Salmonella and US Security

One of the lessons of 9/11 was supposed to be greater centralized management of intelligence to improve security in America. It would seem that the salmonella outbreak is proving how well the US government has learned and adapted to the challenge.

The Associated Press reports that fingers are pointing all over the place, and the industries losing money want answers:

One agency probably zeroed in on tomatoes too early, the committee concluded, while a second failed to tap industry and states’ expertise in trying to trace the source of the contamination.

To the chairman, Rep. John Dingell, D-Mich., the case reminded him of “a Keystone Kops situation.” An investigation that should have taken hours or days instead has stretched on for weeks and months, he said.

This is just the detection side of things. Imagine if a TSA-like approach is used from now on for prevention…

Several lawmakers said the fact that no single agency is in charge may be part of the problem. The CDC is responsible for identifying the pathogen and the type of food that has been contaminated; the FDA is supposed to trace the outbreak to its source.

A single agency? Surely people can figure out how to collaborate? That is the message from outside the government as well:

Thomas Stenzel, president of the United Fresh Produce Association, suggested that public health officials might want to tap outside sources.

“We’re not asking to run the investigation, but there’s an abundance of knowledge in the industry that can help protect public health,” he said.

Not sure I would trust the UFPA, given how tasteless and uniform-looking the tomatoes are in America. Even so, they should certainly be allowed to assist with investigations. Collaboration is good. Compliance and governance are good. Too bad people have such a hard time working together on this.

Separately, the FDA rejected the Mexican government’s assertion that U.S. investigators had erred in identifying irrigation water at a Mexican pepper farm as a possible source of contamination. Mexican authorities said Thursday the sample their U.S. counterparts called “a smoking gun” came from a tank that had not been used to irrigate crops for more than two months.

Have to keep all this in mind the next time I speak about using centralized management and correlation tools. Federation of information is probably the better answer for massive data-sets spanning organizational boundaries.

Toronto airline kiosks breached

Just in case you thought it was safe to put your credit card into an airline kiosk, The Red Tape Chronicles has posted a quick warning:

Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada’s largest airport in Toronto.

One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but now must use other methods – by swiping frequent flier cards, entering confirmation codes or using their passports.

Figures. Is there any way for a customer to identify a compromised kiosk? Of course not. The investigation team could not even find evidence.

…Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.

No signs of tampering does not mean you can trust the kiosk. Avivah Litan from Gartner, who seems to be quoted in security stories all the time even though she has no insightful comments, provides readers with this nugget of nonsense:

Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves.

Ms. Litan, I know you represent Gartner and your name is all over these stories, but please take a close look at the facts. Latest in tamper-proof technology and card readers that encrypt data…pfffft, what TF are you talking about? Consumers obviously could never identify a secure kiosk. Are you suggesting some sort of “Seal of PCI DSS”? How would you recommend they identify a card reader that encrypts? Please, someone get me a towel for my monitor. Kiosks in public locations are a perfect target for thieves? Are you f%#$^@#ng kidding me? Where do you think companies should put a kiosk? Locked in a safe? IT IS A KIOSK!

Whew, don’t even get me started on this kind of “analysis”. Apologies, ranting. Had to get that out. Must catch breath.

The bottom line here is that there are a couple of things happening that expose the risks of un-staffed payment card readers, and the two may even be related. First, PCI is actually moving the bar, tightening controls at merchants, and so attack vectors are changing. Those who fall below the new baseline, even though they are not merchants, are going to have to keep up with the Joneses or see threats turn their way. Second, the underground economy continues to expand and become more sophisticated in parallel with the growth of technology. Like water running downhill, it will find the path of least resistance.

The real question is not just who wrote the kiosk software, but who approved the use of credit cards in them and for what purpose? Was it for payment? I mean, did anyone believe them to be in compliance with the PA-DSS (Payment Application Data Security Standard) or similar? It’s a trick question, really, since the PA-DSS is brand new and even the best practices for payment applications have only recently been introduced. Anyone familiar with the card payment security standards knows this. That means attackers know this, and they also know which implementations are insecure. Consumers, on the other hand, do not know either way. So, again, who approved credit cards at airline kiosks and why?

Hopefully people who read this story also will see the connections to electronic voting systems and realize why they are a really, really bad idea.

Halvar Flake Denied US Entry

A few weeks ago I flew into Toronto for a presentation on security. The customs officer asked me a series of questions about my work, as was expected. It went something like this:

Here on business? What are you doing?
I will be speaking on Internet security.
Will you be paid?
No, not by the conference.
You work for free?
No, my company pays me a salary.
Aha! So you do get paid. Where are they based?
In the United States.
Thank you, have a nice day.

Unfortunately it sounds like Halvar Flake ran into the same set of questions when entering the US for BlackHat and made a mistake. The Blackpages describe his experience:

In the process of checking his luggage, some portion of his printed materials for his training were discovered. This triggered a series of questions about his business and his immigration status, with the US officials finally settling on the position that if he was going to profit as an individual speaker at Black Hat, he was a de facto employee of the conference and could not enter the States without qualifying for and obtaining an H1B visa.

The “de facto employee” interpretation sounds incorrect to me, but who knows what was said at the time. It is certainly hard to think clearly after flying long distances across time zones, and it is not uncommon for officials to ask intentionally misleading and confusing questions to trip people up.

I am reminded of a story from Ellis Island where a German immigrant practiced his answers in English over and over to ensure his chances of being admitted to America. Upon reaching the station for entry he was asked “Name please?” In a sudden panic the German blurted out “Ich…Ich…vergessen!” The officer, without batting an eye, wrote down “Mike Ferguson” on the man’s entry card and said “Welcome to America! Next, please.”

Mistakes on the border are common and I don’t have any details on this incident, but I will say that when I had dinner with Halvar at RSA this past year he argued a number of very obtuse angles on some common topics like how to social engineer. Joanna Rutkowska and he teased out questions of human behavior and I only intervened to steer them away from mathematical and scientific expectations and into the realm of what I consider the greater reality of social, cultural and historical factors in security. He is obviously a very smart guy with strong opinions. He may even enjoy taking a contrarian position, which can be great in research but I suspect it might not have been to his benefit when facing an immigration officer.

Perhaps if he had been better prepared by the conference organizers about the state of American employment/visa rules, or had researched the requirements, or if he had just said he was paid by a German firm to speak at a conference in America, he would have been cleared. Now, due to a simple misunderstanding about compliance, he will have to present remotely or, worse, not at all. I hope he is able to clear things up for the future, and his story might present a lesson learned in the security community about…security.

Central Plains biofuels symposium

Good news:

Kansas State University will host a symposium on the sustainability of biofuels production and processing in the Central Plains. The symposium, scheduled for September 16 at the K-State Alumni Center in Manhattan, Kan., is being sponsored by the Kansas Center for Agricultural Resources and the Environment, K-State Research and Extension, and the K-State Center for Sustainable Energy.

A pre-symposium poster paper session is planned for September 15 from 5-7 p.m. Posters will also be on display during the symposium. Poster entries are now being accepted at http://www.dce.k-state.edu/conf/bioenergy/. Topics must be related to the program purpose. Submission deadline is September 1. Poster presenters are required to register for the symposium and to pay the $40 registration fee.

Target audience for the symposium includes university faculty and staff, state and federal agency personnel, farm groups, and industry representatives from Kansas and neighboring states.

This program is designed to disseminate technical information regarding the sustainability of biofuels production and processing, including production of feedstocks, biofuels processing, by-product utilization, implications for use of natural resources, short- and long-term economics, and social and environmental impacts. Presentations will summarize existing technical information, ongoing research, and technological challenges for the future.

Questions about poster submissions and registration should be directed to Debbie Hagenmaier, program coordinator, at debbieh AT k-state.edu. Questions about the symposium program or purpose should be directed to Bill Hargrove at bhargrov AT k-state.edu.

Amazing that there will only be two weeks between submission and the symposium. Maybe I will propose something on national security, individuality and energy policy. The link between biofuels and security management is more tangible than ever.