Something I alluded to before but since has been exposed to new light:

A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus [Zotob] then sweeping the internet, according to documents obtained by Wired News. […]

Later in the story . . .

[an IG report] found system vulnerabilities at the U.S. points of entry where the US-VISIT workstations are operating. It blames the weaknesses on poor communications between administrators in the field and those at US-VISIT’s Virginia data center. In February, the Government Accountability Office — Congress’ investigative arm — followed up with its own investigation of the program, faulting US-VISIT for not having an overall security plan.

The system that vets people who bother to come through ports of entry has no security plan. Sleep tight, America.

Prior to infecting CBP, the Zotob virus reportedly caused disruptions at The New York Times, ABC and CNN’s headquarters in Atlanta, as well as some offices on Capitol Hill. In late August, the FBI announced the arrest of two men in connection with the worm: 18-year-old Farid “Diabl0” Essebar in Morroco, and a 21-year-old Turkish man named Atilla Ekici, known online as “Coder.”

Arab hackers . . . Imagine that.

People deride big-iron, but it works and you’d be hard pressed to find someone writing exploits for PL/I. It is when the “solution” to big-iron “problems” is to slap an HTML front end on top of some middleware (plus card readers, plus biometrics, plus . . .) that you start to see major problems; not just from a security perspective, but in usability too. An EBCDIC-to-ASCII conversion and a Google appliance would work just as well, but why take the easy path when there are vendors on-site waiting to add to an already bloated work order?

There are many other systems like this that are supposed to help keep us safe. Keep thinking that the same or similar problems aren’t there. We shouldn’t be going for the quick fix; we should be going for the right fix and damn the inconvenience to travelers. Something I’m not looking forward to: The next generation of gov’t IT managers explaining to the next Commission on the next spate of terrorist attacks in the US why they chose to pursue – yet again – over-budget, under-performing, hole-riddled systems.

About the Author

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.