
Primarily Lessons Learned from the TSA Laptop Mess


 
Old 08-06-2008

Last Christmastime, I was walking around Reagan National Washington Airport. I walked by a booth for the Clear program. I asked about the program which promises to help you clear security at the airport in much less time if you provide your personal information so the TSA contractors can conduct a background check. Since I already had a Top Secret security clearance, I thought it would be no problem. However, I had some nagging doubts and decided that I should wait and see how the program works out.

Fortunately for me, I trusted my instincts. Yesterday, I read the e-mail which said that Verified Identity Pass, Inc., the TSA contractor operating the Clear program, lost an unencrypted laptop with the personal information for over 33,000 applicants. The laptop, which contained names, social security numbers, passport numbers, and a host of other personal information, was stolen out of a locked cabinet at the San Francisco Airport. Since the hard drive was not encrypted, the information was easily compromised. Adding insult to injury for the victims is the fact that the laptop went missing on July 26th and TSA was not notified until August 4th. In addition, the public was not informed until the next day. As a result, the trail of finding the information thieves probably has gone cold while leaving over 33,000 people vulnerable for over a week. This is a violation of at least the spirit of privacy policies such as the Office of Management & Budget M-06-19, which sets a requirement that all compromises of Personally Identifiable Information (PII) be reported to the US-CERT within one hour of discovery. Now, TSA may shift the blame to their contractor, but it doesn't relieve them of the responsibility.

Now that the horse is out of the barn, so to speak, here are some observations on preventing or mitigating future incidents:

- Government agencies need to remember that while they may delegate the work to contractors, they cannot delegate the responsibility to safeguard it. Government agencies must assess the security controls of their contractors because the public trusts the government with their information, no matter where it is physically located.

- It's 2008; there are plenty of hard drive encryption and laptop locator software programs. It should be mandatory that all laptops which contain any type of sensitive information belonging to a government agency have hard drive encryption. Laptops are too easy to steal or lose. Some agencies have already made this a requirement.

- All laptops with sensitive information should be required to have laptop recovery software such as Computrace, GadgetTrak, PCPhoneHome, etc. This would help recover the laptops sooner and discourage potential thieves and buyers.

- It should not matter who technically owns the laptop; the loss of laptops with PII should be reported immediately to the government client, so they can report it to US-CERT and other organizations. Yes, this will be embarrassing for the contractor and potentially cause legal problems, but it is the right and ethical thing to do. The public trusts the government with PII; the government agencies deserve a chance to mitigate the loss of such information quickly. A week is far too long.

It is my sincere hope that this incident will spur further action to secure PII on both government and contractor-owned laptops.



