Tuesday, February 27, 2007

Do You Really Trust DHS, TSA & The Bush Administration?

Lawmaker Probes TSA Website Gaffe

The Bush administration has been asking us to trust them because they know what they are doing. Yet, time after time, we see flawed intelligence reports, failed data security measures, lack of due process, and an overall disregard for our privacy and our civil liberties.

Here, once again, we see that these folks cannot really protect us because they do not understand the depth of measures it takes to assure that all that is necessary to be done is being done. These slipshod efforts at collecting data and causing breaches that leave every one of us exposed to financial and privacy risks are fast becoming the typical Bush administration approach.

So, can you really trust the president when he says, "Trust me..."????

A powerful congressional committee is investigating a Transportation Security Administration website that promised to help air travelers caught up in terrorist watch lists, after a Wired News blog revealed that the site was potentially exposing users' personal information to eavesdroppers.

The House Committee on Oversight and Government Reform asked the TSA on Friday to turn over documents related to the Traveler Verification Identity Program website to determine how the site was designed, and whether government security and privacy regulations were violated.

That site was intended to allow domestic airline travelers whose names are similar to entries on the government's No Fly List and other watchlists to submit a complaint online, instead of calling TSA and requesting a form be sent to them by mail.

However, the site was full of misspellings and nonsensical directions, and asked travelers to provide sensitive personal information on an unencrypted page. Travelers in an airport using a wireless connection would be at risk of having their personal information stolen and used to commit identity fraud.

Additionally, the site, which was entered from a link on the TSA's main website, was hosted on the website of Desyne.com, a web design company that has a P.O. Box as its contact information -- adding to the impression it was not a legitimate government site.

Committee chairman Rep. Henry Waxman (D-California) told TSA in his letter (.pdf) that the "overall appearance of the site was so poor that web experts first assumed it was a so-called 'phishing' site, a site internet hackers had created to look like a TSA website page."

Waxman also asked the agency to turn over by March 9 documents regarding Desyne, communications about security with that company, and the period of time that the site was running without encryption.

Despite appearances, TSA spokesman Christopher White assured Wired News last week that the site was not part of a phishing attack.

"We take IT responsibilities seriously. There was never a vulnerability; just a small glitch," White said.

The Traveler Verification Identity Program site was taken down last Friday. It was replaced this week by a completely different webpage offering the same service, but now called the Travel Redress Inquiry Program, or TRIP.

Like its flawed predecessor, the TRIP site is aimed at helping innocent travelers prone to being snared by government watchlists, which have swelled to more than 100,000 names post 9/11. The watchlists' size and lack of details have led to repeated hassles for people with common names, including senators, government employees with security clearances, and at least one nun.

Homeland Security officials hope the new system will reduce travel delays for those travelers by creating a "white list" of cleared individuals that will accompany the watchlists distributed to airlines and border security employees.

The new site eliminates all 15 problems pointed out by the Wired News blog 27bStroke6 last week, following a tip from Christopher Soghoian, a security researcher under investigation by the TSA for creating a website that makes it easy to print fake boarding passes that fool screeners.

The new TRIP site, however, is not without privacy issues. It places a tracking cookie labeled "Forsee Loyalty" in browsers of people using an Apple computer. Government websites are not supposed to use such cookies unless there is a good reason, and the head of the agency signs off on their use.

27bStroke6 also discovered that the main TSA website was setting two cookies, including one from a web marketing company with an expiration date 10 years in the future. The TSA quietly replaced those cookies with a new batch that expires as soon as the browser is closed.
