Congressional report rips US TSA Web site security

A Web site commissioned by the U.S.
Transportation Security Administration (TSA) to help travelers whose names
were erroneously listed on airline watch lists originally had multiple security
problems that could lead to identity theft, says a congressional report released
Friday.

In addition, the TSA awarded the $48,816 contract for the Traveler Redress
Web site based on a request for quotes with requirements that only one Web design
firm could meet, says the report, released by the House of Representatives Committee
on Oversight and Government Reform. The TSA's technical lead and author
of a request for comments for the project was a longtime friend of the owner
of Desyne Web Services and had briefly worked for the Virginia firm, the
report says.

"This redress Web site had multiple security vulnerabilities: It was not
hosted on a government domain; its homepage was not encrypted; one of its data
submission pages was not encrypted; and its encrypted pages were not properly
certified," the report says. "These deficiencies exposed thousands
of American travelers to potential identity theft."

The TSA press office did not immediately respond to a request for comments
on the House report. A receptionist at Desyne said the appropriate person for
commenting was not available.

The redress Web site went live in October 2006 and blogger Christopher Soghoian,
a graduate student in informatics at Indiana University, pointed
out security problems there last February. The TSA took the Desyne Web site
down that month and now hosts a traveler redress form on its own Web site.

"This begs the question: Who are these guys, why don't they know how to
use SSL and how were they awarded this sweet contract?" Soghoian wrote
in February 2006. "Why can't TSA do a simple form submission themselves?"

One of the biggest concerns raised by Soghoian and the House report is that
the Desyne Web site did not use SSL (secure socket layer) encryption on its
home page or on its submissions page. Travelers were asked to submit personal
information such as their Social Security numbers and birth dates. The site
was not hosted on a government domain, meaning visitors "lost any assurance
they were visiting a legitimate government Web site," the House report
says.

The House report was also critical of Desyne's "no-bid" contract
to operate the redress Web site. Desyne had done work for TSA since 2004, and
as of late 2007, it continued to host the TSA's Web site where travelers could
file claims for damaged property. The TSA's April 2006 request for quotes for
the redress site said the design had to be consistent with the claims management
site, and it had to be hosted on the same server that hosted the claims management
site, the House report says.

As of September, Desyne continued to operate Web sites for TSA, and the company
has received more than $500,000 in business from the agency since 2004, the
report says. "TSA did not take action ... to sanction Desyne for poor performance,"
the report says.