Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
State admits flaws in passport control
Published: 2008-07-07

Weak, or non-existent, controls limiting access to passport files allowed federal workers to peek at celebrity records, the U.S. State Department acknowledged in a report released on Thursday.

The heavily redacted report summarizes an investigation by the Office of Inspector General into the alleged improper access of passport records, following media reports in March that government contractors peeked at the records of three presidential candidates. The OIG found many weaknesses and potential vulnerabilities in the way passport information is managed and compared the State Department's processes to other agencies, such as the Internal Revenue Administration and the Social Security Administration, which are also responsible for citizens' personally identifiable information.

During the investigation, which lasted from March 24 to May 2, the OIG developed a list of 150 U.S. citizens frequently searched for on the Internet and found that the celebrities had their records accessed 4,148 times between September 2002 and March 2008. The report found that 23 people on the list did not have the records accessed at all during the period, while 9 people from the list had their records accessed more than 100 times. The OIG did not make a determination of whether the hits were authorized or unauthorized.

"The OIG report ... was very useful in focusing our attention," Michael D. Kirby, Principal Deputy Assistant Secretary of State for Consular Affairs, said during a press conference on Thursday. "We had some systems in place. The report highlights the fact that perhaps they could have been more robust."

As the United States upgrades its passports system to include electronic data in the documents, the security of the system and the electronic passport themselves have come under intense scrutiny. Security researchers have claimed that the current passport could leak data to unwanted snoops and that the methods used to encrypt the data could be broken.

The Bureau of Consular Affairs, the group within the State Department responsible for processing and administering the United States' passport program, uses a number of proprietary systems for entering data, issuing passports and accessing the data. The OIG's report, however, mainly deals with the Passport Information Electronic Records System (PIERS). The system tracks usage of the approximately 192 million passports issued to 127 million U.S. citizens.

According to the report, there were about 20,500 users with active PIERS accounts, of which only about 12,200 users are actually employees or contractors of the State Department. However, the Bureau of Consular Affairs investigated the credentials and found that about half belonged to former workers or people who had not accessed the systems in 90 days.

The report -- posted by Government Executive -- issued 22 recommendations for fixing the problems, most of which were redacted from the publicly released report. Among the six recommendations included in the public report, the OIG suggested that the State Department improve its auditing of the systems for security vulnerabilities, develop procedures and penalties for third-party disclosure of passport records, and review its privacy impact statements.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus