An anonymous Slashdot reader writes: TSA checkpoints caused 6, 800 American Airlines passengers to miss their flights in just one week this spring, and the problem isn’t improving. “Two years ago the Transportation Security Administration (TSA) offered $15, 000 to anybody — literally anybody — who could come up with an idea to speed up airport security…” writes Popular Science. “They wouldn’t say who won or for which idea, but since we’re here two years later with longer wait times than ever, it’s fair to say it hasn’t lived up to the groundbreaking ideals of that call to action… Now in summer 2016, the TSA recommends arriving three hours early instead of a mere two.” So this spring the Seattle-Tacoma airport replaced many of the TSA staff with private screeners, although “Private security operates under strict direction from the TSA, and even those airports that heavily utilize private contractors still have a lot of TSA personnel in the back rooms…” according to the article. “The ability to do exactly what the TSA does, only faster and cheaper, seems to be the major draw.” Now 22 U.S. airports are using private screeners, although the Seattle and San Francisco airports are the only ones with significant traffic. The article also cites a Homeland Security report which discovered that investigators were able to smuggle a test bomb past security checkpoints in 67 out of 70 tests. Read more of this story at Slashdot.
More:
Long TSA Delays Force Airports To Hire Private Security Contractors
River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee’s credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to “store information.” That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using “multiple levels of AES-256 encryption, ” it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn’t using multi-factor authentication for its own systems. OneLogin’s CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be “visible in our logging system prior to being encrypted and stored in our database.” The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm “also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses.” Read more of this story at Slashdot. 
Want to know why phishing continues to be one of the most common security issue? Half of the people will click on anything without thinking twice ArsTechnica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages — even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1, 700 test subjects — university students — from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data — some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied, ” but the site logged the clicks by each student. Read more of this story at Slashdot.