
Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past the TSA document checker, because the scanners the TSA use are just barcode decoders; they don’t check against the real-time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier—and far more secure—if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And—of course—this means that you can still print your own boarding pass.
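The failure above is an integrity problem, not a secrecy one: the scanner trusts a field that anyone can rewrite. The following is an added example of my own, not code from the quoted post, the TSA, or any airline system. It models the pass as a simplified fixed-width record (the field list and widths are an assumption; the real barcode layout is not described on this page), shows that a bare decoder accepts the edited indicator, and then shows the two fixes the post and the commentary point at: an authentication tag the checkpoint verifies before it believes anything in the payload, and a random diversion that does not consult the barcode flag at all.

```python
import hmac
import hashlib
import secrets

# Constructed, simplified boarding-pass record. The field list and widths are
# an assumption for this example, not the real IATA barcode layout; the post
# only tells us the pass carries name, PNR, flight, seat and a one-digit
# PreCheck indicator ("1" = no PreCheck, "3" = PreCheck).
FIELDS = (("name", 20), ("pnr", 7), ("flight", 5), ("seat", 4), ("selectee", 1))
SELECTEE_OFFSET = sum(width for _, width in FIELDS[:-1])


def encode(rec):
    """Pack a record into the fixed-width text a barcode would carry."""
    out = ""
    for key, width in FIELDS:
        value = str(rec[key])
        if len(value) > width:
            raise ValueError(f"{key} does not fit in {width} characters")
        out += value.ljust(width)
    return out


def decode(payload):
    """The scanner the post describes: a bare decoder that trusts every byte."""
    rec, pos = {}, 0
    for key, width in FIELDS:
        rec[key] = payload[pos:pos + width].strip()
        pos += width
    return rec


def tamper(encoded, new_selectee):
    """The attacker's edit: overwrite the indicator, keep everything else."""
    return encoded[:SELECTEE_OFFSET] + new_selectee + encoded[SELECTEE_OFFSET + 1:]


def uses_precheck_lane(rec):
    return rec["selectee"] == "3"


# Hardened variant: the issuer appends an authentication tag over the payload
# and the checkpoint refuses anything whose tag does not verify. A shared HMAC
# key is the simplest illustration; with many checkpoints you would use a
# public-key signature so scanners can verify passes but not mint them.
def issue(rec, key):
    payload = encode(rec)
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload + "^" + tag


def verify_and_decode(signed, key):
    """Return the record if the tag verifies, else None (reject the pass)."""
    payload, sep, tag = signed.rpartition("^")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode(payload)


# Schneier's alternative: do not trust a flag in the barcode at all. Send each
# PreCheck passenger to regular screening with probability `fraction`, drawn
# from a CSPRNG so the outcome cannot be predicted or influenced.
def divert_to_regular_screening(fraction=0.10, draw=secrets.SystemRandom().random):
    return draw() < fraction


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    rec = {"name": "DOE/JANE", "pnr": "ABC123", "flight": "1234",
           "seat": "12A", "selectee": "1"}
    forged = tamper(encode(rec), "3")
    print("naive scanner sends forged pass to PreCheck:", uses_precheck_lane(decode(forged)))  # True
    print("verifying scanner accepts forged pass:", verify_and_decode(tamper(issue(rec, key), "3"), key))  # None
```

Either fix closes the hole the post describes, but they fail differently: a signed barcode still lets a legitimate PreCheck holder lend a printout to someone with a matching fake ID, whereas random diversion makes the lane assignment unpredictable regardless of what the barcode says. An online check against the reservation, which Schneier asks about below, would catch the edited name as well.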

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don’t feel any less safe because of this vulnerability.

Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines’ reservation databases. Does anyone know?

Posted on October 26, 2012 at 6:46 AM

The Risks of Trusting Experts

I’m not sure what to think about this story:

Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L’Aquila.

A regional court found them guilty of multiple manslaughter.

Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way to predict major quakes.

The 6.3 magnitude quake devastated the city and killed 309 people.

These were all members of the National Commission for the Forecast and Prevention of Major Risks, and some of Italy’s most prominent and internationally respected seismologists and geological experts. Basically, the problem was that they failed to hedge their bets against the earthquake. In a press conference just before the earthquake, they incorrectly assured locals that there was no danger. This, according to the court, was equivalent to manslaughter.

No, it doesn’t make any sense.

David Rothery, of the UK’s Open University, said earthquakes were “inherently unpredictable”.

“The best estimate at the time was that the low-level seismicity was not likely to herald a bigger quake, but there are no certainties in this game,” he said.

Even the defendants were confused:

Another, Enzo Boschi, described himself as “dejected” and “desperate” after the verdict was read.

“I thought I would have been acquitted. I still don’t understand what I was convicted of.”

I do. He was convicted because the public wanted revenge—and the scientists were their most obvious targets.

Needless to say, this is having a chilling effect on scientists talking to the public. Enzo Boschi, president of Italy’s National Institute of Geophysics and Volcanology (INGV) in Rome, said: “When people, when journalists, asked my opinion about things, I used to tell them, but no more. Scientists have to shut up.” Also, as part of their conviction, those scientists are prohibited from ever holding public office again.

From a security perspective, this seems like the worst possible outcome. The last thing we want of our experts is for them to refuse to give us the benefits of their expertise.

To be fair, the verdict isn’t final. There are always appeals in Italy, and at least one level of appeal is certain in this case. Everything might be overturned, but I’m sure the chilling effect will remain, regardless.

As someone who constantly makes predictions about security that could potentially affect the livelihood and lives of those who listen to them, this really made me stop and think. Could I be arrested, or sued, for telling people that this particular security product is effective when in fact it is not? I am forever minimizing the risks of terrorism in general and airplane terrorism in particular. Sooner or later, there will be another terrorist event. Will that make me guilty of manslaughter as well? Italy is a long way away, but everything I write on the Internet reaches there.

Oddly enough, there is a large amount of case law in this area, with weathermen as the target. This two-part article, “Bad Weather? Then Sue the Weatherman,” is fascinating.

EDITED TO ADD (11/13): Here is an article in “New Scientist” that gives the prosecutor’s side of things. According to the prosecutor, this case was not about prediction. It was about communication. It wasn’t about the odds of the quake, it was about how those odds were communicated to the public.

Posted on October 25, 2012 at 6:27 AM

Risks of Data Portability

Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general.

…Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported ‘without hindrance,’ then one moment of identity fraud can turn into a lifetime breach of personal data.

They have a point. If you’re going to allow users to download all of their data with one command, you might want to double- and triple-check that command. Otherwise it’s going to become an attack vector for identity theft and other malfeasance.

Posted on October 24, 2012 at 1:27 PM

Stoking Cyber Fears

A lot of the debate around President Obama’s cybersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general.

It’s difficult to have any serious policy discussion amongst the fear mongering. Secretary Panetta’s recent comments are just the latest; search the Internet for “cyber 9/11,” “cyber Pearl-Harbor,” “cyber Katrina,” or—my favorite—”cyber Armageddon.”

There’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.

But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyberterrorism rhetoric would lead you to believe. Cybercrime continues to rise, and still poses real risks to those of us who work, shop, and play on the Internet. And cyberdefense needs to be part of our military strategy.

Industry has definitely not done enough to protect our nation’s critical infrastructure, and federal government may need more involvement. This should come as no surprise; the economic externalities in cybersecurity are so great that even the freest free market would fail.

For example, the owner of a chemical plant will protect that plant from cyber attack up to the value of that plant to the owner; the residual risk to the community around the plant will remain. Politics will color how government involvement looks: market incentives, regulation, or outright government takeover of some aspects of cybersecurity.

None of this requires heavy-handed regulation. Over the past few years we’ve heard calls for the military to better control Internet protocols; for the United States to be able to “kill” all or part of the Internet, or to cut itself off from the greater Internet; for increased government surveillance; and for limits on anonymity. All of those would be dangerous, and would make us less secure. The world’s first military cyberweapon, Stuxnet, was used by the United States and Israel against Iran.

In all of this government posturing about cybersecurity, the biggest risk is a cyber-war arms race; and that’s where remarks like Panetta’s lead us. Increased government spending on cyberweapons and cyberdefense, and an increased militarization of cyberspace, is both expensive and destabilizing. Fears lead to weapons buildups, and weapons beg to be used.

I would like to see less fear mongering, and more reasoned discussion about the actual threats and reasonable countermeasures. Pushing the fear button benefits no one.

This essay originally appeared in the New York Times “Room for Debate” blog. Here are the other essays on the topic.

Posted on October 19, 2012 at 7:45 AM

Analysis of How Bitcoin Is Actually Used

“Quantitative Analysis of the Full Bitcoin Transaction Graph,” by Dorit Ron and Adi Shamir:

Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph. In this paper we answer for the first time a variety of interesting questions about the typical behavior of account owners, how they acquire and how they spend their Bitcoins, the balance of Bitcoins they keep in their accounts, and how they move Bitcoins between their various accounts in order to better protect their privacy. In addition, we isolated all the large transactions in the system, and discovered that almost all of them are closely related to a single large transaction that took place in November 2010, even though the associated users apparently tried to hide this fact with many strange looking long chains and fork-merge structures in the transaction graph.

The paper has been submitted to the 2013 Financial Cryptography conference.

EDITED TO ADD (10/30): Some commentary.

Posted on October 18, 2012 at 6:11 AM

Genetic Privacy

New report from the Presidential Commission for the Study of Bioethical Issues.

It’s called “Privacy and Progress in Whole Genome Sequencing.” The Commission described the rapid advances underway in the field of genome sequencing, but also noted growing concerns about privacy and security. The report lists twelve recommendations to improve current practices and to help safeguard privacy and security, including using deidentification wherever possible.

Here are four news articles.

Posted on October 17, 2012 at 6:23 AM

Studying Zero-Day Attacks

Interesting paper: “Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World,” by Leyla Bilge and Tudor Dumitras:

Abstract: Little is known about the duration and prevalence of zeroday attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments.

In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
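The method in the abstract reduces to a join: for each vulnerability, take the earliest date a binary known to exploit it was seen on any monitored host, and compare that with the vulnerability's public disclosure date. Here is an added example of that join on constructed data; it is my own illustration, not the paper's code or dataset, and the vulnerability ids, hashes, hosts and dates are all made up. It also computes the before/after host counts that the paper's "orders of magnitude" figure is built from, and skips a binary whose vulnerability has no disclosure date, since the method can only recognize a zero-day in hindsight.

```python
from datetime import date

# Constructed sample input; ids, hashes and dates are made up for this example.
# Public disclosure date per vulnerability (what a CVE feed or vendor advisory gives you).
DISCLOSED = {
    "vuln-A": date(2011, 3, 1),
    "vuln-B": date(2011, 6, 15),
    "vuln-C": date(2011, 9, 1),
}

# Field telemetry: (binary hash, vulnerability it exploits, host id, first seen on that host).
SIGHTINGS = [
    ("h1", "vuln-A", "host-1", date(2010, 5, 20)),   # before disclosure: zero-day
    ("h1", "vuln-A", "host-2", date(2010, 8, 2)),
    ("h2", "vuln-A", "host-3", date(2011, 3, 4)),    # post-disclosure copycats
    ("h2", "vuln-A", "host-4", date(2011, 3, 5)),
    ("h2", "vuln-A", "host-5", date(2011, 4, 1)),
    ("h3", "vuln-B", "host-6", date(2011, 7, 1)),    # after disclosure: not a zero-day
    ("h4", "vuln-C", "host-7", date(2011, 8, 31)),   # one day before disclosure
    ("h5", "vuln-D", "host-8", date(2011, 1, 10)),   # no disclosure date known: cannot classify
]


def find_zero_days(sightings, disclosed):
    """Map vuln -> (first seen, days of exposure before disclosure) for zero-days.

    The first-seen date is a lower bound on exposure: the exploit may have been
    used earlier on hosts outside the telemetry.
    """
    first_seen = {}
    for _, vuln, _, seen in sightings:
        if vuln not in first_seen or seen < first_seen[vuln]:
            first_seen[vuln] = seen

    zero_days = {}
    for vuln, seen in first_seen.items():
        disclosure = disclosed.get(vuln)
        if disclosure is None:
            continue  # exploited, but not (yet) public: the method cannot see it
        if seen < disclosure:
            zero_days[vuln] = (seen, (disclosure - seen).days)
    return zero_days


def hosts_before_after(sightings, disclosed, vuln):
    """Distinct hosts attacked before vs. on/after disclosure, for the volume comparison."""
    cutoff = disclosed[vuln]
    before = {host for _, v, host, seen in sightings if v == vuln and seen < cutoff}
    after = {host for _, v, host, seen in sightings if v == vuln and seen >= cutoff}
    return len(before), len(after)


if __name__ == "__main__":
    for vuln, (seen, days) in sorted(find_zero_days(SIGHTINGS, DISCLOSED).items()):
        before, after = hosts_before_after(SIGHTINGS, DISCLOSED, vuln)
        print(f"{vuln}: first seen {seen}, {days} days before disclosure, "
              f"hosts before/after: {before}/{after}")
```

The join is only as good as the mapping from binary to vulnerability: a sample that is mis-attributed, or that carries several exploits, will produce a false zero-day, which is why the paper's count of 18 rests on confirmed exploit signatures rather than on malware family labels.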

Posted on October 16, 2012 at 6:12 AM
