The InfoSec Blog

Former Head Of Airport Security: ‘The TSA Couldn’t Save You From

Posted by Anton Aylward

http://www.businessinsider.com/problems-with-tsa-2013-12

Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.

His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.

Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/

Tagged as: , , , , No Comments

Learning to Counter Threats – Skills or Ethics?

Posted by Anton Aylward

Fellow CISSP  Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, `social engineer,' etc.) by practising lying (conning, `social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice

  •  writing viruses,
  •  picking locks,
  •   penetrating firewall-protected networks,
  •  cracking safes,
  •  initiating and exploiting buffer overflows, or
  •  engaging in any other practice that is useful to and used by the bad guys.

We can't build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.

How to get a job in security

Posted by Anton Aylward

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/

I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.

What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.

If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.

But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:

NEWARK, NJ - DECEMBER 27:  A stranded traveler...

Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.

Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.

He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.

That really inspires confidence in the system, doesn't it?

So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?

Think again:

Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.

Might we suspect a disgruntled ex-lover?

Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.

Oh, right, there are so many of them, that level of investigation is impractical.

Didn't Bruce Schneier say something about the TSA's approach being impractical, being "Security Theatre"?

Enhanced by Zemanta