[Infowarrior] - WH Tour Cybersecurity: Send In Your SSN - Via Unencrypted, Unprotected Email!
Richard Forno
rforno at infowarrior.org
Fri Jan 14 05:42:36 CST 2011

Begin forwarded message:
From: Lauren Weinstein <lauren at vortex.com>
Date: January 13, 2011 11:42:16 PM EST

White House Tour Cybersecurity: Send In Your SSN
- Via Unencrypted, Unprotected Email!
http://lauren.vortex.com/archive/000799.html

Greetings. Before the U.S. government proceeds at all with their
controversial and risky Trusted Identities in Cyberspace Internet ID
scheme ( http://bit.ly/eZug4M ), perhaps they should demonstrate their
ability to follow for themselves the most basic of Internet security
procedures.

Very large numbers of persons tour the White House every year. All
prospective tour guests 14 years of age and older are required to
pre-submit their Social Security Numbers (SSN) for security checks
(apparently it is common for children under the age of 14 to have their
SSNs submitted as well).

One might assume that information as sensitive as SSNs would be
handled by the associated authorities with the same care and diligence
as, say, a typical bank Web site -- using SSL/TLS encryption for the
protection of this data that is so often abused for identity fraud.

But that assumption would apparently be false. An array of
Congressional Web sites instruct would-be White House tour guests to
submit their personal information (names, dates of birth, *social
security numbers*, etc.) via *standard unencrypted e-mail* to
(for example) various addresses @mail.house.gov!

Here are just a few randomly selected examples where (apparently
customized by Congressional district in these cases) White House Tour
"XLS" Security Forms are provided for download along with instructions
for emailing them in for processing --
( Form: http://bit.ly/frTSn4 [house.gov] ):
Congressman Steve King: http://bit.ly/gqPG5L [house.gov]
Congressman Raul M. Grijalva: http://bit.ly/gQbUyV [house.gov]
Congressman John Kline: http://bit.ly/dUT4YY [house.gov]

And so on. Search around a bit for yourself -- you'll easily find
others. In fact, it appears that emailing back the Security Forms --
with absolutely no Internet transit protection for the personal
information included such as SSNs, is the standard mechanism that
Congress is mostly using -- and presumably the White House has
approved -- for White House tour requests.

If an insurance company, bank, or even a local school were caught
telling persons to submit required personal information such as Social
Security Numbers via easily diverted, observed, and otherwise abused
unencrypted email channels, there would likely be investigations and
hell to pay.

But Congress and the White House -- the same entities who presumably
wish to play such important "Cybersecurity" roles, apparently can't
even handle this basic aspect of Internet security correctly. Yet
we're supposed to trust their judgment relating to the creation of a
vast and complex Internet Trusted Identities infrastructure.

It would actually be quite funny -- if it weren't so utterly frightening.

--Lauren--
Lauren Weinstein (lauren at vortex.com)
http://www.vortex.com/lauren
Tel: +1 (818) 225-2800
Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org
Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Founder, GCTIP (Global Coalition for Transparent Internet Performance):
http://www.gctip.org
Founder, PRIVACY Forum: http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz