Congressional report rips US TSA Web site security
A Web site commissioned by the U.S.
Transportation Security Administration (TSA) to help travelers whose names
were erroneously listed on airline watch lists originally had multiple security
problems that could lead to identity theft, says a congressional report released
Friday.
In addition, the TSA awarded the $48,816 contract for the Traveler Redress
Web site based on a request for quotes with requirements that only one Web design
firm could meet, says the report, released by the House of Representatives Committee
on Oversight and Government Reform. The TSA's technical lead and author
of a request for comments for the project was a longtime friend of the owner
of Desyne Web Services and had briefly worked for the Virginia firm, the
report says.
"This redress Web site had multiple security vulnerabilities: It was not
hosted on a government domain; its homepage was not encrypted; one of its data
submission pages was not encrypted; and its encrypted pages were not properly
certified," the report says. "These deficiencies exposed thousands
of American travelers to potential identity theft."
The TSA press office did not immediately respond to a request for comments
on the House report. A receptionist at Desyne said the appropriate person for
commenting was not available.
The redress Web site went live in October 2006 and blogger Christopher Soghoian,
a graduate student in informatics at Indiana University, pointed
out security problems there last February. The TSA took the Desyne Web site
down that month and now hosts a traveler redress form on its own Web site.
"This begs the question: Who are these guys, why don't they know how to
use SSL and how were they awarded this sweet contract?" Soghoian wrote
in February 2006. "Why can't TSA do a simple form submission themselves?"
One of the biggest concerns raised by Soghoian and the House report is that
the Desyne Web site did not use SSL (secure socket layer) encryption on its
home page or on its submissions page. Travelers were asked to submit personal
information such as their Social Security numbers and birth dates. The site
was not hosted on a government domain, meaning visitors "lost any assurance
they were visiting a legitimate government Web site," the House report
says.
The House report was also critical of Desyne's "no-bid" contract
to operate the redress Web site. Desyne had done work for TSA since 2004, and
as of late 2007, it continued to host the TSA's Web site where travelers could
file claims for damaged property. The TSA's April 2006 request for quotes for
the redress site said the design had to be consistent with the claims management
site, and it had to be hosted on the same server that hosted the claims management
site, the House report says.
As of September, Desyne continued to operate Web sites for TSA, and the company
has received more than $500,000 in business from the agency since 2004, the
report says. "TSA did not take action ... to sanction Desyne for poor performance,"
the report says.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
