Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: How this weekend's attempted Terrorist attack relates to IT. - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
How this weekend's attempted Terrorist attack relates to IT.

In case you were spending time with your family this weekend and not watching the news, there was an attempted Terrorist attack on a flight from Amsterdam to Detroit, USA on December 25th.  From what I understand this "terrorist" was on the flight, and as the plane was getting ready to land, tried to ignite something in his lap to catch the plane on fire, or cause it to explode.  (DHS is looking into which one it was supposed to be).

As a result, the US Gov't (and several foreign Gov'ts) stepped up security.  Adding more Air Marshalls, increasing security screening at checkpoints, explosive sniffing dogs, and not allowing people to use PED's during portions of the flight.  (PED = Portable Electronic Devices).

So, how does this related to Information Security?

#1) Stepping up the security that didn't work in the first place

It's not enough to ramp up the security that obviously didn't work.  This suspect was able to get on board, with some type of incendiary device.  (Notice I said "Incendiary device", not PED.  I don't know why Gov't regulators and Airlines insist on punishing things like DVD players and iPhones, (etc) when something bad happens.)  In the normal reactionary mode, you would say "how did 'x' device get on board the plane and why didn't we catch it?"  Obviously, it's impossible to look for everything that people will invent to circumvent security policy, it's impossible to make your air travel 100% safe.  Anytime you have that many people that want to do that many bad things, there is a way that the "Bad guys" will find a way to do something "Bad".  It's inevitable.  The answer is compensating controls.  Ramping up more of the same isn't going to do it.  But doing additional things that are different that focus on different areas will help.  You can't lock down port 80 because there are too many attack vectors.  But you can force people through a proxy and keep them from doing bad things using tools like Websense, (etc).  But all of that doesn't matter if you allow external proxies and can SSH out of the network.  If you lock down one area, you have to lock down them all.

#2) Playing the Blame Game.

Oh, it was PED's.  Oh, it was because we let the suspect out of their seat to retrieve something from the overhead bin.  Oh, it's because this person is running a non-standard configuration of IIS.  Oh, it's because this person is running Firefox instead of IE.  Stop blaming and fix the problem.  Don't sit in a meeting and say "Oh, well, it's because he was running that evil Mozilla and not our precious IE, that's how we got hacked!"  Don't blame the tool, blame the person for not patching the tool.  How can you get Firefox to update?  How can you keep people from installing it in the first place?  It's not about placing blame, it's about finding what went wrong and fixing the problem in a way that YOU CAN CONTROL.  Not allowing people to get up during a flight isn't going to work, because people are going to NEED to get up on a flight.  Not allowing people to use their iPods on flights isn't going to work, because people are going to do it anyway.  The big question is, what is the device the guy had and tried to ignite, and how did it get on the plane?

#3) Incorrect allowances.

In the words of the comedian Louis Black "...you can't bring a lighter on board the plane, but you can bring matches.  You can bring matches..  That's what is wrong with this country, your brain can't cope with that kind of logic."  We don't allow you to bring a lighter on board, to you know, ignite things with, but you can bring matches on board.  I know I'll catch flack from the Smokers who are reading this, and I understand, but listen..  you can't smoke on a plane anyway.  There is no need for anyone to have anything that ignites past security.  "So how do we smoke in the airport", well..  1) Don't.  2) Quit, (Yes, you can do it, I did) or 3) I am sure we can figure out some kind of electronic ignition device that we place in the smoking rooms in the airports.  All of today's modern technology, and we can't figure out how to NOT let people carry something that causes FLAME on a plane.  Allowing people to bypass one security control by compensating with an equally damaging one kinda defeats the purpose doesn't it?  You don't allow people to run Firefox, but you allow them to run Safari.  You don't allow people to run OSX because you "can't control it" (yes I've heard this), but you allow people to run Linux.  Poor examples, and I welcome more if you'd like, but you get my point.

From my armchair quarterbacking spot, how did the flame get on the plane?  How did the device get on the plane?  What was the device?  

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Joel

454 Posts
ISC Handler
I really enjoyed points #1 and #2...

As far as the lighter vs. matches thing goes, I think the idea there is that a lighter can contain more flammable material than that of a match stick. It is not to deny access to the ability to strike a flame, but to deny access to extremely flammable material like lighter fluid (or anything else you can put in a lighter).

Besides, if someone smuggles a stick of dynamite onto a plane don't you think you have bigger things to worry about than whether or not they have a match/lighter with which to ignite it? There are many other ways, smaller than either a lighter or a book of matches, to create a spark. It's the flammable/explosive material that is of greatest concern.
Anonymous
I'd give airline security a solid B+. </sarc>

Honestly, it's a joke. High pita factor, little real security. At most, they should check my sidearm when I board to make sure I'm loaded with frangible ammo.

Anonymous
On the lighters versus matches thing: Nothing to do with how dangerous any item is. Everything to do with how easy or difficult it is to detect the item.

Most lighters are easy to catch in a patdown and by an xray image. Matches are much more difficult to detect either with patdowns or x-rays.

So they ban what they have a chance of seeing.

And it's every bit as (in)effective as signature-based antivirus is.
peter

17 Posts
To correct some facts, "common lighters" are allowed on carry-on baggage (i.e. not "torch" style lighters) as well as one pack of safety matches (i.e. not strike-anywhere matches). See this TSA page for details - http://www.tsa.gov/travelers/airtravel/assistant/editorial_multi_image_with_table_0099.shtm

Notice the point about confiscating 22,000 lighters per day prior to the new rule. I assume the Lewis Black quote came before Aug 2007.

Here is the full list of prohibited items - http://www.tsa.gov/travelers/airtravel/prohibited/permitted-prohibited-items.shtm
peter
4 Posts
The somewhat ironic thing is the lighter ban was instituted after the attempted "shoe bombing," where the bomber attempted (unsuccessfully) to light the fuse with a match.

Another irony is that fear of terrorism never made me consider not flying, but the security theater we now have to go through *has*. I've had one bad experience too many with badge-heavy, wanna-be cop TSA agents. My next trip is going to be on Amtrak.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!