Slashdot Mirror


GSA Bidding Site Compromised By Flaw

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractors' corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"

43 comments

  1. Nothing to see here.... by zappepcs · · Score: 3, Funny

    move along...
    First Military intelligence was considered an oxymoron, and now the government gives us Government Computer Security ??? This is a surprise? This is news? Wow, and to think, next thing you know, they'll be outsourcing tax processing to India... oh, wait....

    Never mind

  2. Yeah... by andreMA · · Score: 3, Funny
    Clearly the people who log in would know about security.
    This is the Federal Government. Don't bet on that.
    1. Re:Yeah... by daspriest · · Score: 1
      I completely agree. Unless of course you always trust your security functions to the organization that had the lowest bid.

      Then I just feel sorry for you.

  3. Could have? by Anonymous Coward · · Score: 0
    The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general


    Could have? So it didn't happen? Did Halliburton suddenly feel a swell of moral responsibility?
  4. ComputerWorld has more detail by joeflies · · Score: 4, Informative
    Computerworld article: Apparently the "flaw" was that records were accessed by a unique ID in the URL. Change the unique ID, see a different record.

    The site used digital certs to protect authentication, so it wasn't a matter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as a privileged user) and coding.
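    The bug joeflies describes is an authorization failure, not an authentication one: the client certificate proves who is calling, but the record ID in the URL is the only thing deciding which record comes back. The following is an added example, not eOffer's code, showing that shape next to one way to fix it. The record store, the contractor names, the `Request` object and the idea that the server exposes the verified certificate subject DN are all constructed assumptions.

```python
"""Added example (not eOffer's code): a record lookup keyed only on the ID in
the URL, next to the same lookup with an ownership check. The store, the
contractor names and the request shape are constructed assumptions."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data. IDs are sequential and guessable, which is what
# makes "change the ID, see a different record" work.
RECORDS = {
    1001: {"owner": "CN=Acme Federal Systems", "bid": 4_200_000},
    1002: {"owner": "CN=Beta Consulting LLC", "bid": 3_900_000},
}


@dataclass
class Request:
    # The site used TLS client certificates, so the server already holds a
    # verified identity for the caller. We assume it is exposed as the
    # certificate's subject DN.
    client_cert_subject: str
    record_id: int


def get_record_vulnerable(req: Request) -> Optional[dict]:
    """Authentication without authorization: the cert proved *who* is calling,
    but the lookup never asks whether that caller owns the record."""
    return RECORDS.get(req.record_id)


def _owned_record(req: Request) -> Optional[dict]:
    rec = RECORDS.get(req.record_id)
    if rec is None or rec["owner"] != req.client_cert_subject:
        # Collapse "no such record" and "not your record" into one answer so
        # an enumerating caller cannot use the difference to map valid IDs.
        return None
    return rec


def get_record_fixed(req: Request) -> Optional[dict]:
    """Object-level authorization: the ID in the URL is only a hint; the
    caller's verified identity decides what they may see."""
    return _owned_record(req)


def update_bid_fixed(req: Request, new_bid: int) -> bool:
    """Writes need the same check; the reported flaw allowed modification too."""
    rec = _owned_record(req)
    if rec is None:
        return False
    rec["bid"] = new_bid
    return True


if __name__ == "__main__":
    acme_reads_beta = Request("CN=Acme Federal Systems", 1002)
    print("vulnerable:", get_record_vulnerable(acme_reads_beta))  # Beta's bid leaks
    print("fixed:     ", get_record_fixed(acme_reads_beta))       # None
```

    In a real application the ownership check belongs in the data layer (every query scoped by the caller's identity) rather than in each handler, otherwise every other screen that takes an ID in the URL has to be found and fixed one by one.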

    1. Re:ComputerWorld has more detail by DrMrLordX · · Score: 3, Interesting

      That explains the flaw, but can anyone explain why it took three weeks to take the system down after the flaw was reported? And here I was thinking the delay in correcting false news coming out of the Sago mine was bad. Three hours is nothing compared to twenty days.

    2. Re:ComputerWorld has more detail by MichaelSmith · · Score: 2, Insightful
      records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

      Same as the GST hacking problem here in .au in 1999. The person who pointed this out to the tax office got charged with hacking because he tried out a few alternative URLs.

    3. Re:ComputerWorld has more detail by SleepyHappyDoc · · Score: 0, Troll

      Perhaps the government is outsourcing their computer security to Microsoft.

      --
      Stasis is death. Embrace change.
    4. Re:ComputerWorld has more detail by daspriest · · Score: 1

      Umm, it's the government, do you really need any more explanation than that?

    5. Re:ComputerWorld has more detail by jo42 · · Score: 1

      Sounds like it was written by a kitchen table hack that passed all the HR buzzword requirements...

    6. Re:ComputerWorld has more detail by seann · · Score: 1

      "I was typing the URL from memory"

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    7. Re:ComputerWorld has more detail by MichaelSmith · · Score: 1

      He presented it as a report of a security problem, and in doing so, had to admit to testing (exploiting) it.

    8. Re:ComputerWorld has more detail by seann · · Score: 1

      ouch.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  5. Tripwiring flaws by KiloByte · · Score: 3, Interesting

    Actually, it is possible that the GSA waited with the response on purpose. At least this is what I used to do on a MUD -- carefully logging every action, in an attempt to get a list of the crooks. The bastards would then get slapped with appropriate action, including revoking gains for a period in the past. This would make them appropriately punished as opposed to simply fixing the flaw and letting them slide.

    This assumes some competency on the GSA's part -- but oh well, whom am I kidding?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Tripwiring flaws by DrMrLordX · · Score: 4, Interesting

      An interesting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violator could have racked up tons of data on other bidding firms and distributed it to any number of non-violators, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.

    2. Re:Tripwiring flaws by lanswitch · · Score: 1

      Maybe they set up a honeypot? You know, the one that doesn't give actual information, but just logs all requests.

  6. Wow. Government inefficiency. Surprise. by SMS_Design · · Score: 2, Informative

    Having seen how the Gov't works in regards to computer systems, this is no surprise. Something gets reported, sits in an inbox, is read by someone who doesn't care, so they forward it to someone else.. eventually, it hits the inbox of someone who cares. This person is the exception, not the rule. As soon as someone becomes a federal government employee, you can almost watch as they just stop giving a damn about anything.

  7. Ok, but.. by CCFreak2K · · Score: 5, Funny

    Did they find who left the Sony Music CD in the drive when they were done listening?

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  8. So... by BorgCopyeditor · · Score: 0, Troll

    ...is this the result of another brilliant recess appointment of an unqualified person to a government post? ;-)

    --
    Shop as usual. And avoid panic buying.
    1. Re:So... by Anonymous Coward · · Score: 0

      Clearly you haven't seen the civilian government at work around Christmas-time, so I'll fill you in:

      If the entire earth caught on fire, burnt to a crisp, and fell into the ocean in the last two weeks of December, not a damn thing would be done about it until the incident was caught up with sometime in January. Because finding a civil service worker in December is like trying to find a snowflake in July.

      This story should be titled: "Shockingly, Government workers take Christmas off".

  9. Well... by Anonymous Coward · · Score: 0

    Since the morning seems to be slow, allow me to help get it going right.

  10. Real data or... by phorm · · Score: 1

    If it were me doing it, I'd throw out lots of data, but all of it pretty much bunk. Makes things seem more realistic, while in reality making them useless.

  11. Re:Wow. Government inefficiency. Surprise. by erbmjw · · Score: 1

    For a number of the government employees it's not only that they stop giving a damn about anything. It's that after the repeated shitkickings and abuse they get for giving a damn, either 1) their spirit gets broken, 2) they get out of the civil service before their spirit gets broken and they start not giving a damn, or 3) they become real nasty/skilled individuals who the senior bureaucrats are afraid to mess with.

  12. This kind of flaw is hard to fix by RedLaggedTeut · · Score: 1

    This kind of flaw is hard to fix, not because of the single flaw, but because it is likely that most other components of the system have the same flaw; that is, if the system has lots of subdata "owned" by someone, fixing one flaw and going public about it would just have made people poke and prod at the other flaws.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
  13. Uncertainty ? by smoker2 · · Score: 2, Interesting
    The security flaw, which could have permitted contractor fraud ...
    surely that should read

    The security flaw, which would have permitted contractor fraud

    There is no uncertainty, and it is wrong to suggest that there might be. It just makes the mistake seem less vital.

    Whether or not someone used that flaw to commit wrongdoing is irrelevant. The capability did exist.

    For those that think this is unnecessary grammar nazism, there is a difference between fact and probability.

    For example, if you were to leave a gate open on a field of cattle, then you would have allowed the cattle to escape. To say that you could have allowed them to escape twists the facts. An open gate does, in fact, allow cattle to escape.

    If however, you shut the gate but didn't fasten the bolt correctly, then you could claim that the cattle could have escaped, because there was an element of uncertainty.

    A small point but important, especially in these days of endless corporate spin and EULAs.

    1. Re:Uncertainty ? by TubeSteak · · Score: 1

      Hopefully they had proper logging procedures in place to monitor every action taken on their website.

      If they didn't, then they pretty much have to assume that all their data is compromised, grammar-nazism or not.

      The gov't has a whole set of rules & laws just for dealing with requisitions/contracts, and since it is an outside contractor, I hope they get fuxxored in the butt for (most likely) violating the terms of their contract/allowing bids to be seen.

      --
      [Fuck Beta]
      o0t!
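    TubeSteak's point (and KiloByte's tripwire idea further up) only works if the logs carry the caller's identity and the record they touched, and someone actually looks at them. The following is an added example, not anything from the thread or from the GSA, of the simplest check that would have caught "change the ID, see a different record": key on the client-certificate subject (which survives an IP change), and flag any caller who reads many distinct records or walks a run of consecutive IDs. The log format, the field names, the subjects and the thresholds are all constructed assumptions.

```python
"""Added example, not part of the thread: detecting record-ID enumeration in
access logs. Log format, identities and thresholds are constructed."""

import re
from collections import defaultdict

# Constructed access-log lines. Before the fix every probe returns 200, so the
# status code alone cannot tell legitimate reads from enumeration.
LOG_LINES = [
    '2006-01-10T14:03:01Z subject="CN=Acme Federal Systems" GET /eoffer/record?id=1001 200',
    '2006-01-10T14:03:05Z subject="CN=Acme Federal Systems" GET /eoffer/static/logo.gif 200',
    '2006-01-10T14:03:09Z subject="CN=Acme Federal Systems" POST /eoffer/record?id=1001 200',
    '2006-01-10T14:10:41Z subject="CN=Beta Consulting LLC" GET /eoffer/record?id=1002 200',
    '2006-01-10T14:20:00Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1001 200',
    '2006-01-10T14:20:02Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1002 200',
    '2006-01-10T14:20:03Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1003 200',
    '2006-01-10T14:20:05Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1004 200',
    '2006-01-10T14:20:06Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1005 200',
    '2006-01-10T14:20:08Z subject="CN=Gamma Solutions Inc" GET /eoffer/record?id=1006 200',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) subject="(?P<subject>[^"]+)" (?P<method>GET|POST) '
    r'/eoffer/record\?id=(?P<id>\d+) (?P<status>\d{3})$'
)


def parse(lines):
    """Yield (subject, record_id) for record requests; other URLs are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("subject"), int(m.group("id"))


def longest_consecutive_run(seq):
    """Length of the longest run of strictly consecutive IDs in request order."""
    best = run = 1 if seq else 0
    for a, b in zip(seq, seq[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines, max_distinct=3, run_len=3):
    """Map subject -> reasons for every caller whose access pattern looks like
    enumeration. A contractor normally touches only its own handful of records."""
    ids_by_subject = defaultdict(set)
    order_by_subject = defaultdict(list)
    for subject, rid in parse(lines):
        ids_by_subject[subject].add(rid)
        order_by_subject[subject].append(rid)

    flagged = {}
    for subject, ids in ids_by_subject.items():
        reasons = []
        if len(ids) > max_distinct:
            reasons.append(f"{len(ids)} distinct records")
        if longest_consecutive_run(order_by_subject[subject]) >= run_len:
            reasons.append("sequential ID walk")
        if reasons:
            flagged[subject] = reasons
    return flagged


if __name__ == "__main__":
    for subject, reasons in find_enumerators(LOG_LINES).items():
        print(subject, "->", "; ".join(reasons))
```

    The thresholds are deliberately low for a system where each contractor owns a few records; tune them to the real distribution before alerting on them, and keep the record ID in the log line in the first place, since without it the post-incident question "whose data did this caller see" cannot be answered at all.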
    2. Re:Uncertainty ? by Anonymous Coward · · Score: 0

      If you leave the gate open, but the cows did not actually escape, the 'could have escaped' wording is accurate.

      They're not dodging responsibility with this wording. It's unknown whether or not anyone actually did anything unethical. That is the element of uncertainty. It is not certain that any contractor would have ever cheated, just as it's possible that no cows at all may have left the pasture.

      I must say, your post takes the semantic splitting-of-hairs to new depths of stupidity.

  14. Notabug by Anonymous Coward · · Score: 0

    Apply Occam's Razor. Select the most likely of the two following scenarios:

    1. The programmers of the bidding site were actually incompetent enough to oversee this very obvious flaw.
    2. The GSA ordered a backdoor in the system to manipulate the biddings and to allow bribes to flow easier.

    1. Re:Notabug by ebrandsberg · · Score: 2, Insightful

      Never attribute to cunning and deception what is easily explained by incompetence and laziness when it comes to the Government.

    2. Re:Notabug by Kirth+Gersen · · Score: 1

      > Never attribute to cunning and deception what is easily explained by incompetence and laziness when it comes to the Government.

      In whose interests is it that we should follow that rule?

  15. A "cat strapped to buttered toast" decision. by sethstorm · · Score: 1

    Apply Occam's Razor. Select the most likely of the two following scenarios:

    1. The programmers of the bidding site were actually incompetent enough to oversee this very obvious flaw.
    2. The GSA ordered a backdoor in the system to manipulate the biddings and to allow bribes to flow easier.


    Unfortunately, this is a case where both A *and* B have both equal possibilities.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  16. Kind of similar security problem with Rogers Cable by Anonymous Coward · · Score: 0
    This reminds me a little of this story, concerning Rogers Cable here in Canada.

    It turns out that a feature/flaw on Rogers' website allowed you to check to see what cable channels your neighbours subscribed to. All you needed was a subscriber's name, phone number, and postal code (easily available information), and you could find out if the neighbours were subscribing to the Hustler Channel or Hard On Pridevision. Funny shit. Unfortunately Rogers fixed the problem.

  17. Re:Gov't Employees == Affirmative Action Negroes by Anonymous Coward · · Score: 0

    'Shiftless' has to be my all time favorite adjective for describing colored folks. Bravo!

  18. Re:Wow. Government inefficiency. Surprise. by Anonymous Coward · · Score: 0

    Have you tried to get help from customer services of any large private organisation? Same thing

  19. GSA not a center of security excellence by Anonymous Coward · · Score: 0
    Up until about three years ago, a major GSA website was run by a monolithic CGI which constantly cored. None of the HTTP parameters were validated for length, so any very long param would overflow the buffer and cause a dump. Worse yet, the CGI executable had a file path that exactly followed the URL and was owned by and write enabled for the web-server's unix account. A stack smash would have been trivial, allowing complete replacement of the executable file, exposing the back-end financial DB for write and read access. When the vulnerability was pointed out, no action was taken, as a major project was underway (and months behind schedule) to update the site.

    It doesn't get much better than this in US Government. Some agencies and departments are more formal about security, but that formality often consists of laborious compliance with irrelevant procedures by individuals who know only how to follow their own misinterpretation of the "the book".

    Exploits trigger overreactions. If a password is hacked, the new requirement will be for weekly changes to passwords of at least 16 characters, including at least 4 each of alphabetic, numeric, symbol. The predictable result is that all the passwords are written on yellow stickies on the monitor bezels. But procedures have been enforced!
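    The detail in this comment that turns a crash into a takeover is the file layout: a CGI binary owned by, and writable by, the account the web server runs as, so a process that has been stack-smashed can overwrite the very executable the next request will run. That is a condition you can audit for. The following is an added example, not GSA's code, that walks a cgi-bin and reports every executable the web-server account could modify; the directory contents, file names and the choice of the current user as the "web-server account" are constructed assumptions, and the mode checks assume a POSIX filesystem.

```python
"""Added example, not GSA's code: audit a CGI directory for executables that
the web server's own unix account could overwrite. Layout, names and the
web-server account are constructed; mode checks assume POSIX."""

import os
import stat
import tempfile
from pathlib import Path


def writable_by_server(st: os.stat_result, server_uid: int, server_gid: int):
    """Return why a process running as server_uid/server_gid could write this
    file, or None. A stack-smashed CGI runs with exactly these IDs, so any
    write bit it can exercise lets it replace its own executable."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid == server_uid and mode & stat.S_IWUSR:
        return "owned by the web-server account with owner write"
    if st.st_gid == server_gid and mode & stat.S_IWGRP:
        return "group-writable by the web-server group"
    return None


def audit_cgi_dir(cgi_dir, server_uid: int, server_gid: int):
    """Return (relative path, reason) for every executable under cgi_dir that
    the web-server account could modify. Symlinks are skipped rather than
    followed so a link pointing out of the tree cannot make the report lie."""
    findings = []
    root = Path(cgi_dir)
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue  # data files are never executed; out of scope here
        reason = writable_by_server(st, server_uid, server_gid)
        if reason:
            findings.append((str(p.relative_to(root)), reason))
    return findings


def demo():
    """Build a constructed cgi-bin with one correct and two bad binaries and
    audit it, treating the current user as the web-server account (the only
    owner a non-root run can produce). The directory is left for inspection."""
    base = tempfile.mkdtemp(prefix="cgi-audit-")
    files = {
        "good.cgi": 0o555,    # executable; only root can change it
        "bad.cgi": 0o755,     # the flaw in the comment: server owns it and can write it
        "legacy.cgi": 0o777,  # worse still: anyone can write it
        "data.txt": 0o666,    # writable but not executable; not flagged here
    }
    for name, mode in files.items():
        path = Path(base, name)
        path.write_bytes(b"#!/bin/sh\necho Content-Type: text/plain\n")
        os.chmod(path, mode)
    return audit_cgi_dir(base, os.getuid(), os.getgid())


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

    Two caveats when using this for real: a writable parent directory lets an attacker swap the binary in by rename even when the file itself is read-only, so the same check belongs on every directory along the path; and the fix is not just flipping mode bits but having a deploy account or root own the executables (mode 0555) while the server runs as an account that owns nothing under the document root.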

    1. Re:GSA not a center of security excellence by Anonymous Coward · · Score: 0

      But the system is stagnant. In the case of the USAF, we are limited to something called AFWAY to search for new computer equipment. It's a good site but the passwords are only eight characters, stagnant, and do not have to be changed every 42-90 days like our network passwords. It will become monolithic in scope soon. I can guarantee it.

  20. 3rd Option.... by woolio · · Score: 1
    The programmers of the bidding site were actually competent enough to oversee this very obvious flaw.



    The difference is subtle (and probably a bit less likely), yet highly interesting!!
    (Recall that a foreman oversees his employees)

  21. client certificates stupid? by eggfellow · · Score: 1

    from tfa:

    "The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who performs tests for corporations. "Well, the 9/11 hijackers also had authentic drivers' licenses..."

    is this as moronic a statement as it appears?