TSA’s insecure “Traveller Identity Verification” site slammed by Oversight Committee

First exposed nearly a year ago by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers who were improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:

TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”
The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
TSA did not detect the website’s security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

House Oversight and Government Reform Committee
As for accountability,

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper:

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was “wrong” after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.

Clarkson published details of his Barclays account in the Sun newspaper, including his account number and sort code. He even told people how to find out his address.

“All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,” he told readers.

It’s easy to mock (fun too!), but I’m not sure it’s the right response. Risk assessment is hard. Our instincts about how hard these things might be are often wrong. Criminals often live in places where it’s worth weeks or a month of their time to steal £500. That’s twice the average income in some places. Each risk assessment takes time and energy to perform.

As chaos is all around us, our ability to reasonably and quickly assess risk is stuck in another time.

Thanks to Phil Hallam-Baker and Ryan Singel for pointing this out. Phil has a great video on his blog.

The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s a section to describe the breach:

Description of Breach (please select all that apply): [ ]Hacking incident; [ ]Inadvertent disclosure;
[ ]Stolen computer, CD, tape, etc; [ ]Lost computer, CD, tape, etc; [ ]Insider wrongdoing;
[ ] other (specify):_______________________________________________ [Attach additional description if necessary]

mmm, “attach additional description if necessary.” It’s a far cry from the earlier “a general description of what happened,” which is what Ontario was asking for at the start of this year. New York could drop the “if necessary” and require the additional description outright. I’d love to read those, and I look forward to it.

I can be optimistic because States, and their attorneys general, are going to compete to best protect their citizens. As they’ve competed, the sky hasn’t fallen. Even at TJX, with the biggest disclosed commercial breach in the US so far, sales were up.

I love the emergent chaos of breach laws, and I look forward to lots more in the New Year.

How about a little fire?


At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!” A method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them.

The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees celsius for 30 minutes. The potatoes are transferred to an ice bath to cool completely. At this point the potatoes are still crisp, seemingly unchanged. Once cooled, the potatoes are cooked just as you would have had you just peeled them. If the potatoes are seemingly unchanged, you might ask what on earth did they just do?

For the answer, you’ll have to read Today’s Secret Ingredient…Heat at TastingMenu.

And the McGee article she refers to is “The Invisible Ingredient in Every Kitchen.”
There are few things more chaotic than fire, and few emergent results more yummy than a nice pizza cooked in a brick and wood oven.

Photo: January 6th by Lili’s One-a-Day.

Andy Olmsted

Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize his death, and so I’ll simply say that people like him help make this country a wonderful place.

Hilzoy has posted a final post he wrote before he died: Andy Olmsted.

Believe it or not, one of the things I will miss most is not being able to blog any longer. The ability to put my thoughts on (virtual) paper and put them where people can read and respond to them has been marvelous, even if most people who have read my writings haven’t agreed with them. If there is any hope for the long term success of democracy, it will be if people agree to listen to and try to understand their political opponents rather than simply seeking to crush them.

Thank you.

Ohio Voters May Demand Paper Ballots

Ohio Secretary of State Jennifer Brunner announced yesterday that paper ballots must be provided on request.

Poll workers won’t be told to offer the option to voters but must provide a ballot if requested to help “avoid any loss of confidence by voters that their ballot has been accurately cast or recorded,” a directive from Secretary of State Jennifer Brunner said. The paper ballots would be counted by optical scanners at county elections boards.

The Ohio ACLU is against having paper ballots available in the primary, claiming that not having scanners at the local polling locations is against state and federal laws mandating that voters have to know if they made a mistake such as casting too many or too few votes when filling out the ballot.

But Brunner said after consulting with the attorney general’s office, she thinks the ACLU is “flat wrong” and that voters will be adequately educated to avoid unintended over-votes and under-votes — problems that plagued the punch-card voting system that the electronic machines replaced.
Even so, Brunner told The Dispatch that she is rethinking her previous recommendation that no ballots be counted in the precincts, after activists argued that would eliminate a way to verify whether the final results are accurate.

The paper-ballot option is a response to feedback on the report issued last month by Brunner’s office, which revealed several critical vulnerabilities in currently available electronic voting systems. Brunner has also recommended that Ohio move to all paper ballots for the November election and has asked the state legislature and Gov. Strickland to approve and fund the change.
The executive report is long but very educational and well worth reading, especially the recommendations. The full details are also online. California also recently released its own extensive reviews, some of which were leveraged for the Ohio study. I’ve only skimmed portions of it so far, but by all reports it is also very enlightening.
Speaking of California, Secretary of State Bowen has announced some very impressive new requirements for the use of electronic voting. This is great stuff that helps deal with the issues of existing machines while still allowing the democratic process to move forward. Hopefully other states will follow suit.

Citibank limiting ATM withdrawals in NYC?

Title:  Citibank limits ATM cash in city
Author: KERRY BURKE and LARRY McSHANE
Source: DAILY NEWS
Date Published:January 3rd 2008
Excerpt:
The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank's ATM machines in New York has been seriously compromised by fraud. According to media reports, a spokesperson for Citibank has stated that "Though we can't provide details of ongoing security investigations, we are working closely with law enforcement on this matter." Citibank declined to specify the amount of the new withdrawal cap.
For complete article see: http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html
For more security News visit the FIRST Security News site at:
http://www.first.org/newsroom/globalsecurity
http://www.first.org/newsroom/globalsecurity/rss.xml

(Passed along in case folks haven’t heard)

Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn:

In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles.

“These will take account of the need not only to provide high levels of data security but also to ensure that sensible data sharing practices can be conducted with legal certainty. We will consult early in the New Year on how this can best be done.”

The Times reports that ministers have accepted that the penalties for “gross failures” to protect citizens’ details should include criminal penalties. These could be as harsh as a two year prison sentence for the most serious offenses.

I can’t think of a better way to bury errors than to send people to jail for making them. We are able to learn about what goes wrong from these notices. There are likely some breaches which are due to gross negligence, for example ignoring the clear advice of security experts that a scheme would never work. Do we want to discourage firms from seeking advice from security experts? Given how the UK’s Crown Prosecution Service wrote their hacking tool guidance, I shudder to think what they might come up with for breaches.

The costs are too great, the likely benefits too small, and for the genuinely negligent cases I suspect that the current rules of negligence would already apply.

Photo: Old historic Mulvane Jail, by swopedesig

New breach blog


Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition.

As I looked at it, I had a couple of thoughts.

  1. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was because there were lots of independently maintained data sets like this, and correlation had become a problem. It feels like this is the same sort of data, and so getting coordination around cross-referencing would be great.
  2. My second thought is that in posts like his “The Breach Blog Month in Review November, 2007,” he attempts to derive cost information by taking the Ponemon Institute’s $197-per-record number and multiplying it by the number of people affected. I think it’s possible to do better in several ways:

    • The numbers are broken out in the reports, and some of them are per-individual, and others are per breach. People deriving numbers should use the detailed information that the Institute offers.
    • There’s also the cost of lost business. Of the 5 organizations reporting a second (or later) breach, 4 were governments or government agencies: HMRC, Montana State University, the US Department of Veterans Affairs, and the Commonwealth of Massachusetts. It’s quite difficult for someone to stop interacting with HMRC or Massachusetts. It’s not possible to lose veteran status. It may be possible to get Montana State to destroy all personal data about you, but I doubt it. The fifth, Capital Health, is likely the only one, or one of very few, health care options available to its customers. Given that the 2007 Ponemon report states:

      The cost of lost business continued to increase at more than
      30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach cost

      For those organizations, the cost of a breach could justifiably be counted as no more than $69 per record ($197 - $128 = $69).

Anyway, it’s great for a wide spectrum of breach analysis to emerge. That chaos and competition will lead to better analysis and better security for us all.

Image: “The Breaking Dam,” by ReubenInStt