Entries Tagged "air travel"

Page 5 of 46

Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effects on security research. Security researchers who point out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…

Slashdot thread. Hacker News thread.

EDITED TO ADD (4/22): Another article, this one about the debate over disclosing security vulnerabilities.

Posted on April 21, 2015 at 5:26 AMView Comments

The TSA's FAST Personality Screening Program Violates the Fourth Amendment

New law journal article: “A Slow March Towards Thought Crime: How the Department of Homeland Security’s FAST Program Violates the Fourth Amendment,” by Christopher A. Rogers. From the abstract:

FAST is currently designed for deployment at airports, where heightened security threats justify warrantless searches under the administrative search exception to the Fourth Amendment. FAST scans, however, exceed the scope of the administrative search exception. Under this exception, the courts would employ a balancing test, weighing the governmental need for the search versus the invasion of personal privacy of the search, to determine whether FAST scans violate the Fourth Amendment. Although the government has an acute interest in protecting the nation’s air transportation system against terrorism, FAST is not narrowly tailored to that interest because it cannot detect the presence or absence of weapons but instead detects merely a person’s frame of mind. Further, the system is capable of detecting an enormous amount of the scannee’s highly sensitive personal medical information, ranging from detection of arrhythmias and cardiovascular disease, to asthma and respiratory failures, physiological abnormalities, psychiatric conditions, or even a woman’s stage in her ovulation cycle. This personal information warrants heightened protection under the Fourth Amendment. Rather than target all persons who fly on commercial airplanes, the Department of Homeland Security should limit the use of FAST to where it has credible intelligence that a terrorist act may occur and should place those people scanned on prior notice that they will be scanned using FAST.

Posted on March 6, 2015 at 6:28 AMView Comments

Leaked CIA Documents

I haven’t seen much press mention about the leaked CIA documents that have appeared on WikiLeaks this month.

There are three:

These documents are more general than what we’ve seen from Snowden, but—assuming they’re real—these are still national-security leaks. You’d think there would be more news about this, and more reaction from the US government.

Posted on December 29, 2014 at 6:22 AMView Comments

ISIS Threatens US with Terrorism

They’re openly mocking our profiling.

But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West.

They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United States.

“The West are idiots and fools. They think we are waiting for them to give us visas to go and attack them or that we will attack with our beards or even Islamic outfits,” said one.

“They think they can distinguish us these days ­ they are fools and more than that they don’t know we can play their game in intelligence. They infiltrated us with those who pretend to be Muslims and we have also penetrated them with those who look like them.”

I am reminded of my debate on airport profiling with Sam Harris, particularly my initial response to his writings.

Posted on August 29, 2014 at 6:08 AMView Comments

The Insecurity of Secret IT Systems

We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week.

It’s worse than you might have expected:

It runs on the outdated Windows 98 operating system, stores user credentials in plain text, and includes a feature called Threat Image Projection used to train screeners by injecting .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener’s reaction during training sessions. The weak logins could allow a bad guy to project phony images on the X-ray display.

While this is all surprising, it shouldn’t be. These are the same sort of problems we saw in proprietary electronic voting machines, or computerized medical equipment, or computers in automobiles. Basically, whenever an IT system is designed and used in secret – either actual secret or simply away from public scrutiny – the results are pretty awful.

I used to decry secret security systems as “security by obscurity.” I now say it more strongly: “obscurity means insecurity.”

Security is a process. For software, that process is iterative. It involves defenders trying to build a secure system, attackers—criminals, hackers, and researchers—defeating the security, and defenders improving their system. This is how all mass-market software improves its security. It’s the best system we have. And for systems that are kept out of the hands of the public, that process stalls. The result looks like the Rapiscan 522 B x-ray system.

Smart security engineers open their systems to public scrutiny, because that’s how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results. Get ready for Rapiscan to claim that the researchers had old software, and the new software has fixed all these problems. Or that they’re only theoretical. Or that the researchers themselves are the problem. We’ve seen it all before.

Posted on February 14, 2014 at 6:50 AMView Comments

Hacking Airline Lounges for Free Meals

I think this is a great hack:

A man bought a first-class ticket and used it to have free meals and drinks at the airport’s VIP lounge almost every day for nearly a year, Kwong Wah Yit Poh reported.

The itinerary for the ticket was found to have been changed more than 300 times within a year, and the owner of the ticket used it to enjoy the facilities at the airport’s VIP lounge in Xi’an in Shaanxi, China.

[…]

When the ticket’s validity was almost up, the passenger cancelled it for a refund.

It’s such a weird occurrence that I’m not even sure it’s worth bothering to defend against.

EDITED TO ADD (2/4): Hacker News thread.

Posted on February 4, 2014 at 6:45 AMView Comments

CSEC Surveillance Analysis of IP and User Data

The most recent story from the Snowden documents is from Canada: it claims the CSEC (Communications Security Establishment Canada) used airport Wi-Fi information to track travelers. That’s not really true. What the top-secret presentation shows is a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that data to identify individual users. This is actually far more interesting than simply eavesdropping on airport Wi-Fi sessions. Between Boingo and the cell phone carriers, that’s pretty easy.

The researcher, with the cool-sounding job-title of “tradecraft developer,” started with two weeks’ worth of ID data from a redacted “Canadian Special Source.” (The presentation doesn’t say if they compelled some Internet company to give them the data, or if they eavesdropped on some Internet service and got it surreptitiously.) This was a list of userids seen on those networks at particular times, presumably things like Facebook logins. (Facebook, Google, Yahoo and many others are finally using SSL by default, so this data is now harder to come by.) They also had a database of geographic locations for IP addresses from Quova (now Neustar). The basic question is whether they could determine what sorts of wireless hotspots the IP addresses were.

You’d expect airports to look different from hotels, and those to look different from offices. And, in fact, that’s what the data showed. At an airport network, individual IDs are seen once, and briefly. At hotels, individual IDs are seen over a few days. At an office, IDs are generally seen from 9:00 AM to 5:00 PM, Monday through Friday. And so on.

Pretty basic so far. Where it gets interesting his how this kind of dataset can be used. The presentation suggests two applications. The first is the obvious one. If you know the ID of some surveillance target, you can set an alarm when that target visits an airport or a hotel. The presentation points out that “targets/enemies still target air travel and hotels”; but more realistically, this can be used to know when a target is traveling.

The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can’t risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can’t be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

The results from testing that second application were successful, but slow. The presentation sounds encouraging, stating that something called Collaborative Analysis Research Environment (CARE) is being trialed “with NSA launch assist”: presumably technology, money, or both. CARE reduces the run-time “from 2+ hours to several seconds.” This was in May 2012, so it’s probably all up and running by now. We don’t know if this particular research project was ever turned into an operational program, but the CSEC, the NSA, and the rest of the Five Eyes intelligence agencies have a lot of interesting uses for this kind of data.

Since the Snowden documents have been reported on last June, the primary focus of the stories has been the collection of data. There has been very little reporting about how this data is analyzed and used. The exception is the story on the cell phone location database, which has some pretty fascinating analytical programs attached to it. I think the types of analysis done on this data are at least as important as its collection, and likely more disturbing to the average person. These sorts of analysis are being done with all of the data collected. Different databases are being correlated for all sorts of purposes. When I get back to the source documents, these are exactly the sorts of things I will be looking for. And when we think of the harms to society of ubiquitous surveillance, this is what we should be thinking about.

EDITED TO ADD (2/3): Microsoft has done the same research.

EDITED TO ADD (2/4): And Microsoft patented it.

Posted on February 3, 2014 at 5:09 AMView Comments

Evading Airport Security

The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It’s clever stuff.

It’s not new, though. People have been explaining how to evade airport security for years.

Back in 2006, I—and others—explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here’s a paper about stabbing people with stuff you can take through airport security. And here’s a German video of someone building a bomb out of components he snuck through a full-body scanner. There’s lots more if you start poking around the Internet.

So, what’s the moral here? It’s not like the terrorists don’t know about these tricks. They’re no surprise to the TSA, either. If airport security is so porous, why aren’t there more terrorist attacks? Why aren’t the terrorists using these, and other, techniques to attack planes every month?

I think the answer is simple: airplane terrorism isn’t a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself. It’s the same reason why I don’t care very much about the various TSA mistakes that are regularly reported.

Posted on December 4, 2013 at 6:28 AMView Comments

1 3 4 5 6 7 46

Sidebar photo of Bruce Schneier by Joe MacInnis.