Congressional report blasts TSA for security lapses on Web site
Committee blames lack of oversight; agency says newer site is working properly
Computerworld - A congressional report released today claims that a vulnerability-ridden Web site set up in 2006 by the Transportation Security Administration (TSA) was the result of poor acquisition practices, rampant conflicts of interest and inadequate oversight at the agency.
The Web site was designed to help airline travelers whose names were erroneously listed on terrorist watch-lists to seek to have the listings removed. But an investigation initiated last year at the request of U.S. Rep. Henry Waxman (D-Calif.) found that the TSA had awarded the Web site development contract without competition to a small Virginia-based contractor that was ill-equipped to do the job.
The TSA then completely failed to oversee the work of the contractor, according to the report, which was written by staffers at the House Committee on Oversight and Government Reform, which Waxman chairs. In addition, the report said that the TSA official in charge of the project was a former employee of the contractor and regularly socialized with the company's owner.
The Web site was activated in October 2006. Travelers seeking redress from the government on the watch-list entries were required to provide a wide range of information via the Web site, including their passport details, Social Security number, birth date and place of birth, as well as their height, weight and other personal data.
According to the report released by Waxman, the site posed a serious identity-theft risk to people who submitted information. The site wasn't hosted on a government Internet domain, nor did its home page and one of its data submission pages use encryption, said the report. It adds that none of the pages with encrypted fields provided users with actual digital certificates.
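The defects the report lists (a site hosted off the government domain, data-submission pages without encryption) are the kind a reviewer can catch mechanically before a site goes live. The following Python script is an added example, not code from the report, the TSA or Computerworld: it parses a page's HTML, finds every form that collects user input, and flags forms that post over plain HTTP, hosts outside an expected domain suffix, and submissions to a third-party host. The `.gov` suffix, the placeholder URLs and the sample HTML are assumptions constructed for the example.

```python
"""Audit an HTML page for insecure personal-data collection.

Flags: page not served over HTTPS, page hosted outside the expected
domain, forms with user fields that submit over plain HTTP, and forms
that submit to a different host than the page itself.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption for this example: a government redress site should be hosted under .gov.
EXPECTED_DOMAIN_SUFFIX = ".gov"


class FormCollector(HTMLParser):
    """Collect each <form> action and the names of its user-visible input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Ignore controls that carry no user-entered data.
            if (a.get("type") or "text").lower() not in ("submit", "hidden", "button"):
                self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    page = urlparse(page_url)
    host = page.hostname or ""
    if page.scheme != "https":
        findings.append(f"page {page_url} is served without TLS")
    if not host.endswith(EXPECTED_DOMAIN_SUFFIX):
        findings.append(f"page host {host} is outside {EXPECTED_DOMAIN_SUFFIX}")

    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # Resolve relative actions against the page URL (empty action posts to the page itself).
        target = urlparse(urljoin(page_url, form["action"]))
        if form["fields"] and target.scheme != "https":
            findings.append(
                f"form posting fields {form['fields']} to {target.geturl()} is not encrypted"
            )
        if target.hostname and target.hostname != host:
            findings.append(f"form posts to a different host: {target.hostname}")
    return findings


# Constructed sample pages (placeholder hosts, not real sites).
INSECURE_PAGE_URL = "http://redress.example-contractor.com/index.html"
INSECURE_HTML = """
<html><body>
<form action="http://redress.example-contractor.com/submit.php" method="post">
  <input type="text" name="ssn">
  <input type="text" name="passport_number">
  <input type="submit" value="Send">
</form>
</body></html>
"""

FIXED_PAGE_URL = "https://redress.example.gov/index.html"
FIXED_HTML = """
<html><body>
<form action="/submit" method="post">
  <input type="text" name="ssn">
  <input type="text" name="passport_number">
  <input type="hidden" name="csrf_token" value="placeholder">
  <input type="submit" value="Send">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((INSECURE_PAGE_URL, INSECURE_HTML), (FIXED_PAGE_URL, FIXED_HTML)):
        print(url, "->", audit_page(url, html) or "no findings")
```

The check is static and offline on purpose: it inspects what the page would make a browser do with the submitted data, which is exactly the property the report faulted. Certificate validity, the third defect named in the report, needs a live TLS handshake and is a separate check.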
The report describes the security defects on the Web site as glaringly obvious. But they didn't come to light until they were publicized by Chris Soghoian, a Ph.D. student at the University of Indiana's School of Informatics who wrote about them on his personal blog last February.
Lara Uselding, a spokeswoman for the TSA, said today that the agency addressed all of the issues raised in Waxman's report months ago. Soon after the security flaws were identified, Uselding said, the original Web site was taken down and a new one was set up within the Web domain of the Department of Homeland Security, of which the TSA is a part.
The replacement site has been used without incident by more than 16,000 individuals, according to Uselding. She added that all of the more than 230 people who had input personal data on the original Web site have been notified of the security risks. Meanwhile, the contractor that built the first site -- a company called Desyne Web Services Inc. -- continues to do work for the TSA but is no longer involved with the redress management system, Uselding said.
According to Waxman's report, the TSA's initial request for quotes (RFQ) from outside contractors was worded in such a way as to ensure that only Boston, Va.-based Desyne would qualify for the $48,000 Web-site design job.
Desyne has done work for the TSA since 2004 and already had been awarded several contracts without competition, according to the report. One of the earlier contracts involved hosting a claims management site that enabled travelers to file online claims for damaged property. The RFQ for the redress management system required that the Web site be hosted on the same server, said the report.
The situation was compounded by the fact that the TSA's lead technical staffer on the redress management system project had a prior relationship with Desyne and the company's owner, who was a friend from high school.
The report said that relationship "seemed to blur the lines between the contractor's performance of the contract and TSA's contract oversight." It goes on to claim that the TSA staffer didn't have the information security knowledge needed to ensure that the system and Web site were built securely.
The TSA hasn't taken any action against Desyne in connection with the problems on the redress management system project, according to the report. Desyne officials didn't return a phone call seeking comment on the report's findings.