A House of Representatives panel yesterday released a damning report about a Transportation Security Administration Web site built to address grievances from travelers errantly flagged by the government’s no-fly list. It concluded that cronyism and a lack of oversight exposed thousands of site visitors to identity theft.
The House Committee on Oversight and Government Reform began its investigation into security lapses at the TSA’s Traveler Redress Web site last year, after Security Fix and other media outlets pointed out that the site accepted Social Security numbers and other sensitive information from travelers without encrypting the data, potentially allowing hackers to intercept it in transit. Wired.com noted in its coverage that the site was so laden with spelling errors that it resembled a phishing Web site, the sort typically set up by scammers to lure people into giving away personal and financial data.
The report, which liberally cites content and reader comments from Security Fix and Wired.com, found that the TSA awarded the contract without competition to Boston, Va.-based Desyne Web Services, and that the guy in charge of awarding the contract had previously worked at Desyne and was good friends with the owner. To date, Desyne has been awarded more than half a million taxpayer dollars worth of no-bid contracts by the TSA, according to the report.
The site’s security weaknesses remained undetected by the TSA for more than four months, despite congressional testimony from TSA Administrator Kip Hawley that the agency had assured “the privacy of users and the security of the system” before its launch, the report notes. “Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.”
“It’s strange that with $500,000 in TSA’s money, they couldn’t afford a real SSL cert,” Soghoian said.
This type of security oversight is unfortunately not as uncommon as you might think. On Wednesday, a reader tipped me off that the new member registration page for The Computing Technology Administration (COMPTIA) — which requests credit card numbers in addition to other sensitive data — was accepting new memberships, credit card numbers included, over a connection not protected by Secure Sockets Layer (SSL) encryption. The security glitch was fixed within a few hours after I notified COMPTIA, but a COMPTIA spokesperson claimed that the organization had made no relevant changes to the site since my e-mail was sent.
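Both the TSA redress site and the COMPTIA registration page failed the same basic check: a form collecting Social Security or card numbers was served and submitted without SSL. The following is an added example (not code from the post, the TSA or COMPTIA) of how a site owner can audit their own pages for that condition; the page URL, markup and field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (assumption, not the real TSA or COMPTIA markup):
# served over plain HTTP, one form collects an SSN and a card number.
SAMPLE_PAGE_URL = "http://example.test/redress/apply"
SAMPLE_HTML = """
<form action="/redress/submit" method="post">
  <input name="full_name"><input name="ssn"><input name="card_number"></form>
<form action="https://secure.example.test/login" method="post">
  <input name="username"><input type="password" name="password"></form>
"""
# Field-name fragments that suggest data which must never travel in the clear.
SENSITIVE_HINTS = ("ssn", "social", "card", "cvv", "passport", "password")

class FormAuditor(HTMLParser):
    """Collect each <form> with its resolved action URL and input names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Flag forms whose sensitive fields would be submitted without TLS.
    An http page can be altered in transit, so an https action alone is not
    enough; both the page and the action must be https to pass."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        action_https = urlsplit(form["action"]).scheme == "https"
        if sensitive and not (page_https and action_https):
            findings.append({"action": form["action"], "sensitive_fields": sensitive,
                             "page_https": page_https, "action_https": action_https})
    return findings
```

Run against the constructed page, both forms are flagged: the first posts card data to an http action, and the second, despite its https action, is delivered on an http page that an intermediary could rewrite.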
By Brian Krebs | January 12, 2008; 9:15 AM ET
From the Washington Post