Report: TSA site vulnerable to breaches
WASHINGTON (AP) - January 11, 2008 As many as 247 travelers who petitioned the government between
October 6, 2006 and February 13, 2007 to have their names removed
from those lists may be vulnerable, according to a congressional
investigation.
The investigation into the Transportation Security
Administration's traveler redress site found security problems with
the government-sanctioned Web site, which have since been fixed.
The report, posted Friday on the House Oversight and Government
Reform Committee's Web site, also found that TSA awarded a no-bid
contract to a small Virginia-based company to run the program.
Investigators found one of the senior program managers at TSA
who oversaw the launch of the redress site is a former employee of
Desyne Web Services - the company that received the $48,816
contract to develop the site and continues to do business with TSA
today. The employee is also a high school friend of the company's
owner, according to the report.
TSA immediately fixed the site's security problems when it was
made aware of the vulnerabilities last February. Every person who
provided information to the insecure site was contacted, TSA
spokesman Christopher White said. And there is no evidence than
anyone's identity has been stolen.
"This is an old issue that was completely cleared up early last
year and is not a significant issue today," White said.
A graduate student in Indiana discovered the site's security
vulnerabilities last February while researching a paper on boarding
pass security. Chris Soghoian - who is getting his doctorate in
information security at Indiana University - noticed that the
redress site was not secure, yet it asked for names, Social
Security numbers and birthdates. Soghoian said when he sees a site
like this "alarm bells go off in my head."
The lack of security makes the site vulnerable to those who want
to steal others' identities.
Soghoian was interviewed for the congressional report.
Soghoian said he initially thought the site was a "phishing"
site - a fraudulent Web site that tricks consumers into handing
over personal information. But he soon discovered this was TSA's
solution to help reduce innocent travelers from experiencing
unnecessary security restrictions.
TSA has two lists - the no-fly list which can keep a traveler
from boarding a plane and the selectee list which tags domestic
airline passengers for extra searching and questioning at airports.
These lists are much smaller portions of the terrorist watchlist.
It takes more evidence of terrorist links to get on these smaller
sections of the list than it does to get on the full list.
Travelers have been prevented from boarding planes because their
names were similar to names on the lists.
The agency is close to releasing rules for a frequent traveler
program that would ensure a person is only mistaken for someone
else on a watchlist once.
---
On the Net:
http://oversight.house.gov/documents/20080111092648.pdf
http://www.dhs.gov/xtrvlsec/programs/gc-1169673653081.shtm
http://www.desyne.com/done.htm