Congressional Report Slams TSA For Security Breach

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/showArticle.jhtml?articleID=205602931

By Thomas Claburn
InformationWeek
January 11, 2008 

Hundreds of Americans inappropriately placed on airline security watch 
lists and either banned from commercial air travel or subject to 
additional screening have also had to worry about identity theft for the 
past year. The Transportation Security Administration Web site set up to 
help innocent travelers clear their name has been deemed "insecure."

A report issued on Friday by the House Oversight and Government Reform 
Committee says that between October 6, 2006, when the TSA launched its 
Redress Management System [RMS] site, and February 13, 2007, when the 
site ceased operation following revelations about its lack of security, 
"[a]t least 247 travelers submitted their personal information through 
the unsecured 'file your application online' link."

The report [1], prepared at the request of Chairman Henry Waxman, 
accuses the TSA of "poor procurement practices, conflicts of interest, 
and weak oversight." It finds that the company hired to design the site, 
Desyne Web Services [2] in Virginia, was awarded a "no-bid" contract, 
that the TSA official in charge of the site was a former employee of the 
contractor, and that the TSA did not detect the security issues for 
months.

The report also states that neither Desyne nor the TSA site's technical 
lead have been sanctioned for their roles in deploying the insecure site 
and that the TSA's relationship with Desyne remains ongoing.

The TSA maintains the problems covered in the report have been dealt 
with. "Each issue that the Committee has raised has been thoroughly 
addressed by TSA many months ago," said TSA spokesperson Christopher 
White, adding that the TSA has no reason to believe that any of 247 
individuals have been subject to identity theft.

The Department of Homeland Security launched its successor to the RMS, 
the DHS Traveler Redress Inquiry Program (DHS TRIP), on February 20, 
2007. DHS TRIP remains the primary resource for those seeking to correct 
information in government databases that might hinder their ability to 
travel.

More than 17,000 travelers have used DHS TRIP safely and securely since 
it launched, said White.

According to a September 2007 report from the U.S. Department of 
Justice, that "43% of the names reported to the TSC [Terrorist Screening 
Center database] are false positives." The TSC database, maintained by 
the FBI, is the source for names on the government's No-Fly List.

"Well-known false positives include Senator Ted Kennedy, whose name was 
close to the name of a suspected terrorist, and Catherine Stevens, the 
wife of Senator Ted Stevens, whose name was similar to 'Cat' Stevens, 
the former name of the singer Yusuf Islam," the House report says.

[1] http://oversight.house.gov/documents/20080111092648.pdf
[2] http://www.desyne.com/


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/