TSA News roundup

Finally some humor from Lucas Cantor:

abitmuch.jpg


and another:

tsa-touch-their-balls.jpg

"Proof" that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC.

And poor Frank was working so hard to claim that e-passports wouldn’t lead to impersonation or ID thefts.

I’m sorry that someone is impersonating Frank and using his passport to try to drain funds, but we told him that this would happen.

passport.png

Lazy Sunday, Lazy Linking

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even if I don’t have time to blog about how I think about the topics discussed in the context of Information Security.

GUNNAR PETERSON GIVES GOOD PDF

First, in case you haven’t read Gunnar’s article “Reference Monitor For The Internet Of Things (.pdf)” in the latest IQT Quarterly, you really should.  Gunnar smart, Alex head hurt.

CHECKLISTS, KNOWLEDGE AND EXPLODING AIRBUS ENGINES

The Daily Speculations Blog has an interesting link/blog/discussion about the recent Quantas Airbus problems.   What caught me especially was this point – “Over-riding systematic considerations in favour of discretionary controls”. The actual interview they link to is here.

SOMETHING NICELY DONE DISCUSSING PRO’S & CON’S OF BEHAVIORAL ECONOMICS

Here’s an article in FundStrategy webzine called “DefiesLogic” that discusses behavioral economics, biases, market actors and so forth. Ben Hunt (the author) seems a little down on (or at least wants to curb the enthusiasm over) Behavioral Economics.  I’m OK identifying the limitations of any applied tool.

NOT RELATED – GOOGLE CHROME

The “computer guy” part of me finds Google Chrome to be interesting.  The “security management / risk guy” in me thinks the platform has  fascinating potential.  Here’s the TechCrunch review of the new laptops.

ABSOLUTELY NOTHING TO DO WITH INFOSEC BUT I LAUGHED

Awkward Pregnancy Photos.

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said.

“But at this point, TSA in consultation with counterterrorism experts have indicated to me that the procedures that they have been putting in place are the only ones right now that they consider to be effective against the kind of threat that we saw in the Christmas Day bombing.” (“Obama: TSA pat-downs frustrating but necessary“)

I’ve spent the last several years developing tools, techniques, methodologies and processes for software threat modeling. I’ve taught thousands of people more effective ways to threat model. I’ve released tools for threat modeling, and even a game to help people learn to threat model. (I should note here that I am not speaking for my employer, and I’m now focused on other problems at work.) However, while I worked on software threat modeling, not terror threat modeling, the President’s statement concerns me. Normally, he’s a precise speaker, and so when he says “effective against the kind of threat that we saw in the Christmas Day bombing,” I worry.

In particular, the statement betrays a horrific backwards bias. The right question to ask is “will this mitigation protect the system against the attack and predictable improvements?” The answer is obviously “no.” TSA has smart people working there, why are they letting that be the headline question?

The problems are obvious. For example, in a Flyertalk thread, Connie asks: “If drug mules swallow drugs and fly, can’t terrorists swallow explosive devices?” and see also “New threat to travellers from al-Qaeda ‘keister bomb’.”

Half of getting the right answer is asking the right questions. If the question the President is hearing is “what can we do to protect against the threat that we saw in the Christmas day bombing (attempt)” then there are three possible interpretations. First is that the right question is being asked at a technical level, and the wrong question is being asked at the top. Second, the wrong questions are being asked up and down the line. Third is that the wrong question is being asked at the top, but it’s the right question for a TSA Administrator who wants to be able to testify before Congress that “everything possible was done.”

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I’ll suggest “how do you model future threats?” as an excellent place to start.

Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there’s discrepancies in catering and other servicing of the planes, there’s issues with cargo screening, etc.

These issues are getting exposed by the red teaming which happens, but that doesn’t lead to a systematic set of balanced defenses.

As long as the President is asking “Is this effective against the kind of threat that we saw in the Christmas Day bombing?” we’ll know that the right threat models aren’t making it to the top.

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology
Gaithersburg, MD USA
April 5-6, 2011

Call for Participation

The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant security vulnerabilities are often caused by security designers’ failure to account for human factors. Despite growing attention to the issue, these problems are likely to continue until the underlying development processes address usable security.

See http://www.thei3p.org/events/sausage2011.html for more details.

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology
Gaithersburg, MD USA
April 5-6, 2011

Call for Participation

The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant security vulnerabilities are often caused by security designers’ failure to account for human factors. Despite growing attention to the issue, these problems are likely to continue until the underlying development processes address usable security.

See http://www.thei3p.org/events/sausage2011.html for more details.

Navigation