Schneier on Security
A blog covering security and security technology.
April 26, 2006
The Security Risk of Special Cases
In Beyond Fear, I wrote about the inherent security risks of exceptions to a security policy. Here's an example, from airport security in Ireland.
Police officers are permitted to bypass airport security at the Dublin Airport. They flash their ID, and walk around the checkpoints.
A female member of the airport search unit is undergoing re-training after the incident in which a Department of Transport inspector passed unchecked through security screening.
It is understood that the department official was waved through security checks having flashed an official badge. The inspector immediately notified airport authorities of a failure in vetting procedures. Only gardai are permitted to pass unchecked through security.
There are two ways this failure could have happened. One, the security person could have thought that Department of Transport officials have the same privileges as police officers. Two, the security person could have thought she was being shown a police ID.
This could have just as easily been a bad guy showing a fake police ID. My guess is that the security people don't check them all that carefully.
The meta-point is that exceptions to security are themselves security vulnerabilities. As soon as you create a system by which some people can bypass airport security checkpoints, you invite the bad guys to try and use that system. There are reasons why you might want to create those alternate paths through security, of course, but the trade-offs should be well thought out.
Posted on April 26, 2006 at 6:05 AM
• 30 Comments
In this case, I think the tradeoff was well thought out... requiring police (or firefighters, or medics, or heads of state, etc.) to go through regular security is just lunacy. The problem is rather that authentication is difficult. Badges typically don't work well because there are too many different kinds; people would have to be trained to distinguish fakes from real ones for every type, and that's simply not feasible. Usually such a system degenerates to "if they show some plausible-looking badge, they will be fine".
So often these articles refer to "re-training". What is that exactly? Does it involve fingernails?
Only local PD, fire, etc. need to use this type of exception (in response to an emergency). There is no need for an 'out of town' police officer to bypass screening. Heads of state should not be responding to emergencies and should be held to the same rules as normal citizens.
Almost every security system has exceptions. Firewalls let in packets going to the web server on port 80 and that sort of thing.
If someone is going to be allowed to bypass normal procedures then there should be methods in place that are just as strong to deal with them. A badge is cheap, a photo ID that will pass casual inspection is just a little more.
In Dublin airport there is separate screening for staff with airside passes, and since they don't have to queue with the normal passengers there shouldn't be large queues. There's no real reason for anyone to have an exception.
This seems easy to solve. No one bypasses security. Police don't have to take their shoes off, but they should have to be recognized by security before passing a security checkpoint.
The time-tested tradition of people knowing their coworkers no longer seems good enough. The turnover rates for lame jobs are pretty high and there's a fear that someone who was laid off yesterday could wake up the next day as a terrorist. Giving all of the security staff a daily briefing on changes in staff, as well as a book of photos for validation, seems like a relatively simple solution.
If there really must be a way to sell technology for every problem, a RFID tag on the badge could be used to bring up their profile and status on a terminal for the quick verification line.
Whether or not there is a hardware sale involved, the security people can confirm that the individual is authorized before letting him continue walking through. If there were a need for people unknown to the system to bypass the security checkpoint (ie, fire fighters, paramedics or local police), they should do so escorted by airport police.
Training is often a CYA tactic. It allows the organization to say that the individual was not following policy whenever there is a problem. It's not uncommon for police departments to employ this tactic to distance themselves from the consequences of the orders they give to their officers. The reality of the situation is that most people are not going to question their boss's boss's boss when it seems like they should be allowed to bypass security. If the person was recognized by the screener as staff, that likely factored into the belief that they were acting appropriately.
"this type of exception (in response to an emergency). "
Everybody should be checked regardless, otherwise what's to stop an insider creating an emergency to get his buddies through with the payload that can then be used at a later date?
"a RFID tag on the badge could be used to bring up their profile and status on a terminal"
Or for a terrorist to identify them on a bus or other place, follow them home, kidnap their family and then use the poor bod as a mule etc.
The solution to the problem is not simple; just about all solutions have defects that can fairly easily be exploited by a knowledgeable person.
At some point all security systems have weaknesses. E.g. birth certificates authenticate a birth, not an identity, but in the UK and other places they can be used to prove who you are for a passport etc., which is then used as an identity card, which gets you a photo driving licence; both of which can then be used to get a bank account and credit card. The bank account gets you a flat to rent, paying your local tax gets you a vote on the "electoral register", which can then be used to prove where you live... All you need to become a new person is a little patience and one document only (i.e. the birth cert) that can be easily obtained as a copy...
The joy of the new ID Card DB the UK Government is going to implement is that it will actually make the job of an insider a lot lot easier...
Like I said, RFID is only useful if you need to sell technology. Isn't the movie "Hostage" based on the threat you mention? How often does this happen in real life? It's possible, but unlikely. It also assumes that a police officer is willing to participate in mass murder for the negligible chance that a terrorist group would let his family go. In the real world, they'd be killed either way. It simply doesn't make any sense for a group of people interested in indiscriminate mass murder to leave witnesses behind.
RFID is irrelevant in this context. How many terrorists are running around with RFID readers? For the sake of illustration, can we agree that it's approximately 0, with a small margin of error? How many people, including terrorists, would be able to recognize that the guy wearing the police uniform is a police officer? Again, for the sake of illustration, I'd suggest everyone could do that. The exact same threat and probability exists independent of using RFID.
Some people are claiming that RFID is a great boon to security. If that's really true, and the opponents are just paranoid, I think it would be a good idea for the police to lead by example.
Insiders are always going to be able to do something that would cause a security measure to fail. The goal of real world security systems is to prevent outsiders from being able to make the system fail. Also, they try to screen the outsiders as well as possible before letting them become insiders.
Everybody should be checked regardless
Once upon a time (late 2001 / early 2002) a friend of mine, who was in the air two days a week, got to watch a guy in an army uniform go through the whole process - boots off, metal detector, same as everyone else.
When he got to the other side they gave him back his rifle and he took over for the guy going off duty. While it's not like this soaked up hours of a screener's time, it seems less efficient than it might be.
Remember the exception in Silence of the Lambs: injured security guards are above suspicion...
That was certainly an example of an emergency created to exploit the exception.
Our prisons show the fallacy of letting 'trusted' people with badges bypass scrutiny. When all other means of getting drugs into prisons have been foiled, then all the drugs coming in are coming in through the guards.
We've already had air marshals caught smuggling, so it would be idiocy to trust any of them.
By scrutinizing everyone, we entirely avoid the problem of authentication.
Letting 'important people' bypass scrutiny is idiocy. One of the marks of high status is proving you can violate the rules without being punished, or even caught, and to high-status people breaking the rules is a real giggle. The 'trusted' people -- security, police, firefighters, and also maintenance and housekeeping -- who can bypass security will get a giggle out of getting away with their violations.
The trouble with exempting high-status people, and their belongings, is that this creates a deliberate blind spot. Anyone wanting to slip a bomb into airliner luggage would want to make sure the luggage carrying the bomb was covered by 'diplomatic pouch'.
And, yes, police should be forced to take off their shoes, otherwise they will know there is one place they'll never be searched, and some will take advantage of this. (Chemical detectors won't help, since diamonds don't have a smell.)
> Almost every security system has exceptions. Firewalls let in packets going
> to the web server on port 80 and that sort of thing.
That's not an exception. You're (intentionally or otherwise) confusing the firewall terminology with the more general security terminology.
The port 80 packets still pass through the firewall, and they are still examined by the firewall rules. They're passing through the security system.
This is like having a router set up outside the firewall that passes all traffic destined to www.blah.foo to the web server directly, and all other traffic through the firewall. The web server traffic, in this case, never passes through the firewall.
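The distinction the reply draws, an allow rule that traffic still traverses versus a side path that routes around the policy entirely, is the same one the post makes about checkpoint bypasses. The following is an added illustration, not code from the original post or its comments: a toy packet filter with an allow rule for the web server, beside a router that hands web-server traffic straight through. All addresses, payloads and the HTTP sanity check are constructed for the example.

```python
"""Allow rule versus bypass path, as an added example.

A Firewall evaluates every packet handed to it: it matches rules, applies a
(toy) payload inspection to allowed port-80 traffic, and logs a verdict.
A BypassRouter placed in front of it delivers web-server traffic directly,
so that traffic is never inspected and never appears in the firewall log.
All addresses and payloads below are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Toy inspection: allowed port-80 traffic must at least start like an HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    dst: str
    dport: int
    action: str  # "allow" or "deny"


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)


class Firewall:
    """Policy engine: everything handed to it is matched, inspected and logged."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default
        self.log: List[Tuple[str, str, int, str]] = []

    def filter(self, pkt: Packet) -> str:
        verdict = self.default
        for rule in self.rules:
            if (rule.dst, rule.dport) == (pkt.dst, pkt.dport):
                verdict = rule.action
                break
        # The allow rule is not an exception: allowed traffic is still examined.
        if verdict == "allow" and pkt.dport == 80 and not looks_like_http(pkt.payload):
            verdict = "deny"
        self.log.append((pkt.src, pkt.dst, pkt.dport, verdict))
        return verdict


class BypassRouter:
    """The exception pattern: an alternate path that skips the policy engine."""

    def __init__(self, fw: Firewall, bypass_dst: str) -> None:
        self.fw = fw
        self.bypass_dst = bypass_dst
        self.delivered: List[Packet] = []

    def route(self, pkt: Packet) -> str:
        if pkt.dst == self.bypass_dst:
            self.delivered.append(pkt)  # never inspected, never logged
            return "bypassed"
        verdict = self.fw.filter(pkt)
        if verdict == "allow":
            self.delivered.append(pkt)
        return verdict


WEB_SERVER = "192.0.2.10"  # constructed documentation address
SAMPLE_PACKETS = [
    Packet("203.0.113.5", WEB_SERVER, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("203.0.113.5", WEB_SERVER, 80, b"\x00\x16\x03\x01not-http"),  # odd payload to port 80
    Packet("203.0.113.5", "192.0.2.20", 22, b"SSH-2.0-client"),  # no rule: default deny
]


def rule_deployment() -> Tuple[List[str], int]:
    """Web traffic is allowed by a rule; every packet still passes through the firewall."""
    fw = Firewall([Rule(WEB_SERVER, 80, "allow")])
    verdicts = [fw.filter(p) for p in SAMPLE_PACKETS]
    return verdicts, len(fw.log)


def bypass_deployment() -> Tuple[List[str], int]:
    """Web traffic is routed around the firewall; only the SSH packet is ever seen."""
    fw = Firewall([])
    router = BypassRouter(fw, WEB_SERVER)
    verdicts = [router.route(p) for p in SAMPLE_PACKETS]
    return verdicts, len(fw.log)


if __name__ == "__main__":
    print("rule-based  :", rule_deployment())
    print("bypass-based:", bypass_deployment())
```

With the rule in place the malformed port-80 packet is denied and all three packets are in the log; with the bypass route both web-server packets reach the server uninspected and the log records only the one packet that still went through the checkpoint. That lost visibility is the cost of the side path, independent of whether anyone ever abuses it.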
It can make sense to have a different individual *queue* for police and emergency responders (where ordinary folks don't line up). However, any measures that you apply to the general populace you should apply to the emergency responders as well (bomb screening, weapons check, whatever).
>> The reality of the situation is that most people are not going to question their boss's boss's boss when it seems like they should be allowed to bypass security.
This is why most people are not qualified to work in security.
It's fairly easy to go buy and wear a police uniform, (yes, it's a felony, but this is presumably a high-stakes game in play.) It's very easy to flash a badge at someone and wear a neatly tailored business suit.
What we teach our people:
-- police officers, unless it is an emergency and especially if they are in plainclothes, will not mind showing you an agency-issued photo ID -- and if it is an emergency, immediately offer to help and go with the officer after notifying someone else of the situation
-- EMS personnel and firefighters travel not only in uniform but in packs, and by looking around you should be able to see their fire / EMS rig with a unit ID painted on the side (as their vehicles are more tightly controlled than their uniforms)
How useful this is at a security checkpoint is a good question, but there should be good procedures and the airport operations team should be well aware that outside PD/fire/EMS is on scene. (I will add, reluctantly, that fire trucks and ambulances will be parked in the 'correct' places, and that incorrect placement will crank up the index of suspicion.)
Checkpoints are not good at stopping precision attacks. To pretend that they are is dangerously naive.
"Training is often a CYA tactic."
I, agree. If we can't do any better than this let's just cut some expen$es.
Emergency and Police personnel should be checked in via the employee entrance when they go on shift.
Most airports in the US of any size have their own security team, and their own fire station. During an emergency, people go out, but don't come in unless it's a massive scale sort of situation, and then the units are sent directly out onto the field (incoming fire engines are admitted through a special gate).
In the case of a medical incident, at any largish airport there will probably already be paramedics or at least EMTs standing by (probably also the fire personnel). They stay on the secure side of the airport, drive around the terminal via the access roads, and make entrance through the locked service doors from the field.
There should be no reason for emergency and security personnel to go through the normal security lines.
I think this is a proper form of exception to the rule, as personnel needing special treatment are sent to a different location, where the people there are trained to deal with such a special situation.
And if a mass-casualty event occurs in the airport, that part of the airport should be isolatable, evacuated, and then those passengers who can still make flights allowed in through other security gates (normal security gates).
-Woody (volunteer firefighter)
"- EMS personnel and firefighters travel not only in uniform but in packs, and by looking around you should be able to see their fire / EMS rig with a unit ID painted on the side (as their vehicles are more tightly controlled than their uniforms)"
Yep, we do. Although I live in a more rural area just outside of Silicon Valley, so the response is different. But in an airport, the Fire/EMS personnel should all arrive with specific uniforms, and there should be about 4 of them (at least) for a medical call. Mainly because it's easiest to dispatch the on-grounds fire station (whose engine lives in the secure zone) to the scene of the medical.
But the "grounds" of an airport are probably the weakest link that I've seen. The FD has access to both the secure and non-secure sides, as usually does the GenAv side of the airport, and all the Cargo terminals, and the air tourism companies....
There are a lot of avenues from the public roads around the airport to the airport grounds. But making it to a plane from those grounds is much harder.
Although if you did it right, a team of 4 could easily purchase EMS gear, an ambulance, and probably drive right onto the field if they did it right. And then drive right up to the main terminal (via the proper access roads on the tarmac). And then walk into the terminal, and make a beeline in some other direction.
They could at least make entrance to the terminal, but I don't know if they could actually exit the terminal via the route that they came in on, without raising a lot of mental alarm bells (no badges/access codes to get from the secure-customer zone to the secure-employee zone).
Police and other uniformed exceptions should only be allowed to bypass when the guard KNOWS them and RECOGNIZES them AND that uniformed person arrives on a predicted schedule.
Emergency responders RESPONDING to an EMERGENCY must be escorted by official security personnel who will be recognized by the guards.
That doesn't solve the problem of the on-schedule mule, or myriad other movie-plot scenarios.
I think the best option is to have a separate security line for staff. The problem isn't keeping guns out for those who are permitted to carry; the problem is keeping anything else they're carrying out that they shouldn't be.
As for emergencies, I think someone previously talked about basically "segregating" the emergencies: you turn the emergency zone into an insecure zone (but with no one in or out), and then re-sweep it back to the security point after the emergency is cleared. This is, of course, if you're not just practicing security theater...
"Everybody should be checked regardless, otherwise what's to stop an insider creating an emergency to get his buddies through with the payload that can then be used at a later date?"
This may be true, but it's not nearly as obvious as you make it sound.
To determine the best course of action, you need to estimate the expected cost (in lives or otherwise) of attacks carried out using this method. You also need to estimate the cost (ditto) of slower emergency response caused by checking everybody. If the latter is greater than the former (I consider this likely; how many people, on average, die of airport heart attacks compared to air-travel terrorism?) then it is not better to screen everybody regardless.
Of course, the Current Unpleasantness seems to have caused our Great Leaders to completely forget the idea of tradeoffs, so don't expect to see anybody with the means to decide things to actually follow this process.
This is the same sort of "special rule" that caused the Rep. Cynthia McKinney ruckus in Congress some weeks back. She reacted, let us say, badly when Capitol Police stopped her at a checkpoint. You see, everybody on the Hill gets screened, except for Members of Congress, or people that Hill cops presume are Members.
"This is the same sort of 'special rule' that caused the Rep. Cynthia McKinney ruckus in Congress some weeks back. She reacted, let us say, badly when Capitol Police stopped her at a checkpoint. You see, everybody on the Hill gets screened, except for Members of Congress, or people that Hill cops presume are Members."
I remember reading that the members wear special lapel pins, which presumably are pretty easily faked.
Why would one go to the trouble of impersonating a police officer, firefighter or paramedic to get through a simple screening? To get something onto the airplane, yes, but what? Sounds kinda complicated to me and I still believe that bad guys like to keep it simple...
Anyway, there's a more fundamental problem here. To begin with, you have one security screen for random people, and a pass-through for police officers. To use this, you need to show valid police ID (yours).
If you can't trust your own security force to the degree that you have to subject people you KNOW are policemen to the same screening as everyone else, then your problem is so fundamental that it really isn't worth screening at all, because you can't trust the screeners either.
I remember reading that the members wear special lapel pins, which presumably are pretty easily faked.
According to the reports I've read, members of congress do, in fact, have lapel pins. However, they generally don't wear them. Capitol police are supposed to be able to recognize all members of congress, anyway. There aren't that many of them.
There are 435 members in Congress doing only two-year terms; I hope that officers have better things to do than to memorize faces... And besides, the best answer to the question "Don't you know who I am?" is "ID please". :)
Airport security screening isn't supposed to detect mules. It's supposed to find weapons. If the individual in question is allowed to carry weapons onto a plane (as a police officer is), there is no point in sending them through security screening.
> There's 435 members in congress doing only two year's term
Not to mention the fact that if you have a group of hundreds of people, it should not be a trusted group.
By that I mean to say, you'd have to assume that it is possible to find someone in that group that can be coerced through some means to perform counter to the best interests of the whole (we have plenty of historical examples here). There's a new movie plot for you, Bruce: kidnap a representative's family and make them wear an IED into the House and blow it up. Out of 435 members, it's certainly not impossible to coerce one...
If the House of Representatives is considered a security area, everyone going into the area ought to be screened, period. The existence of the pins is simply to cater to the ego whims of congress.
>> Although if you did it right, a team of 4 could easily purchase EMS gear, an ambulance, and probably drive right onto the field if they did it right. And then drive right up to the main terminal (via the proper access roads on the tarmac). And then walk into the terminal, and make a beeline in some other direction.
My comments were in general, not just targeted at airports. However, I would hope that the secured gate wouldn't let them in without a quick verification call to Dispatch.
Then again, if I really wanted to get on the tarmac with a team of four and anything they could carry, I'd fly a light plane out of a rural field and "taxi" to the wrong side of a major airport.
(After the security contest, my "Shhhh! The terrorist might think of that!" fuses have completely burned out and may never be replaced.)
>> Emergency responders RESPONDING to an EMERGENCY must be escorted by official security personnel who will be recognized by the guards.
I don't know what kind of budget your agency has, but in my world we may have only one or two security officers for a 2,000+ employee site. During an emergency, they're already going to have their hands full, probably at the scene of the emergency. So if anyone is at the gate, lobby, desk, etc. it's probably going to be the least experienced officer, a temp, or J. Random Employee suddenly drafted to "watch the door for a minute, can you?"
Besides, how will the official security personnel recognize the emergency responders as legitimate? Volunteer emergency services add a whole new layer of security issues, I might add . . .
Suspending security for emergencies is foolhardy for the simple reason that an emergency can be arranged, staged simply to suspend security.
As a simple example, somebody collapses, making a medical emergency. A guy in ordinary clothes rushes up, says "I'm a doctor", and passes right through. Immediately a number of guys wearing the same style of pants and smocks with cloth badges sewed on, carrying large equipment boxes, say "Let me through", and pass through.
Nobody knows who these people are (the identification) nor whether they should be there (the authorization), so authentication isn't even an issue: something happened and security collapsed and a bunch of strangers get through and we don't know what's going on.
The reason? Because this occasion is seen as important, meaning the screening has long been unimportant. Any break in the tedious monotony is actually welcomed.
Never lose sight of the human factors.
But having special access is a sign of importance. That is why members of Congress are waved around. There is no functional reason, like there is for law enforcement at metal detectors. An armed officer will set off the sensor to no avail, as they are permitted access armed. However, there must be procedures to verify their veracity. Unfortunately, many police take affront at having their identification questioned or examined. For all the officers that take offense at being questioned, how many fake officers try to pass? Soon the security personnel adjust to not cause offense by not checking too closely, to keep things pleasant. If you wish to cause trouble, just put a new, zealous guard on the gate. You'll be amazed at how many people get upset at being checked. It also reveals how lax the security checks had become.
As long as the "important" people insist on being exempt from real checks, there will be weak security.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.