
The Transportation Security Administration (TSA) -- those chappies who obsess about bombs in Pepsi cups and rifle your luggage for plastique and make you take off your shoes -- evidently don't know much about computer security.
The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor. The lack of proper encryption was brought to the attention of TSA last year by security researcher Chris Soghoian, who noted that such "major incompetence" could have been avoided by basic oversight.
[...] According to the report, the TSA was completely unaware of the security issues while the site was in operation. During that time, thousands of travelers submitted personal information through the website and a TSA administrator claimed in congressional testimony that the agency had assured "the privacy of users and the security of the system."
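The two defects the report describes, forms that submit identifying data over plain HTTP and an expired, self-signed certificate on the few pages that did use SSL, are both things a basic pre-launch review can catch mechanically. The script below is an added example, not code from the article, the TSA or the contractor; it uses only the Python standard library, and the hostname, dates and HTML in it are constructed stand-ins, not the real site. It checks a page's forms for submission targets that are not https:// and inspects a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns for self-signature and expiry.

```python
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the dict that ssl.SSLSocket.getpeercert() returns.
# Hostname and dates are invented for this example. A self-signed certificate
# has identical subject and issuer, and this one's notAfter is in the past.
SAMPLE_CERT = {
    "subject": ((("commonName", "redress.example.invalid"),),),
    "issuer": ((("commonName", "redress.example.invalid"),),),
    "notBefore": "Mar 15 00:00:00 2006 GMT",
    "notAfter": "Mar 15 00:00:00 2007 GMT",
}

# Constructed HTML for a page served over plain HTTP. The first and third
# forms post in the clear; only the second goes to an https:// endpoint.
SAMPLE_PAGE_URL = "http://redress.example.invalid/form.html"
SAMPLE_HTML = """
<html><body>
<form action="/submit" method="post"><input name="passport"></form>
<form action="https://secure.example.invalid/submit" method="post"></form>
<form method="post"><input name="dob"></form>
</body></html>
"""


def cert_findings(cert, now=None):
    """Flag a self-signed, expired or not-yet-valid certificate.

    `cert` is a getpeercert()-style dict. `now` is a Unix timestamp so the
    check can be made deterministic; it defaults to the current time.
    """
    now = time.time() if now is None else now
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: issuer is identical to subject")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired: notAfter %s is in the past" % cert["notAfter"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before > now:
        findings.append("not yet valid: notBefore %s is in the future" % cert["notBefore"])
    return findings


class _FormCollector(HTMLParser):
    """Collect the absolute submission target of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        # A form with no action attribute submits back to the page URL itself.
        action = dict(attrs).get("action") or self.page_url
        self.targets.append(urljoin(self.page_url, action))


def insecure_form_targets(page_url, html):
    """Return form targets that would carry submitted data without TLS."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    return [t for t in collector.targets if urlsplit(t).scheme != "https"]


def audit(page_url, html, cert, now=None):
    """Combine both checks into one list of findings for a page."""
    findings = ["form posts without TLS: " + t
                for t in insecure_form_targets(page_url, html)]
    findings.extend(cert_findings(cert, now))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_CERT):
        print(line)
```

Against a live site you would feed `audit()` the fetched HTML and the result of `getpeercert()` from an `ssl`-wrapped socket; note that `getpeercert()` only returns the full dict when the handshake verified the chain, so a self-signed or expired certificate is already a failed handshake under `ssl.create_default_context()`, which is exactly the warning every visitor to the redress site would have seen.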
Of course, nobody important was really endangered by running a poorly protected site ...
The site—which enables travelers to seek removal from airline watch lists by providing personal identification information—operated for four months before the vulnerabilities were detected.
See? It was only complainers who were possibly exposed to identity theft -- theft they themselves were responsible for, after all, by posting personal identification information on the web.
But how could the TSA have possibly allowed such a shoddy installation to occur for an official government web site?
The web site was created by Desyne Web Services, a web marketing firm from northern Virginia whose clientèle includes the FBI, USA Today, and George Foreman. TSA awarded Desyne a no-bid contract valued at $48,816 for development of the redress system. According to the report, the Request for Quote (RFQ) issued by TSA prior to making the deal stated that Desyne was "the only vendor that could meet the program requirements." The report notes that Nicholas Panuzio, the TSA employee and technical lead who authored the RFQ, had previously worked for Desyne and had known the owner of the web design company since high school—a serious conflict of interest.
Surely quick and effective action was taken as soon as this all was discovered.
Following the revelation of security vulnerabilities in the system, TSA transferred the site to a Department of Homeland Security (DHS) domain and notified users who submitted information through the unencrypted form that they had been exposed to risk of identity theft. The committee's report notes, however, that TSA never reprimanded Panuzio or imposed sanctions on Desyne. In fact, the report says that Desyne continues to operate several major TSA web sites and has received over $500,000 in no-bid contracts for web services from TSA and DHS.
Nice work, if you can get it.
(via Les)