Slashdot Mirror


Uncle Sam's Travel Site Grounded By Breach

McGruber writes "Northrop Grumman's Govtrip.com website has been shut down following a security breach, according to a report by 'Security Fix' blogger Brian Krebs. Being a federal employee and frequent work traveler, I am (was?) a Govtrip user. My agency required me to use Govtrip to book all of my trips, including my airfare, car rentals, and hotel reservations, so Northrop Grumman's Govtrip databases contain my frequent flier numbers, Avis & Budget car rental numbers and frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.) numbers. Northrop Grumman also stored all of my trip itineraries, including destinations, dates & modes of travel and the particular vendors (airline, hotel, rental car brand, etc.) used on a particular trip. Also stored on the website were my work travel credit-card (it has a $15,000 charge limit), personal checking account where my travel reimbursements were deposited, my home address, and emergency contacts ... just imagine what an accomplished social engineer can do with that combination of information!"

20 of 67 comments

  1. Just to be safe by Hognoxious · · Score: 3, Funny

    I think you should have posted that anonymously, just to be safe.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Accounts need 2 access no's: In & Out #'s by ivi · · Score: 4, Interesting

    If having another's check book account number means that one can withdraw from it, here's an easy fix:

    Each account gets (at least) 2 numbers:

    1. to deposit INTO it,
    2. another to write cheques to get $$$ OUT of it, &
    3. maybe a 3rd to let vendors & banks (with a cheque in-hand) to check that the balance covers the cheque.

    It would - with that structure - not matter that this web site's security is breached (at least for -that- particular account).
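The "one number per privilege" scheme proposed in this comment, modelled in Python so the property it relies on can be checked: a site that only ever deposits reimbursements holds only the deposit number, so a breach of that site yields no ability to withdraw or even to read the balance. This is an added example, not code from the post or from any bank; the Bank and Account classes, the random tokens and the balances are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


def _new_token() -> str:
    # 128-bit random token: unguessable, unlike a printed account number
    return secrets.token_hex(16)


@dataclass
class Account:
    balance: int = 0  # in cents
    # One independent token per privilege, as the comment proposes.
    deposit_token: str = field(default_factory=_new_token)
    withdraw_token: str = field(default_factory=_new_token)
    verify_token: str = field(default_factory=_new_token)


class Bank:
    """Maps every token to exactly one privilege on exactly one account."""

    def __init__(self) -> None:
        self._by_token = {}  # token -> (privilege, account)

    def open_account(self, initial: int = 0) -> Account:
        acct = Account(balance=initial)
        self._by_token[acct.deposit_token] = ("deposit", acct)
        self._by_token[acct.withdraw_token] = ("withdraw", acct)
        self._by_token[acct.verify_token] = ("verify", acct)
        return acct

    def _authorize(self, token: str, privilege: str) -> Account:
        entry = self._by_token.get(token)
        # A valid token for a *different* privilege is refused exactly like
        # an unknown one; knowing one number never implies the others.
        if entry is None or entry[0] != privilege:
            raise PermissionError(f"token does not grant '{privilege}'")
        return entry[1]

    def deposit(self, token: str, amount: int) -> int:
        acct = self._authorize(token, "deposit")
        acct.balance += amount
        return acct.balance

    def withdraw(self, token: str, amount: int) -> int:
        acct = self._authorize(token, "withdraw")
        if amount > acct.balance:
            raise ValueError("insufficient funds")
        acct.balance -= amount
        return acct.balance

    def covers(self, token: str, amount: int) -> bool:
        # The vendor with a cheque in hand learns yes/no, not the balance.
        acct = self._authorize(token, "verify")
        return acct.balance >= amount


def simulate_breach() -> dict:
    """Outcome for an attacker who obtained only the deposit number,
    which is all a reimbursement site like the one in the story needs."""
    bank = Bank()
    victim = bank.open_account(initial=50_000)  # $500.00, constructed value
    stolen = victim.deposit_token
    outcome = {}
    outcome["deposit"] = bank.deposit(stolen, 1_000) == 51_000
    for action in ("withdraw", "covers"):
        try:
            getattr(bank, action)(stolen, 1_000)
            outcome[action] = "allowed"
        except PermissionError:
            outcome[action] = "denied"
    # The legitimate holder of the withdraw token is unaffected by the breach.
    outcome["owner_withdraw"] = bank.withdraw(victim.withdraw_token, 51_000) == 0
    return outcome


if __name__ == "__main__":
    print(simulate_breach())
```

The design point is that the lookup table keys on the token and records which single privilege it was issued for, so there is no operation that accepts "the account number" and then decides what to allow; each number is itself the authorisation.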

    1. Re:Accounts need 2 access no's: In & Out #'s by SmokeyTheBalrog · · Score: 2, Interesting

      You may be right about which one is secure. (Answer: neither.)

      But, if you use American Express they will really help you with purchase problems/charge back. (Had em rape a camera vendor once.) And other credit cards will help to varying degrees. And if you are renting a car you usually get free insurance. Then there are frequent flyer miles you get with purchases.

      Do checking accounts offer any of these? If so I would really like to know.

      And in the end I carry a piece of thin plastic vs a rather thick bundle of paper.

      With a few credit/bank cards, about $20-$60 in cash, IDs, I use a mini-wallet and have space to spare.
      Mine is similar to this one:
      http://www.hotref.com/Wenger-Leather-Card-Wallet-p-3643.html

      My whole wallet ends up being 1/2 to 1/3 what others carry.

    2. Re:Accounts need 2 access no's: In & Out #'s by elefantstn · · Score: 2, Interesting

      You wouldn't give the Kwik-E-Mart your checking account number. You use a credit card (if not cash) because it has fraud monitoring and the ability to dispute charges.

      What you were missing in your GP comment is that in this particular scenario, the OP only needs to give govtrip.com access to his account for deposit reasons. Therefore, if someone were to steal his information under the multiple-account-number system, all they would have is the ability to deposit more money into his account. He's not using his checking account to pay for anything on that site.

      --
      If it ain't broke, you need more software.
    3. Re:Accounts need 2 access no's: In & Out #'s by j1mmy · · Score: 2, Interesting

      A credit card is ideal because it places risk at the credit card company instead of at the bank, where your money is. A fraudulent credit card charge is far easier to deal with than a fraudulent withdrawal. Good luck paying your bills when your checking account is empty.

  3. bad summary by socsoc · · Score: 4, Informative

    The first line of the summary doesn't even match TFA. A few agencies, FAA & DoT are mentioned explicitly, started blocking the website on their networks to prevent the download of malware/viruses.

    TFA specifically says that user information was not compromised, the submitter's car reservation confirmation number from last month is safe. The site was not shut down and loads fine for me.

    What I don't get is the reasoning behind hosting 3 servers containing information on US government employees in Taiwan, what the hell?

    1. Re:bad summary by sunking2 · · Score: 2, Informative

      I believe what they meant was that those were where the remote hosts that hacked the site were. Along with one from Harvard. But still, the summary is so full of paranoia and hype it's almost sickening. This seems to be nothing more than a front page being changed to redirect to a new destination. Hardly anything to get your panties in a twist.

  4. Re:Sadly by cypherwise · · Score: 2, Informative

    Contractors basically bid on any contract they can. Then hire the expertise needed to complete that contract during/after the bidding. Many of the big name contractors do A LOT more than their traditional public image leads many to believe.
    Also, would it have really made a difference if the website was .gov or .com? The government, in general, doesn't have the desire to produce and maintain a site like that in-house.

  5. And now they have your /. handle too... by Patch86 · · Score: 2, Funny

    ...you're totally screwed.

  6. details of hack .. by viralMeme · · Score: 2, Interesting

    'hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems'

    'was this breach similar to what happened in the FISERV/CheckFree incident, or did something else happen?'

  7. Spelling??? by LiQiuD · · Score: 4, Funny

    Can we at least spell Nothrop Grumman correctly?

  8. Re:Governments... by Clover_Kicker · · Score: 3, Insightful

    Northrop-Grumman (i.e. the company who runs the site, the guys who fucked up) is private sector.

    Being in the private sector is not magic pixie dust that makes people smarter and systems more secure.

  9. Re:Sadly by Hognoxious · · Score: 2, Informative

    The government, in general, doesn't have the ability to select a competent contractor to produce and maintain a site like that in-house.

    Fixed now.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  10. Re:Governments... by Curunir_wolf · · Score: 4, Interesting

    They are also the company that is basically taking over all of the IT functions for the Commonwealth of Virginia. It's working about as smoothly as you would expect.

    I'm sure once all the agencies have turned over all their equipment, applications, and network services to Northrop-Grumman to be run from their new high-efficiency data center, that IT service will improve, security will be rock-solid, and costs will drop like a stone.

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  11. Re:what? by codepunk · · Score: 3, Informative

    Let me enlighten you here, Mr. Security Expert. Once you hit that submit button on your shopping cart at Joe's online store, you have no idea what just happened with that information. I don't care if you put in your CC number a thousand times, it does not in any way mean that the other end is not storing the information. In fact, for all you know it sends an email to someone that processes the order; however, Mr. Hacker already owns that server and grabs everything running through the mail spool. Or has just modified the code to send himself a copy of your information as well.

    --
    Got Code?
  12. I used to work for Northrop... by Anonymous Coward · · Score: 2, Interesting

    The company has been claiming to be "...expanding their monitoring capabilities to include additional network and host based intrusion monitoring technologies" for years. The problem is that no one is willing to pay for it, because Northrop's customers correctly assert it should be a part of any IT infrastructure implementation contract. Since no one is willing to pay Northrop additional money to competently manage their networks, Northrop doesn't.

    Making the problem worse, Northrop's sysadmins routinely delete or trim logs to which they have access because the company's information security will not tell the sysadmins what events are considered "reportable", so they log everything, which results in log files so large they can't be stored, or even reviewed daily.

    And some of Northrop's server infrastructure won't support the current revision of the vendor's anti-virus software, so various divisions of the company request waivers to those requirements. Those waivers are a violation of company policy, even if compliance is impossible to achieve, but no one wants to re-write the policy to recognize the cold, hard reality that Northrop's infrastructure is so complicated that the "one size fits all" approach is the path to failure.

    And, to top it all off, Northrop's information systems auditors are incompetent. They routinely refuse to document known deficiencies because it would make the company look bad, and the company's external auditor, Deloitte, sends softball auditors to Northrop that have no knowledge or expertise in the information systems they're auditing. Because Northrop has a documented "system of control", it's considered "mature", even if most of the controls are fiction.

    So this doesn't surprise me in the least.

    I was working at CSC in 2001 - 2002, and CSC had the contract for the Navy's civilian personnel timekeeping system. CSC had similar problems, with similar causes. Then, as with Northrop, the real problem is the utter lack of customer oversight and accountability.

  13. Re:Sadly by perlchild · · Score: 2, Insightful

    If it let them snoop on who was traveling to their competitor's facilities during particularly hectic contracts, I'd say it would have made a difference.

    Not that it's contracted out, but that it's contracted out to a large firm who already does a specific kind of business with the government. Contracting out to Orbitz or American Express for travel is one thing. Contracting to someone who has a corporate interest in knowing who visits Boeing is another.

  14. CIA? by divisionbyzero · · Score: 2, Insightful

    I hope the CIA wasn't required to use it! :-)

  15. Hype by emance · · Score: 4, Informative

    The Website was not disabled. Rather, the web-based compromise began redirecting users to malicious websites.

    It is interesting to read that the 'compromise' was achieved through eAuthentication, a ubiquitous federal application serving multiple agencies.

    It seems like the attack could have been more harmful than this apparently relatively ineffectual inconvenience.

  16. Defense Contractor Web Services? by fazookus · · Score: 2, Insightful

    I'm a Govtrip user as well (the "E-Gov Travel Center for Excellence" just emailed me to tell me everything is just fine, so it must be back) and my primary question is why do we have defense contractors running internet travel sites?
    Govtrip took a long time to become ready for prime-time and to this day isn't a model of the programming arts.

    Wonder how much it costs...

    A greater concern is "Electronic Questionnaires for Investigations Processing (e-QIP)". If you need a security clearance you go to the e-QIP site and put in your life history, friends, bank info, credit history, medical history, everything.
    It's an identity thief's dream, absolutely everything needed for somebody else to become you. In fact someone with this kind of information would have a better claim to being you than YOU would.

    But don't worry, it's hacker proof.