Homeland Security Website Hacked by Phishers? 15 Signs Say Yes — UPDATED 3 Times
- By Ryan Singel
- February 14, 2007, 12:44 am
Has the Transportation Security Administration’s website been hacked? All indications are yes, and that a malicious phishing attack has been launched against travelers who have or think they have been delayed because they are on a watchlist or have a name similar to a person on the watchlist.
A new link on the TSA’s Our Travelers page directs people who “were told you are on a Federal Government Watch List” to click on a link taking them to this site, which, by all accounts, fits the profile of an attempt to harvest personal information and identity document details.
(UPDATE: The site has been changed and now redirects to https://trip.dhs.gov/index.html. However, the janky spelling, incorrect information and the possibly illegal collection of information without an OMB control number can still be found on the website as of 12:30 pm PST. TSA has still not responded to my call for comment.
1:05 PST — TSA employee Christopher White called to say “We are aware there was an issue and replaced the site. The issue has been fully addressed. We take IT responsibilities seriously. There was never a vulnerability; just a small glitch.” That’s not quite accurate, as the non-SSL encrypted form submission was a vulnerability, but I take it to mean the site wasn’t hacked by phishers. White did not have an answer as to why there is no OMB number for the information collection, saying he was concerned at the moment with the site’s security.)
Let us count the 15 ways this site looks dangerous:
- The site looks like a TSA webpage but is actually a subdomain (rms.desyne.com) of a Virginia-based web design company spelled Desyne that lists a P.O. Box for an address on its main domain page.
- The site is ostensibly the new contact page for the Rice-Chertoff Initiative (RCI) Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP), which was “developed as a voluntary program by DHS to provide a one-stop mechanism for individuals to request redress who believe they have been: (1) Denied or delayed boarding; (2) denied or delayed entry into or departure from the United States at a port of entry; or (3) identified for additional (secondary) screening at our Nation’s transportation.” That initiative, which took more than a year to develop, was announced on January 6, 2007 and the public comment period on the data collection ends on March 6. Miraculously, the site is already live.
- The online form has no OMB control number, which is required of every federal form requesting personal information.
- The website issues itself its own SSL certificate (it is self-signed), so no trusted authority verifies that this page belongs to the web design company, let alone TSA.
- While the first link on the submit information page goes to an SSL page (encrypted communication with the server), the bolded link reading file your application online in the center of the page sends the user to the exact same form but unencrypted. A simple .htaccess redirect would solve this.
- The same page indicates that the document for submitting information can be downloaded as a .PDF. However, the link actually goes to a Microsoft Word document, which is not only a proprietary format — it’s a security nightmare of a format. That document also lacks the required OMB control number.
- Once you submit your information, you are given a control number that you can use to check the status of your application. The page for entering your control number is unencrypted.
- The page is rife with words oddly capitalized and sentences that are incomplete or meaningless. For example, on this page, identity is misspelled as indentity. The same page spells mail as Mail and fax as FAX. The page also tells you to be ready to fill out an online form and to be ready to send your passport or three other identity documents to the TSA.
- The “preform” page shares the same odd capitalization and also has a bolded subheading that reads “Submit you application by other means”
- Once you finally get to the online form, you are required to provide your name, height, eye color, date and place of birth, phone number, street address, and city. However, according to the form, the state you live in and your zip code are optional.
- You are then told to be prepared to “provide either a copy of a US Passport (Passport No. must be clearly visible) or at least three (3) of the following documents in order for your request to be processed. Check the box next to the document(s) that you are submitting with this completed form and enter the requested information for each in the space provided to the right of the documents checked. If the requested information is not applicable, enter n/a in the appropriate box.” Unless I’m behind the times, I don’t know how to FTP a copy of my passport or my birth certificate and voter registration card.
- At the end of the form, you are told what the information is used for, as the Privacy Act requires: “PRIVACY ACT STATEMENT: Authority: The authority for collecting this information is 49 U.S.C. § 114. Principal Purpose(s): This voluntary submission is provided to afford you the ability to confirm your identity as distinct from an Furnishing this information is voluntary; however, the Transportation Security Administration may not be able to confirm your identity without this information.” I did not cut and paste incorrectly; the purpose of the program is to “confirm your identity as distinct from an.”
- The final portion of the form tells you what else might be done with the information besides sending you a piece of paper saying ‘I’m not the terrorist you are already holding in Guantanamo’: “Routine uses of this information include disclosure to appropriate governmental agencies for law enforcement or security purposes, or to airports or air carriers to verify your identity for purposes of security screening.” This part seems about dead on.
No indication of how long the information is stored, when it is deleted, whether your personal details will be lodged in an FBI data warehouse for eternity — just in case. No word on whether your IP address or other online information is also fair game for routine sharing with other government agencies.
- This site, which shouldn’t yet be launched, says it was last updated on July 24, 2006.
- The FAQ, which includes the word “Traveler’s” — when they clearly mean the lower-case, pluralized possessive travelers’ — is also missing several pages. Answers two and three (the latter telling you how useless the program actually is) aren’t linked to in the FAQ section.
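The .htaccess redirect mentioned in the fifth item above could look like the following. This is an added example, not configuration from the article or from the site it describes; it assumes an Apache server with mod_rewrite enabled and .htaccess overrides allowed, and `forms.example.gov` is a placeholder hostname.

```apache
# Added example: placed in the directory that serves the redress form
# and the status-check page, so neither can be loaded over plain HTTP.
RewriteEngine On

# %{HTTPS} is "on" only when the request arrived over SSL/TLS.
RewriteCond %{HTTPS} !=on

# Redirect to the same path on the canonical HTTPS host.
# The hostname is hard-coded (placeholder) rather than taken from the
# client-supplied Host header.
RewriteRule ^ https://forms.example.gov%{REQUEST_URI} [R=301,L]
```

The redirect only protects page loads: if a form has already been posted to an http:// URL, the data crossed the network in the clear before the redirect was issued, so every link to the form and the form's own action must also use https://.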
So, in summary, I wouldn’t use this form at all, nor would I recommend downloading the Word document. If you actually want to fill out a form and have the possibility of getting whitelisted or maybe getting a letter saying you aren’t the terrorist they are looking for (but still getting hassled at the ticket counter since you’ll never be able to use a kiosk or print your boarding pass at home), email the TSA at firstname.lastname@example.org and hope they send you a form.
Do I really think it’s a phishing site? No. But it looks like one and the sheer incompetence of the web design makes me doubt that this shoddy contractor practices decent security on the backend database.
Perhaps the TSA should hire some real company to create a Traveler Identity Verification Program’s Website Identity Verification Program. It’ll probably only take a few years.
And if this is the quality of IT work we should expect from the TSA, let’s hope the economy doesn’t collapse when and if the government ever launches Secure Flight, a program that would marry the travel industry’s IT structure to TSA’s and have government bureaucrats check names of airline passengers against bloated and inaccurate government watchlists.
Hat tip goes to Christopher Soghoian, who first noticed and blogged this oddity. Soghoian, as loyal readers will remember, is the security researcher still under investigation by the TSA for vividly demonstrating that the watchlists can be routed around by a dedicated attacker who has access to Photoshop or knows how to view source on a web page. That security hole still exists.
Update: The Washington Post’s Brian Krebs says TSA is failing its middle name.
Consider what this means for a passenger who is stewing in the airport terminal after missing his flight because a TSA screener confused him with that other Robert Johnson on the TSA’s special list. The good Mr. Johnson is told he can try to prevent this misunderstanding from happening again if he submits data requested by the travel identity verification site. He pops open his laptop, hops on the airport terminal’s wireless network, completes the form and clicks “submit.” Meanwhile, a digital terrorist on the other side of the terminal has just captured the data Johnson submitted because it was sent without SSL.
Update 2: Someone seems to have noticed the blog postings and the SSL issue now looks fixed and sends you to an SSL protected DHS page. Still no word on the other irregularities.