How Not to Handle Sensitive Information (a.k.a. No Thank You, TSA)
I usually try to avoid talking about the security news that others are talking about unless it has directly impacted me in a day-to-day function. First of all, there are plenty of people already doing it. If you would like my opinion on a subject I will be happy to give it, but I am going to try not to subject you to it. I am sure you have your own resources that are sufficient for decrypting security concerns as they occur. This is the main reason for some of the lulls in my postings. Basically, nothing to say.
Well, today I am going to break that habit. I have been following the recent posts describing the TSA Traveler Identity Verification Program website. Christopher Soghoian, Ryan Singel, Kevin Poulsen, and Brian Krebs are doing a great job following this topic.
Although I have not read all the comments from all the sites, one of them on Christopher’s site caught my eye.
Anonymous said…
This may be surprising to hear: I am an employee at a major airline and I just received an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, drivers license #’s, military ID #’s, addresses, and even home phone #’s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee.
I find it quite disturbing that any airline employee has access to this information, and that many of the ppl on the cleared list have to give up their SSN# and other information.
4:20 PM
I know that this is by “Anonymous” and that the information contained here might not be true. But what if it is? How is releasing this information to such a wide audience helpful to our protection? You can argue that maybe ticket agents should be privy to a lot of this information to help them distinguish between individuals on the No-Fly list and those with similar or the same names. But why do ALL employees need this information? I am sure (let’s hope) there is an authentication mechanism, but where is the authorization mechanism? Have these people heard of “need-to-know”? Aren’t these people members of the government and used to dealing with sensitive information?
I am all for people looking into the website security that TSA is using to protect individuals registering for their program. I think we should also be asking questions about how they are handling the rest of this data. Of course you might say, well, the people on this list are criminals and terrorists. And I will ask you, “Are they?” What about identity theft? Whose information is it really?
UPDATE: Oops, I just realized I did not read the post correctly. The user information is for people on all lists – “TSA no-fly list, selectee list, and cleared list.” Yes, people should worry about this very much. Is it worth signing up even if it is through the secure website? This is definitely not the way to handle sensitive information. I guess another question is: Where is the TSA security professional? Why is s/he not involved with protecting this type of data?
Go forth and do good things,
Cutaway
TSA, security, Schneier, Krebs, 27bstroke6, Soghoian, Security Ripcord
February 22nd, 2007 at 3:17 pm
Why do the airlines need my SSN and DLN
February 22nd, 2007 at 6:37 pm
“What you going to be doing for them?”