moose
2009-Dec-11, 12:26 AM
The strength of "leave it to me" programs like Word lies in the fact that anybody can use them. The weakness of "leave it to me" programs like Word lies in the fact that anybody can use them.

Change tracking is a razor-sharp, micro-serrated double-edged sword. Wouldn't be the first time confidential data escaped that way. Won't be the last, either.

tdvance
2009-Dec-11, 01:34 AM
That reminds me of that time some corporate employee put something rather embarrassing (and insulting to this other company) in a Word file, but deleted it before sending the file to another company. Someone at the other company used the "undo" feature to get it back.....

There is a reason government regs are very, very specific on how to redact. e.g. black marker on printout followed by scanning it to make a .pdf file is within the rules. Using a word processor to put a graphic black bar over the text is not.
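The failure discussed in the posts above, as an added example that is not part of the original thread: a black bar drawn over text leaves the text operator in the PDF page's content stream, so a pre-release check can flag any text whose origin sits under a rectangle that was filled after it. The content streams below are constructed samples, and the parser is a simplification that assumes uncompressed streams, one `Td` per text object, plain literal strings and no coordinate transforms.

```python
import re

# Tokens of a PDF content stream: literal strings, names, numbers, operators.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|/[^\s()/]+|[-+]?\d*\.?\d+|[A-Za-z*']+")
PAINT_FILL = {"f", "F", "f*", "B", "B*", "b", "b*"}   # operators that fill the path
PATH_END_NO_FILL = {"n", "S", "s"}                    # path ended without a fill

def text_under_fills(stream):
    """Return strings still present in the stream whose origin lies inside
    a rectangle filled later in paint order (i.e. drawn on top of them)."""
    operands, texts, fills, pending = [], [], [], []
    x = y = 0.0
    order = 0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/+-." or tok[0].isdigit():
            operands.append(tok)            # operand: keep until an operator
            continue
        order += 1
        if tok == "BT":                     # begin text object: reset position
            x = y = 0.0
        elif tok == "Td" and len(operands) >= 2:
            x += float(operands[-2])
            y += float(operands[-1])
        elif tok == "Tj" and operands and operands[-1].startswith("("):
            texts.append((order, x, y, operands[-1][1:-1]))
        elif tok == "re" and len(operands) >= 4:
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in PAINT_FILL:
            fills.extend((order, r) for r in pending)
            pending = []
        elif tok in PATH_END_NO_FILL:
            pending = []
        operands = []
    hits = []
    for t_order, tx, ty, text in texts:
        for f_order, (rx, ry, w, h) in fills:
            if f_order > t_order and rx <= tx <= rx + w and ry <= ty <= ry + h:
                hits.append(text)
                break
    return hits

# Constructed sample: black bar painted over a line that is still in the file.
OVERLAID = """
BT /F1 12 Tf 72 700 Td (Public heading) Tj ET
BT /F1 12 Tf 72 680 Td (CONSTRUCTED SENSITIVE LINE) Tj ET
0 0 0 rg
70 676 300 16 re f
"""
# Constructed sample: the text operator was deleted, only the bar remains.
REDACTED = """
BT /F1 12 Tf 72 700 Td (Public heading) Tj ET
0 0 0 rg
70 676 300 16 re f
"""
# Constructed sample: a coloured box drawn before the text is just a background.
BACKGROUND = """
1 1 0 rg
70 676 300 16 re f
BT /F1 12 Tf 72 680 Td (Highlighted note) Tj ET
"""

if __name__ == "__main__":
    for name, s in [("overlaid", OVERLAID), ("redacted", REDACTED), ("background", BACKGROUND)]:
        print(name, text_under_fills(s))
```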

Celestial Mechanic
2009-Dec-11, 05:40 AM
{Snip!} The press has stayed away from the Flight 296 ATl to Houston flight but jumps on this story with both feet.

What story is this? I did a Google search on "Flight 296 ATl to Houston" but that turned up only this post. A search on "Flight 296" turns up the crash of an Air France jet during an airshow, but I don't think that was what you had in mind.

sarongsong
2009-Dec-11, 06:16 AM
What story is this?...

Probably AirTran flight 297 from Atlanta to Houston (http://www.mdjonline.com/pages/full_story/push?article-Local+flier-+Execs+botched+AirTran+flight%20&id=5077680-Local+flier-+Execs+botched+AirTran+flight&instance=home_news_special_coverage) - December 10, 2009

NorthernBoy
2009-Dec-11, 06:06 PM
According to BBC, they do claim that the document was "outdated". But still, from what I can read in the news about it, it is pretty shoddy security to begin with. There's no excuse and I do hope some criticism and improvement comes from it. (I don't have much hope, though.)

;)

As someone who travelled regularly from London to New York, the "security" at JFK always struck me as a joke, albeit quite a scary one. The staff there seemed to view having mouthed the required words while chatting to one-another perfectly adequate, and seemed to have no idea of exactly what they were supposed to be doing there.

While queuing there once, I saw a man be directed to go off and be checked over more thoroughly, and after walking a few metres in the right direction, he just decided not to bother and walked off. A minute later someone in security asked what had happened with him, and everyone just shrugged and didn't worry about it.

NorthernBoy
2009-Dec-11, 06:08 PM
This is worrisome for the public and for armed law enforcement officers who fly. Nothing good comes from this type of security failure. The press should show some discretion but that would be out of character lately. The press has stayed away from the Flight 296 ATl to Houston flight but jumps on this story with both feet.

That's probably because there's nothing to report there. A guy with a camera was looking at some photographs and did not turn it off when asked. Snopes has it covered,

http://www.snopes.com/politics/religion/flight297.asp

korjik
2009-Dec-11, 07:04 PM
As someone who travelled regularly from London to New York, the "security" at JFK always struck me as a joke, albeit quite a scary one. The staff there seemed to view having mouthed the required words while chatting to one-another perfectly adequate, and seemed to have no idea of exactly what they were supposed to be doing there.

While queuing there once, I saw a man be directed to go off and be checked over more thoroughly, and after walking a few metres in the right direction, he just decided not to bother and walked off. A minute later someone in security asked what had happened with him, and everyone just shrugged and didn't worry about it.

We had at least one time at IAH where a couple people just walked around the barriers into the secure area. It was recorded on one of the security cams.

clop
2009-Dec-11, 07:50 PM
As someone who travelled regularly from London to New York, the "security" at JFK always struck me as a joke, albeit quite a scary one. The staff there seemed to view having mouthed the required words while chatting to one-another perfectly adequate, and seemed to have no idea of exactly what they were supposed to be doing there.

While queuing there once, I saw a man be directed to go off and be checked over more thoroughly, and after walking a few metres in the right direction, he just decided not to bother and walked off. A minute later someone in security asked what had happened with him, and everyone just shrugged and didn't worry about it.

I once did the exact same thing at Singapore airport. I was herded towards a security check at the end of a hallway, got confused, veered the wrong way, and ended up airside with all my things and no check along with half a dozen other people. Nobody seemed to care.

clop

BigDon
2009-Dec-11, 07:55 PM
I took a wrong turn, with a bunch of temps, while doing business in other parts of the building, and ended up in the money counting room at the San Francisco mint. Three very surprised Asian ladies were the only other people in there and they had to let us out.

korjik
2009-Dec-11, 08:36 PM
I took a wrong turn, with a bunch of temps, while doing business in other parts of the building, and ended up in the money counting room at the San Francisco mint. Three very surprised Asian ladies were the only other people in there and they had to let us out.

How much did you get?

NorthernBoy
2009-Dec-11, 09:52 PM
We had at least one time at IAH where a couple people just walked around the barriers into the secure area. It was recorded on one of the security cams.

Having travelled extensively during the IRA years in London, I am pretty familiar with SOP during high alert periods, how places are shut down, and, especially, how airports screen and stop people slipping through. The overriding impression in Miami (where the barrier to stop you avoiding security was a sternly worded sign telling you to go through security) and New York was that the staff just did not "get it" in terms of understanding what the whole process was for. All too often people substituted authoritarianism and shouting for efficiency and safety.

tdvance
2009-Dec-11, 09:54 PM
As someone who travelled regularly from London to New York, the "security" at JFK always struck me as a joke, albeit quite a scary one. The staff there seemed to view having mouthed the required words while chatting to one-another perfectly adequate, and seemed to have no idea of exactly what they were supposed to be doing there.

While queuing there once, I saw a man be directed to go off and be checked over more thoroughly, and after walking a few metres in the right direction, he just decided not to bother and walked off. A minute later someone in security asked what had happened with him, and everyone just shrugged and didn't worry about it.

Speaking of "mouthing the words"--remember before 9/11? They asked two questions of everyone, and you'd better give the right answer or be searched. "Did you pack your own luggage? Was it in your control at all times?" I accidentally said No to the first (very tired), she said, "Careful what you say" and asked again, and I said "yes" and I was passed through. Very helpful.

Mr Terrorist, do you have a bomb? "yes" wait--was that the answer you really wanted to give? "oh, I mean, 'no'". Ok, pass.

NorthernBoy
2009-Dec-11, 10:29 PM
The "welcome" at JFK when landing was always a particular treat. I was pulled off to one side once for extra questioning about my reason for travelling, and was not as quick to answer as the official would have liked (my body clock was telling me it was 04:00 am, I'd had fourteen hours of work before I flew, a few drinks when I got on the plane, and a few coffees before landing as I was sober and hungover at that point), and decided that the best route was to start shouting in my face "Why are you nervous, what have you got to hide?"

The idea that I might be a bit worried that a bully with a gun, who could destroy my job on a whim if I gave the wrong answer obviously never occurred to him as a pretty good reason why I might not be as relaxed as I'd normally be.

I love the US, and its people, but it seems that the worst it has to offer have been rounded up and placed in immigration sometimes. The disjoint between the posters telling us that they are "the face of the nation", and their (only some of them mind, there are good people everywhere) actual demeanour was large.

SolusLupus
2009-Dec-11, 11:20 PM
Heh, I remember that time I took a flight from Korea, about 14 hours long, and then jumped on a connecting flight that was about an hour long.

The security guard practically rolled his eyes up at me when my brain was operating on Tired mode, and said "That flight was only an hour!"

Yes. No international flights could POSSIBLY connect directly to a national flight.

BigDon
2009-Dec-12, 02:19 AM
Having travelled extensively during the IRA years in London, I am pretty familiar with SOP during high alert periods, how places are shut down, and, especially, how airports screen and stop people slipping through.

And here I was thinking you were a Yankee.

NorthernBoy
2009-Dec-12, 08:39 AM
And here I was thinking you were a Yankee.

Oh no, I'm from Newcastle, up North, but now live in Canary Wharf in London.

I've lived in the US a couple of times, but could never pass for a local.