Tag Archives: TSA

Security News for the Week Ending April 10, 2020

Remember that Real-ID Deadline we Were Worried About

Since planes seem to be flying with less passengers than flight crew members these days – if they fly at all – the gov has decided to make some security changes.   In addition to the fact that they are allowing you to bring a 12 ounce bottle of hand sanitizer onto the flight, they are allowing people to fly with EXPIRED drivers licenses since DMV offices are closed in almost every state.  They can be expired up to the later of one year or 60 days past the end of the pandemic emergency.  The DMVs were saying that, given the number of licenses that they had to re-issue to comply with Real ID, the October 1, 2020 date was going to be impossible to meet – before the pandemic.  Now that date would require a miracle – assuming we even know when DMV offices will reopen.  Of course, since no one is flying right now, it is sort of a moot point for the moment.  Several House members wrote to DHS pointing that fact out, but as of today, other than saying that you can use an expired license, they haven’t said anything about Real ID.  I am reasonably confident that they will delay enforcement.  Again.  For the umpteenth time.  Source: CNN

Hacker Takes on Elastic Search Scorched Earth Policy

A hacker or hackers have decided to make a point that putting servers on the Internet with no password is not exactly a bright strategy.

To reinforce that point, the hacker is wandering around the Internet, finding unprotected servers and wiping all the data from.  As of earlier this week, that amounts to around 15,000 servers.  It is unknown whether these servers are active or abandoned or whether the owner has a backup, but hopefully the point will be made and people will start securing their servers.  Source: ZDNet

Russia one-ups China – Steals Internet Traffic for 200 Networks for an Hour

Russia does not want to feel unloved.  Therefore, it stole all of the Internet traffic for 200 or so content delivery networks such as Facebook, Google, Amazon and others for an hour.  After vacuuming in all that data, it spit it back out to the rightful destination, so other than the connection being slow, the users were unaware.  I am sure it was just an accident.  Of course, if Russia wanted to, it could have rerouted all that data and just thrown it in the trash.  The good news is that there is a new spec for BGP routing security and there are a few tests going on right now as some companies begin to implement it.  In ten years or so (if we are lucky), when it is fully implemented, these attacks won’t work.  Source: ZDNet

Microsoft Pays for Its Past Sins

A couple of weeks ago it was reported that the owner of the domain corp.com was putting the domain up for sale.  This was an issue because for years Microsoft used Corp.com as the example domain for setting up Active Directory and thousands of companies used that example for real.  This week Microsoft bought the domain which was for sale for $1.7 million.  Microsoft didn’t say how much they paid, but the really had no option because if a bad guy bought it, the passwords of tens of thousands of companies employees would be at risk.  Credit: Bleeping Computer

What Do You Get for $7.55 Billion?

This year the TSA’s performance is better than last year.

Last year, it has been reported, TSA checkpoints failed to detect contraband 95% of the time.

That means for $7+ billion, TSA agents only stopped 5% of the stuff that was not supposed to be allowed on board.

This year, according to reports, the number is in the neighborhood of 80% failure, meaning that the bad guys have a 4 out 5 chance of getting contraband on board.

That makes me feel safer, for sure.

The briefing, before the House Committee on Homeland Security, was classified. I think the bad guys understand that their odds are good in getting stuff through the checkpoints.  The reason the hearing was classified, no doubt, is they probably discussed what types of things were least likely to be detected and techniques that they used.

This year, instead of using specially trained red teams during the test, they used secretaries and clerks.  You would think that might improve the odds of getting caught, but apparently not.

Rep. Mike Rogers told TSA administrator David Pekoske that “this agency that you run is badly broken”.

That would qualify as an understatement.

Of course, none of this is news to those of us in security.

Going back to when Mary Schiavo was the Inspector General of the Department of Transportation, corruption, fraud, incompetence and abuse in the DoT was being exposed.  Schiavo had over 150 convictions during her 6 years as IG.

TSA “red teams” have been trying to sneak stuff through checkpoints for 15 years.  In 2015, the TSA screeners failed in 67 out of 70 tests, according to leaked reports.

This years is a tad bit better, but still, the odds of getting contraband through – including guns and explosives – is insanely high.

It might also be useful to understand that the so-called “9/11” security fee that is added to every airplane ticket has been mostly diverted to other purposes and is not used to pay for or improve security or buy new screening devices.

Because the 9/11 fee is being diverted to items like building the border wall, security at airports is being degraded.  DHS Viper teams that use dogs to secure transportation facilities are being cut from 31 teams to 8 teams, for example.

I think I am going to drive on my next trip – it might be safer.

Information for this post came from ABC.

TSA Rolls Out New Screening Rule

Earlier this summer, TSA banned laptops and other large electronics on flights into the United States from certain countries.  Almost as quickly, they removed those bans – likely due to feedback from the airlines who were concerned that travelers would use video conferencing instead of flying.

Later this summer, TSA started a pilot program at a few airports that implemented enhanced scanning of electronics.

Now they are beginning the roll out of the program nationwide between now and early 2018.

Here is how the program will work.  Passengers will be required to take ALL electronics larger than a cell phone out of their carry on bags and place them in a tray by themselves with nothing underneath them and nothing on top of them.

This includes game consoles, cameras, iPads and other large electronics.

Because of these new rules and the anticipated delays at screening locations, TSA is recommending that passengers arrive at the airport 90 minutes before their flight rather than 60 minutes before.

It is not clear if these rules will apply to TSA Precheck passengers.

Information for this post came from Security Today.

DHS Considering Laptop and Tablet Ban on All Flights From Europe to US

Multiple sources are reporting that Homeland Security is considering banning all laptops and tablets from all cabins on all flights from Europe.

An announcement is expected tomorrow and I will update this post if an announcement is made.

DHS is saying today that no final decision has been made.

While we don’t know what DHS will do, here are my thoughts:

  1. It is HIGHLY likely that terrorists have figured out how to make bombs that can be hidden inside laptops and other larger electronic devices.
  2. Since airlines are not responsible for broken or stolen laptops and other electronic equipment in checked baggage, that puts travelers between a rock and a hard place.
  3. Stolen laptops and electronics represent a major security risk to corporations and individuals.
  4. ALL companies and users should encrypt ALL mobile devices to reduce the risk of having to declare a breach when an unencrypted laptop is missing from checked luggage.  The only state that was thought to require a breach declaration for encrypted data was Tennessee and they changed their law last month to clarify that was not the case.
  5. Regarding broken laptops (and when I say laptops I mean laptops, tablets, drones, cameras and other electronic equipment), there are a couple of issues.  First, consider insurance.  It is possible that you may be able to add coverage to your homeowners or renters policy but beware of policy deductibles.  For businesses, they are likely to be self insured.
  6. If you are going on a trip and electronics (and the data stored on them) are important, you should consider a disaster preparedness/incident response plan to deal with what occurs if your electronics don’t arrive or are broken.
  7. ASSUMING this happens, this is the best gift ever for the video conferencing business since 9/11.  The airlines didn’t recover from the lost business from 9/11 for years.  If this happens, this will just accelerate the decline of business travel.

One more thing to consider.  Given that Lithium Ion batteries – the type used in laptops – were responsible for more than 30 in flight cabin fire incidents in 2016 that flight attendants were able to put out with halon fire extinguishers, putting those devices in baggage may represent a safety issue. The FAA’s Fire Safety Branch says that the fire suppression systems used in cargo holds is ineffective at putting out lithium ion fires caused by the types of batteries in laptops, based on their tests in 2015.

Stay tuned for more details.

Information from this post came from the Daily Beast.

Follow Up To TSA Master Key Fail

In a classic TSA response, the TSA says that this is no big deal.

First, here is what they said in 2003 when they introduced them:

TSA official Ken Lauterstein described them as part of the agency’s efforts to develop “practical solutions that contribute toward our goal of providing world-class security and world-class customer service.”

Now, however the TSA says that the ability to create your own TSA master key does not threaten aviation security.  That statement is probably true.

Then they say that these products are “peace of mind”, not part of security.  Well they are half right.  Those devices are not part of THEIR security.  They should not be a part of anyone’s peace of mind, however.

Here is the real kicker, however:

In addition, the reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control.

So the fact that that copies of the TSA master key are out in the wild does not reduce security? Do ya want to explain that?  The TSA does not bother to explain.

That being said, researchers being researchers, they asked whether the TSA keys been posted before and the answer is YES.  Back in 2008, high res photos were published to 7 TSA master keys.  That photo is still out there (see photo).

My suggestion – just use regular Master padlocks (the little ones are available on Amazon in a 4 pack for $8 and change).  If the TSA decides that they need to break in at least you will know it and you will be out $2.

Information for this post came from the Intercept.

TSA Fails To Detect Contraband 95% Of The Time

ABC News reported what we already knew and as Bruce Schneier aptly said – the TSA is security theatre.  All show and not much substance.  Homeland Security “Red Teams” were successful 67 out of 70 times at getting mock weapons and explosives through TSA checkpoints all over the country.

Previously, TSA “fails” had been cast as limited to a few airports such as O’Hare, but apparently, according to data leaked to ABC News, the problem is systemic.

The solution:  DHS Director Jeh Johnson “reassigned” acting TSA director Melvin Caraway to some other place inside DHS.

In my opinion, TSA was given a no-win charter.  Take more than 50,000 people, give them minimal training and low pay (salaries start at around $25,000 – less than a supermarket checker makes) and expect them to be successful.  I don’t think that is possible.

If anything comes of this and I am not optimistic anything will, this falls squarely in Congress’ lap.  The whole concept of airline security needs to be re-thought.

One source says that the cost per gun found is $6 million.  I don’t know if that number is correct or not, but it would not surprise me.  The Blaze said the House proposed a 2015 budget for the TSA of $4.6 Billion with 45,000 full time screeners – and that is a reduction.