Tag Archives: TSA

TSA Issues New Pipeline Security Directive

After not doing anything over the last twenty years to protect the cybersecurity of pipelines, the TSA decided they needed to do something – anything – so that they have the appearance of responding to the problem.

If you get the sense that I am not impressed, you are correct.

So what do pipeline operators have to do now?

The first thing, which I suspect that operators are not thrilled about, is that they now have to report both confirmed and POTENTIAL cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

One requirement that probably won’t be too painful is that they are required to designate a cybersecurity coordinator and that person needs to be available 24/7.

They also have to review their current security practices and report risks, gaps and remediation measures to the TSA and CISA within 30 days. What makes this a bit toothless is that there is no guidance on how to conduct this risk assessment.

The Secretary of Homeland Security, Alejandro N Mayorkas said that DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.

I would rather they treat these organizations like businesses that they are regulating and hold them accountable for their horrible security (reminder: the auditor of an audit that Colonial paid for a few years ago said their security was so bad that an 8th grader could hack them). Partners are cozy. Way too cozy. Credit: Bleeping Computer

Nothing in this order requires them to fix any issues, fix them in a particular amount of time or adhere to any standards. Even the electric industry has standards. Credit: Metacurity

While this is designed to give the appearance that the government is doing something, that something is, in reality, not very much.

Security News for the Week Ending April 10, 2020

Remember that Real-ID Deadline we Were Worried About

Since planes seem to be flying with fewer passengers than flight crew members these days – if they fly at all – the gov has decided to make some security changes. In addition to the fact that they are allowing you to bring a 12 ounce bottle of hand sanitizer onto the flight, they are allowing people to fly with EXPIRED driver's licenses since DMV offices are closed in almost every state. They can be expired up to the later of one year or 60 days past the end of the pandemic emergency. The DMVs were saying that, given the number of licenses that they had to re-issue to comply with Real ID, the October 1, 2020 date was going to be impossible to meet – before the pandemic. Now that date would require a miracle – assuming we even know when DMV offices will reopen. Of course, since no one is flying right now, it is sort of a moot point for the moment. Several House members wrote to DHS pointing that fact out, but as of today, other than saying that you can use an expired license, they haven’t said anything about Real ID. I am reasonably confident that they will delay enforcement. Again. For the umpteenth time. Source: CNN

Hacker Takes on Elastic Search Scorched Earth Policy

A hacker or hackers have decided to make a point that putting servers on the Internet with no password is not exactly a bright strategy.

To reinforce that point, the hacker is wandering around the Internet, finding unprotected servers and wiping all the data from them. As of earlier this week, that amounts to around 15,000 servers. It is unknown whether these servers are active or abandoned or whether the owner has a backup, but hopefully the point will be made and people will start securing their servers. Source: ZDNet

Russia one-ups China – Steals Internet Traffic for 200 Networks for an Hour

Russia does not want to feel unloved.  Therefore, it stole all of the Internet traffic for 200 or so content delivery networks such as Facebook, Google, Amazon and others for an hour.  After vacuuming in all that data, it spit it back out to the rightful destination, so other than the connection being slow, the users were unaware.  I am sure it was just an accident.  Of course, if Russia wanted to, it could have rerouted all that data and just thrown it in the trash.  The good news is that there is a new spec for BGP routing security and there are a few tests going on right now as some companies begin to implement it.  In ten years or so (if we are lucky), when it is fully implemented, these attacks won’t work.  Source: ZDNet

Microsoft Pays for Its Past Sins

A couple of weeks ago it was reported that the owner of the domain corp.com was putting the domain up for sale. This was an issue because for years Microsoft used Corp.com as the example domain for setting up Active Directory and thousands of companies used that example for real. This week Microsoft bought the domain, which was for sale for $1.7 million. Microsoft didn’t say how much they paid, but they really had no option because if a bad guy bought it, the passwords of tens of thousands of companies' employees would be at risk. Credit: Bleeping Computer

What Do You Get for $7.55 Billion?

This year the TSA’s performance is better than last year.

Last year, it has been reported, TSA checkpoints failed to detect contraband 95% of the time.

That means for $7+ billion, TSA agents only stopped 5% of the stuff that was not supposed to be allowed on board.

This year, according to reports, the number is in the neighborhood of 80% failure, meaning that the bad guys have a 4 out of 5 chance of getting contraband on board.

That makes me feel safer, for sure.

The briefing, before the House Committee on Homeland Security, was classified. I think the bad guys understand that their odds are good in getting stuff through the checkpoints.  The reason the hearing was classified, no doubt, is they probably discussed what types of things were least likely to be detected and techniques that they used.

This year, instead of using specially trained red teams during the test, they used secretaries and clerks.  You would think that might improve the odds of getting caught, but apparently not.

Rep. Mike Rogers told TSA administrator David Pekoske that “this agency that you run is badly broken”.

That would qualify as an understatement.

Of course, none of this is news to those of us in security.

Going back to when Mary Schiavo was the Inspector General of the Department of Transportation, corruption, fraud, incompetence and abuse in the DoT was being exposed.  Schiavo had over 150 convictions during her 6 years as IG.

TSA “red teams” have been trying to sneak stuff through checkpoints for 15 years.  In 2015, the TSA screeners failed in 67 out of 70 tests, according to leaked reports.

This year is a tad bit better, but still, the odds of getting contraband through – including guns and explosives – are insanely high.

It might also be useful to understand that the so-called “9/11” security fee that is added to every airplane ticket has been mostly diverted to other purposes and is not used to pay for or improve security or buy new screening devices.

Because the 9/11 fee is being diverted to items like building the border wall, security at airports is being degraded.  DHS Viper teams that use dogs to secure transportation facilities are being cut from 31 teams to 8 teams, for example.

I think I am going to drive on my next trip – it might be safer.

Information for this post came from ABC.

TSA Rolls Out New Screening Rule

Earlier this summer, TSA banned laptops and other large electronics on flights into the United States from certain countries.  Almost as quickly, they removed those bans – likely due to feedback from the airlines who were concerned that travelers would use video conferencing instead of flying.

Later this summer, TSA started a pilot program at a few airports that implemented enhanced scanning of electronics.

Now they are beginning the rollout of the program nationwide between now and early 2018.

Here is how the program will work. Passengers will be required to take ALL electronics larger than a cell phone out of their carry-on bags and place them in a tray by themselves with nothing underneath them and nothing on top of them.

This includes game consoles, cameras, iPads and other large electronics.

Because of these new rules and the anticipated delays at screening locations, TSA is recommending that passengers arrive at the airport 90 minutes before their flight rather than 60 minutes before.

It is not clear if these rules will apply to TSA Precheck passengers.

Information for this post came from Security Today.

DHS Considering Laptop and Tablet Ban on All Flights From Europe to US

Multiple sources are reporting that Homeland Security is considering banning all laptops and tablets from all cabins on all flights from Europe.

An announcement is expected tomorrow and I will update this post if an announcement is made.

DHS is saying today that no final decision has been made.

While we don’t know what DHS will do, here are my thoughts:

  1. It is HIGHLY likely that terrorists have figured out how to make bombs that can be hidden inside laptops and other larger electronic devices.
  2. Since airlines are not responsible for broken or stolen laptops and other electronic equipment in checked baggage, that puts travelers between a rock and a hard place.
  3. Stolen laptops and electronics represent a major security risk to corporations and individuals.
  4. ALL companies and users should encrypt ALL mobile devices to reduce the risk of having to declare a breach when an unencrypted laptop is missing from checked luggage.  The only state that was thought to require a breach declaration for encrypted data was Tennessee and they changed their law last month to clarify that was not the case.
  5. Regarding broken laptops (and when I say laptops I mean laptops, tablets, drones, cameras and other electronic equipment), there are a couple of issues.  First, consider insurance.  It is possible that you may be able to add coverage to your homeowners or renters policy but beware of policy deductibles.  For businesses, they are likely to be self insured.
  6. If you are going on a trip and electronics (and the data stored on them) are important, you should consider a disaster preparedness/incident response plan to deal with what occurs if your electronics don’t arrive or are broken.
  7. ASSUMING this happens, this is the best gift ever for the video conferencing business since 9/11.  The airlines didn’t recover from the lost business from 9/11 for years.  If this happens, this will just accelerate the decline of business travel.

One more thing to consider. Given that Lithium Ion batteries – the type used in laptops – were responsible for more than 30 in-flight cabin fire incidents in 2016 that flight attendants were able to put out with halon fire extinguishers, putting those devices in baggage may represent a safety issue. The FAA’s Fire Safety Branch says that the fire suppression systems used in cargo holds are ineffective at putting out lithium ion fires caused by the types of batteries in laptops, based on their tests in 2015.

Stay tuned for more details.

Information for this post came from the Daily Beast.

Follow Up To TSA Master Key Fail

In a classic TSA response, the TSA says that this is no big deal.

First, here is what they said in 2003 when they introduced them:

TSA official Ken Lauterstein described them as part of the agency’s efforts to develop “practical solutions that contribute toward our goal of providing world-class security and world-class customer service.”

Now, however, the TSA says that the ability to create your own TSA master key does not threaten aviation security. That statement is probably true.

Then they say that these products are “peace of mind”, not part of security.  Well they are half right.  Those devices are not part of THEIR security.  They should not be a part of anyone’s peace of mind, however.

Here is the real kicker, however:

In addition, the reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control.

So the fact that copies of the TSA master key are out in the wild does not reduce security? Do ya want to explain that? The TSA does not bother to explain.

That being said, researchers being researchers, they asked whether the TSA keys had been posted before and the answer is YES. Back in 2008, high res photos were published of 7 TSA master keys. That photo is still out there (see photo).

My suggestion – just use regular Master padlocks (the little ones are available on Amazon in a 4 pack for $8 and change).  If the TSA decides that they need to break in at least you will know it and you will be out $2.

Information for this post came from the Intercept.