Tag Archives: Security Theater

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

Airport security and Defense in Depth

I know this Blog is devoted primarily to computer security, specifically emphasizing Malware issues. I’d like you to indulge me for a small side trip to another area of security that impacts most of us, and hopefully this will fire some stray neurons and perhaps give ideas and insight to how we do business.

This all started during one of my latest business trips. We’re told flying is a privilege, not a right, or necessity. I, like so many business travelers, get annoyed being treated as a criminal because I have the audacity to travel by air for business needs. So, let me get things right, I pay for the privilege of being treated as a potential terrorist because in the course of conducting commerce, my employer sees a business need for me to fly to my destination? I also have the honor of paying $25 to check a bag so I can have the luxury of clean clothes when I arrive at my destination? Now I have the honor of sitting next to someone whose weight is such that the seat back tray can not come completely down, while he’s overlapping my already too tight seat, forcing me into the aisle/ wall? Now, my noise-canceling ear buds are worth every penny I paid, but where can I get odor blocking nose buds to block the garlic and other odors emanating from my seatmate? Add in maintenance or weather flight delays, running to gates, layovers longer than three hours, and suddenly I’m not feeling so privileged, and am understanding why fewer people are flying.

It was about this point in my flight when I started playing the old game of “what if”. In this case, what if I owned a domestic airline? How would I address security while making the customer feel more comfortable? I think rather naturally, my first thought went to my seat-mate, and I thought, if you need a seatbelt extender, you need to buy a second seat. Sorry if this offends anyone, and I know they’re shrinking seat size to fit more people on already increasingly full flights, and people of average sizes are cramped but I’m thinking he had to be as uncomfortable as I was, and a second seat (while increased expense to him) would have alleviated that issue rather handily. Next and probably the most revealing thing came when I tried opening my baggie of “Mini Pretzels”. That baggie of airline supplied snacks did not want to open, and I was reduced to using my teeth to get a tear started. Now normally I’d reach into my pocket and pull out my Leatherman Brand multi-tool, and use the knife blade to cut open the bag, but due to security, it was in my checked baggage. Here we go I can hear the cries now, “what kind of uncivilized fool carries a knife in this day and age?”, “Typical Yank, needs his knife and gun”, etc. Well, according to my education, it’s uncivilized and unsanitary to use your mouth to open packages. If memory serves right, Miss Manners said something about the practice lacking proper etiquette. I was taught early it was simple tools like the knife that elevated us above animals, and made our behaviors less animalistic.

Proceeding on the line of thought, I thought about why these rules were in place. The answer came down to preventing skyjacking and making the flying public feel more secure in their flight. Well now, here I am in my element, SECURITY. So let’s take a look at the security and vulnerabilities of modern aircraft. As many have written previously, the flight deck is the weakest point of any aircraft. Like others before me I thought of the isolation of the bridge and flight crew, separate entry points, toilet facilities, rest facilities, etc.

Then a light bulb went off. The weak point isn’t the flight deck, but like in most security issues the personnel. The flight crew itself is the weak point. They are the ones who are directly attacked to gain control of the aircraft. So if we remove them (and flight controls) the aircraft is secure against any kind of take-over attack, right? So who flies the planes? Simple, the same people.

The fact is, most modern aircraft already fly from near take-off to landing by computer, add to this the advances on remotely manned aircraft (such as the ‘unmanned’ drones in the warzones), and the U.S. Air Force openly talking about unmanned fighters in the not so distant future, why not in commercial aircraft? I realize some people are not going to be comfortable without a face they can put “in control”, so it maybe necessary for the short term to have a flight trained deck officer with a manual override capability on each flight. However, as people become more accustomed to the technology, this need will go away. The manual override will need to be designed so that the on-board crew can not activate it themselves, unless some critical event occurs and the aircraft loses communications with the ground, or a ground controller agrees making a two-key type system.

Now, with no flight deck, box cutters, guns, or even bomb threats have no value. There’s no one to take control from. That being the case, there is no need for everyone to be treated as a criminal and go through metal detectors, have our bags scanned and searched, or even go through the full body scanners. The only legitimate threat is explosives, and the destruction of the aircraft.

Looking from a skyjacker/ terrorist point of view, they already know that after 9/11, passengers will not allow an aircraft to be taken over and used as a weapon again. That’s why we’re already seeing attacks like the shoe and underwear bombers. This threat can be addressed by a more cost effective low tech manner, namely well trained K-9s. Think of it, no more security lines, one (or more) dog team behind the baggage check to sniff checked baggage, and several roaming the facility and at congestion points and boarding gates.

So a quick recap, less security officers would be needed, less flight crews, pilots could work from central facilities (like the military drone operators do), enabling them to work 8 hour shifts with less pilot fatigue, and errors like overshooting airports due to pilot inattention. Pilots may even be able to monitor multiple simultaneous flights, if not, at least, moving from one flight to the next is under 5 minutes. Giving increased turn around time. Some will question the wisdom of not checking for knives and firearms. I ask you to use logic and not emotions. Most murderers want to get away; they’re not going on a killing binge on an aircraft where they are already a prisoner with no escape route. As for mass murder/ suicide, other passengers will not be defenseless, and will be able to stop an evil doer before it gets out of hand.

What about explosive decompression? The well educated know this is simply Hollywood hype and not a threat to a modern aircraft from a firearm.

I do believe this to be technically feasible. However I don’t think this will ever happen. Simply because it’s a real security solution, not security theater. Governments will lose control of some power over the traveling public. People will lose jobs, Unions will lose members (and the resulting income and power), and this does not play to people’s fears and emotions, nor provide a visual “security blanket”. Finally, like any security solution, it’s not perfect, but for once a real security solution, that would produce solid results at reduced costs and increased liberties.

Now I know this is already long, but to tie it to the computer security world, how many of our efforts are security theater, rather than actually addressing the root security issue? How many times do we have to put in a layer to provide a feeling of security with out being beneficial and inadvertently impacting our customers? Just something to think about next time we’re asked to “do something”, and if anyone from the airline wants to implement my ideas, I’d welcome it.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator