The AirSafe.com News


11 December 2009

Continued Fallout from TSA Release of Sensitive Security Information

Rep. Peter King of the US House of Representatives recently sent a letter to Secretary Janet Napolitano, head of the Department of Homeland Security (which oversees TSA), and among other requests asked DHS how it was addressing the repeated posting of the security manual on other web sites and "what legal actions, if any, could be taken to compel its removal."

AirSafeNews.com is not one of those sites that has posted copies of the unredacted security manual. However, it has provided links to both the redacted and unredacted versions of the document that are hosted by its partner site AirSafe.com.

However, by the time AirSafeNews.com first wrote about this document, it was already available in a wide variety of places, including major US media organizations like ABC News and CBS News, and also at document sharing sites like Scribd.com. The document is also available at sites that specialize in releasing secret and restricted government and corporate documents, such as Cryptome.com and Wikileaks.org. A search on Google or Bing would quickly reveal many other sites that have either the document or links to the document.

Even if all online copies were to disappear from the web tomorrow, it has likely already been downloaded millions of times around the world. The unredacted copy hosted at AirSafe.com was downloaded over 4,000 times in the first two days that it was available. The reality of the Internet is that it is an international enterprise, and no single nation, not even the United States, can eliminate access to a document. Once a document is available online, it is very, very difficult to make it unavailable online. Using legal means to remove the TSA document from the Internet would be at best an exercise in futility.

Survey Responses
Earlier this week, we put out a survey asking three questions about this latest TSA scandal, and 21 members of the AirSafe.com audience responded.

The first question asked for a yes or no response. The second question had as response choices Yes, No, Maybe, and Other. The third question asked for a general response. The questions and their responses were as follows:

1. Did you download and review the TSA report?
Thirteen had downloaded the document, and eight did not.

2. Should the head of the TSA resign?
Nine believed that the head of the TSA should not resign, seven thought the head should resign, four said maybe, and one did not respond.

3. Tell Us What You Think About this Situation
The responses are included below with only slight editing for spelling and grammar:
  • No-one should be exempted from screening now that we know who has been allowed in without a check.

  • Whoever is in charge of the section responsible for dissemination of documents.

  • It's unfortunate maybe the guy who didn't black out the areas correctly should resign.

  • I do not care about very strict screening, it has to be, what matters to me is security.

  • I downloaded the manual but did not review fully. Yes he should resign, same with the fellow that made the document public. TSA should learn from this and ensure they do not create additional work for themselves and avoidable delays for the rest of us at the airports.

  • This was an accident; not so serious one, in my opinion.

  • It puts the traveling public in danger.

  • I think that if this is typical of how our government functions, then it's no wonder half of Americans have no faith in the ability of the government to run things like health care. Whoever is responsible for this error should be fired and steps should be taken to be sure this doesn't happen in the future. First of all they need a competent IT person to do this sort of thing.

  • Absolutely unacceptable and sooooooo stupid!!

  • Really? You people (presumably those behind AirSafeNews.com) are just feeding the fire and all of you who keep circulating this information should be tried as traitors to the US Constitution.

  • Typical no-brainer attitude. Shouldn't try something unless you know what you are doing.

  • I don't feel safer.

  • Use it to prevent other occurrences...firing only encourages cover ups.

  • The responsible employee should resign.

Related Articles
TSA Releases Extremely Sensitive Security Information Online
How the TSA Could Have Easily Avoided Its Recent Security Problem

Resources
Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original AirSafeNews.com article on this topic
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News

Photo: gregoryjameswalsh

10 December 2009

How the TSA Could Have Easily Avoided Its Recent Security Problem

The recent controversy over the accidental release of extremely sensitive security information by the TSA has been a huge embarrassment to the agency, and very likely revealed details about the TSA security process that could make it easier for individuals or groups to bring prohibited items into the secure areas of an airport terminal or onto aircraft. It would also make it easier for someone to take steps to avoid extra screening at the airport.

TSA Problem Was Completely Avoidable
One step that the TSA reportedly took, putting five employees and contractors involved in the document release on administrative leave, may have only involved those who were responsible for preparing and releasing the document. Perhaps a more important issue is whether this problem could have been avoided. It is very likely that the problem was not only avoidable, but specific step-by-step procedures to avoid this kind of problem have been widely available to the US government for several years.

According to an article in Federal Computer Week, over the last few years, the US military in Iraq, the White House, and the US Department of Justice have all had similar situations where an improperly redacted document was released to the public, and the sensitive information within those documents was later uncovered.

In the wake of those events, the National Security Agency (NSA) issued guidance to US federal agencies that included detailed instructions on how to process a word processing document in such a way that any sensitive information would be eliminated from the final PDF document. The report, titled “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF,” has been freely available to the public for several years, and the instructions in that document could have been used by the TSA to avoid their recent embarrassing episode.

Highlights of the NSA Report
Word processing documents such as Microsoft Word files contain many kinds of information, including text, graphics, tables, images, metadata, and more. This complex combination of data makes it easy to accidentally expose information, especially when someone does not properly remove sensitive information before the document is released to the public.

Techniques that work with printed documents, such as blacking out an area of text or graphics, or reducing the size of a graphic, often do not work with electronic documents because the information is still contained within the document. Most word processing documents also contain hidden information, such as comments or prior versions of the document, that may also be very sensitive.

The NSA's document had very clear instructions that anyone could use to take an MS Word file or just about any other kind of word processing file and systematically remove any sensitive content, including metadata, before creating a PDF file for public distribution. Let's hope that the TSA has the good sense to follow the NSA's procedures, or something like them, the next time they redact a document.

Related Articles
TSA Releases Extremely Sensitive Security Information Online
Continued Fallout from TSA Release of Sensitive Security Information


09 December 2009

TSA Releases Extremely Sensitive Security Information Online

The latest TSA controversy involves an inadvertent release of a document containing very sensitive security information that resulted in making key security procedures available to the public. The document, “Screening Procedures: Standard Operating Procedures,” provided standard procedures for TSA screening personnel in airports. It was the third revision, and was dated 28 May 2008. The document contained a range of information, including some sensitive security information that was redacted by the TSA.

The TSA posted it on the web site FedBizOpps.gov in March 2009, and it was removed from the site this past Sunday after the TSA realized, with the help of a number of blogs including Wanderingaramean.com, that the blacked out portion did not hide the information. You can download the redacted version and see for yourself.

It appears that the part of the TSA responsible for releasing the document to the FedBizOpps.gov site had a fundamental misunderstanding of how electronic documents work. It's likely that when the TSA 'redacted' areas of sensitive information in the original word processing document, black rectangles were placed over those areas, covering the information but not deleting it. By selecting the blackened areas in the PDF document, copying them, and pasting them into a file in a program like MS Word, Notepad, or OpenOffice Writer, anyone can recover the information that was within those blackened areas.

By the time the TSA had the document removed from the FedBizOpps.gov web site, it was too late. Copies of the redacted and unredacted information were now widely available online, and the information that was once hidden from the public is now out in the open.

Potential Security Impacts
The aviation security manual included details on TSA procedures for screening passengers, special rules for handling diplomats, law enforcement officials, and CIA employees, and the technical settings and tolerances used by metal and explosive detectors at airports.

Some of the more sensitive details in the TSA document were not widely known prior to the release of this document. Clearly, anyone attempting to do harm to the US air transportation system may use this information to attempt to fraudulently gain access to airliners or to secure areas of an airport terminal, or to take prohibited items through TSA security. This breach of security may force the TSA to change one or more procedures, and may make current security procedures and technology either less effective, or completely ineffective against some threats.

Because details about aviation security procedural or policy changes are typically not released to the public or subject to Freedom of Information Act requests, it is unlikely that the public will be made aware of any TSA changes, unless of course such information is accidentally released.

Highlights of Redacted Information
The redacted sections of the document contained a range of information, some of it mundane and some of it frightening. The highlights, with page numbers from the 93-page document, are below:

  • There exists an explosives trace detection screening protocol in which a percentage of checked baggage is screened using closed bag search (40%), limited open bag search (40%), and full open bag search (20%) procedures (page 9).

  • Transportation Security Officers should not handle explosives, incendiaries, or weapons if such items are discovered during the screening process (page 20).

  • There are specific procedures to follow to check the credentials of law enforcement officers and other armed government employees (page 21).

  • Calibration testing procedures for walk-through metal detectors (page 27).

  • Daily testing procedures for walk-through metal detectors (page 28).

  • Operational test procedure for x-ray systems (page 29).

  • Contamination control procedures for explosives trace detection devices (page 30).

  • Procedures for clearing armed security officers into the secure area of the terminal (pages 28-40).

  • Procedures for the screening of foreign dignitaries being escorted by the Central Intelligence Agency (pages 43-44).

  • Screening exemptions for TSA employees (page 45).

  • Categories of passengers who are to be exempted from closer scrutiny after initially being selected for extra screening (page 47).

  • Alternate screening procedures go into effect when primary screening devices are not working (page 52).

  • Matrix of special screening procedures for law enforcement officers (pages 54-55).

  • Photos and graphics with sample credentials for Federal Air Marshals, ATF employees, CIA employees, and members of the US Congress (pages 57-60).

  • Procedures to use if explosives trace detection devices or x-ray devices are unavailable or have limited function (page 77).

  • Explosives trace detection exemptions for persons with disabilities (page 78).

  • Allowing explosives trace detection procedures for bags and containers while using physical searches for all other items (page 78).

  • Unless exempted by the airline or the TSA security director, passengers with passports issued by the following countries are to be selected for extra screening: Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen, and Algeria (page 81).

  • Characteristics of suspect identification (page 82).

  • Alternative methods for checking travel documents (page 83).

Lessons Learned
Perhaps the most important lesson to be learned here is that electronic documents are not like printed documents. Depending on the document, what you see is not necessarily what you get. The version that you see may have coded within it data about previous edits, formatting information, and hidden characters. There may also be several layers of information, as was the case with the TSA document, where the blacked out portion did not eliminate the sensitive information, but merely covered it up.

A more effective method for redacting a document would have been to delete the sensitive information from the original document before turning it into a PDF file. Perhaps this TSA security controversy will be a lesson to anyone who works with electronic documents that they should be careful when 'redacting' documents.
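The cover-up failure and the delete-before-export fix described above, as an added example that is not part of the original article: a pre-release check over constructed, uncompressed PDF page content streams that reports text drawn underneath a filled rectangle and any listed terms still present in the text layer. The sample streams, function names and sensitive marker are made up for illustration; real PDFs usually compress their streams and use text matrices and font encodings that this simplified parser does not handle.

```python
import re

# Constructed page content streams (not taken from the TSA document).
# COVERED: the second line is still drawn, then a black box is painted over it.
COVERED = b"""
BT /F1 12 Tf 72 700 Td (Screening overview for the public) Tj ET
BT /F1 12 Tf 72 680 Td (CONSTRUCTED-SENSITIVE-LINE) Tj ET
0 0 0 rg
70 676 300 16 re f
"""
# DELETED: the line was removed from the source before export; the box is cosmetic.
DELETED = b"""
BT /F1 12 Tf 72 700 Td (Screening overview for the public) Tj ET
0 0 0 rg
70 676 300 16 re f
"""

NUM = rb"(?<![\d.])(-?\d+(?:\.\d+)?)"
# Simplification: one "x y Td (string) Tj" per BT..ET block, no escaped parentheses.
TEXT_RE = re.compile(rb"BT\b.*?" + NUM + rb"\s+" + NUM + rb"\s+Td\s*\((.*?)\)\s*Tj.*?ET", re.S)
# "x y w h re f" appends a rectangle and fills it with the current colour.
RECT_RE = re.compile(NUM + rb"\s+" + NUM + rb"\s+" + NUM + rb"\s+" + NUM + rb"\s+re\s+f\b")


def hidden_text(stream: bytes) -> list[str]:
    """Return text strings whose drawing origin lies inside a filled rectangle."""
    rects = [tuple(float(v) for v in m.groups()) for m in RECT_RE.finditer(stream)]
    found = []
    for m in TEXT_RE.finditer(stream):
        tx, ty = float(m.group(1)), float(m.group(2))
        if any(x <= tx <= x + w and y <= ty <= y + h for x, y, w, h in rects):
            found.append(m.group(3).decode("latin-1"))
    return found


def leaked_terms(stream: bytes, terms: list[str]) -> list[str]:
    """Return the listed terms that still occur anywhere in the text layer."""
    text = " ".join(m.group(3).decode("latin-1") for m in TEXT_RE.finditer(stream))
    return [t for t in terms if t.lower() in text.lower()]


if __name__ == "__main__":
    for name, stream in (("covered", COVERED), ("deleted", DELETED)):
        print(name, hidden_text(stream), leaked_terms(stream, ["constructed-sensitive"]))
```

The term check is the stronger release gate of the two, because it fails whenever the sensitive text is still in the file, whether or not anything is drawn over it.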

Resources
Full TSA Report
Redacted TSA Report
TSA Prohibited and Restricted Items

Follow Up Articles
How the TSA Could Have Easily Avoided Its Recent Security Problem
Continued Fallout from TSA Release of Sensitive Security Information

Survey and Comments
Given the security implications of this TSA release of information, AirSafeNews.com would be particularly interested in any comments that you may have. Please take the time to fill out the survey below:

The survey is now closed. The results of the survey are available here.