Windows XP on TSA laptops? TSA Dinged in Wireless Cybersecurity Audit

DHS Office of Inspector General (OIG) dinged TSA in a recent security audit. High-risk vulnerabilities were detected in Federal Air Marshals' BlackBerry devices, in patch management, in configuration controls . . . and can you believe Windows XP on TSA laptops?

We've questioned whether or not IT departments are too slow to patch Windows, and then took a survey that basically told us what we know: that patching Windows is a necessary evil and a huge time sink for IT. Well, it must be a royal pain for TSA IT as well. DHS Office of Inspector General (OIG) dinged TSA in a recent security audit over lapses in patch management and configuration controls and made recommendations to better protect TSA's wireless network and devices.

While the report redacts the actual numbers, can you believe that some TSA laptops are running the low-hanging fruit and one of the most hacked OSes of all time, Windows XP? Windows 7 has been out since October 2009, but XP? Come on! Surely the government can afford to upgrade from such an insecure OS? Maybe TSA or DHS is unaware that Microsoft wants XP to die and even set a kill date? Perhaps the TSA should consider consulting the NSA's Best Practices Datasheet [PDF] and strive for the minimum recommended security to keep even home networks secure? The NSA says Vista and Windows 7 are more secure than XP; 64-bit versions are better yet and "substantially increases the effort of an adversary to attain" a "root compromise."

The OIG recommended that TSA revise its patch management process and apply patches more frequently. The report [PDF] "identified high-risk vulnerabilities involving patch and configuration controls. Improvements are needed to enhance the security of wireless components to fully comply with the department's information security policies and better protect TSA's and Federal Air Marshal Service's wireless infrastructure against potential risks, threats, and exploits."

While no high-risk vulnerabilities were identified on "wireless network infrastructure or rogue or unauthorized wireless networks or devices attributed to TSA or the Federal Air Marshal Service," auditors did detect "signal leakage from TSA's wireless network," but "we determined that this was not a security risk because of the mitigating controls implemented," the report continued.

The audit of TSA networks, devices, and patch management also mentioned vulnerabilities in Windows Server 2003, as well as the fact that BlackBerry enterprise servers (BES) supporting Federal Air Marshals' BlackBerry devices had a backlog of security patches, leaving them at risk for security threats. "Unless addressed immediately, each instance of vulnerability provides an attacker with the potential opportunity to exploit a system."

Regarding those vulnerable BlackBerry phones, Homeland Security Today noted, "With these vulnerabilities, hackers could potentially exploit unsecured wireless networks to monitor data transmissions, examine the flow of communications between parties, execute denial of service attacks, alter messages, or even impersonate legitimate users to steal sensitive data provided by airline passengers."

In total, the OIG made four recommendations to improve security. As a whole, Homeland Security Today reported that TSA wireless security lapses include:

Potential exploits facing unsecured wireless networks include eavesdropping, where hackers can monitor data transmissions; traffic analysis, where hackers can examine the flow of communications between parties; denial of service, where hackers can overload a network by bombarding it with communication requests; masquerading, where a hacker impersonates a legitimate user; and message replay and modification, where hackers transmit or modify original messages.

The audit concluded that "Overall, TSA has implemented effective physical and logical security controls to protect its wireless network and devices." TSA's John Pistole wrote that the OIG did find "high-risk vulnerabilities involving patch and configuration controls on two of the four systems tested," but that TSA improved wireless security after the audit and all "identified findings have been addressed or corrected."


Copyright © 2011 IDG Communications, Inc.
