TSA site pwned by identity thieves

The TSA's website was hacked, seemingly by identity thieves who used the "Click here if you're on a no-fly list" to harvest personal information. Lots of sites get pwned by hackers. Most of those sites aren't run by entities who claim that they're keeping the skies safe by taking away our toothpaste. Is it any wonder that an organization that thinks flip-flops are made safer by passing through the X-ray machine is incapable of managing to secure its own servers?


A new link on the TSA's Our Travelers page directs people who "were told you are on a Federal Government Watch List" to click on a link taking them to this site, which, by all accounts, fits the profile of an attempt to harvest personal information and identity document details.

(UPDATE: The site has been changed and now redirects to https://trip.dhs.gov/index.html. However, the janky spelling, incorrect information and the possibly illegal collection of information without an OMB control number can still be found on the website as of 12:30 pm PST. TSA has still not responded to my call for comment.

1:05 PST — TSA employee Christopher White called to say "We are aware there was an issue and replaced the site. The issue has been fully addressed. We take IT responsibilities seriously. There never a vulnerability; just a small glitch." That's not quite accurate, as the non-SSL encrypted form submission was a vulnerability, but I take it to mean the site wasn't hacked by phishers. White did not have an answer as to why there is no OMB number for the information collection, saying he was concerned at the moment with the site's security.)

Link

(via Schneier)