Slashdot Mirror

← Back to Stories (view on slashdot.org)

GSA Bidding Site Compromised By Flaw

Posted by Zonk on from the let's-form-a-committee dept.

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractor's corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"

11 of 43 comments (clear)

  1. Nothing to see here.... by zappepcs · · Score: 3, Funny

    move along...
    First Military intelligence was considered an oxymoron, and now the govermnent gives us Government Computer Security ??? This is a surprise? This is news? Wow, and to think, next thing you know, they'll be outsourcing tax processing to India... oh, wait....

    Never mind

    --
    Support NYCountryLawyer RIAA vs People
  2. Yeah... by andreMA · · Score: 3, Funny
    Clearly the people who log in would know about security.
    This is the Federal Government. Don't bet on that.
  3. ComputerWorld has more detail by joeflies · · Score: 4, Informative
    Computerworld article Apparently the "Flaw" was that records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

    The site used digital certs to protect authentication, so it wasn't amtter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as privleged user) and coding.

    1. Re:ComputerWorld has more detail by DrMrLordX · · Score: 3, Interesting

      That explains the flaw, but can anyone explain why it took three weeks to take the system down after the flaw was reported? And here I was thinking the delay in correcting false news coming out of the Sago mine was bad. Three hours is nothing compared to twenty days.

    2. Re:ComputerWorld has more detail by MichaelSmith · · Score: 2, Insightful
      records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

      Same as the GST hacking problem here in .au in 1999. The person who pointed this out to the tax office got charged with hacking because he tried out a few alternative URL's

      --
      http://michaelsmith.id.au
  4. Tripwiring flaws by KiloByte · · Score: 3, Interesting

    Actually, it is possible that the GSA waited with the response on purpose. At least this is what I used to do on a MUD -- carefully logging every action, in an attempt to get a list of the crooks. The bastards would then get slapped with appropiate action, including revoking gains for a period in the past. This would make them appropiately punished as opposed to simply fixing the flaw and let them slide.

    This assumes some competency on the GSA's part -- but oh well, whom am I kidding?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Tripwiring flaws by DrMrLordX · · Score: 4, Interesting

      An interseting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violater could have racked up tons of data on other bidding firms and distributed to any number of non-violaters, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.

  5. Wow. Government inefficiency. Surprise. by SMS_Design · · Score: 2, Informative

    Having seen how the Gov't works in regards to computer systems, this is no surprise. Something gets reported, sits in an inbox, is read by someone who doesn't care, so they forward it to someone else.. eventually, it hits the inbox of someone who cares. This person is the exception, not the rule. As soon as someone becomes a federal government employee, you can almost watch as they just stop giving a damn about anything.

  6. Ok, but.. by CCFreak2K · · Score: 5, Funny

    Did they find who left the Sony Music CD in the drive when they were done listening?

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  7. Uncertainty ? by smoker2 · · Score: 2, Interesting
    The security flaw, which could have permitted contractor fraud ...
    surely that should read

    The security flaw, which would have permitted contractor fraud

    There is no uncertainty, and it is wrong to suggest that there might be. It just makes the mistake seem less vital.

    Whether or not someone used that flaw to commit wrongdoing is irrelevant. The capability did exist.

    For those that think this is unnecessary grammar nazism, there is a difference between fact and probability.

    For example, if you were to leave a gate open on a field of cattle, then you would have allowed the cattle to escape. to say that you could have allowed them to escape twists the facts. An open gate does, in fact allow cattle to escape.

    If however, you shut the gate but didn't fasten the bolt correctly, then you could claim that the cattle could have escaped, because there was an element of uncertainty.

    A small point but important, especially in these days of endless corporate spin and EULAs.

  8. Re:Notabug by ebrandsberg · · Score: 2, Insightful

    Never attribute to cunning and deception what is easily explained by incompetence and laziness when it comes to the Government.