Slashdot Mirror

← Back to Stories (view on slashdot.org)

GSA Bidding Site Compromised By Flaw

Posted by Zonk on from the let's-form-a-committee dept.

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractor's corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"

4 of 43 comments (clear)

  1. Re:ComputerWorld has more detail by DrMrLordX · · Score: 3, Interesting

    That explains the flaw, but can anyone explain why it took three weeks to take the system down after the flaw was reported? And here I was thinking the delay in correcting false news coming out of the Sago mine was bad. Three hours is nothing compared to twenty days.

  2. Tripwiring flaws by KiloByte · · Score: 3, Interesting

    Actually, it is possible that the GSA waited with the response on purpose. At least this is what I used to do on a MUD -- carefully logging every action, in an attempt to get a list of the crooks. The bastards would then get slapped with appropiate action, including revoking gains for a period in the past. This would make them appropiately punished as opposed to simply fixing the flaw and let them slide.

    This assumes some competency on the GSA's part -- but oh well, whom am I kidding?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Tripwiring flaws by DrMrLordX · · Score: 4, Interesting

      An interseting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violater could have racked up tons of data on other bidding firms and distributed to any number of non-violaters, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.

  3. Uncertainty ? by smoker2 · · Score: 2, Interesting
    The security flaw, which could have permitted contractor fraud ...
    surely that should read

    The security flaw, which would have permitted contractor fraud

    There is no uncertainty, and it is wrong to suggest that there might be. It just makes the mistake seem less vital.

    Whether or not someone used that flaw to commit wrongdoing is irrelevant. The capability did exist.

    For those that think this is unnecessary grammar nazism, there is a difference between fact and probability.

    For example, if you were to leave a gate open on a field of cattle, then you would have allowed the cattle to escape. to say that you could have allowed them to escape twists the facts. An open gate does, in fact allow cattle to escape.

    If however, you shut the gate but didn't fasten the bolt correctly, then you could claim that the cattle could have escaped, because there was an element of uncertainty.

    A small point but important, especially in these days of endless corporate spin and EULAs.