Lawmaker Probes TSA Website Gaffe

Randy Burge burge at proactiveteams.com
Sat Sep 22 08:10:32 PDT 2007


<http://www.wired.com/science/discoveries/news/2007/02/72790>

Ryan Singel 02.23.07 | 12:00 PM

A powerful congressional committee is investigating a Transportation  
Security Administration website that promised to help air travelers  
caught up in terrorist watch lists, after a Wired News blog revealed  
that the site was potentially exposing users' personal information to  
eavesdroppers.

The House Committee on Oversight and Government Reform asked the TSA  
on Friday to turn over documents related to the Traveler Verification  
Identity Program website to determine how the site was designed, and  
whether government security and privacy regulations were violated.

That site was intended to allow domestic airline travelers whose  
names are similar to entries on the government's No Fly List and  
other watchlists to submit a complaint online, instead of calling TSA  
and requesting a form be sent to them by mail.

However, the site was full of misspellings and nonsensical  
directions, and asked travelers to provide sensitive personal  
information on an unencrypted page. Travelers in an airport using a  
wireless connection would be at risk of having their personal  
information stolen and used to commit identity fraud.

Additionally, the site, which was entered from a link on the TSA's  
main website, was hosted on the website of Desyne.com, a web design  
company that has a P.O. Box as its contact information -- adding to  
the impression it was not a legitimate government site.

Committee chairman Rep. Henry Waxman (D-California) told TSA in his  
letter (.pdf) that the "overall appearance of the site was so poor  
that web experts first assumed it was a so-called 'phishing' site, a  
site internet hackers had created to look like a TSA website page."

Waxman also asked the agency to turn over by March 9 documents  
regarding Desyne, communications about security with that company,  
and the period of time that the site was running without encryption.

Despite appearances, TSA spokesman Christopher White assured Wired  
News last week that the site was not part of a phishing attack.

"We take IT responsibilities seriously. There was never a  
vulnerability; just a small glitch," White said.

The Traveler Verification Identity Program site was taken down last  
Friday. It was replaced this week by a completely different webpage  
offering the same service, but now called the Travel Redress Inquiry  
Program, or TRIP.

<snip>

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE