[SecurityRatty] tag: elementary

Hackers deface Large Hadron Collider Web site

Thu, 11 Sep 2008 20:00:00 +0000

Hackers have broken into the network of the Swiss particle-physics laboratory operating the Large Hadron Collider experiment that has just begun smashing atoms in the hope of finding the theorized Higgs particle, an elementary particle of mass.

Memo to the President

Tue, 12 Aug 2008 02:36:31 +0000

Obama has a cyber security plan.

It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.

One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.

You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.

Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.

Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.

Oh, and get rid of those post-9/11 restrictions on student visas that are causing (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.

Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

This essay originally appeared on Wired.com.

Memo to Next President: How to Get Cyber Security Right

Thu, 07 Aug 2008 11:45:00 +0000

Obama has a cyber security plan.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating (.pdf) how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Do we need a farm system in the security industry?

Mon, 21 Jul 2008 12:17:30 +0000

Just read a good article by Lisa Vaas on Computerworld titles "When security staffers fail up". The article talks about some of the challenges that are faced by companies trying to provide proper security. While one of the issues is "bundled badness" which I will talk about later, the bigger problem that Lisa writes about is the profile of our security administrators. It is a familiar story I am afraid. Security people don't do a good job of "humanizing" themselves. Their peers don't understand what they are trying to accomplish and too often we speak in geek terms and try to dictate how people conduct business. As a result we are the "people in the way".

The next thing Lisa hits on is the obsession with certifications. Too many people think having a CISSP is the be all and end all of security. First of all, you can't hire enough of them and many of them don't have the practical business experience to take it to the next level. Than there is the security "prima donna". They just think they are smarter than everyone else and too many tasks are below them as to elementary. We have all met these types before as well.

Quickly on the "bundled badness" thing. Lisa rightfully points out that in spite of Mike Rothman's feelings to the contrary, though CIO and CFO types like to buy the bundle and get the jack of all trades suite cheaper than buying best of breeds individually, at the end of the day it is hurting our security. If you are really serious about securing the environment there is a world of difference between buying the bundle of goodness versus best in class tools.

Ultimately though, what are we to do about getting better security pros in the workplace? Do we need to change the certification process? Should companies have a different profile of who they hire for security positions. Do we need to develop some sort of farm system where security pros can cut their teeth and learn their craft, like the guilds and apprentices of yesteryear? The construction industry used to work like that. Maybe we should consider it too?

A fellow C-64 user always gets a nod here

Tue, 20 May 2008 10:30:27 +0000

Its gonna be a good day when I find a fellow C-64 user so early in the morning.
He’s got a great informative Blog too.
Check it out.

clipped from pcswizz.wordpress.com

The PCSwizz Blog

I was programming computers at age 7. Yes, 7! My parents bought me a brand new Commodore 64 when I was in the first grade to help me with elementary school. Ever since then(about 20 years) I have had a strong passion for computers. Within the last 5 years, I have had over 6 computers, one of which I built from scratch!

Rest assured I know my way around a computer. From BIOS settings to Windows Vista, I have extensive knowledge that I can use to fix your computer! I consistently keep up with the latest trends in computers, gadgets, and video games.

Stolen SunGard laptop affects at least 10 post-secondary schools

Mon, 21 Apr 2008 10:49:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College

Contractor/Consultant/Branch:
SunGard Higher Education*

*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.

SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!

Victims:
Students and a limited number of employees

Number Affected:
Unknown, but at least 23702

Types of Data:
Personal information including names, Social Security numbers and financial aid information

Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."

Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport

Report Credit:
SunGard Higher Education

Response:
From the online sources cited above:

A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.

Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.

The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. Operating system passwords (especially Windows) can be bypassed in a matter of seconds. This is a poor attempt to minimize the incident.

The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", it would have (in conjunction with other controls) reduced the risk of exposure to a level that is acceptable to many organizations (mine included).

All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.

The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.

could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.

could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.

Social Security numbers of about 16,000 current and former Buffalo State College students

affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.

We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that often times computer equipment is stolen for the hardware value, but how do we know? I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.

The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.

Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.

"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."

"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,

A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.

A help desk has been established with a toll-free number, (866) 520-2408, to respond to questions from affected individuals.

Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity. One year is very limited for information that has a much longer lifespan.

Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.

Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?

"You’d think it would be somewhat secure," Bissell said of his personal information.

He plans to closely monitor his bank statements and account activity following the announcement.

Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.

"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.

"I could wind up with bad credit when I’m on a good roll."

Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?

Nuts.

Past Breaches:
Unknown

Lawmakers Proposing Millions for Elementary School Surveillance Cams

Tue, 15 Apr 2008 17:00:00 +0000

Federal lawmakers are considering a proposal to let public schools use millions in federal safety grants to install surveillance cameras. The measure, which would up funding to $50 million a year, will be debated in a key committee Thursday.

Is Technorati relevant anymore?

Thu, 28 Feb 2008 19:42:22 +0000

I have been thinking more about the RSA Bloggers Meet up that I wrote about yesterday. That got me thinking about how bloggers are so socially interactive and probably explains why we are such suckers for things like Twitter, Facebook, etc. Than I started thinking (I know a lot of thinking going on here, where it goes I don't know) about how blogging has changed in the years I have been at it. While blogging is bigger than ever, alot of the social network around has changed. For the most part, for the better I would add. However, one thing that has changed for me anyway, is Technorati.

When I first started blogging Technorati was the Google of blogs. In fact on the not too rare times that it took for ever to search on Technorati I would think it was being overrun with queries. Putting Technorati tags into my articles was elementary and mandatory. I used to check my Technorati rankings everyday and judged my blogs popularity by its "authority". I would eagerly comb the rankings to see who linked to my site. Then a funny thing happened. Technorati started making so many changes, when I would log in I couldn't find what I was looking for anymore. Than it would seem that no matter what I did, unless I went in and manually pinged my site, it would not update. After a while I got tired of manually pinging from Technorati and my authority started going down. Frankly, I didn't even care. Then after a while, I couldn't even figure out where to go to ping my site manually on Technorati anymore. It has just lost all relevance for me as a blogger. The shame is I think the blogger community was what Technorati was about.

Instead, I think Technorati has gone after the blog reader community. I can see the wisdom there. There are a lot more readers than their are writers. However, I am not sure they do a great job on that count either. Both Google and Yahoo and even MSN do a good job of blog coverage now. So do blog readers have any allegiance or affinity for Technorati? Does it do anything for them? I don't know. What I do know if they would have done a better job of keeping me abreast of the changes to their site and showing me how to use it and get value out of the service, I would spend more time there and not find it so irrelvant as I do now.

This is something I am going to discuss with my blogger buddies at the RSA bloggers meet up. With a "who's who" of security bloggers in attendance, what would you talk to them about?

Theft from vendor affects Modesto City Schools employees

Tue, 12 Feb 2008 12:03:09 +0000

Technorati Tag: Security Breach

Date Reported:
2/11/08

Organization:
Modesto City Schools

Contractor/Consultant/Branch:
Systematic Automation Inc.

Victims:
School district employees

Number Affected:
3,500

Types of Data:
Names, addresses, birth dates and Social Security numbers

Breach Description:
A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California. Systematic Automation Inc. prints annual benefits summaries for employees.

Reference URL:
The Modesto Bee online story
KCRA Channel 3 News story
ABC News Channel 10 story

Report Credit:
KCRA Channel 3 News

Response:
From the online sources cited above:

All 3,500 employees were affected by the breach, which happened after a computer drive with names, addresses, birth dates and Social Security numbers was stolen from a Southern California data processing firm in Fullerton.

Systematic Automation Inc., prints benefits information for employees including health benefits for the district.

The hard drive and three monitors were stolen at 4:30 a.m. in a "window smash" burglary, said Sgt. Linda King with the Fullerton Police Department.

An e-mail was sent out to all affected employees.

Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format.
[Evan] Good and bad. Good that the school district encrypted the information before sending it out. Bad that the school either did not communicate it's security expectations well or enforce them through regular audits of vendors.

"We want to do the accountable thing, which is to let everyone know so they can take their own steps to protect themselves," Modesto City Schools Superintendent Arturo Flores said.

Director of Business Services Dennis Snelling said no cases of identity theft connected with the data breach have been reported.

"We’re keeping an eye out," Snelling said. "We want our people to be able to protect themselves."

Snelling said other agencies had their data compromised in the theft, but he did not have details.
[Evan] Not cool.

Snelling sent a memo by e-mail and hard copy on paper just before 2 p.m. to warn employees and provide information about how to monitor for fraud.

District officials said they plan to look into the security practices of each agency to which that receives employee information is sent.
[Evan] Excellent addition to their practices. Vendors and contractors are extensions of the organization.

"We’d certainly be taking that up with Systematic Automation," he said. Employees with concerns can contact Louise Baker, supervisor of payroll and benefits, at 576-4192.

Victim Reaction:
"There are a lot of very unhappy people," said Ray Duran, vice president of the Modesto Teachers Association. "I just hate to think all my stuff is out there. We know these things happen. We just hope the district will find a way to remedy the problem."
[Evan] Unfortunately, there is little remedy for exposed information. Once information has been exposed, it stays exposed.

Sonoma Elementary teacher Judy Pierce said she was pleased at how quickly the district notified district employees and provided steps to help prevent identity theft.

"I think all of us hope in our lifetime we won’t be faced with these issues," Pierce said. "But (the district) gave us an entire two pages of steps of who to go to, who to contact. It made it very, very easy for us to follow through on it."

Commentary:
I am actually impressed with how well the school responded to this breach. It appears that they notified employees in a timely manner. The school also appears to know a thing or two about information security as demonstrated by encrypting the data and now recognizing the importance of evaluating vendor security practices.

Past Breaches:
Unknown

House committee issues report and finds fault with TSA web site

Tue, 15 Jan 2008 06:35:53 +0000

Technorati Tag: Security Breach

Date Reported:
1/13/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Transportation Security Administration (TSA)
Desyne Web Services

Victims:
Certain people that used the TSA traveler redress website between October 6, 2006 and February 13, 2007.

Number Affected:
"thousands"

Types of Data:
Name, Social Security number, birth date, birth place, sex, height, weight, hair color, eye color, address, and home and work telephone number.

Breach Description:
According to the January, 2008 United States House of Representatives Committee on Oversight and Government Reform report titled INFORMATION SECURITY BREACH AT TSA: THE TRAVELER REDRESS WEBSITE;
"In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft."

Reference URL:
The official Committee on Oversight and Government Reform report
The CSO Online Story

Report Credit:
The United States House of Representatives Committee on Oversight and Government Reform, and special credit to Chris "Boarding Pass Hacker" Soghoian.

Response:
From the online sources cited above:

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information.
[Evan] For those who don't know, Henry Waxman represents the 30th District of California in the House.

As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight.

The report finds:

TSA awarded the website contract without competition.

TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”

The TSA official in charge of the project was a former employee of the contractor.

The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.

TSA did not detect the website’s security weaknesses for months.

The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

TSA did not provide sufficient oversight of the website and the contractor.

The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a government-wide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

After conducting a detailed security accreditation review of the traveler redress website, TSA’s Chief Information Security Officer (CISO) granted the website a 12-month “Authority to Operate” in September 2006. The CISO did not detect a number of glaring security problems affecting the website when it went live on October 6, 2006.
[Evan] The TSA CISO is Patti Titus. I don't know how these security issues could have been missed!

The security vulnerabilities of the website included the following:

The Site Was Not Hosted on a Government Domain.

Instead of being hosted on a government web domain (e.g., “tsa.gov”), the redress system was hosted on a commercial domain operated by the contractor (http//rms.desyne.com). When they left the government domain, visitors to the redress management site lost any assurance they were visiting a legitimate government website

The Home Page Was Not Encrypted

The website home page did not have an encrypted “secure socket layer” (SSL) with an “https” protocol identifier. As a result, every time travelers visited the site to check on the status of their applications, the control numbers they entered to access their files were vulnerable to theft. Once they obtained these numbers, attackers would have access to travelers’ personal information.

The Submission Page Was Not Encrypted

One of the site’s links that allowed travelers to submit personal information was also unsecured. Although travelers could access an encrypted page to submit personal information, a link reading “file your application online” transferred users to an unsecured site. Travelers submitting their name, address, Social Security numbers, eye color, place of birth, and other sensitive personal information through this link had no protection from attack

Encrypted Pages Were Not Properly Certified

Although other web pages within the site were SSL-protected, they were not properly certified. Under standard web security practices, operators of SSL-protected websites obtain third-party certifications to assure users that an outside party has approved the web site’s security measures. Instead of the proper third-party certification, the site had only an expired certification that Desyne itself had generated.

Chris Soghoian's Comments:
"the appearance of the site was so poor that he first suspected it was a “phishing” site"

"Incredible that they would take the site live using a self-signed certificate. It shows major incompetence (elementary oversight should have caught this) and at Desyne, Inc. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues."

After Mr. Soghoian posted his analysis of the security vulnerabilities affecting the traveler redress website, TSA moved quickly to transfer the site to a more secure Department of Homeland Security domain.

TSA also contacted the individuals who had submitted their personal information through the unsecured “file your application online” link to inform them that they were at a heightened risk of identity theft.

To date, TSA has awarded Desyne almost $500,000 worth of no-bid contracts to provide web services to TSA and DHS
[Evan] $500,000!? As a taxpayer, I am miffed.

Commentary:
The investigation and report by the House Committee on Oversight and Government Reform is excellent. A very good read.

Interesting, from the TSA Privacy FAQs:
Question: How can TSA ensure the security of personal information it collects?

Answer: TSA takes a number of steps to ensure the security of personal information it collects about individuals. TSA’s Office of Privacy Policy & Compliance collaborates with the Chief Information Security Office (CISO) to work with program offices during the design and implementation of systems to ensure compliance with the Federal Information Security Management Act (FISMA) and the Privacy Act, 5 U.S.C. §552a. In addition to design and implementation standards, the CISO ensures that the systems are secured against unauthorized use through the use of a layered, defense-in-depth security approach involving procedural and information security safeguards as mandated by FISMA following National Institute of Standards and Technology (NIST) guidance.

Am I missing something?

Past Breaches:
October, 2007 - Stolen laptops contained sensitive TSA information