Spyware, viruses, & security forum: NEWS - October 26, 2012

Bruce Scheier @ his Schneier on Security Blog:

I have a hard time getting worked up about this story:

' I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don't check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.'

What a dumb way to design the system. It would be easier -- and far more secure -- if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And -- of course -- this means that you can still print your own boarding pass.

Continued : http://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html

Related:
Security scare after airline boarding passes reveal how passengers will be screened
TSA fails again with adjustable boarding passes

Chinese officials decided to block their citizens' access to The New York Times, both the English and the Chinese versions of the websites, in reaction to a text about the Chinese prime minister's hidden estate published yesterday.

The Chinese government also decided to ban all mentions of The Times or of the prime minister, Wen Jiabao, on Sina Weibo, the most popular micro blogging service in China and local homologue of Twitter.

This comes as no surprise, as it isn't the first time China restricts users' access to a news portal when an article doesn't fit the local administration norm.

China has in place one of the most sophisticated Internet censorship systems in the world - the Great Firewall of China - with an army of people screening Internet content to adapt and delete it if it goes against the government. Some articles are entirely rewritten and made to fit regional standards. They have firewalls to block content by denying access to certain IP addresses and, when necessary, they may even engage in DNS poisoning to redirect web requests to other web pages more suited for Chinese eyes.

Continued : http://www.hotforsecurity.com/blog/the-new-york-times-website-blocked-in-china-4082.html

Also: China Blocks New York Times in Response to Article About PM's Wealth [NYT]

There's something of a hoo-hah in the world of British politics today, after a senior government official advised users of social networks such as Facebook on how to protect their privacy.

Nothing controversial there, you might think. Until you realise that the advice from Andy Smith, an internet security chief at the Cabinet Office, was that you should lie about your real name and date of birth.

The BBC reports, that Smith told a parliamentary internet conference that providing fake details to social networking sites was:

"..a very sensible thing to do.. When you put information on the internet do not use your real name, your real date of birth. When you are putting information on social networking sites don't put real combinations of information, because it can be used against you."

Opposition Labour MP Helen Goodman told the BBC that she was outraged by the advice, and claimed that such behaviour could lead to more crime, not less:

"This is the kind of behaviour that, in the end, promotes crime. It is exactly what we don't want. We want more security online. It's anonymity which facilitates cyber-bullying, the abuse of children. I was genuinely shocked that a public official could say such a thing."

So, what do we think here on Naked Security?

Continued (with video) here: http://nakedsecurity.sophos.com/2012/10/25/lie-on-facebook/

.. Systems

The U.S. Department of Homeland Security is warning that a witches brew of recent events make it increasingly likely that politically or ideologically motivated hackers may launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in industrial control systems sold by hundreds different manufacturers and widely used in power plants, military environments and nautical ships.

The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains a functionality that will grant remote access to anyone who knows the proper command syntax and inner workings of the device, leaving systems that are connected to the public open to malicious tampering.

In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm ioActive, said there was "absolutely no authentication needed to perform this privileged command." Of the two specific programmable logic controllers (PLCs) Wightman tested, both allowed him to issue commands that halted the devices' process control.

Continued: http://krebsonsecurity.com/2012/10/dhs-warns-of-hacktivist-threat-against-industrial-control-systems/