Uncle Sam's Travel Site Grounded By Breach
McGruber writes "Northrop Grumman's Govtrip.com website has been shut down following a security breach, according to a report by 'Security Fix' blogger Brian Krebs. Being a federal employee and frequent work traveler, I am (was?) a Govtrip user. My agency required me to use Govtrip to book all of my trips, including my airfare, car rentals, and hotel reservations, so Northrop Grumman's Govtrip databases contain my frequent flier numbers, Avis & Budget car rental numbers and frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.) numbers. Northrop Grumman also stored all of my trip itineraries, including destinations, dates & modes of travel and the particular vendors (airline, hotel, rental car brand, etc.) used on a particular trip. Also stored on the website were my work travel credit-card (it has a $15,000 charge limit), personal checking account where my travel reimbursements were deposited, my home address, and emergency contacts ... just imagine what an accomplished social engineer can do with that combination of information!"
I think you should have posted that anonymously, just to be safe.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
...should be held liable for data breaches like this - even more so than the private sector.
Feddy should have access to the latest security tools - many of which were developed in house - and not making extensive use of non-classified security tools to protect our information is downright criminal.
Next thing you know, the SS or Medicare database will be hacked and then we're really fucked.
(Okay, that's enough use of the <i> tag for one post, I think...)
If having another's check book account number means that one can withdraw from it, here's an easy fix:
Each account gets (at least) 2 numbers:
1. to deposit INTO it,
2. another to write cheques to get $$$ OUT of it, &
3. maybe a 3rd to let vendors & banks (with a cheque in-hand) to check that the balance covers the cheque.
It would - with that structure - not matter that this web site's security is breached (at least for -that- particular account).
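The three-number scheme sketched above, worked through as a toy ledger. This is an added example, not part of the poster's comment or any real bank's system; the `Ledger` class and its method names are invented here. The point it shows is that a site holding only the deposit number (as a reimbursement site would) has nothing that can debit the account or even read its balance.

```python
"""Toy ledger: one account, three independent capability numbers.
Added illustration of the comment's proposal; not a real banking API."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    balance: int


class Ledger:
    def __init__(self):
        # Each number is an independent random token mapped to the account, so
        # knowing one reveals nothing about the others and grants only its role.
        self._deposit = {}   # deposit number  -> Account (credit only)
        self._withdraw = {}  # withdraw number -> Account (debit only)
        self._verify = {}    # verify number   -> Account (yes/no coverage check)

    def open_account(self, balance=0):
        acct = Account(balance)
        dep_no, wd_no, ver_no = (secrets.token_hex(16) for _ in range(3))
        self._deposit[dep_no] = acct
        self._withdraw[wd_no] = acct
        self._verify[ver_no] = acct
        return dep_no, wd_no, ver_no

    def deposit(self, deposit_no, amount):
        # A withdraw or verify number is simply unknown in this table.
        acct = self._deposit.get(deposit_no)
        if acct is None or amount <= 0:
            return False
        acct.balance += amount
        return True

    def withdraw(self, withdraw_no, amount):
        acct = self._withdraw.get(withdraw_no)
        if acct is None or amount <= 0 or acct.balance < amount:
            return False
        acct.balance -= amount
        return True

    def covers(self, verify_no, amount):
        # Answers only "does the balance cover this cheque?", never the balance itself.
        acct = self._verify.get(verify_no)
        return acct is not None and acct.balance >= amount


if __name__ == "__main__":
    ledger = Ledger()
    dep, wd, ver = ledger.open_account()
    ledger.deposit(dep, 100)                      # reimbursement arrives
    print("leaked deposit number can debit:", ledger.withdraw(dep, 50))  # False
    print("cheque for 100 covered:", ledger.covers(ver, 100))            # True
```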
Keeping such sensitive data on the internet is atrociously stupid.
You deserve a raise.
Northrop Grumman may not be the only entity with such lax security.
The last I heard, Northrop Grumman was a private company; even IF they work with people in the government, they basically make aircraft and aircraft parts. Why should they be trusted with ANY such information? Are they the Orbitz(TM) of the GAO?
The first line of the summary doesn't even match TFA. A few agencies (FAA & DoT are mentioned explicitly) started blocking the website on their networks to prevent the download of malware/viruses.
TFA specifically says that user information was not compromised, the submitter's car reservation confirmation number from last month is safe. The site was not shut down and loads fine for me.
What I don't get is the reasoning behind hosting 3 servers containing information on US government employees in Taiwan, what the hell?
Keeping that much financial data online is stupidity of the highest order.
Anyone who does that deserves anything they get for trusting the security of their card info to a third party.
I use online services a lot (increasingly so these last two years), and re-enter my card info each time. Sure, it's slow, and less convenient, but if a site is hacked, my card details won't be stored there. I'm far too worried by that to let any site keep my card details.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
...you're totally screwed.
...frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.)
How much do these "guests" cost? and what sort of privileges and rewards do they offer in this club?
'hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems'
'was this breach similar to what happened in the FISERV/CheckFree incident, or did something else happen?'
Many, many companies have preferred travel vendors, and require their employees to use them for all travel. And "how rock solid is your DB security?" is rarely question one. Deciding on a travel provider pretty much always comes down to cost and security.
At a previous job, the reasonably small travel company we had to use got hacked into. They didn't know what, if anything, was taken. They told us "sorry" and offered us 6 months of identity theft monitoring. My company didn't even cancel their contract. If you worked in the private sector, do you really think yours would?
I moved to a company that allows me to book my own travel direct through airline/hotel websites. It's a few more sites to visit for me, but at least I don't have some fly-by-night middleman with all my info. I'm lucky--few people have that option.
Seriously... I am taking public transport; it's making me sick just to listen to what happens to my tax dollars :)
The securest system is in a locked room, not connected to anything, and switched off. It's just not very useful.
You don't travel much, do you? Sure, I suppose I could call all the travel suppliers, and they could keep paper records. But that's massively inefficient.
Sorry, I WANT to be able to make travel arrangements quickly and easily. I want to have a profile with my favorite hotels and frequent traveler information so I don't need to type it in every time. I want to be able to see my upcoming reservations, so I know when my flight to Atlanta leaves this week, or so I can verify that I booked travel through the end of the month for a recurring reservation. I want to be able to update my trip from my iPhone when a flight gets canceled or a customer reschedules a site visit. And, yes, to the extent hotels require a credit card to hold a reservation, I want them to have that information available.
The great promise of the internet is in making life convenient. The above things all make my life as a frequent traveler more convenient. I don't think I'm unreasonable, or naive about security. I want companies to provide the services above, and to do that securely and well. This is not an impossible task. It's merely a difficult one.
Calling for people to remove any information that could be useful to identify thieves from any machine connected to the internet is the only thing that's atrociously stupid.
Can we at least spell Northrop Grumman correctly?
when I was a federal employee it was illegal to use frequent flyer bonuses of any type.
The company has been claiming to be "...expanding their monitoring capabilities to include additional network and host based intrusion monitoring technologies" for years. The problem is that no one is willing to pay for it, because Northrop's customers correctly assert it should be a part of any IT infrastructure implementation contract. Since no one is willing to pay Northrop additional money to competently manage their networks, Northrop doesn't.
Making the problem worse, Northrop's sysadmins routinely delete or trim logs to which they have access because the company's information security will not tell the sysadmins what events are considered "reportable", so they log everything, which results in log files so large they can't be stored, or even reviewed daily.
And some of Northrop's server infrastructure won't support the current revision of the vendor's anti-virus software, so various divisions of the company request waivers to those requirements. Those waivers are a violation of company policy, even if compliance is impossible to achieve, but no one wants to re-write the policy to recognize the cold, hard reality that Northrop's infrastructure is so complicated that the "one size fits all" approach is the path to failure.
And, to top it all off, Northrop's information systems auditors are incompetent. They routinely refuse to document known deficiencies because it would make the company look bad, and the company's external auditor, Deloitte, sends softball auditors to Northrop that have no knowledge or expertise in the information systems they're auditing. Because Northrop has a documented "system of control", it's considered "mature", even if most of the controls are fiction.
So this doesn't surprise me in the least.
I was working at CSC in 2001 - 2002, and CSC had the contract for the Navy's civilian personnel timekeeping system. CSC had similar problems, with similar causes. Then, as with Northrop, the real problem is the utter lack of customer oversight and accountability.
I hope the CIA wasn't required to use it! :-)
I guess the cat is out of the bag now...
The Website was not disabled. Rather, the web-based compromise began redirecting users to malicious websites.
It is interesting to read that the 'compromise' was achieved through eAuthentication, a ubiquitous federal application serving multiple agencies.
It seems like the attack could have been more harmful than this apparently relatively ineffectual inconvenience.
when I was a federal employee it was illegal to use frequent flyer bonuses of any type.
No, it's allowed now. Mostly worthless anyway since airlines make it almost impossible to use them.
Now, have a look at this: they had the DEFAULT configuration? Good grief!
The General Services Administration (GSA) and Northrop Grumman (NG) contractor has conducted extensive forensic analysis and confirmed that the GovTrip systems were successfully compromised. Forensic analysis revealed that hackers were able to gain access from four remote systems (3 systems residing in Taiwan and 1 system belonging to Harvard University) to exploit a default configuration setting in the GovTrip eAuthentication module that allowed remote administration using the Internet.
If you want news from today, you have to come back tomorrow.
Given the width and breadth of the Bush Administration's lawlessness, the options open to avoid a civil war are reducing at a dramatic pace.
An, i.e. another, inquiry into the Bush Administration's abdication of all laws, US, US States, International, will fail because the current leaders of the House and Senate are at least guilty of omission in regards to the Bush Administration's lawlessness.
This would normally necessitate an international war crimes inquiry and subsequent trial.
Unfortunately, many international governments, and their (let us say "Officials" rather than "Stooges") Officials are complicitous in the alleged (let's forget the pleasantries as the crimes are actual) crimes against humanity.
This necessitates actions through civil war, to purge the US Federal government, and those recently relieved of duty, of the perpetrators of the crimes against the peoples of the States of the United States, and the peoples of the World. The perpetrators are still "at large" and are a threat to the peoples of the United States of America and the Peoples of the world.
I'm a Govtrip user as well (the "E-Gov Travel Center for Excellence" just emailed me to tell me everything is just fine, so it must be back) and my primary question is why do we have defense contractors running internet travel sites?
Govtrip took a long time to become ready for prime-time and to this day isn't a model of the programming arts.
Wonder how much it costs...
A greater concern is "Electronic Questionnaires for Investigations Processing (e-QIP)". If you need a security clearance you go to the e-QIP site and put in your life history, friends, bank info, credit history, medical history, everything.
It's an identity thief's dream, absolutely everything needed for somebody else to become you. In fact, someone with this kind of information would have a better claim to being you than YOU would.
But don't worry, it's hacker proof.