Sunday, January 13, 2008

Blogger exposes security flaws on TSA site

Since 9-11, we've spent billions upgrading security. Here is a sad report about how the TSA (Transportation Security Administration) put up a NOT very secure site with some of the money earmarked for making the nation more secure.

Even worse, it seems the TSA didn't even discover the problem themselves. The problem was brought to light by a blogger!

Here is some commentary from the government report that examines this problem:

In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft.

After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain.

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight.
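As an added illustration of the four deficiencies the report lists (this is not code from the post or from the committee), here is a small Python audit that flags a page not hosted under a government domain, a page or form target served without TLS, and a certificate whose names do not cover the host. The sample page, host names and certificate below are constructed stand-ins, not the real TSA site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

GOV_SUFFIXES = (".gov", ".mil")  # where a federal redress site is expected to live


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html):
    """Findings for one page: hosting domain, page TLS, and where each form submits."""
    findings = []
    page = urlparse(page_url)
    host = (page.hostname or "").lower()
    if not host.endswith(GOV_SUFFIXES):
        findings.append(f"not hosted on a government domain: {host}")
    if page.scheme != "https":
        findings.append(f"page served without TLS: {page_url}")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urlparse(urljoin(page_url, action))  # resolve relative actions
        if target.scheme != "https":
            findings.append(f"form submits without TLS: {target.geturl()}")
        elif (target.hostname or "").lower() != host:
            findings.append(f"form submits to a different host: {target.hostname}")
    return findings


def cert_matches_host(cert, host):
    """True if a cert dict (shape of ssl.SSLSocket.getpeercert()) names host via SAN or CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = host.lower()
    _, _, parent = host.partition(".")  # "www.example.gov" -> "example.gov"
    return any(n == host or (n.startswith("*.") and "." in parent and n[2:] == parent) for n in names)


# Constructed sample input modelled on the report's findings; not the real TSA site.
SAMPLE_URL = "http://redress.example-contractor.net/index.html"
SAMPLE_HTML = ('<form method="post" action="http://redress.example-contractor.net/submit"></form>'
               '<form method="post" action="https://secure.example-other.net/submit"></form>')
SAMPLE_CERT = {"subject": ((("commonName", "www.example-other.net"),),),
               "subjectAltName": (("DNS", "www.example-other.net"),)}
```

Run `audit_page(SAMPLE_URL, SAMPLE_HTML)` to get four findings for the sample page, and `cert_matches_host(SAMPLE_CERT, "secure.example-other.net")` returns False because the constructed certificate names a different host.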

The report reveals that the contract for the website was awarded without competitive bids by a TSA employee who was a former employee of the company that designed the site. Even worse, it took months for the security flaws to be noticed, and when they were, it was a blogger that brought them to everyone's attention!

The "hat tip" on this one belongs to Chris Soghoian, who is a Ph.D. student at the University of Indiana's School of Informatics. He used to write on the blog "Slight Paranoia."

The first time Chris was considered "notorious" was when he put a fake boarding pass generator on the Internet. This attracted a lot of attention in the press, as well as that of the FBI.

Chris recently moved his blog to a CNet address, which can be seen here.

Chris recently blogged about this report and added a comment about the lack of spell check being used on the TSA site, "Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers."

The official government conclusion is:

There were multiple factors that contributed to security vulnerabilities in the TSA traveler redress website. They included poor procurement practices, conflicts of interest, and weak oversight. The result of these shortcomings was that an insecure website collected sensitive personal information from American travelers for months without detection by TSA.

This led me to wonder whether the TSA employees involved still have their jobs.

Much to my chagrin, I found my answer in the Committee on Government Oversight and Reform's press release on this matter:

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

Full government report (PDF version here).
