Report: TSA site put travelers at risk...and a bit of poetic justice
UPDATE: See below for TSA's response.
A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft.
The report (PDF) also reveals that a no-bid contract to create the site was awarded to an outside company by a TSA employee who had previously worked for that company. Was this just business as usual at TSA?

TSA: Security ain't its forte (Credit: CNET)
In October 2006, the TSA launched a Web site to help travelers whose names were erroneously listed on airline watch lists. This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers.
The report notes that TSA's chief information security officer conducted a detailed security accreditation review of the traveler redress site before it went live. He/she did not notice any of the glaring holes that I highlighted in my initial blog post on the subject. The report does not note whether the chief information security officer was ever punished for this failure to detect obvious flaws.
For the four months that the site was up, thousands of people visited it, and 247 travelers submitted highly personal information (including their Social Security number and place of birth) through an insecure, non-SSL encrypted form. TSA's lax security practices resulted in thousands of Americans being put at a direct risk of identity theft.
The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site.
In addition to noting the security problems on the site, I also expressed significant skepticism regarding Desyne Web Services, the Virginia-based Web site design firm that was running and operating the site. In my original blog post, I wrote:
"This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract? Why can't TSA do a simple form submission themselves?"
My initial concern seems to be well founded, as the newly released report reveals. The TSA official in charge of the project awarded the contract--without competition--to one of his former employers, a company owned by one of his high school buddies.
Proving that this is just business as usual for TSA, the report notes that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."
UPDATE: When reached for comment, TSA spokesman Christopher White stated that "every issue that the committee brought up has been addressed many months ago. We are not interested in rehashing last year's issues."
When asked whether TSA is concerned with the ethical concerns that surrounded the no-bid sweetheart contract, he stated that there are "no ethical issues (to be) brought up. We hold ourselves to very high ethical standards. It is useless for the American public to rehash this old garbage that doesn't exist today."
He also stated that "many many months ago, when this was a legitimate issue, TSA did notify each person who may have been affected." However, he said, TSA "did not offer to pay for credit monitoring" for those passengers. He stressed that, "we have absolutely no indication that anyone's identity has been misused as a result of this incident."
White could not immediately answer questions related to the complete lack of sanctions for the TSA employee managing the contract and promised to get back to me after looking into the issue.
For those readers who are not aware, the FBI conducted a 2 a.m. raid of my home back in October 2006, after I created a Web site demonstrating the ease with which passengers could create fake boarding passes. After the FBI dropped its investigation, the TSA investigated me for six months and threatened me with tens of thousands of dollars in civil fines. No charges were ever filed.
I discovered the initial security flaws in TSA's redress Web site, and the congressional investigation is a direct result of a blog post that I wrote in February 2007. I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.
It's poetic justice, if you will, for the unpleasantness that TSA put me through.
Desyne, the firm that created the Web site, could not be immediately reached for comment.
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.





Bush needs to be impeached, imprisoned and tortured to death along with his entire family and his entire administration. That might show the world that we're truly sorry for unleashing this evil upon humanity.
In fairness, what I said to you was that we are not focusing on problems that occurred last year (or almost 18 months ago now) that we addressed many, many months ago. We are focused on this year and our ability to protect the American traveling public which leads us directly to Secure Flight.
As an agency, we have absolutely no problem admitting when we are wrong and when we could have done things differently. In this case we certainly could have done several things differently and once we identified these issues (admittedly through your reporting that got picked up in Wired and others) we took immediate action. The plans to migrate to a DHS-wide solution had been under way for several months and more than 16,000 travelers have used www.dhs.gov/trip since the migration in February 2006 safely and securely.
I also mentioned to you that the public at large is much more concerned about the daily misidentifications that occur at airports all over the country today by dozens of airlines trying to match the no-fly and selectee as opposed to something that happened and was fixed early in 2006.
That's why Secure Flight is so important, it's TSA's answer to uneven watch list matching that results in 5-year-olds being told they're on the no-fly list (they're not) and people using the DHS redress site in the first place. Secure Flight takes watch list matching from dozens of airlines and brings it into TSA. By asking passengers for full name and itinerary we can quickly and very accurately determine if the passenger that is planning to fly today is the individual that poses a legitimate threat to aviation. Once this is up and running, you're only going to be misidentified once. This means much less hold ups, inabilities to print boarding passes at home or on a kiosk and a better focus on the true bad guys.
Christopher White
TSA Spokesman
Sorry, but we ARE focusing on problems that occurred almost 18 months ago. It is apparent that there's a lack of ethics involved in just giving jobs out to old buddies, despite your claim that there is not (in my opinion, this is forgivable if they are at least competent.. but they weren't.) There's a lack of competence in not checking over the site created to make sure it has at least minimal security in place. It's not acceptable to gloss over possible information leaks and not provide credit monitoring to people whose information you didn't protect... in fact this may be illegal in some states. It is also apparent that if all of the above is considered kosher, lying about fixing internal problems probably is too. I don't believe you or your agency that these problems are solved.. so that specific site is down. This is more a comment about systemic problems apparent by a site like that going live to begin with. If they are solved, prove it! I don't trust you or your agency to implement "secure flight" either, given the lack of ethics, and obvious lack of competence shown by OK'ing a site that doesn't have SSL and is full of security holes. To clarify it is **NOT** acceptable to build a "secure flight" system that has no security and safeguards in place, and just plan to put those up later. In this modern day and age, a totally unsecured site can be hacked within minutes of being put up.
"I also mentioned to you that the public at large is much more concerned about the daily misidentifications that occur at airports all over the country today by dozens of airlines trying to match the no-fly and selectee as opposed to something that happened and was fixed early in 2006."
This is a site read by computing experts. I don't care what the public at large is concerned about. They aren't concerned by a lot of problems that would absolutely cripple their bank accounts and identities if people like me weren't concerned about them. Don't brush problems like this aside, this just demonstrates your incompetence to take on a job like this.
I could go over the rest point-by-point, but clearly I disagree with it in general too.
After reading your post, I am more confused than before. Why would I or anyone else be satisfied with being misidentified only once versus two or ten times? "Once this is up and running, you're only going to be misidentified once. This means much less hold ups, inabilities to print boarding passes at home or on a kiosk and a better focus on the true bad guys"
The issue here, bigger than the crappy website security, is the fact that a TSA employee awarded a no-bid contract to a firm which was his former employer, and run by his high-school buddy.
I'd argue that the American public are quite concerned about corruption, and the fact that your agency has yet to fire this guy proves that something is seriously rotten in the state of Denmark (or TSA, rather).
I'd also like to know why your CISO wasn't fired for approving this website in the security review before it went live.
I'm still waiting for your callback, Mr. White, with answers to these questions.
A no-fly list based on full names alone is in fact the worst way to identify people who pose a threat.
Wikipedia: Walter F. Murphy, McCormick Professor of Jurisprudence at Princeton, reported that the following exchange took place at Newark on 1 March 2007, where he was denied a boarding pass "because I [Professor Murphy] was on the Terrorist Watch list." The airline employee asked, "Have you been in any peace marches? We ban a lot of people from flying because of that." "I explained," said professor Murphy, "that I had not so marched but had, in September 2006, given a lecture at Princeton, televised and put on the web, highly critical of George Bush for his many violations of the constitution." To which the airline employee responded, "That'll do it."
by james148654610316814
January 13, 2008 4:57 PM PST
Christopher White, how many other drinking buddies are awarded million dollar security contracts and do a half-assed job? I'm a member of the flying public and yes, I'm very concerned.
by christopherwhite
January 13, 2008 6:15 PM PST
James,
Couldn't agree more. You should be concerned, as we have been during the 18 months since this took place.
It's completely unacceptable for us, the TSA, to post a non-secure link for people submitting information about themselves to a government agency in order to be identified as legitimate travelers. Bottom line is there's no excuse and we've tried hard to learn from our mistakes. We've tightened controls of the programs we run, the information we request and the way we handle that information. All of our programs are now in the .gov domain and all are secure.
We have posted information on what happened, what went wrong and how we fixed it on our Web site, http://www.tsa.gov/press/happenings/tsa_site.shtm and we're updating the site now with some additional important facts listed below.
We also conducted a forensic audit after the incident and we learned that 247 people had used the non-secure document and upload to apply for redress with TSA. We immediately reached out to these individuals and warned them of this situation, specifically telling them that no one from TSA would contact them or ask for information from them. We also suggested several methods of monitoring their credit. To this point, TSA has no knowledge of any of these individuals' identities being misused.
It is also important to know that the only time the information was not secure was from the desktop of the user en route to the servers that process the redress applications. For an individual's identity to be compromised, it would have to have been intercepted during this transmission, over 12 months ago.
These are not excuses for what happened, only a more complete explanation of facts surrounding the incident.