Here's one we're all aware of.
http://www.wired.com/threatlevel/201...orker-malware/
A former TSA worker convicted of planting a logic bomb on a system used to screen airline passengers was sentenced to two years in prison and ordered to pay about $60,000 in restitution to the TSA.
Douglas Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. He planted the malware in late 2009, after the agency gave him two weeks’ notice that he was being terminated from the job he’d held for five years.
The CSOC screens airport workers who have “access to sensitive information and secure areas of the nation’s transportation network,” and also identifies passengers who have a warrant out for their arrest, according to authorities. The CSOC network stores updated information from the government’s terrorist watchlist, as well as criminal histories from the U.S. Marshal’s Service Warrant Information Network.
Duchak’s job was to update the CSOC database as new information arrived from these two sources.
Every time the TSA says the scanners can't save or transmit images due to a software layer, this should be brought up. Many people are involved in writing, testing, installing and maintaining software on these machines. Any one of them is in a position to thwart software controls. Any system where hardware is controlled by software can be manipulated by semi-knowledgeable people. Whenever the TSA guy on Chaffetz's panel on 3/16 said "The machines can't transmit images" he was wrong. They "don't" transmit images because of the software currently installed but they "can".
Extrapolate this to secure traveler type programs where, I'm sure, the TSA will say the system is secure and your personal information is safe and you can see it really isn't. Any system which has a database accessible via a network can be hacked. Any distributed system where thousands of people will be able to view information and, minimally, hundreds will be able to modify that information is vulnerable.
Banks are routinely hacked into and personal identifying information such as credit cards, social security numbers and bank information is stolen. This is a risk we take for the convenience an electronic society has provided. I can guarantee the banks are paying their software guys a heck of a lot more than the TSA pays theirs. How many kids graduating with a computer science degree are thinking "Gee, I'd love to work for the government!"
I don't think this particular incident is newsworthy just in that it happened. All large organizations have criminals and potential criminals working for them. What is telling is that TSA routinely maintains that their workforce is somehow more dedicated than the rest of us (they're patriots, ya know) and that their management is able to control and prevent these sorts of issues better than the private sector.
I'd like to hear some specifics about how the software layer on the existing WBI machines is kept safe and screened for malware and how they plan to protect any data they would have in a secure flyer program. What kind of review is it subject to? Who tests it and how?