$2,000 Bribe Bought Password To DC P.O. System
theodp writes "While the Administration is counting on new Federal CIO Vivek Kundra to simplify and speed the federal IT procurement process, it's doubtful he'll be able to reduce red tape to the extent that a former minion of his did at the scandal-rocked D.C. Office of the CTO. Exhibiting some truly out-of-the-box thinking, project manager Tawanna Sellmon not only processed phony invoices for the contractor at the center of the D.C. bribery and kickback scandal, she also gave him the password to the city's computerized database used to track purchase orders. Sellmon pleaded guilty last week for her role in the scam, which netted her an envelope containing $2,000 in cash, as well as an undisclosed number of $25-$100 gift cards."
...is just how laughably cheap people can be bought for. Two grand and some gift cards? SERIOUSLY? You'd go to jail for that? When you're a project manager at a government job with great benefits, probably making more than that every WEEK?
It's like the Abramoff scandal. People will sell out their country for Capitals tickets. It's not even the Bulls or something!!
Freedom isn't free; its price is the well-being of others.
Reading TFA, it looks as if she didn't sell the password, she gave it away to be helpful, and the contractor only later gave her the $2000 (and gift cards) as a present. I.e. she didn't realise what she was doing, that the password she gave him permitted him, basically, to authorise any bill he chose to submit. So she is primarily guilty of total stupidity rather than criminal intent. Maybe, for the good of the species, such stupidity should be treated as even more criminal - but it isn't.
What this makes clear, yet again, is that the human is the weakest point in any system, and any human who has not received positive training in security is a very weak point indeed. Which says that, whatever the physical security, any government database with thousands of users, let alone hundreds of thousands as planned for some, will be subverted, for certain, within months.
Consciousness is an illusion caused by an excess of self consciousness.
This article is an ideal example of a social engineering crack. Consider the comparative difficulty of a technical cracking job and compare it to the simplicity and cheapness of what actually took place. The solution was actually quite elegant in a sordid way.
I once worked for a company that was experiencing a surge of highly organized fraud originating from Romania. Before I left, we were preparing to develop a major anti-fraud application, etc., at great expense. At one meeting I suggested that we just hire a few Romanian private detectives to knock on some doors and quietly suggest to the lowlifes that it would be healthier to leave us alone; the other people in the meeting looked at me as though I were green.
LOL.
"Man is nothing without the works of man" -- Helvetius
No manner of technology can defeat good social engineering. An intelligent attack is made upon the weakest link in the system. In this case, an unscrupulous user with privileges.
The cancel button is your friend. Do not hesitate to use it.