Like many folks who travel, I have long thought the Transportation Security Administration’s screening procedures frequently showed a lack of common sense. But the lack of sense, and of sensible security procedures, has never been more glaring than in the release of a TSA screening manual on the Web.
I don’t claim any expertise in transportation security and I have no idea of what the impact of this easily preventable breach will be. I am much more concerned with what it says about the general state of information security at TSA and its parent agency, the Department of Homeland Security, which is supposed to play a major role in the federal government’s cyber security efforts.
The 93-page manual was posted on a government Web site designed to give information to potential contractors. It’s not quite clear whether a scrubbed version of the document should ever have been put up for public view, but the big problem was that TSA used a totally inadequate method of blacking out the sensitive text in the Adobe Acrobat document. A blog called The Wandering Aramean posted the word that the document was available along with handy instruction on how to read the redacted material. The original TSA post has been taken down, but Crytome.org has posted two versions, one with the redactions removed and one that has been securely redacted. (Both are zipped PDF files.)
It’s the existence of the securely redacted file that should be most embarrassing to TSA and DHS. Back in 2005, in response to a series of breaches involving insecure redaction of both Microsoft Word and Acrobat biles by businesses and government agencies, the Information Assurance Directorate of the National Security Agency released a handy and thorough handbook (PDF) on secure redaction of documents.
You would think that after four years, anyone charged with protecting sensitive information in documents through redaction would have this document at his or her fingertips, if not committed to memory. The fact that DHS has not imposed this sort of security discipline throughout the agency is what the hordes of investigators now pouncing on TSA should really be looking at. And we can only hope that the who incident will serve as a warning to both businesses and government agencies that there is a right way and a wrong way to redact documents before publication, and failing to take the simple steps needed to do it right can be very costly.