Monday, May 28 2012

Airport control fail (again) 

I, and perhaps the rest of the IT security industry, look at the security theatre when travelling and find it something of an amusement: taking nail files off old ladies, making injured people walk without crutches, being forced to take off shoes in the USA. It is all very, very stupid.

The sad thing is that the front line staff have been so drummed into finding nail files and scissors that they can't see the real threats. As an IT security professional I travel with an assortment of unusual items to perform penetration testing, and when required for physical/social engineering jobs this includes lock picks, access card cloning tools etc. (At AusCERT we ran a social engineering tutorial, and as part of that we had a hands-on class on proximity card cloning as well as lock picking to illustrate points.)

Recently, due to a last minute change at the airport when coming back from AusCERT, I had to carry on a bag that I had not planned to.

So when I got to security and had to remove my laptop, I looked down and thought: this is not going to go well. As my bag went through the X-ray machine, this is a sample of some of the lock pick gear they would have seen in it.

 

The funny part is that they asked me if I had a nail file in there. I opened my bag, ready to explain the reason behind these items. Well, they picked out one item that resembled a nail file, put it in its own tray and put it through the metal detector. The thought of losing my nail file collection (aka the "toool" credit-card-size lock pick kit) was not pleasant, but better than losing everything.

 

They then said yep, that was it, and promptly gave it back, to my honest shock.

You just can't make up theatre this good.

 

 

 

Wednesday, Mar 7 2012

Airport: the fail whale of security controls.

I am sitting on a Virgin flight reviewing all the security mistakes. At the moment something in my bags or on my person gets a hit as explosives. The last two flights, if I get selected for swabbing, I get the double positive reading, which requires a "supervisor" sign off, a form of questions to fill in and extra viewing of my ID that I have to hand over.

Rather than help work out what is setting it off, they prefer to just make me sign a form. I told them this was the second time in 3 weeks.

They demanded to see my boarding pass. I explained I was using the new Virgin mobile boarding pass and showed them a 3D barcode.

Next, at the gate, after scanning the boarding pass on my mobile the person at the gate waved me on. At the plane I showed them the 3D barcode and the guy could not compute; he demanded my phone so he could run back and validate my boarding pass. I refused and he broke.

I told him what seat I was in and that he could visit me if there was a problem. This allowed me onto the plane without validation (a trivial control, but the airport's nonetheless), as they have to validate all who enter the plane or cannot take off.

The Virgin app isn't even that good, as it loses all the flight data if you navigate away (pro tip: screenshot it on your mobile device). At least the URL to navigate to the boarding pass looked encrypted.

Monday, Jan 10 2011

The Vodafone Debacle

Thoughts on what we, the public and customers, should be asking of Vodafone:

 

  1. Why was something that accesses the most sensitive data of its customers not protected with a two-factor authentication mechanism?
  2. What controls does Vodafone use to catch users attempting to capture large batches of customers via searches (i.e. search a then b, or account no. 123 then 124, etc.)?
  3. Did they not perform analysis on the patterns of login to IP address to possibly identify unusual behaviour? i.e. login account "ben" has logged in from 20 IP addresses in the last month.
  4. Why did they not do simple controls such as locking logins to specific IP addresses as a low-ball security control?
  5. Who are their auditors and why did they not raise such a potentially high-risk problem?
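As an added example (not from the original post, and nothing to do with whatever Vodafone actually logged), here are the two detections questions 2 and 3 describe, run over a constructed audit log. The log format, the field names, the thresholds and the IP addresses and account numbers are all assumptions made up for this example.

```javascript
// Added example: detection logic for the two questions above, run over constructed log lines.
// Log format (assumed): "<timestamp> user=<login> ip=<addr> action=login|lookup [account=<n>]"
const SAMPLE_LOG = [
  '2011-01-08T09:00:01 user=alice ip=198.51.100.4 action=login',
  '2011-01-08T09:00:40 user=alice ip=198.51.100.4 action=lookup account=4471023',
  '2011-01-08T09:05:12 user=ben ip=203.0.113.7 action=login',
  '2011-01-08T09:05:30 user=ben ip=203.0.113.7 action=lookup account=1000120',
  '2011-01-08T09:05:33 user=ben ip=203.0.113.7 action=lookup account=1000121',
  '2011-01-08T09:05:36 user=ben ip=203.0.113.7 action=lookup account=1000122',
  '2011-01-08T09:05:39 user=ben ip=203.0.113.7 action=lookup account=1000123',
  '2011-01-09T11:14:02 user=ben ip=192.0.2.18 action=login',
  '2011-01-10T23:41:55 user=ben ip=192.0.2.77 action=login',
  '2011-01-12T02:03:10 user=ben ip=203.0.113.200 action=login',
  '2011-01-14T13:20:45 user=ben ip=198.51.100.99 action=login',
];

// Split one log line into an event object: { ts, user, ip, action, account? }
function parseLine(line) {
  const [ts, ...fields] = line.split(' ');
  const ev = { ts };
  for (const f of fields) {
    const [k, v] = f.split('=');
    ev[k] = v;
  }
  return ev;
}

// Question 3: accounts that have logged in from at least `threshold` distinct IP addresses.
// Returns { user: distinctIpCount } for every flagged user.
function manyLoginIps(lines, threshold = 4) {
  const ipsByUser = new Map();
  for (const ev of lines.map(parseLine)) {
    if (ev.action !== 'login') continue;
    if (!ipsByUser.has(ev.user)) ipsByUser.set(ev.user, new Set());
    ipsByUser.get(ev.user).add(ev.ip);
  }
  const flagged = {};
  for (const [user, ips] of ipsByUser) {
    if (ips.size >= threshold) flagged[user] = ips.size;
  }
  return flagged;
}

// Question 2: a user walking account numbers in sequence (123, then 124, then 125 ...).
// Returns { user: longestSequentialRun } for every user whose run reached `minRun`.
function sequentialLookups(lines, minRun = 3) {
  const last = new Map();   // user -> { account, run }
  const flagged = {};
  for (const ev of lines.map(parseLine)) {
    if (ev.action !== 'lookup') continue;
    const acct = Number(ev.account);
    const prev = last.get(ev.user);
    const run = prev && acct === prev.account + 1 ? prev.run + 1 : 1;
    last.set(ev.user, { account: acct, run });
    if (run >= minRun) flagged[ev.user] = Math.max(flagged[ev.user] || 0, run);
  }
  return flagged;
}

console.log('many login IPs:', manyLoginIps(SAMPLE_LOG));        // { ben: 5 }
console.log('sequential lookups:', sequentialLookups(SAMPLE_LOG)); // { ben: 4 }
```

Neither rule needs anything beyond the fields an ordinary application log already carries, which is the point of question 4: these are low-cost controls, and a dealer portal that lets one login walk account numbers from five different networks in a week without anyone noticing is not running them.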

I very much doubt that we will ever know the true data loss that has occurred over the years at Vodafone. And what of the other telcos? Think they are doing something better? Perhaps, but I wouldn't put money on it.

Let's hope the NSW Privacy Commissioner actually does something with this event and takes action.

 

Tuesday, Nov 2 2010

Writing Firesheep Scripts

A lot has been written about Firesheep, and I have provided some commentary on it myself, but not much has been said about the fact that it relies on site-specific handler scripts tailored to each site it targets. Curious, I had a quick play and wrote a couple of scripts for some Australian sites I have used.

NB: All of the sites I tested used plain HTTP for the sign-in process as the default setting; some offered HTTPS, but only as an additional link to click.

It's a pretty straightforward process:

1) Identify the correct domain (the domains entry that the handler matches sniffed traffic against)

2) List the cookies sent as part of the session (the sessionCookieNames; normally the ones set for you after you have authenticated, since those are what Firesheep replays to hijack the session)

3) Identify the section of the page in which the user name is displayed

4) Modify the identifyUser function. For the sites I looked at this meant changing

this.userName = resp.body.querySelector('changeme').innerHTML;

The changeme value above has to be a selector that references where the username value sits in the page. For Whirlpool, for example, the page source snippet looks like this:


The username is then referenced as follows within the script:

this.userName = resp.body.querySelector('dl.userinfo span').innerHTML; 
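To show the four steps together, here is an added example of a handler in the shape Firesheep loads, written for a hypothetical forum rather than any of the sites above. It is not code from the original post or from the Firesheep project. Because a Firesheep handler only runs inside Firesheep, the block also carries a tiny stand-in for the parts of the runtime it relies on (register(), this.siteUrl, this.httpGet() and a DOM with querySelector), so the cookie matching and the username extraction can be run on their own. The domain, the session cookie names, the sniffed Cookie header and the page HTML are all constructed for the example, and the rule that a capture is a hit only when every named session cookie is present is an assumption, not a statement of how Firesheep itself decides.

```javascript
// Added example: a Firesheep-style handler plus a stand-in runtime so it can be exercised offline.
const handlers = [];
function register(handler) { handlers.push(handler); }   // stand-in for Firesheep's handler loader

// The handler itself, in the shape Firesheep's site scripts use.
// Step 1: domain. Step 2: cookies set after login. Step 4: selector for where the name is shown.
register({
  name: 'Example Forum',                              // hypothetical site
  url: 'http://forums.exampleforum.example/',
  domains: ['exampleforum.example'],
  sessionCookieNames: ['sid', 'auth'],                // assumed names; not a real site's cookies
  identifyUser: function () {
    const resp = this.httpGet(this.siteUrl);
    this.userName = resp.body.querySelector('dl.userinfo span').innerHTML;
  }
});

// Toy stand-in for the DOM: supports only selectors of the form 'tag.class descendant'.
function toyDocument(html) {
  return {
    querySelector(selector) {
      const [ancestor, descendant] = selector.split(/\s+/);
      const [tag, cls] = ancestor.split('.');
      const scope = new RegExp(
        `<${tag}[^>]*class="[^"]*\\b${cls}\\b[^"]*"[^>]*>([\\s\\S]*?)</${tag}>`).exec(html);
      if (!scope) return null;
      const inner = new RegExp(`<${descendant}[^>]*>([\\s\\S]*?)</${descendant}>`).exec(scope[1]);
      return inner ? { innerHTML: inner[1] } : null;
    }
  };
}

// Parse a sniffed "Cookie:" header value into { name: value }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Step 1 + 2 at capture time: which handler does this plain-HTTP request belong to, and does it
// carry every cookie the handler needs to replay the session? (Assumed rule: all must be present.)
function matchCapture(host, cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  for (const h of handlers) {
    if (h.domains.some(d => hostMatches(host, d)) &&
        h.sessionCookieNames.every(n => n in cookies)) {
      const session = {};
      for (const n of h.sessionCookieNames) session[n] = cookies[n];
      return { handler: h, session };
    }
  }
  return null;
}

// Step 3 + 4: run the handler's identifyUser against the page the site would serve for that session.
function identify(hit, pageHtml) {
  const ctx = { siteUrl: hit.handler.url, httpGet: () => ({ body: toyDocument(pageHtml) }) };
  hit.handler.identifyUser.call(ctx);
  return ctx.userName;
}

// Constructed sample: one sniffed request (host + Cookie header) and the page it would return.
const capturedHost = 'forums.exampleforum.example';
const capturedCookieHeader = 'tz=AEST; sid=3f9a1c; auth=d41d8cd9; ads_opt=1';
const capturedPage = '<html><body><div id="hdr"><dl class="userinfo"><dt>Logged in as</dt>' +
  '<dd><span>ben</span></dd></dl></div></body></html>';

const hit = matchCapture(capturedHost, capturedCookieHeader);
if (hit) console.log(hit.handler.name, identify(hit, capturedPage), hit.session);  // Example Forum ben { sid: '3f9a1c', auth: 'd41d8cd9' }
```

The same matching logic is what you want when checking your own application: if a request to your domain over plain HTTP carries the cookies named in step 2, a handler like this is all an attacker on the same network needs. Setting the Secure flag on those cookies (and serving the site over HTTPS) is what stops the request above from ever being seen.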

One thing I did notice when running Firesheep was the number of third-party connectors that sites were running. As these were linked from the news site I was viewing, they automatically connected back over HTTP to the third-party service.

In one example the site had a bit.ly bookmark extension and a Facebook connector. If you had an open session in another window, or had opted to stay logged in by checking a box (which I guess many users might do), the connector would connect back and expose the session cookies, and hence the session would appear in Firesheep.

I don't condone illegal activity and have provided the above information for people to evaluate their own applications, or the applications they legitimately have access to.

The following firesheep scripts were written with help from RD (Thanks Mate).

Whirlpool, Optus, Seek

Tuesday, Oct 12 2010

Wifi can be surprising!

So I thought I'd share this. There I was on the Manly ferry, in the middle of Sydney Harbour, trying to sort out a wifi issue with some portable equipment I had. Anyhow, I see the AP below pop up, which given that I was passing Manly Heads was a surprise. Note that there was no encryption (which was not a surprise in itself).

 

But then, after seeing that, I finally looked up and saw that we were overtaking this ;-)