US security agency leaks data

Damning report slams TSA

Written by Iain Thomson

vnunet.com, 14 Jan 2008

The US Transportation Security Administration (TSA) has been slammed by the House Oversight and Government Reform Committee for sloppy website security.

In a damning report the Committee identified major security leaks in a vital TSA web page that could allow personal information to be harvested.

Vulnerable details included name, address, Social Security number, birth date and place and even eye colour.

The Committee found that the TSA was not even hosted on government servers, as the website was outsourced to Desyne Web Services, a private contractor, in a no-bid contract.

The TSA employee who put out the tender is claimed to be a childhood friend of the owner and a former employee.

"There were multiple factors that contributed to security vulnerabilities in the TSA traveller redress website, including poor procurement practices, conflicts of interest and weak oversight," said the report.

"The result of these shortcomings was that an insecure website collected sensitive personal information from American travellers for months without detection by TSA."
The report found that the home and submission pages of the site, which was used by people appealing against being refused permission to fly, had no SSL encryption at all.

The site was not hosted on a secure government website, which caused confusion to users, and some pages were falsely listed as having third-party SSL certification.
The flaws were only fixed after Chris Soghoian, a Ph.D student, publicised them on his Slight Paranoia blog.

"[It is] incredible that they would take the site live using a self-signed certificate," Soghoian told the Committee.

"It shows major incompetence at Desyne. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101."

The problem started when the TSA was created and took control of the lists of people not allowed to fly over US airspace. The list contained just 16 names on 11 September 2001, but has since grown to over 70,000.

Mistakes were commonplace and misidentified terrorist suspects included Senator Ted Kennedy, several children (including some younger than a year old) and the singer Cat Stevens.

A Department of Justice investigation found that 43 per cent of people on the list were false positives.

The appeals process was paper based for four years and had three officers assigned, leading to a backlog of tens of thousands of applications.

The TSA moved the operation online but decided that it did not have the space to host the site and outsourced it to Desyne.

The Committee found that the Request for Quote was written in such a way that Desyne could be the only bidder, since it specified reuse of existing TSA code which only Desyne, as it already had $500,000 worth of existing business with the organisation, would have.

"TSA investigators found that the primary author of the April 2006 statement of work was the director of the Claims Management Office, Nicholas Panuzio," the report said.

"Panuzio told TSA investigators he had known Desyne's owner since high school, had worked for Desyne for eight months in 2001 and 2002, and still met regularly with Desyne's owner and others for drinks or dinner.

"Panuzio played a key role in the development of the traveler redress website. For example, one email exchange shows that the Redress Management project director, James Kennedy, relied on Panuzio's recommendation to pay Desyne's December 2006 invoice.

"Although he had earlier disclosed this conflict of interest to the TSA Office of Chief Counsel, Panuzio did not disclose it to the project manager or to the lead contracting officer on the project."

The Committee said that the problems on the site had now been fixed, and that it is being hosted by the Department for Homeland Security.

No action is being considered against Panuzio because he had not profited personally, or Desyne, which still hosts two TSA websites.

It has not been a good 12 months for the TSA. The organisation was forced to call in the FBI last year after it lost 100,000 staff records stored on an external hard drive.

See also:

reader comments

related articles

UK considers RFID tags for prisoners

Porridge with chips 14 Jan 2008

 

US whistleblower's details exposed on the web

Bankruptcy fraud whistleblower files civil lawsuit 13 Dec 2007

Florida man arrested after huge data theft

Information on 8.5 million customers on sale for five years 05 Dec 2007

Government loses Standard Life customer details

Courier leaves 15,000 accounts at risk 05 Nov 2007

MPs call to criminalise data loss

Justice Select Committee demands heavy fines and/or jail terms 03 Jan 2008

latest news

NCE shows Shepway the way

VAR implements BakBone Software's Netvault: Backup to upgrade the council's IT infrastructure 13 May 2008

BT to sell data centres to HP

Reports claim BT will offload its UK data centres in £1.5bn deal 12 May 2008

NetServices hunts AV resellers

Telco aims to tap into IP video explosion by recruiting audiovisual specialists 12 May 2008

More news

poll

What Credit Crunch?

What Credit Crunch?

Is the UK more confident in its economy than Europe?

Previous poll results

Toughbook

CRN product cast: Panasonic Toughbooks

This exclusive video, commissioned by Panasonic, provides a unique demonstration of the latest Toughbook notebooks

Infosec Video Lounge Part 2

Infosec video lounge in association with Microsoft Part Two

More CRN TV

events

Channel Expo 2008

Channel Expo 2008

The 2008 Channel Expo in May will be bigger and better than ever

CRN Fight Night logo

CRN Channel Fight Night 2008

CRN's inaugural white-collar boxing event aims to raise money for a variety of good causes

More Events

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Advertisement

White papers

Search white papers

Top categories