US security agency leaks data

The US Transportation Security Administration (TSA) has been slammed by the House Oversight and Government Reform Committee for sloppy website security.

In a damning report the Committee identified major security leaks in a vital TSA web page that could allow personal information to be harvested.

Vulnerable details included name, address, Social Security number, birth date and place and even eye colour.

The Committee found that the TSA was not even hosted on government servers, as the website was outsourced to Desyne Web Services, a private contractor, in a no-bid contract.

The TSA employee who put out the tender is claimed to be a childhood friend of the owner and a former employee.

"There were multiple factors that contributed to security vulnerabilities in the TSA traveller redress website, including poor procurement practices, conflicts of interest and weak oversight," said the report.

"The result of these shortcomings was that an insecure website collected sensitive personal information from American travellers for months without detection by TSA."
The report found that the home and submission pages of the site, which was used by people appealing against being refused permission to fly, had no SSL encryption at all.

The site was not hosted on a secure government website, which caused confusion to users, and some pages were falsely listed as having third-party SSL certification.
The flaws were only fixed after Chris Soghoian, a Ph.D student, publicised them on his Slight Paranoia blog.

"[It is] incredible that they would take the site live using a self-signed certificate," Soghoian told the Committee.

"It shows major incompetence at Desyne. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101."

The problem started when the TSA was created and took control of the lists of people not allowed to fly over US airspace. The list contained just 16 names on 11 September 2001, but has since grown to over 70,000.

Mistakes were commonplace and misidentified terrorist suspects included Senator Ted Kennedy, several children (including some younger than a year old) and the singer Cat Stevens.

A Department of Justice investigation found that 43 per cent of people on the list were false positives.

The appeals process was paper based for four years and had three officers assigned, leading to a backlog of tens of thousands of applications.

The TSA moved the operation online but decided that it did not have the space to host the site and outsourced it to Desyne.

The Committee found that the Request for Quote was written in such a way that Desyne could be the only bidder, since it specified reuse of existing TSA code which only Desyne, as it already had $500,000 worth of existing business with the organisation, would have.

"TSA investigators found that the primary author of the April 2006 statement of work was the director of the Claims Management Office, Nicholas Panuzio," the report said.

"Panuzio told TSA investigators he had known Desyne's owner since high school, had worked for Desyne for eight months in 2001 and 2002, and still met regularly with Desyne's owner and others for drinks or dinner.

"Panuzio played a key role in the development of the traveler redress website. For example, one email exchange shows that the Redress Management project director, James Kennedy, relied on Panuzio's recommendation to pay Desyne's December 2006 invoice.

"Although he had earlier disclosed this conflict of interest to the TSA Office of Chief Counsel, Panuzio did not disclose it to the project manager or to the lead contracting officer on the project."

The Committee said that the problems on the site had now been fixed, and that it is being hosted by the Department for Homeland Security.

No action is being considered against Panuzio because he had not profited personally, or Desyne, which still hosts two TSA websites.

It has not been a good 12 months for the TSA. The organisation was forced to call in the FBI last year after it lost 100,000 staff records stored on an external hard drive.