Note: There is a maximum of 200 words per comment. If you wish to post more, please visit our forum.
Security breach identified on aviation Web site
By Eileen Sullivan, Associated Press Writer
Saturday, January 12, 2008 | No comments posted.
WASHINGTON — Some travelers may be vulnerable to identity theft after petitioning the government a year ago to have their names removed from lists that restrict them from flying.
As many as 247 travelers who petitioned the government between Oct. 6, 2006, and Feb. 13, 2007, to have their names removed from those lists may be vulnerable, according to a congressional investigation.
The investigation into the Transportation Security Administration’s traveler redress site found security problems with the government-sanctioned Web site, which have since been fixed.
The report, posted Friday on the House Oversight and Government Reform Committee’s Web site, also found that TSA awarded a no-bid contract to a small Virginia-based company to run the program.
Investigators found one of the senior program managers at TSA who oversaw the launch of the redress site is a former employee of Desyne Web Services — the company that received the $48,816 contract to develop the site and continues to do business with TSA today. The employee is also a high school friend of the company’s owner, according to the report.
TSA immediately fixed the site’s security problems when it was made aware of the vulnerabilities last February. Every person who provided information to the insecure site was contacted, TSA spokesman Christopher White said. And there is no evidence than anyone’s identity has been stolen.
“This is an old issue that was completely cleared up early last year and is not a significant issue today,” White said.
A graduate student in Indiana discovered the site’s security vulnerabilities last February while researching a paper on boarding pass security. Chris Soghoian — who is getting his doctorate in information security at Indiana University — noticed that the redress site was not secure, yet it asked for names, Social Security numbers and birth dates. Soghoian said when he sees a site like this “alarm bells go off in my head.”
The lack of security makes the site vulnerable to those who want to steal others’ identities.
Soghoian was interviewed for the congressional report.
Soghoian said he initially thought the site was a “phishing” site — a fraudulent Web site that tricks consumers into handing over personal information. But he soon discovered this was TSA’s solution to help reduce innocent travelers from experiencing unnecessary security restrictions.
TSA has two lists — the no-fly list which can keep a traveler from boarding a plane and the selectee list which tags domestic airline passengers for extra searching and questioning at airports. These lists are much smaller portions of the terrorist watchlist. It takes more evidence of terrorist links to get on these smaller sections of the list than it does to get on the full list. Travelers have been prevented from boarding planes because their names were similar to names on the lists.
The agency is close to releasing rules for a frequent traveler program that would ensure a person is only mistaken for someone else on a watchlist once.
On the Net:
http://oversight.house.gov/documents/20080111092648.pdf
http://www.dhs.gov/xtrvlsec/programs/gc—1169673653081.shtm
http://www.desyne.com/done.htm
As many as 247 travelers who petitioned the government between Oct. 6, 2006, and Feb. 13, 2007, to have their names removed from those lists may be vulnerable, according to a congressional investigation.
The investigation into the Transportation Security Administration’s traveler redress site found security problems with the government-sanctioned Web site, which have since been fixed.
The report, posted Friday on the House Oversight and Government Reform Committee’s Web site, also found that TSA awarded a no-bid contract to a small Virginia-based company to run the program.
Investigators found one of the senior program managers at TSA who oversaw the launch of the redress site is a former employee of Desyne Web Services — the company that received the $48,816 contract to develop the site and continues to do business with TSA today. The employee is also a high school friend of the company’s owner, according to the report.
TSA immediately fixed the site’s security problems when it was made aware of the vulnerabilities last February. Every person who provided information to the insecure site was contacted, TSA spokesman Christopher White said. And there is no evidence than anyone’s identity has been stolen.
“This is an old issue that was completely cleared up early last year and is not a significant issue today,” White said.
A graduate student in Indiana discovered the site’s security vulnerabilities last February while researching a paper on boarding pass security. Chris Soghoian — who is getting his doctorate in information security at Indiana University — noticed that the redress site was not secure, yet it asked for names, Social Security numbers and birth dates. Soghoian said when he sees a site like this “alarm bells go off in my head.”
The lack of security makes the site vulnerable to those who want to steal others’ identities.
Soghoian was interviewed for the congressional report.
Soghoian said he initially thought the site was a “phishing” site — a fraudulent Web site that tricks consumers into handing over personal information. But he soon discovered this was TSA’s solution to help reduce innocent travelers from experiencing unnecessary security restrictions.
TSA has two lists — the no-fly list which can keep a traveler from boarding a plane and the selectee list which tags domestic airline passengers for extra searching and questioning at airports. These lists are much smaller portions of the terrorist watchlist. It takes more evidence of terrorist links to get on these smaller sections of the list than it does to get on the full list. Travelers have been prevented from boarding planes because their names were similar to names on the lists.
The agency is close to releasing rules for a frequent traveler program that would ensure a person is only mistaken for someone else on a watchlist once.
On the Net:
http://oversight.house.gov/documents/20080111092648.pdf
http://www.dhs.gov/xtrvlsec/programs/gc—1169673653081.shtm
http://www.desyne.com/done.htm
The comments below are from users of theworldlink.com and do not necessarily represent the views of The World or Lee Enterprises. Participation Guidelines
Note: There is a maximum of 200 words per comment. If you wish to post more, please visit our forum.
Note: There is a maximum of 200 words per comment. If you wish to post more, please visit our forum.
Not already registered?
The World welcomes your comments about stories, and we encourage a robust dialogue on this site. All comments must meet reasonable standards of decency and civility.
Please follow these basic rules:
- No defamatory comments about individuals or businesses.
- No deliberately false information.
- No obscenity or racially offensive language.
- No harassment, verbal abuse, threats or personal attacks.
- No information that invades another person's privacy.
- No business solicitations or charitable solicitations.
Comments that violate these standards will not be posted. Users with repeated violations may be banned from future posting.Comments will be approved throughout the day during business hours. After hours and weekend comments may not appear until the following business day. It may take a couple of hours before comments are approved.
The World generally does not edit comments, but we reserve the right to edit any comment that does not meet our standards.
Close Guidelines