Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
Editor's Blog and Industry Comments

TSA Security Breach Shows Lack of Document Security Understanding

14 December, 2009
The US Transportation Security Administration recently posted airport screening procedures on the Federal Business Opportunities website with the most sensitive text blocked out, only to have the redacted text recovered and re-posted in its entirety by a blogger.
This enormous faux pas by a Government security authority revealed details of how to recognise the genuine credentials of Federal Air Marshals, CIA agents and US Congress ID as well as exceptions to the Explosive Trace Detection requirements, which countries' passport holders should be singled out for further inspection and even Walk-Through Metal Detector calibration procedures.


The 94-page document is still in the public domain since it is a PDF document which will already be saved on thousands of hard-drives for leisurely reading as well as appearing on numerous blogs. The TSA has responded by updating its procedures and launching an investigation into the document leakage.

Whether the redacted procedure should have been posted to the FedBizOpps site in the first place is one factor; the procedure contained many facts that hadn't been redacted that could be considered sensitive such as the handling of diplomatic pouches and the procedures for escorted dignitaries. In fact, the entire document is classified as "â€. No part of this record may be disclosed to persons without a "need to know"".

The second point is the methods used to obliterate the most sensitive parts and which led to the scandal.

Chris Wacker, the Senior Vice President of Laserfiche, document and content management specialists, explained to me:

"Sensitive parts of the document (such as what size wires are not noticed by x-ray scanners, and citizens of which countries automatically get extra screening), were redacted from the document. However, the person who released the document did not understand how to properly redact an electronic document. The TSA simply drew black rectangles over the sensitive areas. The PDF still contained the sensitive text in the text layer of the document. This means that anyone can simply select all in the document, copy, and paste somewhere else to see all the text. It only requires basic computer literacy to circumvent the redaction".

Is it possible then to redact such documents securely and black-out text from a document that you don't wish others to see without the possibility of the text being recovered?


"If the TSA had been using a certified electronic document management (EDM) solution like Laserfiche" Chris continued, "this problem would have been much less likely to have happened. Redaction is handled much more robustly using a certified EDM and can be set up to automatically "burn in" whenever a document is exported. This means that it is not possible to circumvent the redaction, because the text is removed from the image and from the text layer. This lapse shows a profound lack of understanding of electronic documents at the TSA."
Bookmark and Share