Skip to main content

Student points out 2nd security flaw on TSA Web site

  • Story Highlights
  • Indiana University graduate student discovers new loophole in a TSA Web site
  • Report: Site potentially jeopardized private information from scores of people
  • Student says site had no "lock" icon to indicate information was encrypted
  • Also, he said domain name was not a government address
  • Next Article in Travel »
From Mike M. Ahlers
Decrease font Decrease font
Enlarge font Enlarge font

WASHINGTON (CNN) -- For those keeping score, it's Chris Soghoian 2, Transportation Security Administration 0.

For the second time, Soghoian, an Indiana University graduate student, has succeeded in embarrassing the TSA by exposing potential vulnerabilities to its security systems.

Soghoian first caught the government's attention when he put an airline "boarding pass generator" on his Web site. Visitors to the site generated some 36,000 fake boarding passes before the FBI took it down, he said.

Though the fake passes couldn't be used to board planes, people on government "watch lists" conceivably could use them to get past airport screening checkpoints, said Soghoian, who said he wanted to shame the TSA into taking action to close the security loophole.

His latest tussle with the agency is outlined in a report by Rep. Henry Waxman's House Committee on Oversight and Government Reform, which credits the graduate student with discovering a loophole in a TSA Web site last year that potentially jeopardized private information from scores of people.

The TSA created the site to give people who were wrongly on terror watch lists a means of redress. But one of the two links on the site was not secure, the TSA acknowledged in September. The agency said there is no evidence that any information was compromised.

Soghoian said he came upon the Web site while conducting graduate research on computer security.

"There were a lot of things that jumped out at me," he said. The domain name was not a government address, he said, and there wasn't a "lock" icon to indicate information was encrypted or a privacy notice, typically required on government sites that collect information.

"On top of that, there were so many typographical errors that it looked like it was thrown together by a teenager," Soghoian said. "It looked like an amateurish job."

Soghoian posted his analysis on his Slight Paranoia blog, and other bloggers contributed additional criticisms of the site, with some suggesting it might even be a "phishing" site that mischievous hackers created to look like a government Web site.

After The Washington Post picked up the story, the TSA acknowledged that 247 people submitted their personal information through an unsecured link. But the TSA said the information was only vulnerable while being sent, not after it was received and stored.

Soghoian said he's particularly concerned the TSA's chief information security officer, or CISO, had reviewed the Web site and cleared it for use. "The CISO did not detect a number of glaring security problems affecting the Web site when it went live," the Waxman report said.

Waxman's investigators also raised possible conflict-of-interest issues involving creation of the site. The TSA official who was the "technical lead" on the project had a prior relationship with Desyne Web Services Inc., the only company to respond to the agency's offer to develop the site.

That official told TSA investigators he had known Desyne's owner since high school, had worked for the company for eight months in 2001 and 2002, and still met regularly with its owner and others for drinks or dinner, the report said.

"According to TSA investigators, [the official's] close relationship with Desyne seemed to blur the lines between the contractor's performance of the contract and TSA's contract oversight," the congressional report said. To date, the TSA has awarded Desyne almost $500,000 worth of no-bid contracts, the report said.

But the TSA did not sanction the official because an agency investigation "found he had not profited personally from the Desyne contract."

"We did conduct our own ethics investigation, and we found no wrongdoing," said TSA spokesman Christopher White. "No one person has contracting authority. This is not the case of one individual saying, 'I really like these folks, I've worked with them. I'm going to pick them.' "

White said the official disclosed his relationship with the potential vendor at the beginning of the process.

Soghoian's critics said the student's disclosures of security breaches could help terrorists. But he maintains the TSA responds to discoveries only after they receive media attention. And even then, he said, no one is held accountable for security failures.

"There is a significant lack of consequence and accountability at the TSA," he said. "There should be consequences; there should be consequences for this kind of thing."

Of Soghoian's tactics, White said, "There's absolutely nothing personal between the TSA and [Soghoian]. In fact he's met with a number of our officials.

"Anytime we do anything wrong, we admit it. We learn from our lesson and move on." E-mail to a friend E-mail to a friend

All About Transportation Security Administration

  • E-mail
  • Save
  • Print