New Perspective on Airline Security

In these post-September 11 days, when we think of airline security, we tend to think about screening passengers for weapons and using technologies such as CAPPS (the Computer Assisted Passenger Pre-screening System) to determine a threat assessment for each passenger. However, on a recent flight to Chicago, as I watched the people around me break out their laptops and plug into their MP3 and DVD players as soon as we reached cruising altitude, it occurred to me that there are many types of security with which the airlines (and those of us who fly on them) should be concerned.


I considered the fact that in the case under my seat, I had a Tablet PC, an iPAQ 4155 and a mobile phone. All duly turned off and stowed away during takeoff and landing, per the flight attendant’s instructions. But then, I tend to be pretty compliant regarding laws and regulations. What about all those other electronic devices on the plane?


We’re told that the reason we can’t use our gadgets and toys until we reach cruising altitude is because they might interfere with the airplane’s navigation controls. Now there’s a scary thought, if you take a moment to actually think about. If my laptop can interfere with flight controls during takeoff and landing, isn’t there a possibility that it could do the same during level flight? I was told by an Australian acquaintance recently that their airlines prohibit use of computers at any time during a flight. If it’s not safe for them to turn on the laptop after the seatbelt light goes off, why is it safe for us?


And do you really believe that everybody on the plane remembers to turn off their cell phones and the wireless transmitters on their handhelds (if they even know how) every time during takeoff and landing? Is the fourteen year old listening to the radio through her earphones and not paying any attention to the flight attendant going to cause my plane to crash on approach to the runway? 


Makes you wonder if those devices really pose the threat we’re told they do. If so, should they even be allowed in the cabin at all?


But things may get even more complicated soon. Some airlines have already begun offering high speed Internet access during flight. Lufthansa was one of the first, at $19.99 to $29.99 per flight, or $9.99 for half an hour. The service will undoubtedly become more common over the next few years (unless, of course, ‘Net-connected airplanes start falling out of the sky for no reason). I’m just as excited as the next guy about the prospect of surfing the Web or VPNing back to the home network from 30,000 feet, but I can’t help but wonder what new challenges and problems this will bring. Now, in addition to worrying about our seat-mates reading our computer screens from the side, will we need to worry about being hacked by the guy over in 17A?


Technology is advancing quickly – perhaps more quickly than we can keep up with it. It certainly gives you something to think about as you stare out the window at the tops of the clouds.

Security and the Pocket PC

I love my Pocket PC. That wasn’t always the case. I’ve always WANTED to love them, always loved the concept of the handheld computer, but for the longest time I just couldn’t. I bought a couple, always with high hopes — but found myself abandoning them after a month or so. I liked the functionality: calendar, contacts, copies of my e-mail, ability to read and work on Word or Excel documents. But the old PPCs reminded me of the problem that police officers had with the sophisticated PR-24 sidehandle baton back when I was a cop. It was a great gadget, but it never seemed to be with me when I really needed it.


That’s because, like the sidehandle baton, my old Casio PPC was portable but not portable ENOUGH to be comfortable. It measured 5 x 3 1/4 by 3/4 inches. Tiny for a functional computer, but too big and weighty to really, comfortably carry in a pocket. The other problem was lack of connectivity. It was neat that I could go to a Web site with Pocket IE — but I had to have the PPC in its cradle to do so. That meant it was sitting right next to my desktop computer. So I might as well use my desktop’s Web browser rather than try to surf on the tiny screen. Sure, I could buy an add-on card to give me wi-fi capabilities, but that would add even more to the size and weight of the device. If I wasn’t sure I was going to need a computer, I mostly didn’t bother to take it with me. And if I WAS sure I was going to need a computer, it was almost as easy to take the laptop and get much more functionality. I admired the little computer, but I wasn’t in love.


Then I found the iPAQ 4155 and here I am, head over heels. It’s truly tiny — I can put it in a pocket or on my belt and barely notice it’s there. And it has built-in 802.11b wireless that works like a dream and still keeps the SD card slot open for an additional 512MB of memory. I don’t leave home without it.


But wireless connectivity — along with the fact that I take it with me more — means I have to think about something that was less of a concern with the old Casio: security. That includes physical security (all portable devices are vulnerable to loss or theft), data security and network security. Luckily, there are a number of good software packages that can add multiple layers of security to the PPC. I discuss some of the methods for securing a Pocket PC in my article at http://www.windowsecurity.com/articles/Securing-Pocket-PC.html. Don’t leave home without them.

Blaming the Victims of Security Breaches

The “blame the victim” mentality is prevalent in many facets of society today. Cities pass ordinances that make it an offense to leave things of value in view inside your vehicle, lest some just-in-time thief be tempted and break in to take it. Victims of motor vehicle burglaries are astonished, when they report the crime, to find themselves receiving a ticket.


Blaming the victim is an attitude that’s seeping into the computer security arena, as well, in several different forms. I recently read an article by a fellow security expert that “if you leave something unlocked, you invite crime.” [my emphasis]. That sounds a little like the old (and thankfully, pretty much abandoned) idea that a rape victim whose dress was a little short was “asking for it.” I’ve heard and read similar statements on numerous occasions, with some going so far as to say that computer users who don’t have all the OS patches installed, AV updates and properly configured firewalls installed “deserve what they get.” Ouch!


Sure, we all need to take responsibility for protecting ourselves and doing our parts to protect our networks and The Network. But let’s get real about who bears the BLAME for DoS and other attacks, viruses and worms, etc. — that’s the person(s) who launched them.


Another popular variant on the “blame anybody except the person who did it” theme is to bash the software vendor for not creating a perfectly secure OS or application. Well, guess what? There’s no such animal, and never will be.


Back in my “previous life,” when I was teaching defense tactics to embryonic cops at the police academy, one important block of instruction was weapon retention. A disturbingly high number of police officers are killed each year with their own guns, and it’s essential to know how to defend against an attempt to take yours away from you. However, there were always a couple of kids in each class who knew it all, and discounted weapon retention training because they were going to use so-called “security holsters.” These are holsters designed to make it more difficult to get the gun out, to help thwart just such an incident. The problem was that, when many of these folks got to the range for firearms training, they couldn’t draw and fire their weapons in an acceptable amount of time. Oops!


Does that security holsters are useless? No – but it does illustrate an important point that carries over to my current incarnation as a network security author, trainer and consultant: security and accessibility are always on opposite ends of a continuum, and the more you have of one, the less you have of the other. A good security holster can provide an extra measure of protection – if you practice faithfully to burn the moves required to draw your weapon into muscle memory (standard theory is that it takes about 3000 initial reps to do that, plus ongoing, regular practice to maintain it). However, there is no 100% secure holster (just as there is no 100% secure piece of software) and if there were, you (authorized users) wouldn’t be able to get to your weapon (data) yourself.


I believe we can educate users on how to make themselves safer from hackers, crackers and network attackers without painting them as being somehow complicit in the crime if they do get victimized. And I think we can encourage software vendors to do all they can to make their code secure without making them out to be bigger villains than the real bad guys.

Computer Security for Kids

There seems to be an assumption, at least on the parts of less tech-savvy parents, that all kids are computer whizzes. After all, the parents often have to call on their teenagers or pre-teens to figure out how to operate their own computers. In many cases, it’s true that today’s youngsters, who literally grew up with computers, are able to pick up on technology faster. But that leads to another assumption: that because the kids know how to use the computers, they also know something about protecting themselves and their systems. And that is not necessarily true.


I think there is a security gap here; schools are teaching computer literacy but they aren’t necessarily teaching computer security to the extent and as early as they need to. That leaves a lot of kids out there on the ‘Net without the knowledge they need, exposing a lot of systems to viruses, attacks, and more. It’s sort of like teaching the kids how to operate a car in driver’s ed, but not teaching them anything about driver safety.


We computer book authors, trainers and speakers haven’t been paying a lot of attention to the younger set, either. Many of our tech books are a little on the dry side, even for adults. Given the attention spans of members of the MTV generation, many of them aren’t going to be interested unless we specifically target them. Recently I got a look at a book that does just that.


“Always Use Protection: A Teen’s Guide to Safe Computing” by Dan Appleman (published by Apress) impressed me as much by the author’s writing style as anything else. All the information in the book is available elsewhere, but his presentation is such that I think kids just might read it. I don’t know how old the author is, but it’s obvious that he is actually involved with teenagers and knows their language and what they’re doing on their computers. He neither talks down to them nor over their heads.


He covers many of the most common scams, explains concepts such as computer forensics and identity theft without getting bogged down in technical jargon or legalese, and describes both the dangers (malicious code, viruses, email scams and attacks) and preventative technologies (firewalls, anti-virus, security updates, good password practices) in a straightforward manner. The book is divided into logical sections: Protecting Your Machine, Protecting Your Privacy, and Protecting Yourself. It’s actually a good introduction to computer security at a very high level for new computer users of any age.

Stormy Weather and The Cost of Security

It’s been a crazy couple of weeks, first last week with Tom off to TechEd (representing us both this time — to all those I missed out on seeing, my regrets and hopes that next year I’ll get a chance to be there too) me holding down the fort here. Then this week we’ve been battling Mother Nature, with the Dallas-Ft. Worth area being pounded by storms almost every night. We spent one evening couped up in our “safe room,” a small bathroom in the middle of the house downstairs, with tornado sirens going off around us and two very confused cats wondering what was going on. The next night, high winds had a live power line on our street dancing and sparking, and we lost our electricity. We were lucky, though — there were over 200,000 people in the area who were without power for days instead of hours.


All of this started me thinking about how most of us, even we “security experts,” tend to take chances in at least some areas of our lives. I have my service packs installed on my computer, anti-virus running, an ISA server on the perimeter of the network — but we haven’t ever gotten around to having that underground tornado shelter put in or installing that generator. Why not? Well, we’ve had some close calls (like Tuesday night) but we’ve never been devastated by a twister. It’s not so much the cost in money as the cost in time that’s the problem — we have work to do, and storm shelters and generators aren’t our field of expertise.


The experience made me stop and think with a bit more sympathy toward all those net admins and individual computer users out there who just haven’t gotten around to taking the steps that they need to take to protect their networks or systems. After all, they have jobs to do too, without adding security to the mix.


And that’s why we need to work to build security into the operating systems and applications — even if it causes some access problems, even if some people get upset about the inconvenience those built-in security measures can cause. If our house had come with a tornado shelter, we certainly would have used it this week. If a generator had been included when we bought the house, we might have grumbled about the inconvenience of buying fuel for it and having to learn how to use it, but we certainly would have appreciated it yesterday when our air conditioning, refrigerator, even [shudder] our computers were all rendered temporarily useless by the power outage.


Security comes with a price tag that’s measured in more than dollars, and it just doesn’t seem like a very high priority when you have “more important” things to do — until you need it, that is. In that moment, the cost seems pretty minimal.

Securing the Vote

The push has been on in the U.S. since the 2000 elections to replace old paper and punchcard ballots with electronic voting systems, but as the 2004 elections draw closer, serious questions are being raised about the security of the new systems, many of which include no paper trail and no way for voters to verify that their votes were recorded correctly.


It’s interesting that, in many cases, it’s those who make their livings working with computers who are most worried about the idea of voting by computer. On the other hand, maybe that’s not strange at all. We’ve seen, time after time, just how easily electronic systems of all types can be compromised and how easily things can go wrong and results can be skewed even when there is no intentional breach of security.


http://www.computerworld.com/governmenttopics/government/story/0,10801,92995,00.html

Somebody Missing in the Builders and Titans Report?

Today on CNN.com, I clicked the link to read Time Magazine’s “Builders and Titans” report, which purports to be a list of those business people who have created successful businesses and/or championed established ones and have had a significant influence on shaping society.


In going down the list of 20, I saw a number of names that are familiar to those in our field: Michael Dell, Steve Jobs, Carly Fiorina. What I didn’t see was any mention of Bill Gates. Oh, well, I guess the World’s Largest Software Company doesn’t quality as “successful,” having only made him a multi-billionaire.


Sure, we know how popular it is to hate B.G. and bash Microsoft, but regardless of whether or not you like him and/or the company, how can you deny that it’s a successful business or that its software has not had a significant influence on society? After all, Time is the magazine that once named Adolf Hitler as Man of the Year. Personal popularity is obviously not (supposed to be) an issue.

Biometrics Conference

Biometric security has been a source of contention on many levels. On the surface, it sounds like the perfect solution to the problem of identity theft. After all, there are a number of physiological traits that are more or less unique to individual human beings. And those prone to forgetting passwords or leaving their smart cards at home aren’t apt to leave the house without their fingerprints or forget their retinal patterns.


However (there’s always a “however”), nothing is perfect and biometrics is no exception. Privacy advocates object to the somewhat invasion nature of some biometric scanning technology and, even more troubling, some security experts warn that biometric identification is not nearly as fool-proof as it’s hyped to be (especially by the makers of biometric security devices).


It has been demonstrated (most popularly by Japanese engineering professor Matsumoto a couple of years ago at the University of Yokohama) that most fingerprint scanners can be fooled by fake fingers made of gelatin. Facial recognition software has a high rate of false negatives and false positives. Iris scanners’ results can be skewed by tears or even long eyelashes.


Nonetheless, the push for biometric identification moves forward. In many states in the U.S., fingerprints are required for driver’s licensing, and the U.K. is developing new standards for passports and other identification documents that will include biometrics. The question no longer seems to be whether biometrics will be used for confirming our identities, but how biometric technology can be made more accurate.


If you’re interested in the field of biometrics and what’s being done to perfect this imperfect technology, you might want to attend the Biometric Consortium’s September conference in Arlington, VA. It’s open to the public, and likely to include some eye-opening information about the future of biometrics. See http://www.biometrics.org/bc2004/index.htm for more info.

802.11i: Its time is coming

It looks as if this summer the IEEE will finally approve the standards for 802.11i. That’s the wireless security standard that is based on RSN, which uses AES (the protocol formerly known as Rinjdael) and a 128 bit encryption key to provide better security. WPA, another new wireless security standard adopted by the Wi-Fi Alliance, can be implemented by upgrading the client software for many current wireless devices. Deploying RSN is a bit more complicated, since it will require hardware devices with significantly more processing power.


It’s been a long time coming, but we look forward to the demise of WEP – with its well-documented security flaws – and new, more secure technologies to replace it. Wireless security has to be a number one priority as wireless networking becomes more and more popular, and thus, securing wireless transmissions becomes more and more of a problem.


Next month, I’ll have an article on Windowsecurity.com about 802.11i, how WPA2 and RSN work, and what it all means for existing wi-fi networks.

ALF article

The article on Application Layer Filtering (ALF) that I wrote for Windowsecurity.com has just been reprinted by SecurityProNews over at http://securitypronews.com/2004/0505.html. There is a lot of interest in ALF these days, and no wonder — the ability to filter at the application layer not only helps prevent attacks that exploit application layer protocols, but is also a key element in filtering for spam at the firewall, which takes some of the load off your mail server or spam filtering server (of course, you have to be very careful about how you configure content filtering for spam at the firewall, to reduce the possibility of false positives. The most effective spam filtering methods use a multi-layered approach).