Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Flight Passenger Data Retention Dangers

Imperva : 31 May, 2011  (Technical Article)
Imperva reviews the proposal to retain passenger data by the US DHS with the context of Advanced Persistent Threats and how hackers could target this data

Tal Be’ery, Imperva’s Web Research Team Leader, reviews security considerations and how hackers might target the data held by the US government on millions of passengers who fly between the US and Europe as reported in Today's Guardian.

The personal data of millions of passengers who fly between the US and Europe, including credit card details, phone numbers and home addresses, may be stored by the US department of homeland security for 15 years, according to a draft agreement between Washington and Brussels leaked to the Guardian.

Tal Be’ery raises three key issues:

1 Who would find this data most attractive?

This is a prime target for Advanced Persistent Threats (APT). As instead of stealing data, APT hackers could try to:

* Insert data. For example, make an "Osama Bin Laden" entry and give it "no need to check at all" clearance.

* Get data out. For example:

* Find out all the information about a person which is, by definition, enough information to allow him into the US. Create fake passports using this information.

* Find out about all people travelling to the US.

Of course – it doesn't have to be a digital attack. An attacker may convince some employee, even low ranking one, to give him some (or all data). Think Bradley Manning.

To be clear, I'm not saying that this Data Base shouldn't exist because of these reasons – it should be closely defended and guarded as a prime target of APT.

2 How they should protect the data?

Like Fort Knox only with database firewalls, auditing, excessive rights management control. And it really calls for the implementations of novel approaches such as Prof. Adi Shamir’s (the 'A' in RSA) idea of a set-base blurred database that will allow the verification of given details but will not allow arbitrary information retrieval.

3 Who should protect the data?

This is an interesting case where one country is holding data on another countries citizens, I don't think there's any regulation yet on this issuet. This calls for global regulatory action and standards. For example - Who will audit the Data Base to ensure it's carefully protected?

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo