Christopher Soghoian

From Wikipedia, the free encyclopedia

Christopher Soghoian
Born: 1981 (age 26–27)
Fields: Information security
Institutions: Indiana University
Alma mater: The Johns Hopkins University; James Madison University
Doctoral advisor: Markus Jakobsson
Known for: Boarding pass security

Christopher Soghoian (born c. 1981) is a blogger, activist and cybersecurity PhD student at Indiana University's School of Informatics in Bloomington, Indiana. He gained notoriety as the creator of a website that generated fake airline boarding passes.

Since September 2007, Soghoian has published his blog, Surveillance State, at CNET Networks' Blogger Network.

Fake boarding pass incident

On October 26, 2006, Soghoian created a website that allowed the user to generate fake boarding passes for Northwest Airlines. While the website visitor could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama bin Laden.

In the announcement for the boarding pass generator, Soghoian wrote that the ease of faking passes made it clear that the no-fly lists did not work. He listed two ways of avoiding the lists, one which required a fake boarding pass, and one which required the passenger to claim to have lost their ID.[1]

Information on how to modify boarding passes and exploit the same security weakness had been widely publicized by others before, including Senator Charles Schumer (D-NY)[2][3] and security expert Bruce Schneier,[4] but Soghoian received media attention for posting a program on his website to produce modified boarding passes automatically.

On October 28, 2006, his home was raided by agents of the FBI, who seized computers and other materials related to federal charges for conspiracy to commit fraud and forgery.[5] A letter sent by the FBI to Soghoian's Internet service provider led to the removal of the website at the same time as the raid on his home.[6] A replacement Boarding-Pass Generator was posted on the Boing Boing website by someone else on November 1, 2006.[7]

The FBI closed the criminal investigation in November 2006 without filing any charges.[8] According to copies of letters made public by Soghoian, the TSA conducted its own civil investigation beginning in December 2006.[9][10] This investigation was closed without any charges being filed in June 2007.[11][12]

Congressional investigation into TSA website flaws

In February 2007, Soghoian announced[13] that a TSA website was collecting private passenger information in a highly insecure manner. The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the no-fly list. Passengers who submitted their information through the website were at risk of identity theft. The TSA pulled, fixed and then relaunched the website within days, after the press picked up the story.[14]

In January 2008, the House Committee on Oversight and Government Reform issued a report on the incident, the result of a one-year investigation.[15]

The report stated that the flawed website had operated insecurely for over four months, during which over 247 people had submitted personal information using the insecure web forms.[16] According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website.[17]

The report also noted that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."[18]

Data breach legislation

Soghoian co-authored HB 1197, an update to Indiana's data breach legislation.[19] The state's original law, passed in 2006, did not require companies to notify their customers of a lost or stolen laptop containing their personal information if the device was protected by a password. Soghoian lobbied his state representative, Matt Pierce, to fix this problem after noting that a login password could be bypassed with common, off-the-shelf tools.

The bill replaced the flawed language, instead stating that companies do not have to disclose the loss or theft of a portable device when all personal data is encrypted and the encryption key is not compromised, disclosed or known to the person who had taken the device.[20]

The bill was passed unanimously by the Indiana state House and Senate, and was signed by the Governor on March 24, 2008.[21] It goes into effect on July 1, 2008.

HB 1197 originally contained provisions that would require any business suffering a data breach to notify the State Attorney General's office, which would have to post a copy of the report to its website. Another provision would also have required businesses to follow "best practices in their industry" with regard to encryption and passwords. These provisions were removed in Senate committee after an intensive lobbying effort by AT&T, Microsoft and Reed Elsevier.[22][23]

Other research

In May 2007, Soghoian revealed a vulnerability in a number of extensions for the popular web browser Firefox, demonstrating that their automatic updating mechanisms could be hijacked to download malicious content.[24]

In June 2007, Soghoian revealed a vulnerability in the popular social networking site Facebook. Sophisticated search queries could reveal personal information (including sexuality and religion) of Facebook users who had marked their profiles as private.[25] One day later, Facebook fixed the problem by restricting searches on private profiles.[26]

References

  1. Soghoian, Christopher (2006-10-26). Chris's NWA Boarding Pass Generator. Retrieved on 2007-03-05.
  2. Schumer, Charles E. (2005-02-13). Schumer reveals new gaping hole in air security. Retrieved on 2006-11-30.
  3. Schumer, Charles E. (2006-04-09). Schumer Reveals: In Simple Steps Terrorists Can Forge Boarding Pass And Board Any Plane Without Breaking The Law!. Retrieved on 2006-11-30.
  4. Schneier, Bruce (2003-08-15). Flying on Someone Else's Airplane Ticket. Crypto-Gram. Retrieved on 2006-11-30.
  5. Krebs, Brian (2006-11-01). Student Unleashes Uproar With Bogus Airline Boarding Passes. Washington Post. Retrieved on 2006-11-30.
  6. Singel, Ryan (2007-11-29). Is A Gov Shutdown Of A Website Without A Court Order Illegal? Supreme Court Suggests Yes. Wired News. Retrieved on 2008-03-05.
  7. Adams, John (2006-11-01). Replacement Boarding-Pass Generator, written in HTML and Javascript. Boing Boing. Retrieved on 2006-12-07.
  8. IU Student, Focus Of FBI Probe, Speaks Out. TheIndyChannel.com. Retrieved on 2006-11-30.
  9. Kane, David (2006-11-28). Letter of Investigation, page 1. Transportation Security Administration. Retrieved on 2006-12-07.
  10. Kane, David (2006-11-28). Letter of Investigation, page 2. Transportation Security Administration. Retrieved on 2006-12-07.
  11. Kane, David (2007-06-06). Warning Notice, page 1. Transportation Security Administration. Retrieved on 2007-07-23.
  12. Kane, David (2007-06-06). Warning Notice, page 2. Transportation Security Administration. Retrieved on 2007-07-23.
  13. Soghoian, Christopher (2007-02-13). TSA has outsourced the TSA Traveler Identity Verification Program?. Slight Paranoia. Retrieved on 2007-06-16.
  14. Singel, Ryan (2007-02-14). Homeland Security Website Hacked by Phishers? 15 Signs Say Yes. Threat Level, Wired News. Retrieved on 2007-06-16.
  15. Waxman, Henry (2007-02-23). Letter Requesting Documents from TSA: Oversight Committee Requests Information on TSA Traveler Identity Verification Website. House Committee on Oversight and Government Reform. Retrieved on 2007-06-16.
  16. Background on Committee Report Regarding TSA's Redress Web Site. Transportation Security Administration (2008-01-11). Retrieved on 2008-03-05.
  17. Singel, Ryan (2008-01-11). Vulnerable TSA Website Exposed by Threat Level Leads to Cronyism Charge. Wired News. Retrieved on 2008-03-05.
  18. Chairman Waxman Releases Report on Information Security Breach at TSA's Traveler Redress Website. United States House Committee on Oversight and Government Reform (2008-01-11). Retrieved on 2008-03-05.
  19. Pierce moves to increase personal data security. Press release (2008-01-15). Retrieved on 2008-03-29.
  20. HOUSE ENROLLED ACT No. 1197. Indiana General Assembly (2008-03-24). Retrieved on 2008-03-29.
  21. Soghoian, Christopher (2008-02-25). Indiana passes blogger-written data breach bill. Surveillance State. Retrieved on 2008-03-29.
  22. Our opinion: Identity theft bill hacked to pieces. Bloomington Herald-Times (2008-02-14). Retrieved on 2008-03-29.
  23. Soghoian, Christopher (2008-02-05). Industry giants lobby to kill pro-consumer data-breach legislation. Surveillance State. Retrieved on 2008-03-29.
  24. Krebs, Brian (2007-05-30). A New Vector For Hackers: Firefox Add-Ons. Washington Post. Retrieved on 2007-06-16.
  25. Soghoian, Christopher (2007-06-26). Go Fish: Is Facebook Violating European Data Protection Rules?. Slight Paranoia. Retrieved on 2008-03-05.
  26. Singel, Ryan (2007-06-28). Private Facebook Pages Are Not So Private. Wired News. Retrieved on 2008-03-05.

External links