Tuesday, February 20, 2007

New TSA Website back online - Now Less Phishy

Both Ryan Singel of Wired News, and Brian Krebs of the Washington Post picked up the story of TSA's extremely amateurish looking website last week.

The website was hosted by a private company, did not use SSL, did not have a OBM form number, and was riddled with typos - sure signs that you shouldn't trust it, and enough reason for some to claim (albeit humorously), that it was a phishing site.. After a few phone calls from members of the press, TSA pulled the website.


The TSA Traveler Identity Verification Program website still tells passengers to download and fill out a .pdf form. However,
just like a shady, perpetual going-out-of-business sale retailer, TSA's website has resurfaced again, only this time, with a new name. It isn't linked to yet from the main TSA.gov site, but can be found via links from dhs.gov

The new website is: https://trip.dhs.gov/.

New improvements:


  1. http is redirected to https. Thus, even if their webmasters make future mistakes, and forget to link to the secure website, their webserver will redirect all non-secure content to their secure server. Good move! Try it. Go to http://trip.dhs.gov and watch as your browser gets redirected to https://trip.dhs.gov/.

  2. OBM Control Number. Any collection of personal information by the government is required to include a OBM Control Number. This was absent from their previous website, and as reportedly, from the Microsoft Word file previously available for download. You can view their Paperwork Reduction Act Statement (which includes their OBM #1652-0044) here: https://trip.dhs.gov/pra.htm

  3. No more word documents! They previously had a MS-word file available for download, if you didn't wish to send your information to their outsourced webserver. Predictably, this ms word file included meta-data on who at TSA had edited the file. They have now shifted to a pdf file.


Problem: It is still outsourced.

Both http://www.tsa.gov and http://www.dhs.gov are served by akamai distributed proxies, so it's impossible to figure out where they're actually being hosted.

However, someone from TSA visited my website last month, so I do know that TSA's outbound web proxies are:

pnxuser1.tsa.dhs.gov A 129.33.119.12
pnxuser2.tsa.dhs.gov A 129.33.119.13
pnxuser3.tsa.dhs.gov A 129.33.119.14
pnxuser4.tsa.dhs.gov A 129.33.119.25
pnxuser5.tsa.dhs.gov A 129.33.119.26

(Note, this is why Tor is useful)

Additonally, http://tsa.dhs.gov (which runs a webserver, albeit not one configured for public viewing) resolves to:
tsa.dhs.gov A 129.33.119.130

TSA's new website, http://trip.dhs.gov, resolves to
trip.dhs.gov A 64.124.212.23

Now, it's quite possible that TSA/DHS own a number of chunks of ip address space. All i'm stating here, is that the ip addresses are known to be owned by TSA/DHS are nowhere near the ip used by the trip.dhs.gov website.

I don't know the ip address of the old website rms.desyne.com - since it is no longer listed in DNS records. However, www.desyne.com resolves to 64.124.142.34.

Furthermore, a traceroute of http://trip.dhs.gov, and http://www.desyne.com leads me to believe that they're both hosted in the same data-center. I'd be willing to bet a couple Fin Du Monde beers that even with a change of DNS, that desyne is still running and hosting TSA's Traveler Redress Inquiry Program (TRIP) website.



traceroute to trip.dhs.gov (64.124.212.23), 30 hops max, 38 byte packets

.....

12 so-5-0-0.mpr2.iad1.us.above.net (64.125.27.209) 81.561 ms 118.933 ms 84.338 ms
13 so-3-0-0.mpr1.iad2.us.above.net (64.125.29.134) 82.985 ms 81.489 ms 83.893 ms
14 * * *

traceroute to www.desyne.com (64.124.142.34), 30 hops max, 38 byte packets

.....

12 so-5-0-0.mpr2.iad1.us.above.net (64.125.27.209) 84.352 ms 83.722 ms 84.142 ms
13 so-3-0-0.mpr1.iad2.us.above.net (64.125.29.134) 82.005 ms 82.326 ms 83.552 ms
14 * * *




Problem: It still uses cookies!

As Ryan Singel expertly notes, 2003 White House OBM rules state that government websites should not use cookies: "Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. [...] Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites."

Ryan additionally states: If cookies are going to be used, the rules require that the site include "clear and conspicuous notice" of the cookies, that there exists a "a compelling need to gather the data on the site," that there are "appropriate and publicly disclosed privacy safeguards" for cookie information, and that the head of the agency personally approves the cookies.

When I browse to both http://www.tsa.gov, and this new unannounced TSA website, I am given a web cookie - "ForeseeLoyalty_MID_8El4YcUdgN".

Admittedly, this is not nearly as big a problem as their un-SSL encrypted webserver. However, I want TSA to have to follow the rules. Especially since they make us follow them, even in cases where they won't actually tell us what the rules are.

The big question is: If TSA is following official US government policy, Kip Hawley, Director of TSA will have signed off on the use of cookies for TSA's website. Did he indeed sign off? Inquiring minds wish to know.

4 comments:

Cliff Barnard said...

Do I smell a FOIA?

Todd Larason said...

According to whois.arin.net, 64.124.212.23 is part of a block of addresses delegated to AboveNet and then sub-delegated to ConsumerAffairs.com:

CustName: ConsumerAffairs.Com, Inc.
Address: 1601 Cloverfield Blvd., 2nd Flr., South Tower
City: Santa Monica
StateProv: CA
PostalCode: 90404
Country: US
RegDate: 2005-12-12
Updated: 2005-12-12

NetRange: 64.124.212.0 - 64.124.212.255
CIDR: 64.124.212.0/24

64.124.142.34 is delegated to AboveNet also, but then subdelegated to Desyne:
CustName: DESYNE
Address: 11864 Sunrise Valley Drive
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
RegDate: 2003-01-27
Updated: 2003-01-27

NetRange: 64.124.142.0 - 64.124.142.255
CIDR: 64.124.142.0/24


It's possible abovenet hasn't kept the records up-to-date, though.

pippa said...

Yeah, but check out the WHOIS for the DHS outbounds! It's a block assigned to IBM Datacenters in Boulder & the Research Triangle. Our own government doesn't maintain their OWN datacenters for homeland security????

saint satin stain said...

This proves why our allegedly fascist orientated government should never become actual fascists; they would be incompetent fascists. I saw a report somewhere about the security of government sites, and believe that all flunked. Does anyone know of the report? Where it may be found?