A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Security Theater’ tag

Everything is a Big Ol’ Conspiracy

without comments

Can anything occur in this day and age without people claiming that it’s part of a conspiracy? Almost immediately after the shooting in Las Vegas, before any investigation had a chance to even begin, people were claiming that the event was part of some conspiracy. As with most conspiracy theories, this one is based on spurious evidence. So far the dumbest “evidence” that “doesn’t add up” is news that the shooter used the freight elevator at Mandalay Bay:

Law enforcement sources told CBS News that Las Vegas shooter Stephen Paddock is believed to have used the freight elevator at the Mandalay Bay hotel casino in the days leading up to last week’s deadly attack.

It wasn’t clear what Paddock used the freight elevator for or how often he used it.

How could the shooter have accessed a restricted freight elevator without help from the inside? Obviously this is proof that he had help!

Anybody who claims that doesn’t realize just how poor building security generally is. I’ve used freight elevators on numerous occasions, including in casinos, without authorization. They’re usually “hidden” behind a nondescript door or one with a sign that says “Employees Only.” In almost every case the door is unlocked and the elevator lacks any form of access control. If the owners of the building are really concerned about security, there might be a camera facing the freight elevator doors, usually one nobody is watching, and even that is pretty rare.

Another way of gaining access to a freight elevator is to ask the person working at the front desk if you can use it to haul up a bunch of luggage. As it turns out, the person at the front desk who is tasked with making the customer happy will often let you use the freight elevator if it makes you happy. Humans are often wonderfully helpful creatures.

So I’m sorry to report that using a freight elevator isn’t evidence that “doesn’t add up.” It adds up quite cleanly. Although I suspect that access control on freight elevators will become more common now that this information has been released.

Written by Christopher Burg

October 12th, 2017 at 10:00 am

Assume All Source Code is Open Source

without comments

Let’s pretend that you’re a fool and believe that security through obscurity works. Because of your foolish belief you sought out closed source security software. Since potential adversaries can’t see the source code, they can’t find vulnerabilities in it to attack you with, right? Not so much. Just because software is closed source doesn’t mean nobody is allowed to see the source code. Hewlett Packard Enterprise (HPE) recently granted Russia permission to review the source code of one of its security software packages:

Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity — such as a high number of failed login attempts — that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.

I don’t subscribe to the belief that open source software is inherently more secure (however, I do believe open source software offers several advantages over closed source software that are unrelated to security). I think the numerous critical vulnerabilities discovered in OpenSSL put that belief to bed. However, I also don’t believe that closed source software is inherently more secure. Just because a developer doesn’t share its source code with everybody doesn’t mean it doesn’t share its source code with third parties. In the case of HPE, one of the third parties granted access to its source code was an adversary of one of its customers.

If you’re purchasing software from a third party, you have no control over who it shares its source code with. So if you believe in security through obscurity, closed source software won’t offer you any advantage, perceived or otherwise.

Written by Christopher Burg

October 6th, 2017 at 10:00 am

Posted in Technology

But Wait, There’s More

without comments

Equifax already displayed a staggering level of incompetence, but like a Billy Mays commercial, there’s more:

The official Equifax Twitter account encouraged people to visit a knock-off website that mocks the company’s security practices instead of the site the company created to warn of a massive data breach. That recent breach exposed personal details for as many as 143 million US consumers.

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It’s almost as if large credit agencies like Equifax aren’t held accountable for screwing up and therefore aren’t motivated to do an effective job. Weird.

Statists continue to claim that government is necessary to deliver justice when large corporations like this screw up. However, I’m still waiting to see the government do anything more than give a corporation like this a minor slap on the wrist for fuck ups of this magnitude. Hell, I’m still waiting to see the government give Equifax a stern talking to over this series of amateur mistakes. As far as I can tell, government seems to exist primarily to protect large corporations like this from competitors that would currently be tearing it apart if there was a free market.

Written by Christopher Burg

September 22nd, 2017 at 10:30 am

Plan Ahead

without comments

Planning ahead can save you a great deal of grief, frustration, and money:

Two things are true of all festivals: the security is super tight and the booze is very expensive.

[…]

One guy from New York named Alex found an ingenious way to get past these two road blocks. Three weeks before the Electric Zoo festival in New York City, Alex travelled to the Randall’s Island where the event is located with a bottle of Vodka in arm.

He filled a reusable bottle with the Vodka and using a small shovel that he brought with him, Alex and his friends buried the bottle of booze in the ground a long time before the festival crew arrived to construct the stages for the event.

Alex is a real American hero (I know this story could be fake but I want it to be true so I’m going to believe it is).

On a more serious note, this tactic could also work for smuggling weapons into outdoor festivals. I wonder how many security providers have considered such a threat model. It’s also a difficult threat model to defend against since a security team would have to run metal detectors across the entire grounds and that would only offer protection against metallic weapons.

Written by Christopher Burg

September 14th, 2017 at 10:00 am

The TSA Continues Its 95 Percent Failure Rate

without comments

Two years ago we learned that the Transportation Security Administration (TSA) failed 95 percent of red team exercises. With such an abysmal record the agency must have been spending the last two years furiously improving its security screening processes, right? If the Minneapolis-St. Paul International Airport (MSP) is any indication, the TSA hasn’t improved its processes at all:

Last Thursday, what’s referred to as the “Red Team” in town from Washington D.C., posed as passengers and attempted to sneak items through security that should easily be caught.

In most cases, they succeeded in getting the banned items though. 17 out of 18 tries by the undercover federal agents saw explosive materials, fake weapons or drugs pass through TSA screening undetected.

Two sources said that the tests carried out Thursday were eventually stopped after the failure rate reached 95 percent.

It’s pretty sad when the exercise has to be stopped because the failure rate was only a hair’s breadth away from 100 percent.

I’m sure a spokesperson for the MSP TSA will have a list of excuses to try to explain away the 95 percent failure rating. But there’s no arguing that a 95 percent failure rating is tough to distinguish from having no security at all. If the TSA were abolished today and replaced with nothing, the only real difference would be that air travelers wouldn’t have to show up at the airport two hours early just to get through the security line and the taxpayers would save a lot of money. Of course the TSA wouldn’t be replaced with nothing, it would be replaced with private security, which would be a significant improvement. Unlike the TSA, which has faced no repercussions for its ongoing 95 percent failure rating, private security firms can be held accountable and are therefore motivated to improve.

Written by Christopher Burg

July 6th, 2017 at 10:00 am

Not Surprising for an Agency with a 95 Percent Failure Rate

without comments

Almost two years ago it was revealed that the Transportation Security Administration (TSA) missed a whopping 95 percent of restricted items. You would think that such a damning report would have led to a top to bottom rework of the agency’s practices. But the TSA is a government agency, which means it doesn’t suffer consequences for failing, unlike market actors, and therefore has no motivation to improve. That’s why, two years later, we still get to read stories like this:

An off-duty policewoman flew from Los Angeles international airport (LAX) to Taiwan with a gun in her hand luggage.

The weapon was not detected during security screening and Noell Grant only realised she was carrying it as she changed planes in Taipei.

At one point I noted that the TSA exists solely to provide warm and fuzzy feelings to passengers who are too ignorant to realize that the agency isn’t securing anything. But as these stories continue to roll out even ignorant fools are likely becoming aware of the fact that the TSA is just as ineffective as every other government agency. When that realization sets in the warm and fuzzy feelings of ignorance vanish, which means the agency serves no purpose whatsoever. The TSA should be completely abolished tomorrow.

Written by Christopher Burg

April 21st, 2017 at 10:00 am

Watch a Dying Business Thrash Desperately

without comments

I will go so far as to say that Let’s Encrypt revolutionized the Transport Layer Security (TLS) certificate market. While there were some free sources of certificates, the general rule remained that you had to pay if you wanted to implement a secure connection for your website. Then Let’s Encrypt was released. Now anybody can implement a secure connection for their website for free. On top of that, Let’s Encrypt greatly simplified the process of managing certificates. So it’s no surprise that certificate vendors are feeling the squeeze and responding desperately:

The fact that Let’s Encrypt is now being used to make phishing sites look legit is a total burn for us, and a potential house fire for users who rely on simple cues like the green padlock for assurance. According to certificate reseller The SSL Store, “between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal.'”

Keep in mind that the SSL Store is a provider of those incredibly overpriced certificates, so Let’s Encrypt’s mission isn’t necessarily in their interests. Even still, their post points out that the “vast majority of this issuance has occurred since November — since then Let’s Encrypt has issued nearly 100 ‘PayPal’ certificates per day.” Based on a random sample, SSL Store said, 96.7 percent of these certificates were intended for use on phishing sites.

The reseller added that, while their analysis has focused on fake PayPal sites, the firm’s findings have spotted other SSL phishing fakers, including Bank of America, Apple IDs, and Google.

The SSL Store paints a frightening picture. But the picture requires ignoring two facts.

First, TLS doesn’t verify whether a website is legitimate. TLS verifies that the host name you’re connecting to matches one of the names in the certificate presented by the server and that the certificate chains to a certificate authority your browser trusts. For example, if you connect to https://paypaltotallyascam.com, your browser checks that the certificate was issued for paypaltotallyascam.com and that a trusted authority signed it. That is all the padlock means: an encrypted, authenticated connection to that domain. TLS is not magical and cannot determine whether the site is a scam or not.

Second, you can’t even get a certificate from Let’s Encrypt unless you control a registered domain name; its certificates are domain validated, which means proving control of the name and nothing more. So why is Let’s Encrypt getting all of the blame but not the domain registrar that allowed the lookalike domain to be registered in the first place? Because domain registrars aren’t a threat to The SSL Store’s business model, Let’s Encrypt is.
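To make both points concrete, here is an added example in Python (not code from the original post or from Let’s Encrypt or The SSL Store). The first function does host name matching the way a TLS client does it; the second is the kind of substring sweep that produces a “certificates containing the word PayPal” count. The certificate names in `SAMPLE_CERTS` are constructed for illustration and are not real issuance data.

```python
"""Hostname verification the way a TLS client does it, next to the kind of
keyword sweep behind 'N certificates containing the word PayPal'.

Added example, not code from the original post. All certificate names below
are constructed for illustration; none of this is real issuance data."""

import re

# Constructed subjectAltName dNSName entries from four hypothetical certificates,
# in the shape a Certificate Transparency crawl would hand back.
SAMPLE_CERTS = {
    "cert-1": ["paypal.com", "www.paypal.com"],
    "cert-2": ["paypaltotallyascam.com", "www.paypaltotallyascam.com"],
    "cert-3": ["*.paypal-secure-login.example"],
    "cert-4": ["example.org"],
}

# A hostname label: letters, digits, hyphen, 1-63 chars (after lowercasing).
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def _labels(name: str) -> list:
    """Lowercase, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def match_hostname(san_dns_names, hostname: str) -> bool:
    """Return True if `hostname` matches any dNSName in the certificate's SAN.

    The rules are those of RFC 6125 section 6.4.3 as browsers apply them:
    comparison is case-insensitive and label by label; a wildcard must be the
    entire left-most label, matches exactly one label, never matches the bare
    parent name, and is refused on names with fewer than three labels ('*.com').
    Nothing here says who operates the site, only that the name lines up.
    """
    host = _labels(hostname)
    if not all(LABEL_RE.match(lbl) for lbl in host):
        return False
    for san in san_dns_names:
        pat = _labels(san)
        if not any("*" in lbl for lbl in pat):
            if host == pat:
                return True
            continue
        # Wildcard present: accept only '*' as the whole left-most label,
        # with at least two fixed labels to its right.
        if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
            continue
        if len(host) == len(pat) and host[1:] == pat[1:]:
            return True
    return False


def brand_lookalikes(cert_sans: dict, brand: str, legit_domains) -> list:
    """Return (cert_id, san_name) for every SAN that contains `brand` but is
    neither one of the brand's own registrable domains nor a subdomain of one.

    This is the whole trick behind a 'certificates containing PayPal' count:
    a substring search over issued names. The same sweep could be run over
    registrar data, because the name existed before any CA saw it.
    """
    brand = brand.lower()
    legit = {d.lower().rstrip(".") for d in legit_domains}
    hits = []
    for cert_id, names in cert_sans.items():
        for name in names:
            bare = ".".join(lbl for lbl in _labels(name) if lbl != "*")
            if brand not in bare:
                continue
            if bare in legit or any(bare.endswith("." + d) for d in legit):
                continue
            hits.append((cert_id, name))
    return hits


if __name__ == "__main__":
    # A browser connecting to https://paypaltotallyascam.com is perfectly happy
    # with cert-2: the name matches. Legitimacy was never part of the check.
    print(match_hostname(SAMPLE_CERTS["cert-2"], "paypaltotallyascam.com"))  # True
    print(match_hostname(SAMPLE_CERTS["cert-1"], "paypaltotallyascam.com"))  # False
    for cert_id, name in brand_lookalikes(SAMPLE_CERTS, "paypal", ["paypal.com"]):
        print(f"{cert_id}: {name} looks like a PayPal lookalike")
```

Note what `match_hostname` never consults: who owns the name, what the site does, or whether the word “paypal” appears in it. Those are exactly the questions `brand_lookalikes` asks, and it needs nothing from the CA to ask them; the registrar’s zone file would serve just as well.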

This report by The SSL Store is nothing more than the desperate thrashings of a dying business model.

Written by Christopher Burg

April 4th, 2017 at 10:30 am

More Security Theater at the TSA

with one comment

The Transportation Security Administration (TSA) has a sordid record when it comes to airport security. Since airport security is the agency’s primary job and it hasn’t been doing an effective job at providing it, you might expect it to, you know, try to improve its capabilities. Instead the agency has been doubling down on security theater. But the best part is that the agency realizes that its efforts are theater:

If you’ve ever suspected that the TSA’s airport behavior screening (where it looks for visual signs of lying or stress) was just another example of ineffective security theater, you now have some science to back up your hunches. Thanks to a lawsuit, the ACLU has obtained TSA files showing that the organization has pushed and even expanded its “behavior detection” program despite a lack of supporting evidence. While the TSA maintains that it can detect signs of shady activity through fidgeting, shifty eyes and other visual cues, studies in its files suggest just the opposite — you’d have just as much success by choosing at random. And those are in controlled conditions, not a busy airport where anxiety and stress are par for the course.

The TSA hasn’t thwarted a single terrorist attack since it was founded. It hasn’t even done anything noteworthy in the field of security. The only thing the agency has managed to do is bolster the profits of bottled water manufacturers by stealing air travelers’ water and forcing them to buy more inside of “secure” areas. Yet this agency continues to exist. It continues to exist because the government that established it believes stealing your money and giving it to one of its entirely ineffective agencies is fiscally responsible.

The next time some statist dipshit tells you that taxes aren’t high enough remind them that a ton of tax money is being irresponsibly dumped into agencies like the TSA.

Written by Christopher Burg

February 9th, 2017 at 11:00 am

Denial of Service Attacks are Cheap to Perform

without comments

How expensive is it to perform a denial of service attack in the real world? More often than not the cost is nearly nothing. The trick is to exploit the target’s own security concerns:

A flight in America was delayed and almost diverted on Tuesday after a passenger changed the name of their wi-fi device to ‘Samsung Galaxy Note 7’.

An entire flight was screwed up by simply changing the SSID of a device.

Why did this simple trick cause any trouble whatsoever? Because the flight crew was more concerned about enforcing the rules than actual security. There was no evidence of a Galaxy Note 7 being onboard. An SSID is an arbitrary, self-reported string; since anybody can set their device’s SSID to anything they want, the presence of the SSID “Samsung Galaxy Note 7” shouldn’t have been enough to cause any issues. But the flight crew allowed that, at best, flimsy evidence to spur them into a hunt for the device.

This is why performing denial of service attacks in the real world is often very cheap. Staffers, such as flight crew, seldom have any real security training so they tend to overreact. They’re trying to cover their asses (and I don’t mean that as an insult, if they don’t cover their asses they very well could lose their job), which means you have an easy exploit sitting there for you.

Written by Christopher Burg

December 23rd, 2016 at 10:30 am

TSA Warning About Slave ID Deadline

with one comment

Minnesota is one of the few remaining states that has told the federal government where to stick its REAL Slave ID requirements. If you do live in Minnesota and you really want an official Slave ID you can pay an extra $15 and go through the additional hassle necessary to convert your driver’s license, but it’s not required.

While it’s been known that the Transportation Security Administration (TSA) would begin requiring Slave IDs to board aircraft, the exact deadline has remained unknown. Soon the TSA at the Minneapolis-St. Paul International Airport will post signs indicating that the deadline will be January 22, 2018:

MINNEAPOLIS (KMSP) – Signs will soon be posted at Minneapolis-St. Paul International Airport with a warning that your current Minnesota driver’s license won’t be enough to pass through security in 2018.

Starting Jan. 22, 2018, you will need an alternate ID to fly if you have a standard driver’s license or ID card issued by any of the following states: Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina or Washington. Alternate forms of ID include a passport, military ID, or permanent resident card. You can find a full list of accepted ID at https://www.tsa.gov/travel/security-screening/identification

If you live in Minnesota and wish to travel on an airplane you should consider getting a passport. In fact, if you live in the United Police States of America you should consider getting a passport just so you have the option to leave this forsaken Orwellian nation.

I hope the Minnesota government continues to push against the Slave ID requirements but I fear that they’re going to kowtow to their federal masters before the deadline.

Written by Christopher Burg

December 16th, 2016 at 11:00 am