Tuesday, February 20, 2007

TSA continues to demonstrate incompetence

A web page on the TSA's website for travelers "who were told you are on a Federal Government Watch List" displays evidence of being a phishing site--it's probably not, it's just so badly done that it looks like a hacked web site that's submitting its details to an unrelated third party.

TSA responded that "We are aware there was an issue and replaced the site. The issue has been fully addressed. We take IT responsibilities seriously. There never a vulnerability; just a small glitch."

The full story may be found at Wired Blogs, which points out fifteen features that make the TSA form submission site look dangerous.

Also check out this comment at Christopher Soghoian's blog:
This may be surprising to hear: I am an employee at a major airline and I just recieved an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, drivers licesense #'s, military ID #'s, addresses, and even home phone #'s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee.
I find it quite disturbing that any airline employee has access to this information, and that many of the ppl on the cleared list have to give up there SSN# and other information.

(Hat tip to Bruce Schneier's blog.)

No comments: