Entries Tagged "DHS"


Loaded Gun Slips Past TSA

I’m not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I’m sure the TSA doesn’t catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they’re going to call the police and totally ruin his day. A terrorist can’t build a plot around succeeding.

It’s things like liquids that are the real problem. Because there are no consequences to trying—the bottle of water just gets thrown into the trash—a terrorist can repeatedly try until he succeeds in slipping it through.

I asked then-TSA Administrator Kip Hawley about this in 2007. He didn’t answer.

Posted on January 14, 2011 at 11:03 AM

The Security Threat of Forged Law-Enforcement Credentials

Here’s a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense’s military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[…]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designed as “Restricted Area” or “Authorized Personnel Only” and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn’t try getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

I’ve written about this general problem before:

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I’d like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification—with picture—that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they’re more manageable than what we have now.

Posted on January 13, 2011 at 8:00 AM

TSA Inspecting Thermoses

This is new:

Adm. James Winnefeld told The Associated Press Friday that the Transportation Security Administration is “always trying to think ahead.” Winnefeld is the head of the U.S. Northern Command, which is charged with protecting the homeland.

TSA officials had said Thursday that in coming days, passengers flying within and to the U.S. may notice additional security measures related to insulated beverage containers such as thermoses.

Winnefeld says officials responsible for homeland security are always a bit more alert over the holiday season. He says there has been a lot of chatter online about potential terror activity, but nothing specific.

Posted on December 29, 2010 at 11:09 AM

Interview with TSA Administrator John Pistole

He’s more realistic than one normally hears:

So if they get through all those defenses, they get to Reagan [National Airport] over here, and they’ve got an underwear bomb, they got a body cavity bomb—what’s reasonable to expect TSA to do? Hopefully our behavior detection people will see somebody sweating, or they’re dancing on their shoes or something, or they’re fiddling with something. Our explosives specialists, they’ll do something – they do hand swabs at random, unpredictably. If that doesn’t work then they go through (the enhanced scanner). And these machines give the best opportunity to detect a non-metallic device, but they’re not foolproof.

[…]

We’re not in the risk elimination business. The only way you can eliminate car accidents from happening is by not driving. OK, that’s not acceptable. The only way you can eliminate the risk of planes blowing up is nobody flies.

He still ducks some of the hard questions.

I am reminded of my own interview from 2007 with then-TSA Administrator Kip Hawley.

Posted on December 22, 2010 at 12:27 PM

Adam Shostack on TSA Threat Modeling

Good commentary:

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I’ll suggest “how do you model future threats?” as an excellent place to start.

Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there’s discrepancies in catering and other servicing of the planes, there’s issues with cargo screening, etc.

These issues are getting exposed by the red teaming which happens, but that doesn’t lead to a systematic set of balanced defenses.

As long as the President is asking “Is this effective against the kind of threat that we saw in the Christmas Day bombing?” we’ll know that the right threat models aren’t making it to the top.

Posted on December 22, 2010 at 7:15 AM

Hiding PETN from Full-Body Scanners

From the Journal of Transportation Security, “An evaluation of airport x-ray backscatter units based on image characteristics,” by Leon Kaufman and Joseph W. Carlson:

Abstract:

Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra used for imaging, device specifications and available images to estimate penetration and exposure to the body from the x-ray beam, and sensitivity to dangerous contraband materials. We show that the body is exposed throughout to the incident x-rays, and that although images can be made at the exposure levels claimed (under 100 nanoGrey per view), detection of contraband can be foiled in these systems. Because front and back views are obtained, low Z materials can only be reliably detected if they are packed outside the sides of the body or with hard edges, while high Z materials are well seen when placed in front or back of the body, but not to the sides. Even if exposure were to be increased significantly, normal anatomy would make a dangerous amount of plastic explosive with tapered edges difficult if not impossible to detect.

From the paper:

It is very likely that a large (15-20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter “high technology”. Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected.

EDITED TO ADD (1/12): Stephen Colbert on the issue.

Posted on December 17, 2010 at 2:13 PM

New TSA Security Test

I experienced a new TSA security check at Phoenix Airport last Thursday. The agent took my over-three-ounce bottle of saline, put a drop of it on a white cardboard strip, and then put a drop of another liquid on top of that. Nothing changed color, and she let me go.

Anyone know what the test is, and what it’s testing for?

Posted on December 10, 2010 at 2:11 PM

Sane Comments on Terrorism

From Michael Leiter, the director of the National Counterterrorism Center:

Ultimately, Leiter said, it’ll be the “quiet, confident resilience” of Americans after a terrorist attack that will “illustrate ultimately the futility of terrorism.” That doesn’t mean not to hit back: Leiter quickly added that “we will hold those accountable [and] we will be ready to respond to those attacks.” But it does mean recognizing, he said, that “we help define the success of an attack by our reaction to that attack.”

Sure, I’ve been saying this since forever. But I think this is the most senior government person who has said this.

EDITED TO ADD (12/8): There are enough essays with this sentiment that I’m going to stop blogging about it. Here’s what I have saved up.

Roger Cohen, “The Real Threat to America”:

So I give thanks this week for the Fourth Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

I give thanks for Benjamin Franklin’s words after the 1787 Constitutional Convention describing the results of its deliberations: “A Republic, if you can keep it.”

To keep it, push back against enhanced patting, Chertoff’s naked-screening and the sinister drumbeat of fear.

Christopher Hitchens, “Don’t Be an Ass About Airport Security.”

Tom Engelhardt, “The National Security State Cops a Feel.”

Evan DeFilippis, “A Nude Awakening—TSA and Privacy”:

If we have both the right to privacy and the right to travel, then TSA’s newest procedures cannot conceivably be considered legal. The TSA’s regulations blatantly compromise the former at the expense of the latter, and as time goes on we will soon forget what it meant to have those rights.

EDITED TO ADD (12/8): Also, this great comic.

Posted on December 8, 2010 at 7:10 AM


Sidebar photo of Bruce Schneier by Joe MacInnis.