House committee issues report and finds fault with TSA web site

Date Reported:
1/13/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Transportation Security Administration (TSA)
Desyne Web Services

Victims:
Certain people that used the TSA traveler redress website between October 6, 2006 and February 13, 2007.

Number Affected:
"thousands"

Types of Data:
Name, Social Security number, birth date, birth place, sex, height, weight, hair color, eye color, address, and home and work telephone number.

Breach Description:
According to the January 2008 United States House of Representatives Committee on Oversight and Government Reform report titled "Information Security Breach at TSA: The Traveler Redress Website":
"In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft."

Reference URL:
The official Committee on Oversight and Government Reform report
The CSO Online Story

Report Credit:
The United States House of Representatives Committee on Oversight and Government Reform, and special credit to Chris "Boarding Pass Hacker" Soghoian.

Response:
From the online sources cited above:

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information.
[Evan] For those who don't know, Henry Waxman represents the 30th District of California in the House.

As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight.

The report finds:

  • TSA awarded the website contract without competition.

TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”

  • The TSA official in charge of the project was a former employee of the contractor.    

The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.

  • TSA did not detect the website’s security weaknesses for months.    

The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

  • TSA did not provide sufficient oversight of the website and the contractor.    

The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a government-wide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

After conducting a detailed security accreditation review of the traveler redress website, TSA’s Chief Information Security Officer (CISO) granted the website a 12-month “Authority to Operate” in September 2006. The CISO did not detect a number of glaring security problems affecting the website when it went live on October 6, 2006.
[Evan] The TSA CISO is Patti Titus.  I don't know how these security issues could have been missed!

The security vulnerabilities of the website included the following:
  • The Site Was Not Hosted on a Government Domain.
Instead of being hosted on a government web domain (e.g., “tsa.gov”), the redress system was hosted on a commercial domain operated by the contractor (http://rms.desyne.com). When they left the government domain, visitors to the redress management site lost any assurance they were visiting a legitimate government website.

  • The Home Page Was Not Encrypted
The website home page did not have an encrypted “secure socket layer” (SSL) with an “https” protocol identifier. As a result, every time travelers visited the site to check on the status of their applications, the control numbers they entered to access their files were vulnerable to theft. Once they obtained these numbers, attackers would have access to travelers’ personal information.

  • The Submission Page Was Not Encrypted
One of the site’s links that allowed travelers to submit personal information was also unsecured. Although travelers could access an encrypted page to submit personal information, a link reading “file your application online” transferred users to an unsecured site. Travelers submitting their name, address, Social Security numbers, eye color, place of birth, and other sensitive personal information through this link had no protection from attack.

  • Encrypted Pages Were Not Properly Certified
Although other web pages within the site were SSL-protected, they were not properly certified. Under standard web security practices, operators of SSL-protected websites obtain third-party certifications to assure users that an outside party has approved the web site’s security measures. Instead of the proper third-party certification, the site had only an expired certification that Desyne itself had generated.
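The four findings above (off-domain hosting, an unencrypted home page, an unencrypted submission link, and a self-signed, expired certificate) are all things a pre-launch review can check mechanically. The script below is an added example written for this post, not code from the report, the TSA or Desyne: it audits a page's own URL plus every link and form target it exposes against an expected government domain suffix, and separately audits a certificate record in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The HTML, host names and certificate fields are constructed placeholders, and nothing is fetched from the network.

```python
"""Audit checks for a site that collects personal data, modelled on the four
findings in the TSA redress-site report (off-domain host, unencrypted home
page, unencrypted submission link, self-signed/expired certificate).

Added example, not from the report: the HTML, host names and certificate
fields below are constructed for illustration; nothing touches the network.
"""
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkCollector(HTMLParser):
    """Collect <a href> and <form action> targets from a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("link", attrs["href"]))
        elif tag == "form":
            # A form without an action submits back to the page's own URL.
            self.targets.append(("form", attrs.get("action") or ""))


def audit_page(page_url, html, expected_suffix=".gov"):
    """Return a list of findings for the page and every link/form it exposes.

    Each finding is a plain string; an empty list means nothing was flagged.
    """
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append(f"page not served over https: {page_url}")
    if not page.hostname or not page.hostname.endswith(expected_suffix):
        findings.append(f"page hosted outside {expected_suffix}: {page.hostname}")

    collector = _LinkCollector()
    collector.feed(html)
    for kind, target in collector.targets:
        absolute = urljoin(page_url, target)  # resolve relative links
        t = urlparse(absolute)
        if t.scheme not in ("http", "https"):
            continue  # mailto:, javascript: and the like are out of scope here
        if t.scheme != "https":
            findings.append(f"{kind} target not https: {absolute}")
        if not t.hostname or not t.hostname.endswith(expected_suffix):
            findings.append(f"{kind} target off-domain: {absolute}")
    return findings


def audit_certificate(cert, hostname, now):
    """Check a certificate dict in the shape ssl.SSLSocket.getpeercert() returns.

    `now` is seconds since the epoch (UTC) so the check is reproducible.
    Flags: self-signed (issuer equals subject), expired, and name mismatch.
    """
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed (issuer equals subject)")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(f"certificate expired on {cert['notAfter']}")
    # Names the certificate is valid for: subject CN plus any DNS SANs.
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname not in names:
        findings.append(f"certificate does not name host {hostname}")
    return findings


# Constructed sample inputs (hypothetical hosts, not the real ones).
SAMPLE_HTML = """
<html><body>
<a href="https://redress.example.gov/status">Check status</a>
<a href="http://rms.example-contractor.com/apply">file your application online</a>
<form action="https://rms.example-contractor.com/submit" method="post">
  <input name="ssn">
</form>
</body></html>
"""

# Fixed "now" for the certificate check: the date the site came down.
BREACH_DATE = ssl.cert_time_to_seconds("Feb 13 00:00:00 2007 GMT")

SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "rms.example-contractor.com"),),),
    "issuer": ((("commonName", "rms.example-contractor.com"),),),
    "notAfter": "Dec 31 23:59:59 2006 GMT",
}

SAMPLE_VALID = {
    "subject": ((("commonName", "redress.example.gov"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notAfter": "Dec 31 23:59:59 2008 GMT",
    "subjectAltName": (("DNS", "redress.example.gov"),),
}

if __name__ == "__main__":
    for f in audit_page("https://redress.example.gov/", SAMPLE_HTML):
        print("page:", f)
    for f in audit_certificate(SAMPLE_SELF_SIGNED, "rms.example-contractor.com", BREACH_DATE):
        print("cert:", f)
```

Run against the constructed page, the "file your application online" link is flagged twice (plain http and off-domain) and the form once (off-domain), which is exactly the shape of the second, third and first findings in the report; the self-signed sample trips the issuer-equals-subject and expiry checks. In a real review the certificate dict would come from `getpeercert()` on a verified TLS connection and the page HTML from the live site.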

Chris Soghoian's Comments:
"the appearance of the site was so poor that he first suspected it was a “phishing” site"

"Incredible that they would take the site live using a self-signed certificate. It shows major incompetence (elementary oversight should have caught this) and at Desyne, Inc. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues."

After Mr. Soghoian posted his analysis of the security vulnerabilities affecting the traveler redress website, TSA moved quickly to transfer the site to a more secure Department of Homeland Security domain.

TSA also contacted the individuals who had submitted their personal information through the unsecured “file your application online” link to inform them that they were at a heightened risk of identity theft.

To date, TSA has awarded Desyne almost $500,000 worth of no-bid contracts to provide web services to TSA and DHS.
[Evan] $500,000!?  As a taxpayer, I am miffed.

Commentary:
The investigation and report by the House Committee on Oversight and Government Reform is excellent.  A very good read.

Interesting, from the TSA Privacy FAQs:
Question: How can TSA ensure the security of personal information it collects?

Answer: TSA takes a number of steps to ensure the security of personal information it collects about individuals.  TSA’s Office of Privacy Policy & Compliance collaborates with the Chief Information Security Office (CISO) to work with program offices during the design and implementation of systems to ensure compliance with the Federal Information Security Management Act (FISMA) and the Privacy Act, 5 U.S.C. §552a.  In addition to design and implementation standards, the CISO ensures that the systems are secured against unauthorized use through the use of a layered, defense-in-depth security approach involving procedural and information security safeguards as mandated by FISMA following National Institute of Standards and Technology (NIST) guidance.

Am I missing something?

Past Breaches:
October, 2007 - Stolen laptops contained sensitive TSA information

Comments
  • 1/19/2008 3:38 AM Henry Bowman wrote:
    You forgot the best part of the report:

    "The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the 'Technical Lead' on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner."

    Now, does that make things clearer?
