INSE 6150: Scribe Notes for Lecture 10 HUMAN SECURITY: PROCEDURES (EXAMPLE: AIRPORTS) AND USABILITY

Transcription

1 INSE 6150: Scribe Notes for Lecture 10 Scribed by: Seema Kottappurath April 10, 2015 HUMAN SECURITY: PROCEDURES (EXAMPLE: AIRPORTS) AND USABILITY Human oriented Security also known as Soft Security consists of: 1. Procedures 2. Usability 3. Social Engineering PROCEDURES Procedures are the codes/rules that must be followed within an organization where the description would be in a language used by humans. It is a pathway between the code and the humans. Example 1 : The Certificate Authority decides whether they are talking to Google or not before giving out the certificate by following certain procedures within the organization. Eg: DNS validation, Send out an , Inperson etc. Example 2 : AIRPORTS Airport Security are governed by two primary government agencies, the Transport security and the Customs. The organisation that deals with the transport security in Canada is known as the Canadian Air Transport Security Authority (CATSA) that checks for weapons and for liquids. The Canadian customs is the Canadian Border Services (CBS) which comes into play for international travel. They are responsible for checking to see if the passenger possesses drugs, currency greater than 10,000 dollars and organics. Under organics though liquids are screened by the CATSA and the vegetables and plant section are dealt by the customs. In order for a traveller to travel on an airplane the list of must haves and must not haves are given below: Must Haves: Must Not Haves: ID (Passport) Boarding Pass Weapons or Ammunitions Drugs Currency of greater than 10,000 dollars Organics (vegetation, chemicals) Liquids greater than 100ml On the NO FLY list

2 Containers of liquids, food and personal items in your carry-on must be 100 ml/100 grams (3.4 oz) or less. All containers must fit in one clear, resealable plastic bag no more than 1-litre in capacity. The bag must be transparent so screening officers can easily see the contents. The Government of Canada set these limits based on national and international consultations and analysis. The 100mL restriction is set by the International Civil Aviation Organization (ICAO). The complete list of items that can be carried are given on the CATSA website: Why Liquid Restrictions are put in place? It is a direct response to a bomb threat Exceptions Those that are purchased from Duty Free (As there is a chain of custody where the origin is trusted) Baby formula Contact Lens Solution SECURITY THEATER Bruce Schneier has perfectly coined the term Security Theater to the security measures that are implemented to make people feel more secure than to really doing something to improve security. When an incident occurs people want something to be done to feel safe even if it doesn t make them safe. Airport security is reactionary and hence critics claim it as a security theater. Example 1 : The restriction placed on the amount of liquids (<100ml) that can be carried in the carryon luggage. The idea is to prevent making a bomb with it but other security loopholes can be used to achieve the same goal as the allowed items such as the baby formula or the contact lens solution can be used for the same purpose.

3 Example 2 : At the airport, after a bomb was found in a person s shoes thereafter ever since during the security screening shoes are asked to be taken off every single time. Example 3: If the laptop that one is carrying does not turn on, it won t be allowed. If it does turn on, it is let through even though there are ways to circumvent to use it for hiding a bomb. PHYSICAL SECURTY IN THE AIRPLANE Locks- to protect the check in baggage. Cockpit Locks- After the 9/11 incident, locks were installed for the cockpit doors that were not present earlier. The locks can be locked from the inside and the pilot/flight attendants could unlock the code from the outside. The threat would be they could be co- erced into giving up the code. From the inside, the pilot can override the unlock. This model assumes the pilot is trustworthy. How to update the trust model if the pilot is not trust worthy? Discussion arose after the German Wings Incident where the pilot intentionally crashed the plane into the Alps by taking control of the air plane and set it for rapid descent to crash it. He did this by locking the cockpit door and by overriding the access code entered from the outside by the captain. Airmarshalls Remote Unlock/ Control discussed Procedure Implemented: Two people inside the cockpit always AIRPORTS A Procedural Vulnerability that is now fixed. A person on the No Fly List could fly anyways as different parties were responsible for different things. The airline and the Transport security checks did not co-ordinate. ASSUMPTION: Can fake a Boarding Pass but can t fake a Passport

4 Real Boarding Pass(BPA)- Purchased from the Airline using a different name that is not on the No Fly List. Fake Boarding Pass(BPB)- Create a fake Boarding Pass using the Real Name. Passport- Has the real name. Only the Airline checks for the No Fly list and not the CATSA. Step1 How to fly even when your name is on the No Fly List? The person uses a fake name which the Airline checks against the No Fly List. If the name is not on the No Fly List, a Boarding Pass(BPA) is issued which contains the fake name that was used by the person. ( BPA, No Fly List ) Step 2 The person creates a fake Boarding Pass(BPB) with his/her real name at the security. The CATSA checks if the name contained in the Boarding Pass(BPB) matches with his/her piece of identity, the Passport. If it matches he s allowed in. This information is not matched against the flight information though as CATSA does not have access to the Airline s No Fly List. ( BPB, Passport ) Flight Information/No Fly List Step 3 At the Gate, the real Boarding Pass(BPA) with the fake name is used again. Here, the BPA is checked against the Flight Information and since it matches, the person is granted permission to fly even if on the No Fly List. ( BPA, No Fly List ) Passport

5 How to avoid this security loophole? i. Passport is required when you book. ii. CATSA and Airline should exchange information. iii. People show ID when boarding the plane. Nowadays at the Gate, you have to show your Boarding pass along with your Passport and this solves the problem. (Passport, Boarding Pass, Flight Information) BPA BPA Airport s Secure and Insecure Areas INSECURE ZONE Security screening Security Screening SECURE ZONE

6 Generally, majority of the Airports are designed in such a way most of the airport areas are considered as insecure. Once the security screening is done, then the area onwards is considered as a secure zone as shown in the above diagram. In this design, suppose an accident happens and a person manages to enter the secure zone somehow then the ways to contain the situation are either to 1. Ignore someone has entered the secure zone 2. Airport shutdown by making everyone re-enter the airport for performing security screening once again. However, in the case of the Amsterdam Airport all the areas are insecure except at the gates to board the airplane which is considered secure as the security screening process occurs here. Gate1 Gate 3 SECURE SECURE Gate 2 SECURE Figure: Amsterdam Airport Design

7 SPOT PROGRAM A document that was leaked to a news agency, Intercept where a US based program called SPOT that was designed by the TSA (Transport Security Agency). At the airport, while directing the travellers to stand in different lines before the actual physical security process, there are officers trained to identify suspicious behaviour and passes you on to secondary screening. Behaviour is analysed the moment travellers enter the airport until the procedure of clearing security. They have a guideline that assigns points for certain behaviours and once they reach 10 points, that passenger would be assigned for secondary screening. Refer: SPOT USABILITY Usability is how well users can use security products such as softwares, procedures etc. The usability research started with PGP (Encrypted ) as it is quite complex to use even for cryptographers as the user needs to set up the public/private keys, verify signatures with public key etc. A mental model of how the software worked was needed to use it. Security often fails because users are not experts or are unmotivated with regards to security. Case Study- Why Johnny can t encrypt? If users cannot use the secure tool then there is no security in the end even if the tool provides all the security properties. Security tools needs some form of expertise level such as the knowledge of public key Eg: Even for using a Password Manager, the user has to have a mental model of how to use it. Aspects of Usable Security: i. Defaults are very important as Normal users would not change the default options. ii. Users often make mistakes so redundancy could be built into the software

8 iii. Users need a proper functioning mental model of the tool that they are using. EVALUATION METHODOLOGIES FOR USABILITY 1. Cognitive Walkthrough 2. User Studies 1. COGNITIVE WALKTHROUGH It is a usability evaluation method in which the experts evaluates the tool and will `walk through the user tasks pretending to be a user and defines certain core tasks that a normal user might get caught at doing so. The purpose of the cognitive walkthrough is the system s learnability for new users or infrequent users and is a methodological process. Core tasks Eg: In PGP, user can successfully encrypt an . Heuristics/Guidelines 1. Users should know the next step 2. Users should be able to determine how to do it using the user interface. 3. Users should know they have completed a task. 4. Users should recover from non-criticial errors. 5. Users should not make dangerous errors. 6. Terminology should be understandable. 7. Users should be comfortable with the interface. 8. Users should be aware of the status at all times. Eg: Lock symbol appears to be unlocked Use of the software to understand the behaviour.

9 REFERENCES