Entries Tagged "homeland security"

Page 10 of 37

Loaded Gun Slips Past TSA

I’m not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I’m sure the TSA doesn’t catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they’re going to call the police and totally ruin his day. A terrorist can’t build a plot around succeeding.

It’s things like liquids that are the real problem. Because there are no consequences to trying—the bottle of water just gets thrown into the trash—a terrorist can repeatedly try until he succeeds in slipping it through.

I asked then-TSA Administrator Kip Hawley about this in 2007. He didn’t answer.

Posted on January 14, 2011 at 11:03 AMView Comments

Surviving a Terrorist's Nuclear Attack

Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb.

A terrorist bomb is likely to be relatively small—possibly only a fraction of the Hiroshima bomb’s explosive power—and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to lesser damage or to fallout radiation (this nuclear weapons effects calculator from the Federation of Atomic Scientists will let you see the effect of different sized bombs burst at different heights). Because of this, Homeland Security people in the Obama Administration have been encouraging a duck-and-cover approach, followed by advice to “shelter in place” against fallout rather than trying to evacuate the area.

Posted on January 14, 2011 at 7:07 AMView Comments

The Security Threat of Forged Law-Enforcement Credentials

Here’s a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense’s military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[…]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designed as “Restricted Area” or “Authorized Personnel Only” and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn’t try it getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

I’ve written about this general problem before:

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I’d like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification—with picture—that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they’re more manageable than what we have now.

Posted on January 13, 2011 at 8:00 AMView Comments

TSA Inspecting Thermoses

This is new:

Adm. James Winnefeld told The Associated Press Friday that the Transportation Security Administration is “always trying to think ahead.” Winnefeld is the head of the U.S. Northern Command, which is charged with protecting the homeland.

TSA officials had said Thursday that in coming days, passengers flying within and to the U.S. may notice additional security measures related to insulated beverage containers such as thermoses.

Winnefeld says officials responsible for homeland security are always a bit more alert over the holiday season. He says there has been a lot of chatter online about potential terror activity, but nothing specific.

Posted on December 29, 2010 at 11:09 AMView Comments

Adam Shostack on TSA Threat Modeling

Good commentary:

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I’ll suggest “how do you model future threats?” as an excellent place to start.

Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there’s discrepancies in catering and other servicing of the planes, there’s issues with cargo screening, etc.

These issues are getting exposed by the red teaming which happens, but that doesn’t lead to a systematic set of balanced defenses.

As long as the President is asking “Is this effective against the kind of threat that we saw in the Christmas Day bombing?” we’ll know that the right threat models aren’t making it to the top.

Posted on December 22, 2010 at 7:15 AMView Comments

Hiding PETN from Full-Body Scanners

From the Journal of Transporation Security, “An evaluation of airport x-ray backscatter units based on image characteristics,” by Leon Kaufman and Joseph W. Carlson:

Abstract:

Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra used for imaging, device specifications and available images to estimate penetration and exposure to the body from the x-ray beam, and sensitivity to dangerous contraband materials. We show that the body is exposed throughout to the incident x-rays, and that although images can be made at the exposure levels claimed (under 100 nanoGrey per view), detection of contraband can be foiled in these systems. Because front and back views are obtained, low Z materials can only be reliable detected if they are packed outside the sides of the body or with hard edges, while high Z materials are well seen when placed in front or back of the body, but not to the sides. Even if exposure were to be increased significantly, normal anatomy would make a dangerous amount of plastic explosive with tapered edges difficult if not impossible to detect.

From the paper:

It is very likely that a large (15-20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter “high technology”. Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected.

EDITED TO ADD (1/12): Stephen Colbert on the issue.

Posted on December 17, 2010 at 2:13 PMView Comments

New TSA Security Test

I experienced a new TSA security check at Phoenix Airport last Thursday. The agent took my over-three-ounce bottle of saline, put a drop of it on a white cardboard strip, and then put a drop of another liquid on top of that. Nothing changed color, and she let me go.

Anyone know what the test is, and what it’s testing for?

Posted on December 10, 2010 at 2:11 PMView Comments

Never Let the Terrorists Know How We're Storing Road Salt

This seems not to be a joke:

The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk.

[…]

Chiaffarano filed an OPRA request for the state’s building plans, but was denied her request as the state cited a 2002 executive order by Gov. James McGreevey.

The order, issued in the wake of the Sept. 11 terrorist attacks on the World Trade Center and the Pentagon, allows the state to decline the release of public records that would compromise the state’s ability to “protect and defend the state and its citizens against acts of sabotage or terrorism.”

Lisa Ryan, spokeswoman for the Department of Community Affairs, declined to comment on the pending lawsuit.

Posted on December 8, 2010 at 2:27 PMView Comments

1 8 9 10 11 12 37

Sidebar photo of Bruce Schneier by Joe MacInnis.