Slashdot Mirror


Security Vulnerability Found On US Federal Government Contractors Site

dstates writes "SAM (Systems for Awards Management) is a financial management system that the US government requires all contractors and grantees to use. This system has recently been rolled out to replace the older CCR system. Friday night, thousands of SAM users received the following message: 'Dear SAM user, The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity's registration information, including both public and non-public data at all sensitivity levels.' From March 8 to 10, any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system. Oops! The Government Services Administration says that they have fixed the problem."

10 of 35 comments

  1. Hackers by presspass · Score: 4, Insightful

    This is the real reason to hype a 'cyberwar':

    Malfeasance.

  2. Who'd be surprised? by Anonymous Coward · Score: 5, Insightful

    Half of our shared government is devoted to the proposition that government itself is THE problem our country has, and any step taken to damage the credibility of, or simply interfere with government is a positive step.

    Therefore, funding at all levels is cut, and even minimal oversight gets cut.

    Without oversight, contractors get more 'emergency' jobs, and have to expand, without anyone checking what they're doing. So, they buy more computers, hire more staff, and roll out services as quick as they can.

    Who would be surprised that minimal standards for something as tertiary to the money-making process as security gets ignored in this process? You hire contractors to cover government jobs so they can work faster (sloppy), automate more, not double-check everything.

    When inevitable problems occur, you blame the contractor, hire the next contractor, and pretend everything is good for a while longer.

    The end result meets the ideal though - a completely inefficient government, more privatization, and a way to pretend all the corruption is just how government works, even though you're actually forcing it to act this way.

  3. Re:fixed ? by wonkey_monkey · Score: 3, Insightful

    Firstly, how do you know that's all they did? Secondly, why wouldn't it constitute a fix, if it (y'know) fixes the problem?

    --
    systemd is Roko's Basilisk.

  4. This is why .... by PPH · Score: 3, Funny

    ... my company only does cash business with the government. Payments to be made in small, non-sequential serial numbered bills. To be deposited at a designated locker at a bus station.

    --
    Have gnu, will travel.

    1. Re:This is why .... by Anonymous Coward · Score: 4, Insightful

      I have literally NEVER heard of any kind of problem like this happen in a private enterprise.

      Sony kept PSN user info in an internet facing, plaintext database.

      Not defending the government, but rather pointing out that if you've 'never heard of this in private business,' you haven't paid a lick of attention.

      --CanHasDIY

    2. Re:This is why .... by oodaloop · Score: 2

      Give yourself one whoosh and lose 10,000 XP.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.

  5. Re:Bets please by FatdogHaiku · Score: 2

    The old system was retired on November 21, 2012, so I'd guess the flaw was there from the start.
    http://www.acquisition.gov/SAM_Guides/index.html

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office.

  6. Not Really by Anonymous Coward · Score: 2, Interesting

    The reason Northrop Grumman is raping your ass is because congress comes up with a random budget at random times. Therefore, we can only fix problems on their schedule, which means that we have to pay Northrop to drop other customers to do the work we desperately need, when it becomes desperate enough to get congressional add money, and then pay them to keep everyone on staff that is no longer working on their project because we tied up resources for this, and then we get to pay them to get extra people up to speed quickly.

    Before you go blame this on our programming, only one of these has been due to a real failure in anything other than politics. We did find a latent bug that didn't get triggered for the first decade of the airplane. However, that's 3 lines of code and 2 test flights. All of these other 3x the estimated cost projects were done 2 years late and in an emergency instead of in the schedule we had NG on contract for.

    You can get better, but you can't pay more for Northrop. However, it's our fault for consistently binging and purging at their trough.

  7. summary wrong again by jklovanc · Score: 2

    any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system

    Only users who had entity administrator rights and delegated entity registration rights could do that. So they were users with higher than normal privileges. The main issue was that the SSNs of some entities were displayed to some users who were not allowed to administrate those entities. The users with entity administrator rights and delegated entity registration rights need to see the SSN of entities they have rights to administrate. In the search function I bet the SSN was in a column that was only visible to users with those rights. The issue comes when the column is displayed. Rather than filtering each row to see if the user was allowed to see that specific entity's information, the user was allowed to see every entity's information. In some rows the information should have been there; in others it should have been blank.

    Why not only allow them to search entities they can administrate? What if the user is looking for the public information on an entity they cannot administrate? In effect they had the column filter correct but not the row filter.

    When there are users with some administration powers it is a complex problem to give them enough access without giving them too much.

    In the end it comes down to a small data exposure exploitable by a few users who have privileged user access. This is very different from a hacker being able to access the information. I bet anyone who has dealt with these kinds of complex permissions has made similar mistakes. Hopefully they get caught in QA, but sometimes they slip through. I laugh when I see posts about these security holes being an example of government incompetence, considering the number of security holes in most major software packages in existence. If you have an ax to grind with the government, this is not a good target.
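The failure mode jklovanc describes above (a column filter without a row filter) is easy to see in code. The following is an added example, not SAM's code and not from any commenter: an in-memory entity search with constructed registrations and fake identifiers. `search_vulnerable` decides once per user whether the non-public column is shown and then emits it for every matching row; `search_fixed` keeps the column decision but also checks, per row, whether the user administers that specific entity, redacting the value otherwise so public lookups of other entities still work. `leaked_tax_ids` is the kind of QA check that would have caught the gap.

```python
"""Row-level vs. column-level authorization in an entity search.

Added illustration of the bug pattern discussed in the thread: a per-user
column filter ("may this user see the tax-ID column at all?") applied
without a per-row filter ("may this user see *this* entity's tax ID?").
All data below is constructed; nothing here is SAM's actual code or data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    entity_id: str
    name: str      # public
    city: str      # public
    tax_id: str    # non-public (an SSN or EIN in a system like SAM)


@dataclass(frozen=True)
class User:
    username: str
    # entity_ids this user administers (entity administrator or delegated registrar)
    administers: frozenset = frozenset()


# Constructed sample registrations with obviously fake identifiers.
ENTITIES = [
    Entity("E-100", "Acme Widgets", "Dayton", "000-00-0001"),
    Entity("E-200", "Beta Consulting", "Reston", "000-00-0002"),
    Entity("E-300", "Gamma Labs", "Austin", "000-00-0003"),
]

PUBLIC_FIELDS = ("entity_id", "name", "city")
ADMIN_ONLY_FIELDS = ("tax_id",)


def matches(entity, query):
    """Case-insensitive substring match on the public name; '' matches everything."""
    return query.lower() in entity.name.lower()


def search_vulnerable(user, query):
    """Column filter only: any user who administers *something* sees every
    matching row's tax_id, including entities they have no rights to."""
    show_admin_cols = bool(user.administers)          # decided once per user
    rows = []
    for e in ENTITIES:
        if not matches(e, query):
            continue
        row = {f: getattr(e, f) for f in PUBLIC_FIELDS}
        if show_admin_cols:
            for f in ADMIN_ONLY_FIELDS:
                row[f] = getattr(e, f)                # no per-row check
        rows.append(row)
    return rows


def search_fixed(user, query):
    """Column filter plus row filter: non-public fields are populated only for
    entities the user administers. Other matching rows still appear with their
    public fields, so looking up public information on any entity keeps working."""
    rows = []
    for e in ENTITIES:
        if not matches(e, query):
            continue
        row = {f: getattr(e, f) for f in PUBLIC_FIELDS}
        authorized = e.entity_id in user.administers  # decided per row
        for f in ADMIN_ONLY_FIELDS:
            row[f] = getattr(e, f) if authorized else None   # blank, not hidden
        rows.append(row)
    return rows


def leaked_tax_ids(user, results):
    """QA check: non-public values present in a result set for entities the
    user does not administer. Should always be empty."""
    return sorted(
        r["tax_id"]
        for r in results
        if r.get("tax_id") and r["entity_id"] not in user.administers
    )


if __name__ == "__main__":
    alice = User("alice", frozenset({"E-100"}))   # administers one entity
    print("vulnerable leaks:", leaked_tax_ids(alice, search_vulnerable(alice, "")))
    print("fixed leaks:     ", leaked_tax_ids(alice, search_fixed(alice, "")))
```

The point of keeping the `tax_id` key present but `None` in the fixed version is that the same screen serves both cases: an administrator sees the value for their own entities and a blank for everyone else's, and a user with no administrative rights gets the public columns for any entity they search for.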

  8. Re:SPOF by gmuslera · Score: 2

    If all those companies have to log in to a single website (that could require Java, Flash, Acrobat, or whatever else could have a 0-day exploit, and no one will block anything from there, as it is a trusted website), it could be used to plant something like Red October in a lot of sensible places. It could be in a not very visited part of the site to delay detection while still getting victims (i.e. just replacing a PDF), might not be detected in all the companies it tries to infect, could be low profile enough as it will reach every company, or could focus on a particular contractor, as they have to log in there anyway.

    If they can't manage to secure that single site, they probably won't be able to do so with multiple sites either, but a single intrusion won't have the same broad reach.