The Congressional Committee on Oversight and Government
Reform released today a report on information security breaches at the TSA's
Traveler Redress Web site.
TSA (The Transportation Security Administration) was created
on November 19, 2001, just two months after the 9/11 attacks. The agency was
charged with “day-to-day Federal security screening operations for passenger
air transportation.”
One of its earliest actions was to split the Federal
Aviation Administration’s “watchlist” of persons not allowed to board
commercial airlines into two separate lists: a “No-Fly List” and a “Selectee
List.” Individuals on the No-Fly List are not allowed to board commercial
flights, while travelers on the Selectee List are allowed to board only after
additional security screening procedures.
According to press accounts, the size of these lists
increased rapidly after September 11, 2001, as a variety of government agencies
submitted names. A dramatic increase in “false positives” was soon identified:
cases in which travelers with names identical or similar to names of suspected
terrorists were prevented from boarding flights or were singled out for
additional security inspections. Well-known false positives include Senator Ted
Kennedy, whose name was close to the name of a suspected terrorist, and
Catherine Stevens, the wife of Senator Ted Stevens, whose name was similar to
“Cat” Stevens, the former name of the singer Yusuf Islam.
In order to address the problem, TSA established the Office
of Transportation Security Redress, an entity that created the “Traveler Identity
Verification Program,” through which individuals could submit documents showing
they were not the same persons listed on the watch lists.
TSA's Traveler Redress Web site was created in October 2006 in order
to help travelers whose names were erroneously listed on airline watch
lists. But in February 2007, four months after the official launch of the site,
Chris Soghoian, a Ph.D. student at the University
of Indiana’s School of Informatics,
posted a security analysis on his blog. He identified 15 reasons the site
looked like a phishing scam.
TSA has taken the site offline and now hosts a traveler
redress form on its own Web site.
At the request of Chairman Henry Waxman, Committee staff
have been investigating how TSA could have launched a Web site that violated
basic operating standards of Web security and failed to protect travelers'
sensitive personal information.
The security vulnerabilities of the Web site included the
following: the site was not hosted on a government domain, the home page was not
encrypted, the submission page was not encrypted, and the encrypted pages were not
properly certified.
The report concluded that the TSA awarded the Web site
contract without competition. TSA gave a Virginia-based contractor called
Desyne Web Services a no-bid contract to design and operate the redress Web
site. According to an internal TSA investigation, the "Statement of
Work" for the contract was "written such that Desyne Web was the only
vendor that could meet program requirements."
Neither Desyne nor the Technical Lead on the traveler
redress Web site has been sanctioned by TSA for their roles in the deployment
of an insecure Web site. TSA continues to pay Desyne to host and maintain two
major Web-based information systems: TSA's claims management system and a
government-wide traveler redress program. TSA has taken no steps to discipline
the Technical Lead, who still holds a senior program management position at TSA.
“There were multiple factors that contributed to security
vulnerabilities in the TSA traveler redress website. They included poor
procurement practices, conflicts of interest, and weak oversight. The result of
these shortcomings was that an insecure website collected sensitive personal
information from American travelers for months without detection by TSA,”
concludes the report.
According to the TSA’s spokesman, quoted by AP, the agency immediately
fixed the site's security problems when it was made aware of the
vulnerabilities last February. Every person who provided information to the
insecure site was contacted, TSA spokesman Christopher White added. "This
is an old issue that was completely cleared up early last year and is not a
significant issue today," White said.