Wednesday, December 09, 2009

Why we call it "security theater"

Several sites today or yesterday reported that confidential portions of the TSA's security and screening procedures have inadvertently been leaked online; because the electronic copies of the documents released in a FOIA request were redacted using a method that could be disabled and removed (leaving the now unredacted text readable) by the recipient of the file. has a mirror of the leaked documents here:

And an explanation of what they did wrong (seriously, it's headslappingly stupid):

And here is a direct link to the identification guide for federal agents who are allowed to bypass security procedures, or carry prohibited items into secure areas (warning, PDF link):

Just as a teaser, here's an excerpt from the article linked above:
The manual was posted as a redacted .pdf document, with sensitive sections blacked out. But the government apparently hasn’t learned from past redaction flubs and merely overlaid black rectangles on the sensitive text in the .pdf, instead of cutting the text itself. Anyone can uncover the hidden text by simply copying and pasting the blacked out portions into another document.

One of the redacted sections, for example, indicates that an armed law enforcement officer in or out of uniform may pass beyond the checkpoint without screening after providing a U.S. government-issued photo ID and “Notice of LEO Flying Armed Document.”

Some commercial airline pilots receive training by the U.S. Marshals Service and are allowed to carry TSA-issued firearms on planes. They can pass through without screening only after presenting “bonafide credentials and aircraft operator photo ID,” the document says.

Foreign dignitaries equivalent to cabinet rank and above, accompanying a spouse, their children under the age of 12, and a State Department escort are exempt from screening.

There are also references to a CIA program called WOMAP, the Worldwide Operational Meet and Assist Program. As part of WOMAP, foreign dignitaries and their escorts — authorized CIA representatives — are exempt from screening, provided they’re approved in advance by TSA’s Office of Intelligence.

Passengers carrying passports from Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen or Algeria are to be designated for selective screening.

Although only a few portions of the document were redacted, the manual contains other tidbits that weren’t redacted, such as a thorough description of diplomatic pouches that are exempt from screening.

A. Diplomatic pouches are exempt from any form of screening. A diplomatic pouch can be a bag, pouch, or container holding diplomatic correspondence, documents, or articles. Although an individual transporting a diplomatic pouch may have diplomatic immunity, that individual and his or her nondiplomatic accessible property and checked baggage must undergo screening and all alarms must be resolved.

B. The diplomatic pouch must have visible external markings in English that state “Diplomatic Pouch” or “Diplomatic Bag”. The pouch must bear an official seal of the sending government or international organization. For example, a seal could be a lead seal attached to a tie that closes the pouch, a printed seal on the fabric of the pouch, or an ink seal impressed on a detachable tag. The pouch must be addressed to an office of the government or international organization whose seal the pouch bears. For unaccompanied pouches tendered as checked baggage, a detachable certificate will be affixed to the outside of the pouch that describes the pouch and certifies the contents as diplomatic materials. The Department of State (DOS) encourages diplomatic couriers to notify the aircraft operator that they are carrying a diplomatic pouch.

C. When a diplomatic pouch is presented by a diplomatic courier to TSA at a screening checkpoint or screening location, the STSO must check that the diplomatic courier is carrying an official or diplomatic passport and a courier document or letter on their person for identification. A courier letter must be on appropriate letterhead stationary and must bear a seal of the sending state, embassy, consulate, or international organization. The courier letter must be signed by the relevant Ambassador or Chief of Mission serving in the United States. The courier document must clearly identify the bearer and his or her status as a diplomatic courier and must contain information sufficient to identify the pouch(es), to include the number of pouches being escorted.
Let me just say, I'm in no way shocked, surprised... even mildly bemused by either the fact that they didn't properly redact the document, or that the un-redacted portions show just how pathetically inadequate and useless our transportation security procedures are.

I have personal experience in this arena.

Now, I've mentioned this before, but I haven't gone into great detail. I think maybe this would be a good time to go a little bit deeper (without violating my NDAs of course).

I'm going to talk about three incidents, that illustrate what we're talking about when we say "security theater", and that the TSA is not only not making us MORE secure; they are almost certainly making us LESS secure.

Seriously guys, if you believe that the TSA does anything to actually help prevent terrorist attacks... Man you're living in a dream world.

... though honestly, I doubt many of my readers are under that illusion.

Look up the bomb screening procedures some time and you'll... I don't know... scream at the idiocy of it maybe?

Ok, so, those three incidents... As I said, I'm still under NDA and don't want to be sued, so I'm going to be very slightly vague, to protect both the guilty parties, and my own ass.

Up until four years ago (I changed jobs to something more stable when I got married), I was a security consultant and contractor; working in physical, electronic, and information security.

One contract I had a few years back (post 9/11) was to test updated security processes and procedures at a major northeastern airport (I'm still under NDA and don't want to be sued).

They had just installed a massive (and expensive) new identity verification and access control system for their staff, retrained everyone etc... and they wanted an audit to see how they were doing.

The first thing we did was run background checks on everyone who wasn't a TSA employee (they didn't allow us to run checks on TSA people). There were about a dozen undisclosed felons working there, some of them violent.

Then we penetration tested the systems, physically and from the network; and ran some social engineering ops against the facility.

You don't even want to know how easy the system was to penetrate electronically; and because of certain union, city, and state rules and practices, there was a very limited set of things we could do to fix it.

The social engineering efforts were pretty much universally successful as well.

The physical audit was even worse. I'm a 6'2" white guy. I walked around "secured" spaces of a major airport for several hours, using the photo ID badge of a small black woman with a muslimish name (I have a sick sense of humor, what can I say). I wasn't challenged or questioned once.

The final test was to see if we could get contraband into secured areas.

The first thing we were easily able to do was bypass all screening processes. Although the TSA is supposed to screen staff and flight crew... let's just say they are extremely lax in doing so.

Staff may access secured areas on the flight side of a terminal dozens of times a day, going back and forth. The TSA doesn't do much checking there, trusting that staff are staff, and have gone through all the required checks etc...

Staff IDs (which included access control) were pathetically easy to obtain, steal, copy, or to manufacture outright if you had the right equipment and software; all of which is easily commercially available.

The ID system included aircrew identification for the major airlines hubbed there, to "expedite screening procedures". Getting aircrew ID was pathetically easy, and again, screening for aircrew was essentially non-existent.

The ID system also included IDs for law enforcement and security staff stationed in the airport. Same story.

And again, with all of this, union, city, state, and federal work rules prevented us from doing anything REAL or USEFUL to change things.

We had 8 guys using obviously non matching IDs for hours a day, for two days. Not one of them was challenged, ever; even on "inspection" of their ids at checkpoints.

To my knowledge, the only people fired or disciplined were the felons.

This next bit comes from before 9/11, but I happen to know the procedures haven't materially changed.

Several years before that, my company was hired to run an independent audit of screening procedures for the civilian security staff at a different, major northeastern airport.

As part of this test, we were co-operating with teh FAA and local law enforcement.

We placed 21 simulated explosive devices or firearms into our carryon baggage, and ran unannounced tests of the screening system.

Now, there is a widely known (in the security community) problem with the way screeners are trained and tested; in that the screener testing is, by federal work rules, standardized.

For example, screeners are trained to identify 7 bomb like objects in baggage, based on how they appear on xray. If an object is clearly bomb like, but doesn't match one of the 7 testing objects, they actually get marked down on the test for identifying it as a potential bomb.

There are a larger number of simulated weapon type objects, and the FBI and TSA periodically add more of them; but the manuals and spcifications are freely available in government documents, because all federal job performance testing standards must be published.

These rules are to ensure "objective" standards are used, to avoid "discrimination".

In our tests, we made our simulated weapons and explosives devices look just like what they were intended to simulate, but NOT like the objects screeners were trained and tested on.

All but one of them passed through security.

Do you know what happened?

The union protested and had the results quashed, because an unannounced test was against the rules, and because the objects we tested with did not match the 7 objects in the official training materials.

Final example.

In 2004, I was traveling for business, from Phoenix to Boston, then to NYC, from NYC to SFO, and then back to Phoenix.

Four flights. Four passes through security.

I carry a very heavily laden laptop bag, with a lot of different tech junk in it, and various TSA safe tools.

When I am working on a day to day basis for myself (and not my current employer), I also have a KelTec P3AT, and a spare mag in there. Concealed, but not exactly deeply hidden.

When I left for my trip, I thought I had removed my KelTec from my laptop bag.

On my trip, my laptop bag was subject to hand search three of my four flights. After all, there is a bunch of stuff that would hit on the screeners equipment as potential issues. I wasn't hand searched every time I went through security, but almost.

They made me turn my laptop on once, and they made me take various stuff out of my bag for closer inspection in all cases.

When I got back to PHX, I was looking for the KelTec to put back into my bag.

I couldn't find it... and I got a sinking feeling.

YEP, it had been in my laptop bag the entire damn trip.

Four trips through security, three hand searches... All with a loaded firearm, and spare mag; and not detected once (including by me actually; rather firmly illustrating that complacency with firearms breeds trouble).

As I've said, there's a reason why actual security professionals call what we do at our airports "security theater".