GSA Bidding Site Compromised By Flaw

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractor's corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"
  • by zappepcs ( 820751 ) on Sunday January 15, 2006 @03:49AM (#14474712) Journal
    move along...
    First Military intelligence was considered an oxymoron, and now the government gives us Government Computer Security ??? This is a surprise? This is news? Wow, and to think, next thing you know, they'll be outsourcing tax processing to India... oh, wait....

    Never mind
  • Yeah... (Score:3, Funny)

    by andreMA ( 643885 ) on Sunday January 15, 2006 @03:51AM (#14474721)
    Clearly the people who log in would know about security.
    This is the Federal Government. Don't bet on that.
    • I completely agree. Unless of course you always trust your security functions to the organization that had the lowest bid.

      Then I just feel sorry for you.

  • by joeflies ( 529536 ) on Sunday January 15, 2006 @04:03AM (#14474749)
    Computerworld article [computerworld.com] Apparently the "Flaw" was that records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

    The site used digital certs to protect authentication, so it wasn't a matter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as a privileged user) and coding.
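The access-control gap joeflies describes (authentication by client certificate works, but the record lookup keys only on the id in the URL) is shown here on a toy in-memory store. This is an added example, not code from eOffer or from anyone in the thread; the record ids, certificate subjects and financial strings are constructed.

```python
"""Added example (not from the article or the comments): the access-control
gap the comment describes, shown on a toy in-memory record store.

A request is authenticated (here, by a client-certificate subject that we
trust the TLS layer to have verified), then looks up a contractor record
by the numeric id in the URL. The vulnerable handler trusts the id; the
hardened one scopes the lookup to the authenticated contractor.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ContractorRecord:
    record_id: int
    owner: str            # certificate subject of the contractor who owns it
    financial_data: str


# Constructed sample data standing in for the bidding database.
RECORDS = {
    1001: ContractorRecord(1001, "CN=acme-corp", "bid=$1.2M; margin=12%"),
    1002: ContractorRecord(1002, "CN=globex-inc", "bid=$0.9M; margin=8%"),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_record_vulnerable(record_id: int) -> Optional[ContractorRecord]:
    """Lookup keyed only on the id from the URL.  Authentication happened
    earlier (the cert check), but nothing ties the id to the caller, so any
    authenticated contractor can read any other contractor's record by
    changing the number.  This is what a query run as a privileged service
    account with no owner restriction looks like."""
    return RECORDS.get(record_id)


def get_record_authorized(caller: str, record_id: int) -> Optional[ContractorRecord]:
    """Same lookup, but ownership is part of the check.  The caller's
    identity comes from the verified certificate, never from the request
    parameters.  A mismatch raises Forbidden so the attempt is visible in
    logs; the caller learns nothing about the record's contents."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return None
    if rec.owner != caller:
        raise Forbidden(f"{caller} may not access record {record_id}")
    return rec


def update_record_authorized(caller: str, record_id: int, new_data: str) -> ContractorRecord:
    """Writes get the same ownership check as reads; the summary says
    modification, not just viewing, was possible."""
    rec = get_record_authorized(caller, record_id)
    if rec is None:
        raise KeyError(record_id)
    updated = ContractorRecord(record_id, rec.owner, new_data)
    RECORDS[record_id] = updated
    return updated


if __name__ == "__main__":
    # globex can read acme's record through the vulnerable path ...
    print(get_record_vulnerable(1001))
    # ... but not through the authorized one.
    try:
        get_record_authorized("CN=globex-inc", 1001)
    except Forbidden as exc:
        print("blocked:", exc)
```

The design point is that the identity used for the ownership check is taken from the verified certificate, not from anything the client can edit, and that the check is applied to writes as well as reads. Whether to answer a mismatch with "forbidden" or with the same response as a missing record is a separate choice; the example uses a distinct exception so the attempts stand out in logs.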

  • Tripwiring flaws (Score:4, Interesting)

    by KiloByte ( 825081 ) on Sunday January 15, 2006 @04:21AM (#14474776)
    Actually, it is possible that the GSA waited with the response on purpose. At least this is what I used to do on a MUD -- carefully logging every action, in an attempt to get a list of the crooks. The bastards would then get slapped with appropriate action, including revoking gains for a period in the past. This would make them appropriately punished as opposed to simply fixing the flaw and let them slide.

    This assumes some competency on the GSA's part -- but oh well, whom am I kidding?
    • Re:Tripwiring flaws (Score:4, Interesting)

      by DrMrLordX ( 559371 ) on Sunday January 15, 2006 @04:45AM (#14474832)
      An interesting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violator could have racked up tons of data on other bidding firms and distributed it to any number of non-violators, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.
  • Having seen how the Gov't works in regards to computer systems, this is no surprise. Something gets reported, sits in an inbox, is read by someone who doesn't care, so they forward it to someone else.. eventually, it hits the inbox of someone who cares. This person is the exception, not the rule. As soon as someone becomes a federal government employee, you can almost watch as they just stop giving a damn about anything.
    • For a number of the government employees it's not only that they stop giving a damn about anything. It's that after the repeated shitkickings and abuse they get for giving a damn either 1) their spirit gets broken, 2) they get out of the civil service before their spirit gets broken and they start not giving a damn or 3) they become real nasty/skilled individuals who the senior bureaucrats are afraid to mess with.
  • Ok, but.. (Score:5, Funny)

    by CCFreak2K ( 930973 ) on Sunday January 15, 2006 @04:46AM (#14474833) Homepage Journal
    Did they find who left the Sony Music CD in the drive when they were done listening?
  • So... (Score:1, Troll)

    ...is this the result of another brilliant recess appointment of an unqualified person to a government post? ;-)
  • Uncertainty ? (Score:3, Interesting)

    by smoker2 ( 750216 ) on Sunday January 15, 2006 @08:04AM (#14475185) Homepage Journal
    The security flaw, which could have permitted contractor fraud ...
    surely that should read

    The security flaw, which would have permitted contractor fraud

    There is no uncertainty, and it is wrong to suggest that there might be. It just makes the mistake seem less vital.

    Whether or not someone used that flaw to commit wrongdoing is irrelevant. The capability did exist.

    For those that think this is unnecessary grammar nazism, there is a difference between fact and probability.

    For example, if you were to leave a gate open on a field of cattle, then you would have allowed the cattle to escape. To say that you could have allowed them to escape twists the facts. An open gate does, in fact, allow cattle to escape.

    If however, you shut the gate but didn't fasten the bolt correctly, then you could claim that the cattle could have escaped, because there was an element of uncertainty.

    A small point but important, especially in these days of endless corporate spin and EULAs.

    • Hopefully they had proper logging procedures in place to monitor every action taken on their website.

      If they didn't, then they pretty much have to assume that all their data is compromised, grammar-nazism or not.

      The gov't has a whole set of rules & laws just for dealing with requisitions/contracts and since it is an outside contractor, I hope they get fuxxored in the butt for (most likely) violating the terms of their contract/allowing bids to be seen.
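Both KiloByte's "log everything and go after them later" and the reply above assume that every record access was logged with the identity behind it. Here is what a retrospective check over such logs looks like: one authenticated identity touching many distinct record ids, often in sequence, is the signature of exactly the id-swapping the Computerworld article describes. This is an added example, not part of the thread; the log format (certificate subject, method, path, status per line) and the sample lines are constructed assumptions, not eOffer's actual logs.

```python
"""Added example (not from the thread): a retrospective check over
web-server access logs of the kind the comments hope existed.  If every
record fetch is logged together with the authenticated client-certificate
subject, enumeration of other contractors' records leaves a clear trace.

Log format and field names are assumptions for this example, not eOffer's.
"""
import re
from collections import defaultdict

# Constructed log lines: subject, method, path, HTTP status.
SAMPLE_LOG = """\
CN=acme-corp GET /eoffer/record?id=1001 200
CN=acme-corp POST /eoffer/record?id=1001 200
CN=globex-inc GET /eoffer/record?id=1002 200
CN=globex-inc GET /eoffer/record?id=1001 200
CN=globex-inc GET /eoffer/record?id=1003 200
CN=globex-inc GET /eoffer/record?id=1004 200
CN=globex-inc GET /eoffer/record?id=1005 200
CN=initech GET /eoffer/record?id=1006 200
CN=initech GET /eoffer/record?id=1007 404
"""

LINE_RE = re.compile(
    r"^(?P<subject>\S+) (?P<method>[A-Z]+) \S*[?&]id=(?P<id>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (subject, method, record_id, status) for each well-formed line;
    lines that do not carry a record id are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["subject"], m["method"], int(m["id"]), int(m["status"])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (0 if empty).
    A long run means someone walked the id space rather than opening
    records they were sent links to."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(text, max_distinct=2, min_run=3):
    """Return {subject: sorted record ids} for identities that requested more
    than max_distinct distinct records or walked at least min_run consecutive
    ids.  Failed requests (404 etc.) are counted too: probing for ids that do
    not exist is part of the same pattern."""
    seen = defaultdict(set)
    for subject, _method, rid, _status in parse_log(text):
        seen[subject].add(rid)
    flagged = {}
    for subject, ids in seen.items():
        if len(ids) > max_distinct or longest_consecutive_run(ids) >= min_run:
            flagged[subject] = sorted(ids)
    return flagged


if __name__ == "__main__":
    for subject, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{subject}: {len(ids)} records, ids {ids[0]}..{ids[-1]}")
```

The thresholds are deliberately low for the nine sample lines; on a real site they would be set from how many records a legitimate contractor opens in a session. The check also only works if the log records the authenticated subject for every request, which is the point of the comments above: without that, the site has to assume everything was read.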
  • from tfa:

    "The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who performs tests for corporations. "Well, the 9/11 hijackers also had authentic drivers' licenses..."

    is this as moronic a statement as it appears?
