Loss of Privacy

The DHS and TSA like to tell us that what they are doing is making America safer, but a new report by the House Oversight and Government Reform subcommittee shows that little to nothing has changed in security to prevent breaches from occurring.

The breaches — amounting to about seven a day, or about five per year at every airport — include everything from people who accidentally leave a bag on a checkpoint conveyor belt to those who purposefully evade security and get onto airplanes without proper screening.

A TSA spokesman did not contest the figure, but questioned its significance, saying all breaches are investigated and resolved. The agency said it did not have a breakdown of breaches by severity.

This is the spin that the TSA puts on a real problem. They dismiss it by saying that it’s not significant because they’ve been investigated and resolved. It doesn’t address the original problem of preventing security breaches to begin with. These breaches occur in places where they should never happen in the first place.

– 14,322 breaches into secure entries, passages or other means of access to the secure side of the airport.

– Approximately 6,000 breaches involving a TSA screener failing to screen a passenger or a passenger’s carry-on property, or doing either improperly.

– 2,616 instances involving an individual getting past the checkpoint or exit lane without submitting to all screening and inspections. Some 1,388 of these have occurred at the perimeter areas of airports.

None of these breaches should even be possible if the people the TSA hired actually did their job. There is no excuse. For the TSA to simply say that they don’t matter because they’ve been investigated and resolved confirms to many people that the TSA is incompetent and should no longer exist as a force to protect airport security.

TSA spokesman Nicholas Kimball said the figures represent a “tiny fraction of 1% percent of the more than 5.5 billion travelers at the more than 450 airports nationwide that we have screened effectively since 9/11.”

It doesn’t matter if it is a tiny fraction. The TSA is often quick to point out that new procedures that have included taking off your shoes and full body scanners, are put into place precisely to catch that tiny 1% that might do something wrong. You cannot use that 1% to defend intrusions of privacy and then dismiss them as trivial and still expect to be taken seriously. Either that 1% is important or it is not.

25,000 security breaches. 0 terrorist attacks prevented. Those two facts illuminate just how ineffective and unnecessary the TSA really is.

I work at an airport, and sometimes, while working on computers near a security point, a TSA person will come and chat to me. Yesterday, a TSO told me that last week, a person from the street (not even a passenger! Just a deranged guy who walked into the airport) had slipped through a security checkpoint by basically just walking between the wall and the checkpoint, ducking under or going around those black retractable belt things they use to make lines.

The kicker is, it took TSA 2 hours to figure it out, and it wasn’t anything to do with their amazing skills, either. The crazy guy was making trouble in the gate area and an airline employee called the police. The guy didn’t have a boarding pass or anything like that. Good job, TSA! Way to justify that budget.

If true, and there’s no reason not to believe otherwise, it just highlights how useless security is at the airport.

The recent RockYou hack has revealed, once again, why it’s so easy to do such things. People used predictable passwords despite the vast amount of warnings not to.

Sensitive login credentials – stored in plain text – were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which applied to user password and email addresses for widgits it developed, and pledged to improve security in order to safeguard against future problems.

From over 32 million passwords, the results were, sadly, not surprising. The top ten were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

While the top ten shouldn’t surprise you, the fact that over fifty percent of the passwords used regular names, slang, and common dictionary words should. Even worse, the admins stored the information in plain text, something that should never be done. Hashing the passwords is not difficult, yet RockYou failed to do such a basic task. RockYou also didn’t have simple security protocols in places, such as minimum password length, and alphanumeric passwords.

Users should be looking to create more difficult passwords or suffer the consequences of further breaches.

With President Obama pushing for more electronic medical records, Americans need to look closely at just how well guarded their personal, medical information really is.  Wikileaks reports that the Virginia Prescription Monitoring Program was hacked into and over 8 million medical records are being held for a $10 million ransom in an encrypted database.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh For $10 million, I will gladly send along the password.”

Virginia now has a statement [pdf] clarifying that the backups are fine and details [pdf] on what was stored on the files.

In October 2008, a similar event occurred.  Though smaller in nature, these types of breaches will become commonplace if everyone’s medical information is digitized.  It’s just too easy for criminals to access.  There’s so much information in medical files that it’s a goldmine just waiting to be dug through.  Sometimes, low tech, i.e. paper, is still the best way to go.

Here’s something to think about.  Identity theft.  Hacking people’s medical records.  Getting hit by a car and sent, barely conscious, to the hospital.  Do you trust electronic medical records now?

Govtrip.com is the website that many federal employees are required to use when booking work related travel.  The site was shut down after it was infected with a virus.

Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software…..Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees’ checking account information is stored there as well.

Fortunately, as soon as the problem was noticed, the site was shut down.  On February 12th, many employees were being told how to manually book trips until the problem was solved.

According to an analysis shared with Washingtonpost.com, the compromise of govtrip.com came from multiple sources and was fairly extensive.

The government hopes to have the site fully restored by Monday, February 23rd.  Until then, Northrop Grumman, the company that had run the site, has had its authority revoked.  It seems that Northrop Grumman isn’t the best company for this sort of situation, yet, they keep being awarded contracts to do so.