Schneier on Security: Tagged air travel

Entries Tagged "air travel"

Page 38 of 46

Sloppy CIA Tradecraft

CIA agents exposed due to their use of frequent-flier miles and other mistakes:

The man and woman were pretending to be American business executives on international assignments, so they did what globe-trotting executives do. While traveling abroad they used their frequent-flier cards as often as possible to gain credits toward free flights.

In fact, the pair were covert operatives working for the CIA. Thanks to their diligent use of frequent-flier programs, Italian prosecutors have been able to reconstruct much of their itinerary during 2003, including trips to Brussels, Venice, London, Vienna and Oslo.

[…]

Aides to former CIA Director Porter Goss have used the word “horrified” to describe Goss’ reaction to the sloppiness of the Milan operation, which Italian police were able to reconstruct through the CIA operatives’ imprudent use of cell phones and other violations of basic CIA “tradecraft.”

I’m not sure how collecting frequent-flier miles is a problem, though. Assuming they’re traveling under the cover of being business executives, it makes sense for them to act just like other business executives.

It’s not like there’s no other way to reconstruct their travel.

Posted on July 26, 2006 at 1:22 PM • View Comments

Patrick Smith on Airline Security

Patrick Smith writes the “Ask the Pilot” column for Salon. He’s written two very good posts on airline security, one about how Israel’s system won’t work in the U.S., and the other about profiling:

…here’s a more useful quiz:

In 1985, Air India Flight 182 was blown up over the Atlantic by:
a. Muslim male extremists mostly between the ages of 17 and 40
b. Bill O’Reilly
c. The Mormon Tabernacle Choir
d. Indian Sikh extremists, in retaliation for the Indian Army’s attack on the Golden Temple shrine in Amritsar

In 1986, who attempted to smuggle three pounds of explosives onto an El Al jetliner bound from London to Tel Aviv?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Michael Smerconish
c. Bob Mould
d. A pregnant Irishwoman named Anne Murphy

In 1962, in the first-ever successful sabotage of a commercial jet, a Continental Airlines 707 was blown up with dynamite over Missouri by:
a. Muslim male extremists mostly between the ages of 17 and 40
b. Ann Coulter
c. Henry Rollins
d. Thomas Doty, a 34-year-old American passenger, as part of an insurance scam

In 1994, who nearly succeeded in skyjacking a DC-10 and crashing it into the Federal Express Corp. headquarters?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Michelle Malkin
c. Charlie Rose
d. Auburn Calloway, an off-duty FedEx employee and resident of Memphis, Tenn.

In 1974, who stormed a Delta Air Lines DC-9 at Baltimore-Washington Airport, intending to crash it into the White House, and shot both pilots?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Joe Scarborough
c. Spalding Gray
d. Samuel Byck, an unemployed tire salesman from Philadelphia

The answer, in all cases, is D.

Racial profiling doesn’t work against terrorism, because terrorists don’t fit any racial profile.

Posted on June 19, 2006 at 7:22 AM • View Comments

Aircraft Locator a "Terrorist's Dream"

The movie plots keep coming and coming. Here’s my nomination for dumb movie plot of this week:

Skies ‘now terrorist’s dream’

Australia’s proposed new aviation tracking system would make it easier for terrorists to locate aircraft, aviation campaigner Dick Smith said today.

Mr Smith said a plan by Airservices Australia to replace radar tracking of planes with the Automatic Dependent Surveillance Broadcast (ADS B) system would allow terrorists to track every aircraft in the sky.

“Government policy using conventional radar makes it almost impossible for a terrorist or a criminal to locate the position and identity of an aircraft,” Mr Smith said.

“With ADS B it’s the opposite because all you need to track every aircraft is a small, non-directional aerial, worth $5.”

Under the present system, a terrorist can locate the position of an aircraft by looking up. And if a terrorist is smart enough to perform this intelligence-gathering exercise near an airport, he can locate the position of aircraft that are low to the ground, and easier to shoot at with missiles. Why are we worrying about telling terrorists where all the high-altitude hard-to-hit planes are?

Now I can invent a movie plot that has the terrorists needing to shoot down a particular plane because this or that famous personage is on it, but that’s a bit much.

Posted on May 29, 2006 at 12:00 PM • View Comments

El Al Doesn't Trust the TSA

They want to do security themselves at Newark Airport, as they already do at four other U.S. airports.

No other airline has such an arrangement with U.S. officials, authorities acknowledged. At the four other airports, El Al has installed its own security software at bomb-detection machines, which authorities said is more sensitive than that used by American carriers.

Posted on May 23, 2006 at 3:30 PM • View Comments

Smart Profiling from the DHS

About time:

Here’s how it works: Select TSA employees will be trained to identify suspicious individuals who raise red flags by exhibiting unusual or anxious behavior, which can be as simple as changes in mannerisms, excessive sweating on a cool day, or changes in the pitch of a person’s voice. Racial or ethnic factors are not a criterion for singling out people, TSA officials say. Those who are identified as suspicious will be examined more thoroughly; for some, the agency will bring in local police to conduct face-to-face interviews and perhaps run the person’s name against national criminal databases and determine whether any threat exists. If such inquiries turn up other issues countries with terrorist connections, police officers can pursue the questioning or alert Federal counterterrorism agents. And of course the full retinue of baggage x-rays, magnetometers and other checks for weapons will continue.

Posted on May 23, 2006 at 6:20 AM • View Comments

Security Risks of Airline Passenger Data

Reporter finds an old British Airways boarding pass, and proceeds to use it to find everything else about the person:

We logged on to the BA website, bought a ticket in Broer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able – within 15 minutes – to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

Notice the economic pressures:

“The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return,” says Laurie. “Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors.”

Posted on May 9, 2006 at 1:17 PM • View Comments

The DHS Secretly Shares European Passenger Data in Violation of Agreement

From the ACLU:

In 2003, the United States and the European Union reached an agreement under which the EU would share Passenger Name Record (PNR) data with the U.S., despite the lack of privacy laws in the United States adequate to ensure Europeans’ privacy. In return, DHS agreed that the passenger data would not be used for any purpose other than preventing acts of terrorism or other serious crimes. It is now clear that DHS did not abide by that agreement.

Posted on May 8, 2006 at 6:34 AM • View Comments

Assault Weapon that Passes Through X-Ray Machines

Here’s an assault weapon that passes through X-ray machine scanners.

Posted on May 3, 2006 at 7:52 AM • View Comments

The Security Risk of Special Cases

In Beyond Fear, I wrote about the inherent security risks of exceptions to a security policy. Here’s an example, from airport security in Ireland.

Police officers are permitted to bypass airport security at the Dublin Airport. They flash their ID, and walk around the checkpoints.

A female member of the airport search unit is undergoing re-training after the incident in which a Department of Transport inspector passed unchecked through security screening.

It is understood that the department official was waved through security checks having flashed an official badge. The inspector immediately notified airport authorities of a failure in vetting procedures. Only gardai are permitted to pass unchecked through security.

There are two ways this failure could have happened. One, security person could have thought that Department of Transportation officials have the same privileges as police officers. And two, the security person could have thought she was being shown a police ID.

This could have just as easily been a bad guy showing a fake police ID. My guess is that the security people don’t check them all that carefully.

The meta-point is that exceptions to security are themselves security vulnerabilities. As soon as you create a system by which some people can bypass airport security checkpoints, you invite the bad guys to try and use that system. There are reasons why you might want to create those alternate paths through security, of course, but the trade-offs should be well thought out.

Posted on April 26, 2006 at 6:05 AM • View Comments

Software Failure Causes Airport Evacuation

Last month I wrote about airport passenger screening, and mentioned that the X-ray equipment inserts “test” bags into the stream in order to keep screeners more alert. That system failed pretty badly earlier this week at Atlanta’s Hartsfield-Jackson Airport, when a false alarm resulted in a two-hour evacuation of the entire airport.

The screening system injects test images onto the screen. Normally the software flashes the words “This is a test” on the screen after a brief delay, but this time the software failed to indicate that. The screener noticed the image (of a “suspicious device,” according to CNN) and, per procedure, screeners manually checked the bags on the conveyor belt for it. They couldn’t find it, of course, but they evacuated the airport and spent two hours vainly searching for it.

Hartsfield-Jackson is the country’s busiest passenger airport. It’s Delta’s hub city. The delays were felt across the country for the rest of the day.

Okay, so what went wrong here? Clearly the software failed. Just as clearly the screener procedures didn’t fail—everyone did what they were supposed to do.

What is less obvious is that the system failed. It failed, because it was not designed to fail well. A small failure—in this case, a software glitch in a single X-ray machine—cascaded in such a way as to shut down the entire airport. This kind of failure magnification is common in poorly designed security systems. Better would be for there to be individual X-ray machines at the gates—I’ve seen this design at several European airports—so that when there’s a problem the effects are restricted to that gate.

Of course, this distributed security solution would be more expensive. But I’m willing to bet it would be cheaper overall, taking into account the cost of occasionally clearing out an airport.

Posted on April 21, 2006 at 12:49 PM • View Comments

←Previous 1 … 36 37 38 39 40 … 46 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.