Risk
6/25/2012
03:50 PM
Connect Directly
RSS
E-Mail
50%
50%

TSA Wants To Monitor Employee Computer Activities

Transportation Security Administration seeks software to monitor employee keystrokes, emails, attachments, screen captures, file transfers, chats, network activities, and website visits.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration is looking for better ways to guard against insider threats and wants tools that can keep a close eye on employee computer activities.

The agency issued a Sources Sought solicitation in FedBizOpps on June 20, looking for software able to monitor and log a wide range of activities, including keystrokes, emails, attachments, screen captures, file transfers, chats, network activities, and website visits. The solicitation specifies that end users must not be able to tell they are being monitored, and must not be able to "kill" the monitoring.

The software must have the ability to monitor Windows OS, but the solicitation notes it also potentially should have the ability to monitor Mac OS X, as well.

Many of the capabilities TSA is looking for are commercially available now, but are used primarily for computer forensics, to look at activities after they have happened, said Chet Hosmer, VP and chief scientist with WetStone Technologies, a subsidiary of Allen Corporation that specializes in investigative software.

[ Insider threat? Outsider threat? The feds have to deal with them all. Read Feds Bust Hacker For Selling Government Supercomputer Access. ]

"Certainly over the last several years the focus on insider threats has become more prevalent than outsider threats," Hosmer said in an interview. "When we think about 'insider,' we think about people ... but it's not necessarily a human they're looking for. Devices coming in [to networks] could be the threat vector."

Malware continues to evolve in sophistication, he said, and the means and methods of protecting against it has had to evolve as well. For instance, some malware may insert keystrokes; detection might focus on how fast the keystrokes are being inserted, perhaps faster than a human (or that specific human) can type, he said.

The solicitation does not indicate whether TSA aims to store the vast amount of data such monitoring would generate and analyze it after the fact, or whether it is seeking to implement real- or near-real-time monitoring.

Hosmer thought it unlikely the solicitation was a response to the Wikileaks scandal, where a U.S. soldier has been accused of leaking thousands of pages of documents to the public by making them available for posting to the Web.

"Most of the leaks from Wikileaks came from overseas, not here. I haven't heard a lot of chatter about that at all," he said. "I think this solicitation is more serious than that. It sounds broader, the kinds of information they want to monitor ... potentially across agencies. Will contractors be involved? Will their systems be monitored, as well? How's that going to work?"

In an interesting bit of timing, the White House Office of Special Counsel issued a memo on employee monitoring policies to Executive Branch departments and agencies the same day TSA released its solicitation. The OSC warned agencies against using monitoring as a way of muzzling whistleblowers. OSC spokeswoman Ann O'Hanlon said the timing was purely coincidental.

She said the government generally is able to monitor users' computer use, as long as it provides disclosure up front that they are being monitored.

The Office of Management and Budget demands that federal agencies tap into a more efficient IT delivery model. The new Shared Services Mandate issue of InformationWeek Government explains how they're doing it. Also in this issue: Uncle Sam should develop an IT savings dashboard that shows the returns on its multibillion-dollar IT investment. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rharrold92201
50%
50%
rharrold92201,
User Rank: Apprentice
6/26/2012 | 3:40:04 AM
re: TSA Wants To Monitor Employee Computer Activities
TSA employees' computer activities being tracked should not be of any concern to anyone. The "quasi" enforcement organization will only be monitored as is most all government and private computer users' networks. U.S. Customs/DHS, BP, INS, DEA, FBI, and most other law enforcement agencies have for years provided recall features in their computer systems allowing internal affairs and other authorized officers to 'real time' monitor line activies and to review and replay officers' online activity. Plus, with little effort, analysis of online activity provides the means to target, monitor, predict and use as evidence, activities on computer systems that violate law and procedures. For an already questionable intrusion/misguided, overly expensive, deterrent system such as TSA ...to question the propriety of monitoring and using the information gleaned is ludicrous. Consider that users of any Internet link are already exposing themselves to continous surveillance, analysis, and predictive observation why should an organization who has been given the right to make the 4th Amendment the laughing stock of the world be any less exposed to scrutiny?
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/26/2012 | 1:40:10 AM
re: TSA Wants To Monitor Employee Computer Activities
I am a little surprised and disturbed the TSA isn't already doing this. There are a number of cases for doing this, not the least of which is preventing data leaks and policy violations that compromise security.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.