Risk
6/25/2012
03:50 PM
50%
50%

TSA Wants To Monitor Employee Computer Activities

Transportation Security Administration seeks software to monitor employee keystrokes, emails, attachments, screen captures, file transfers, chats, network activities, and website visits.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration is looking for better ways to guard against insider threats and wants tools that can keep a close eye on employee computer activities.

The agency issued a Sources Sought solicitation in FedBizOpps on June 20, looking for software able to monitor and log a wide range of activities, including keystrokes, emails, attachments, screen captures, file transfers, chats, network activities, and website visits. The solicitation specifies that end users must not be able to tell they are being monitored, and must not be able to "kill" the monitoring.

The software must have the ability to monitor Windows OS, but the solicitation notes it also potentially should have the ability to monitor Mac OS X, as well.

Many of the capabilities TSA is looking for are commercially available now, but are used primarily for computer forensics, to look at activities after they have happened, said Chet Hosmer, VP and chief scientist with WetStone Technologies, a subsidiary of Allen Corporation that specializes in investigative software.

[ Insider threat? Outsider threat? The feds have to deal with them all. Read Feds Bust Hacker For Selling Government Supercomputer Access. ]

"Certainly over the last several years the focus on insider threats has become more prevalent than outsider threats," Hosmer said in an interview. "When we think about 'insider,' we think about people ... but it's not necessarily a human they're looking for. Devices coming in [to networks] could be the threat vector."

Malware continues to evolve in sophistication, he said, and the means and methods of protecting against it has had to evolve as well. For instance, some malware may insert keystrokes; detection might focus on how fast the keystrokes are being inserted, perhaps faster than a human (or that specific human) can type, he said.

The solicitation does not indicate whether TSA aims to store the vast amount of data such monitoring would generate and analyze it after the fact, or whether it is seeking to implement real- or near-real-time monitoring.

Hosmer thought it unlikely the solicitation was a response to the Wikileaks scandal, where a U.S. soldier has been accused of leaking thousands of pages of documents to the public by making them available for posting to the Web.

"Most of the leaks from Wikileaks came from overseas, not here. I haven't heard a lot of chatter about that at all," he said. "I think this solicitation is more serious than that. It sounds broader, the kinds of information they want to monitor ... potentially across agencies. Will contractors be involved? Will their systems be monitored, as well? How's that going to work?"

In an interesting bit of timing, the White House Office of Special Counsel issued a memo on employee monitoring policies to Executive Branch departments and agencies the same day TSA released its solicitation. The OSC warned agencies against using monitoring as a way of muzzling whistleblowers. OSC spokeswoman Ann O'Hanlon said the timing was purely coincidental.

She said the government generally is able to monitor users' computer use, as long as it provides disclosure up front that they are being monitored.

The Office of Management and Budget demands that federal agencies tap into a more efficient IT delivery model. The new Shared Services Mandate issue of InformationWeek Government explains how they're doing it. Also in this issue: Uncle Sam should develop an IT savings dashboard that shows the returns on its multibillion-dollar IT investment. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rharrold92201
50%
50%
rharrold92201,
User Rank: Apprentice
6/26/2012 | 3:40:04 AM
re: TSA Wants To Monitor Employee Computer Activities
TSA employees' computer activities being tracked should not be of any concern to anyone. The "quasi" enforcement organization will only be monitored as is most all government and private computer users' networks. U.S. Customs/DHS, BP, INS, DEA, FBI, and most other law enforcement agencies have for years provided recall features in their computer systems allowing internal affairs and other authorized officers to 'real time' monitor line activies and to review and replay officers' online activity. Plus, with little effort, analysis of online activity provides the means to target, monitor, predict and use as evidence, activities on computer systems that violate law and procedures. For an already questionable intrusion/misguided, overly expensive, deterrent system such as TSA ...to question the propriety of monitoring and using the information gleaned is ludicrous. Consider that users of any Internet link are already exposing themselves to continous surveillance, analysis, and predictive observation why should an organization who has been given the right to make the 4th Amendment the laughing stock of the world be any less exposed to scrutiny?
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/26/2012 | 1:40:10 AM
re: TSA Wants To Monitor Employee Computer Activities
I am a little surprised and disturbed the TSA isn't already doing this. There are a number of cases for doing this, not the least of which is preventing data leaks and policy violations that compromise security.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.