Slashdot Mirror

← Back to Stories (view on slashdot.org)

GSA Bidding Site Compromised By Flaw

Posted by Zonk on from the let's-form-a-committee dept.

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractor's corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"

26 of 43 comments (clear)

  1. Nothing to see here.... by zappepcs · · Score: 3, Funny

    move along...
    First Military intelligence was considered an oxymoron, and now the govermnent gives us Government Computer Security ??? This is a surprise? This is news? Wow, and to think, next thing you know, they'll be outsourcing tax processing to India... oh, wait....

    Never mind

    --
    Support NYCountryLawyer RIAA vs People
  2. Yeah... by andreMA · · Score: 3, Funny
    Clearly the people who log in would know about security.
    This is the Federal Government. Don't bet on that.
    1. Re:Yeah... by daspriest · · Score: 1
      I completely agree. Unless of course you always trust your security functions to the organization that had the lowest bid.

      Then I just feel sorry for you.

  3. ComputerWorld has more detail by joeflies · · Score: 4, Informative
    Computerworld article Apparently the "Flaw" was that records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

    The site used digital certs to protect authentication, so it wasn't amtter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as privleged user) and coding.

    1. Re:ComputerWorld has more detail by DrMrLordX · · Score: 3, Interesting

      That explains the flaw, but can anyone explain why it took three weeks to take the system down after the flaw was reported? And here I was thinking the delay in correcting false news coming out of the Sago mine was bad. Three hours is nothing compared to twenty days.

    2. Re:ComputerWorld has more detail by MichaelSmith · · Score: 2, Insightful
      records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

      Same as the GST hacking problem here in .au in 1999. The person who pointed this out to the tax office got charged with hacking because he tried out a few alternative URL's

      --
      http://michaelsmith.id.au
    3. Re:ComputerWorld has more detail by daspriest · · Score: 1

      Umm, its the government, do you really need any more explanation then that?

    4. Re:ComputerWorld has more detail by jo42 · · Score: 1

      Sounds like it was written by a kitchen table hack that passed all the HR buzzword requirements...

    5. Re:ComputerWorld has more detail by seann · · Score: 1

      "I was typing the URL from memory"

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    6. Re:ComputerWorld has more detail by MichaelSmith · · Score: 1

      He presented it as a report of a security problem, and in doing so, had to admit to testing (exploiting) it.

      --
      http://michaelsmith.id.au
    7. Re:ComputerWorld has more detail by seann · · Score: 1

      ouch.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  4. Tripwiring flaws by KiloByte · · Score: 3, Interesting

    Actually, it is possible that the GSA waited with the response on purpose. At least this is what I used to do on a MUD -- carefully logging every action, in an attempt to get a list of the crooks. The bastards would then get slapped with appropiate action, including revoking gains for a period in the past. This would make them appropiately punished as opposed to simply fixing the flaw and let them slide.

    This assumes some competency on the GSA's part -- but oh well, whom am I kidding?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Tripwiring flaws by DrMrLordX · · Score: 4, Interesting

      An interseting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violater could have racked up tons of data on other bidding firms and distributed to any number of non-violaters, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.

    2. Re:Tripwiring flaws by lanswitch · · Score: 1

      Maybe they set up a honeypot? You know, the one that doesn't give actual information, but just logs all requests.

  5. Wow. Government inefficiency. Surprise. by SMS_Design · · Score: 2, Informative

    Having seen how the Gov't works in regards to computer systems, this is no surprise. Something gets reported, sits in an inbox, is read by someone who doesn't care, so they forward it to someone else.. eventually, it hits the inbox of someone who cares. This person is the exception, not the rule. As soon as someone becomes a federal government employee, you can almost watch as they just stop giving a damn about anything.

  6. Ok, but.. by CCFreak2K · · Score: 5, Funny

    Did they find who left the Sony Music CD in the drive when they were done listening?

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  7. Real data or... by phorm · · Score: 1

    If it were me doing it, I'd throw out lots of data, but all of it pretty much bunk. Makes things seem more realistic, while in reality making them useless.

  8. Re:Wow. Government inefficiency. Surprise. by erbmjw · · Score: 1

    For a number of the government employees it's not only that they stop giving a damn about anything. It's that after the repeated shitkickings and abuse they get for giving a damn either 1)their spirit gets broken, 2) they get out of the civil service before their spirit gets broken and tehy start not gioving a damn or 3)they become real nasty/skilled individuals who the senior bureaucrats are afraid to mess with.

  9. This kind of flaw is hard to fix by RedLaggedTeut · · Score: 1

    This kind of flaw is hard to fix, not because of the single flaw, but because it is likely that most other components of the system would have the same flaw, that is, if the system has lots of subdata "owned" by someone, fixing one flaw and going public about it would just have made people poke and prod at the other flaws.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
  10. Uncertainty ? by smoker2 · · Score: 2, Interesting
    The security flaw, which could have permitted contractor fraud ...
    surely that should read

    The security flaw, which would have permitted contractor fraud

    There is no uncertainty, and it is wrong to suggest that there might be. It just makes the mistake seem less vital.

    Whether or not someone used that flaw to commit wrongdoing is irrelevant. The capability did exist.

    For those that think this is unnecessary grammar nazism, there is a difference between fact and probability.

    For example, if you were to leave a gate open on a field of cattle, then you would have allowed the cattle to escape. to say that you could have allowed them to escape twists the facts. An open gate does, in fact allow cattle to escape.

    If however, you shut the gate but didn't fasten the bolt correctly, then you could claim that the cattle could have escaped, because there was an element of uncertainty.

    A small point but important, especially in these days of endless corporate spin and EULAs.

    1. Re:Uncertainty ? by TubeSteak · · Score: 1

      Hopefully they had proper logging procedures in place to monitor every action taken on their website.

      If they didn't, then they pretty much have to assume that all their data is compromised, grammar-nazism or not.

      The gov't has a whole set of rules & laws just for dealing with requisitions/contracts and and since it is an outside contractor, I hope they get fuxxored in the butt for (most likely) violating the terms of their contract/allowing bids to be seen.

      --
      [Fuck Beta]
      o0t!
  11. A "cat strapped to buttered toast" decision. by sethstorm · · Score: 1

    Apply Occam's Razor. Select the most likely of the two following scenarios:

    1. The programmers of the bidding site were actually incompetent enough to oversee this very obvious flaw.
    2. The GSA ordered a backdoor in the system to manipulate the biddings and to allow bribes to flow easier.


    Unfortunately, this is a case where both A *and* B have both equal possibilities.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  12. Re:Notabug by ebrandsberg · · Score: 2, Insightful

    Never attribute to cunning and deception what is easily explained by incompetence and laziness when it comes to the Government.

  13. 3rd Option.... by woolio · · Score: 1
    The programmers of the bidding site were actually competent enough to oversee this very obvious flaw.



    The difference is subtle (and probably a bit less likely), yet highly interesting!!
    (Recall that a foreman oversees his employees)

  14. Re:Notabug by Kirth+Gersen · · Score: 1

    > Never attribute to cunning and deception what is easily explained by incompetence and laziness when it comes to the Government.

    In whose interests is it that we should follow that rule?

  15. client certificates stupid? by eggfellow · · Score: 1

    from tfa:

    "The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who perform tests for corporations. "Well, the 9/11 hijackers also had authentic drivers' licenses..."

    is this as moronic a statement as it appears?