U.S. government agencies' cyber-security and record-keeping worse than previously thought (continued)
In any case, I was just pointed to a new Web page entitled "New 'Red Flag' Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft". The document discusses how financial institutions and creditors must comply with "red flag rules" and create programs to protect consumers from identity theft.
So, wouldn't you think, of just about any agency, the FTC would be pretty secure from an identity theft risk of their own?
Nah, I didn't think so.
Here's what the GAO found out:
The CIO told us that agency staff cannot directly access external Web-based email through the agency's Web browsers, and agency employees have been instructed not to use such systems for official FTC business. However, this official said that agency employees may use the commission's remote application delivery environment to obtain limited access to external Web-based email as a convenience.
On the surface, it might seem that the FTC isn't as bad as Homeland Security. FTC officials aren't allowed to surf their personal Hotmail and Gmail accounts -- at least not directly.
But what the agency employees can do is use a Citrix-based solution (think Go-To-Meeting) to remote desktop their way out of the FTC firewall and, most likely, connect to their PCs at home.
Yep, rather than simply access the Web (with all its attendant risks), FTC employees are allowed to remotely tunnel out of their FTC offices to home, accessing PCs containing all sorts of who-knows-what.
To be fair, as long as the Citrix session remains secure, there's no problem because anything bad that's going to happen would happen on the employee's home computer and not make it back to the FTC. It's like watching an explosion on TV -- it might look cool, but you won't have any embers to clean up from your living room carpet.
However, if you were to go out to a nice fireworks store and bring an M-80 firecracker back to your living room and set it off under the ottoman, then you've got problems. Likewise, if employees are tunneling out to their home PCs, they now have a way to completely bypass the FTC firewall and bring files from their home computers (completely open to the Wild Wild West that's the Internet) inside the FTC's secured firewall.
In a sense, because FTC employees can tunnel through the FTC firewall in such a way that their individual Web accesses are hidden due to the Citrix remote desktop functionality, they're even less secure than the folks at Homeland Security. At least the Homeland Security firewalls can see every packet, every IP address, and every Internet protocol used. Not so for the FTC. All that's hidden inside the Citrix tunnel.
What makes this particularly disturbing is that there's now a way for FTC employees to purposely bring data inside the firewall -- without any trace. It's possible to monitor the number of bytes used per employee, but there's no way at all to monitor what those bytes make up within the Citrix tunnel. So what might they bring inside? Hopefully nothing scary. But what if someone wanted to do harm? Who would know?
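The one signal the column concedes is still visible from the agency side is volume per employee. The following script is an added example (not code from the article, DominoPower, or any Citrix product) of how a defender would turn that signal into something actionable: it sums inbound and outbound bytes per user from gateway accounting records and flags users whose inbound volume through the tunnel exceeds a limit. The log line format, the user names, and the threshold are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample of per-session accounting records, in the shape a
# gateway or firewall might export for a remote-desktop tunnel. "in" means
# bytes flowing toward the agency network. The format is an assumption for
# this example, not the log format of any real Citrix product.
SAMPLE_LOG = """\
2010-03-01T09:01:12Z user=alice dir=in bytes=18234
2010-03-01T09:01:12Z user=alice dir=out bytes=2201
2010-03-01T09:15:40Z user=bob dir=in bytes=523000
2010-03-01T09:15:41Z user=bob dir=out bytes=4120
2010-03-01T10:02:03Z user=bob dir=in bytes=61000000
2010-03-01T10:40:00Z user=carol dir=in bytes=900
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dir=(?P<dir>in|out) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return (user, direction, byte_count), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("dir"), int(m.group("bytes"))


def totals_by_user(log_text):
    """Sum bytes per user and per direction across all records."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip records the parser cannot read
        user, direction, count = parsed
        totals[user][direction] += count
    return dict(totals)


def flag_inbound(totals, inbound_limit):
    """Users whose inbound volume exceeds the limit, largest first.

    The tunnel hides what the bytes contain, so volume is the only
    per-user signal the agency can act on without breaking the session.
    """
    flagged = [(user, t["in"]) for user, t in totals.items() if t["in"] > inbound_limit]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    totals = totals_by_user(SAMPLE_LOG)
    # 50 MB inbound per reporting period is an assumed threshold.
    for user, inbound in flag_inbound(totals, inbound_limit=50_000_000):
        print(f"{user}: {inbound} bytes inbound through the tunnel")
```

Run as-is it reports only bob, whose 61 MB inbound dwarfs the small screen-update traffic of the other users. The threshold should be tuned from a baseline of normal remote-desktop sessions, since legitimate display traffic is almost entirely outbound to the employee and a large inbound volume is exactly what a file being pulled inside the firewall looks like from the outside of the tunnel.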
Remember, the FTC is our leading identity theft protection crusader. This sort of security flaw makes you feel all warm and fuzzy, doesn't it?
Nah, I didn't think so.
At least I didn't pick on the White House this time.
Daniel Koffler is a Contributing Editor to DominoPower. Daniel is an R6 CLP and works as an IT consultant for major organizations in North America and Europe, specializing in network design, security analysis and knowledge management; he is also the author of several open source projects. Daniel can be reached at dkoffler@users.sourceforge.net.