Report: TSA Site Exposed Travelers To ID Theft

A House of Representatives panel yesterday released a damning report about a Transportation Security Administration Web site built to address grievances from travelers errantly flagged by the government's no-fly list. It concluded that cronyism and a lack of oversight exposed thousands of site visitors to identity theft.

The House Committee on Oversight and Government Reform began its investigation into security lapses at the TSA's Traveler Redress Web site last year, after Security Fix and other media outlets pointed out that the site accepted Social Security numbers and other sensitive information from travelers without encrypting the data, potentially allowing hackers to intercept it. noted in its coverage that the site was so laden with spelling errors that it resembled a phishing Web site, the sort typically set up by scammers to lure people into giving away personal and financial data.

The report, which liberally cites content and reader comments from Security Fix and, found that the TSA awarded the contract without competition to Boston, Va.-based Desyne Web Services, and that the guy in charge of awarding the contract had previously worked at Desyne and was good friends with the owner. To date, Desyne has been awarded more than half a million taxpayer dollars' worth of no-bid contracts by the TSA, according to the report.

The site's security weaknesses remained undetected by the TSA for more than four months, despite congressional testimony from TSA Administrator Kip Hawley that the agency had assured "the privacy of users and the security of the system" before its launch, the report notes. "Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage."

Chris "Boarding Pass Hacker" Soghoian, the researcher and now blogger who first discovered the TSA site screw-up, said half a million bucks is a lot of change for a few Web site forms.

"It's strange that with $500,000 in TSA's money, they couldn't afford a real SSL cert," Soghoian said.

This type of security oversight is unfortunately not as uncommon as you might think. On Wednesday, a reader tipped me off that the new member registration page for The Computing Technology Administration (COMPTIA) -- which requests credit card numbers in addition to other sensitive data -- was accepting new memberships and their credit card numbers without encrypting the data with Secure Sockets Layer (SSL) technology on the site. The security glitch was fixed within a few hours after I notified COMPTIA, but a COMPTIA spokesperson claimed that the organization had made no relevant changes to the site since my e-mail was sent.

By Brian Krebs | January 12, 2008; 9:15 AM ET
Categories: From the Bunker, U.S. Government

The TSA is a sham and every one of its useless workers is a money-grubbing traitor to the USofA. This organization and its workers suck. Get rid of them all!!!

Posted by: Brad Mustang | January 12, 2008 1:55 PM

T.S.A.= Thousands Standing Around.

Operation "Window Dressing" is working just fine.

Posted by: MemySelfandi | January 12, 2008 2:06 PM

Your freedom of speech is protected by the same government that established this organization. Thanks for the negative comment. Please, in the future, keep in mind that what you do with your freedom is your choice. Remember that some of us TSA shams have also defended your freedom overseas, and continue to defend it WHILE employed by US. So, thanks.

Posted by: TSAScrnr | January 12, 2008 2:10 PM

Congratulations Brian!

You've won today's Tortured Syntax award for your seventh paragraph.

Triple Negative!!


Second Prize, of course, goes to your editor.

Where is Ben Bradlee when we seem to need him most? :>)

Posted by: Joe Winkelmann | January 12, 2008 2:15 PM

To have hired the contractor and exposed people to identity theft should be considered as criminal. I am sick of what State and Government agencies (and their employees on both large and small scales) get away with and the waste in spending. At the least, immediate firings need to occur and the money for the website recouped.

Posted by: Chris | January 12, 2008 2:54 PM

Anyone who still believes that you can trust the nation's security to a Republican administration probably believes every word of the Bible too. How many suicide bombers have they found trying to board planes? How many Grandmas don't fly anymore because of the rough treatment they get at airports? A lot of show to make the public think they're doing something. Meanwhile, they can't run a secure web site, they can't even continue illegally taping phone calls because the FBI doesn't pay its phone bills. Ronnie Raygun said that government is the problem. Well it sure is when the Republicans are in charge.

Posted by: thebob.bob | January 12, 2008 3:07 PM

TSA workers are not the problem. The people that run the agency are the ones that should be criticized for its failings. The incoherent policies and procedures that leave their workforce in a difficult position. Security or Customer service???? The workers generally take their job seriously, and are tireless in their approach to safety, more so than the boys in Washington. TSA Officers are on the front line absorbing all the anger from a lazy, self-centered, inconsiderate public. Who could give a rat's ass about the carnage of 9-11 as long as they can still sip their lattes while they prance through a security check point without having to take off their pungent shoes.

Posted by: Tom | January 12, 2008 3:43 PM

America wouldn't have freedom without the TSA, and other vital US agencies. The government keeps you safe from bad people so you can be free.

If this makes sense to you, then you may like the movie "They Live", by John Carpenter.

Posted by: infrequent flyer | January 12, 2008 3:50 PM

I am so tired of government computers being hacked that when I renewed my special ham-radio callsign with the F.C.C., I used a one-time ShopSafe Web-generated credit card with a $50 limit and 60-day expiration. Amazon, I trust, but not any branch of the U.S. government, where I served as a Marine, federal agent and intelligence agent.

Posted by: Rick | January 12, 2008 3:54 PM

It is unfortunate that front-line TSA workers have to take the brunt of feedback from a public frustrated by TSA policies. But it is uncharitable and provably wrong that all the anger is simply due to lazy, self-centeredness -- and insulting to imply that it is due to insensitivity to 9-11. TSA agents are having to enforce policies that, as noted ad nauseam, are reactive and easily routed around. I feel for them, they did not create the policies. But unfortunately, they are representatives of an agency that appears hamfisted and -- as indicated in the article -- in some areas corrupt, incompetent, and placing its constituents in danger.

Posted by: Jay | January 12, 2008 3:59 PM

A lack of freedom of speech has resulted in people errantly being added to the no-fly list, necessitating this boondoggle of a program. A half mil no-bid contract, that fails to execute common security measures to protect users' info? Cronyism? And all this based on a false flag operation, more commonly known as The Great Terror Attacks of 911.

Posted by: sdemetri | January 12, 2008 4:36 PM

Based upon spelling and grammar, I think Brian works for the TSA.

Posted by: mike | January 12, 2008 5:16 PM

I can't go in to 7-11 without shoes on, but thanks to TSA I must take them off at security checkpoints.
go figure

Posted by: wow | January 12, 2008 5:20 PM

The lower echelon of TSA workers are mostly hard-working, decent people trying to put bread on the table for their families. I blame this mess on upper level management and those who think they are untouchable and therefore, unaccountable for their actions. Wasn't it just last year that the personal information of thousands of workers was stolen from a laptop left unguarded somewhere? Apply the blame where it is truly deserved!

Posted by: C | January 12, 2008 5:26 PM

"some of us TSA shams have also defended your freedom overseas, and continue to defend it WHILE employed by US. " ....... PullEEZE .... Let me get my violin. You aren't defending AMERICA in Iraq OR the Airport. Iraq is a filthy LIE about WMD's. TSA is uniformed snitches searching for BONGS, and stealing toiletries from Grandmas. Sorry if I burst yer bubble, but you SHOULD have figured it out yourself. Ever wonder WHY all those confiscated liquid items that are supposedly "dangerous explosives" are just tossed into big containers ?!?!?! BECAUSE TSA KNOWS IT IS ALL A LIE. You are a pawn in a gigantic fraud, that many people are getting RICH off.

Posted by: Citizen | January 12, 2008 6:01 PM

From the website:

Is my information secure?

TSA takes the security of personal information very seriously. The personal information TSA collects is protected by the highest set of security protocol standards established by the federal government.

TSA regularly assesses and updates our cyber security protocols and programs to ensure the protection of both public and private data sources. Passengers seeking redress should feel confident that their personal data will be protected and used only for its intended purpose.

Posted by: wo42lf | January 12, 2008 6:02 PM

If the airlines were truly free enterprise we would not see this kind of misconduct. Because of corporate welfare from government the feds call the shots with no accountability. Can't America see that these areas of security fail over and over and our government cannot make us safe? Ask yourself, do you really think people like myself will ever sit idle and let another 9/11 happen? No way! The false sense of security only makes matters worse. Loss of freedom = more security = more government = less personal responsibility = fall of a great nation.

Posted by: tim | January 12, 2008 6:13 PM

I always thought that TSA stands for Those Stupid Americans and now it would seem I was correct.

Posted by: Jason | January 12, 2008 6:42 PM

The front-line, visible, TSA employees are just doing their jobs, and trying to eke out a living in the process.

They are compartmentalized from, and blissfully ignorant to, the shenanigans taking place daily at TSA's Arlington, VA headquarters.

The cronyism discussed in Krebs' piece barely scratches the surface of TSA's gross incompetence and waste of tax dollars taking place on a daily basis.

The TSA screeners are simply the "public face" of the TSA. They mean well, and deserve our understanding and cooperation. They do not set the rules and/or the operational policies of their employer.

Hopefully, someday soon, a cracker-jack reporter will expose the day in and day out chicanery being hoisted on the flying public by 24 floors worth of highly paid "decision makers" sitting in Arlington, VA.

Posted by: Former Insider | January 12, 2008 7:23 PM

Your only "security" is between your left and right ears. If you enter your personal info on a webpage address that doesn't begin with https, then it is not secure. But because people are unaware of this factor, the TSA is blamed for not using an https certificate, aka SSL, wherever appropriate. The bottom line is that no-one is protecting anyone from anything. And the government cannot protect your freedom, especially if you don't trade it away for "security". Black belt karate will pass all "screeners". Only if we use our heads and think can we have any chance of protecting our freedom. If someone used a wig to hide a weapon, all wigs would then need to be removed? What if someone used their passport to hide chemicals? Your only security is between your left and right ears.

Posted by: infrequent flyer | January 12, 2008 7:33 PM

I have noticed that government is one of the worst offenders of database security, I am not surprised.

I am sure it did not take anyone long to notice that the site did not use a secure server for the data. I am also sure that someone must have pointed it out to them the first day. In their arrogance they probably ignored it until Congress got involved.

I don't know what bothers me more, their incompetence or the cronyism.

Posted by: Robert | January 12, 2008 8:47 PM

The TSA (Terrorized Suckers Association) workers have no self-esteem. Who could do that job more than a few weeks and not realize the scam they're part of? Those that do leave (self respect) won't even add that to their resume. Those that stay are the unemployable in real industry. Just more government welfare for dimwits who finally get to play rent-a-cop. Check the requirements for being a gate cop - fog a mirror?

Posted by: Think of it | January 12, 2008 9:44 PM

We hold these truths to be self-evident: That all men are created equal; that they are endowed by their creator with certain unalienable rights; that, among these, are life, liberty and the pursuit of happiness; that, to secure these rights, governments are instituted among men, deriving their just powers from the consent of the governed; and, whenever any form of government becomes destructive of these ends, it is the right of the people to alter or to abolish it. -July 4, 1776. The Declaration of Independence

Posted by: Sid | January 12, 2008 9:54 PM

If you must have airport security (highly debatable), then why not junk the TSA and turn security operations over to the same people who operate the Las Vegas Casinos?

Their security is seamless and rock solid (just look up and around to see what I mean), yet simultaneously they manage to create a welcoming environment for their patrons.
Their doors are always wide open and they welcome your visit.

Imagine being able to walk into the airport, buy a ticket - using cash! - and not have to go through metal detectors, take off your shoes, etc. and merely board the airplane. Imagine travel becoming dignified and convenient again. Imagine being able to meet friends and loved ones as they arrive, instead of hoping you'll see them on the sidewalk outside the "security" zone. Imagine being able to go over to the airport just for lunch and to kill some time looking at the planes.

Imagine, just imagine, travel ceasing to be what it has become over the years - between bottom-feeding airlines seeking to enhance "shareholder value" and security bureaucrats making you "safer" - something that's intrusive, degrading, and dehumanizing.

Just imagine.

Posted by: VICB3 | January 12, 2008 10:27 PM

I'm sorry but this is absolutely comical, in a pathetic sort of way.
The Transportation SECURITY Administration, created under Bush, threatens our own personal security. Only in a BUSH world.

What's next, Dept of Homeland Security sells whole geographical parts of America to China or Saudi Arabia?

Posted by: Greg | January 12, 2008 10:38 PM

VICB3, that idea is too smart to become reality... the issue of that form of terrorism would disappear from the political landscape and bore the media.

But I totally agree with you.

Posted by: JustAnObserver | January 13, 2008 2:11 AM

Why worry about foreign terrorists? We have our own government stabbing us in the back.

Posted by: CR | January 13, 2008 7:26 AM

Let me get this straight. The TSA cannot build a secure personal database, yet their parent department, DHS, wants every person in the country to provide a ton of personal data to them, in the form of the REAL ID act, to put into a national database. Wonderful, we don't have to wait for terrorists to hurt us, our own government is doing a fine job of that.

Posted by: Brent | January 13, 2008 11:57 AM

The TSA is nothing but a bunch of minimum wage unemployables who no doubt routinely pass terrorists thru security because they can't read the Arabic slogans on their T-shirts that probably say Death to all Jews.
In the meantime they strip search nuns and Boy Scouts.
More and more this country resembles a WWII movie with the Gestapo asking "Vere are your papers".

Posted by: Michael | January 13, 2008 12:56 PM

Imagine yourself as a visitor from another planet reading the commentary. Vitriolic, emotion-based attacks. Whining. Unreasoning dislike of bureaucrats and bureaucracy. A wee bit of intelligent analysis.

This column stirred up a hornet's nest!

Posted by: kfritz | January 13, 2008 2:19 PM

This is just a small taste of what lies in wait for everyone when the Real ID scam is implemented.

Posted by: AC | January 13, 2008 3:57 PM

My comment is this: actually, before you blame the government for any shortcomings, just remember we Americans elected the officials that made the rules and regs for the TSA, so directly any problem we have with any government office is caused by us, the American people.

Posted by: G | January 13, 2008 4:05 PM

The root issue at hand is far deeper than the airlines' need of security. Obviously the government has stepped in since the airlines themselves cannot be trusted to do the job.

But is the TSA and the U.S. government doing the job or as enough that needs to be done, the first time around, before another event occurs?

Had the Bush Administration not started a war, had they provided a better, more friendly, cooperative foreign policy, we all would be getting along more...

And had the American people elected and bothered to follow up with their elected public officials to insure what is right from wrong, we all would be in a better situation than the present shrinking economy...

Posted by: William | January 13, 2008 4:47 PM

I don't know which is the solution: bring web development in-house or sub-out the work, but there should be -- if there isn't already -- a review board for all Federal government web sites that collect citizen information. If a web site doesn't go past that board before going live, then there should be automatic and severe penalties. Hit the government employees and contractors equally hard and let's see how quickly these egregious security lapses disappear.

Posted by: C.B. | January 14, 2008 10:15 AM

January 20, 2009...the end of an ERROR

Posted by: drivensnow2525 | January 14, 2008 10:50 PM

What's next, Dept of Homeland Security sells whole geographical parts of America to China or Saudi Arabia?

No...they tried to sell our ports to Dubai...a country where Halliburton just moved their corporate headquarters...connect the dots anyone ??

Posted by: drivensnow2525 | January 14, 2008 10:59 PM

Is there no end to what the American Citizen will suffer at the hands of fear mongering money grabbers?

Posted by: JimB | January 18, 2008 2:58 PM

