
SANS ISC: InfoSec Handlers Diary Blog



How this weekend's attempted Terrorist attack relates to IT.

Published: 2009-12-28
Last Updated: 2009-12-28 16:08:41 UTC
by Joel Esler (Version: 4)
5 comment(s)

In case you were spending time with your family this weekend and not watching the news, there was an attempted Terrorist attack on a flight from Amsterdam to Detroit, USA on December 25th.  From what I understand this "terrorist" was on the flight, and as the plane was getting ready to land, tried to ignite something in his lap to catch the plane on fire, or cause it to explode.  (DHS is looking into which one it was supposed to be).

As a result, the US Gov't (and several foreign Gov'ts) stepped up security: adding more Air Marshals, increasing security screening at checkpoints, deploying explosive-sniffing dogs, and not allowing people to use PEDs (Portable Electronic Devices) during portions of the flight.

So, how does this relate to Information Security?

#1) Stepping up the security that didn't work in the first place

It's not enough to ramp up the security that obviously didn't work.  This suspect was able to get on board with some type of incendiary device.  (Notice I said "incendiary device", not PED.  I don't know why Gov't regulators and airlines insist on punishing things like DVD players and iPhones, etc., when something bad happens.)  In the normal reactionary mode, you would say "how did 'x' device get on board the plane and why didn't we catch it?"  Obviously, it's impossible to look for everything that people will invent to circumvent security policy; it's impossible to make air travel 100% safe.  Anytime you have that many people that want to do that many bad things, the "bad guys" will find a way to do something "bad".  It's inevitable.  The answer is compensating controls.  Ramping up more of the same isn't going to do it, but adding different controls that focus on different areas will help.  You can't lock down port 80 because there are too many attack vectors, but you can force people through a proxy and keep them from doing bad things using tools like Websense, etc.  But all of that doesn't matter if you allow external proxies and people can SSH out of the network.  If you lock down one area, you have to lock down them all.  At the end of the day, how much trust do you have in your users?  Some, none?

#2) Playing the Blame Game.

Oh, it was PEDs.  Oh, it was because we let the suspect out of their seat to retrieve something from the overhead bin.  Oh, it's because this person is running a non-standard configuration of IIS.  Oh, it's because this person is running Firefox instead of IE.  Stop blaming and fix the problem.  Don't sit in a meeting and say "Oh, well, it's because he was running that evil Mozilla and not our precious IE, that's how we got hacked!"  Don't blame the tool, blame the person for not patching the tool.  How can you get Firefox to update?  How can you keep people from installing it in the first place?  It's not about placing blame, it's about finding what went wrong and fixing the problem in a way that YOU CAN CONTROL.  Not allowing people to get up during a flight isn't going to work, because people are going to NEED to get up on a flight.  Not allowing people to use their iPods on flights isn't going to work, because people are going to do it anyway.  The big question is: what is the device the guy had and tried to ignite, and how did it get on the plane?

#3) Incorrect allowances.

In the words of the comedian Lewis Black: "...you can't bring a lighter on board the plane, but you can bring matches.  You can bring matches..  That's what is wrong with this country, your brain can't cope with that kind of logic."  We don't allow you to bring a lighter on board, to, you know, ignite things with, but you can bring matches on board.  I know I'll catch flak from the smokers who are reading this, and I understand, but listen: you can't smoke on a plane anyway.  There is no need for anyone to have anything that ignites past security.  "So how do we smoke in the airport?"  Well: 1) Don't.  2) Quit (yes, you can do it, I did), or 3) I am sure we can figure out some kind of electronic ignition device that we place in the smoking rooms in the airports.  All of today's modern technology, and we can't figure out how to NOT let people carry something that causes FLAME on a plane.  Allowing people to bypass one security control by compensating with an equally damaging one kinda defeats the purpose, doesn't it?  You don't allow people to run Firefox, but you allow them to run Safari.  You don't allow people to run OS X because you "can't control it" (yes, I've heard this), but you allow people to run Linux.  Poor examples, and I welcome more if you'd like, but you get my point.

From my armchair quarterbacking spot: how did the flame get on the plane?  How did the device get on the plane?  What was the device?

From Reuters:  Information on the explosive device:

"The device consisted of a six-inch (15-cm) packet of powder and a syringe containing a liquid, which were sewn into the suspect's underwear, according to media reports."

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
