[ISN] Web Site of Agency Is Called Insecure

InfoSec News isn at c4i.org
Mon Jan 16 01:24:50 EST 2006


http://www.nytimes.com/2006/01/13/technology/13secure.html

By JOHN MARKOFF
January 13, 2006

The General Services Administration has shut a Web site for government
contractors after a computer industry consultant reported that he was
able to view and modify corporate and financial information submitted
by vendors.

The security flaw, which could have permitted contractor fraud, was
reported to the agency's inspector general on Dec. 22, but almost
three weeks passed before the system was taken offline Wednesday
afternoon.

The General Services Administration is the federal agency responsible
for procuring equipment and services, including computer security
technology, making the lapse all the more striking.

"This is the government entity responsible for letting contracts for
security," said Mark Rasch, chief security counsel for Solutionary, a
security firm. "Clearly the people who log in would know about
security."

The agency said it believed that the flaw had not been exploited by
intruders or by authorized users.

It is not clear how long the problem existed. The Web site, called
eOffer, was introduced in May 2004 to let companies respond
electronically to requests for proposals for computer technology
services and products.

Computer security consultants said the flaws could have had
consequences ranging from corporate espionage to bid tampering. They
also said the agency now faced the challenge of verifying the accuracy
of contracting data.

The site remained inoperative yesterday evening with a posted message
stating: "The eOffer system is down for maintenance. Please pardon the
inconvenience, thank you."

The security flaws were discovered by Aaron Greenspan, president of
Think Computer, a computer security firm based in Dallas, when he
tried to register his company as a government contractor last month.

While entering data on the site, he said, he discovered that it was
possible to call up documents at random and to take over the accounts
of other companies by simply entering a publicly available business
identification number once he had validated his own account with the
system.

"Theoretically, one could have started a bidding war between Boeing
and Lockheed Martin, or Dell and Gateway, or changed the terms of
their existing contracts," he said.

According to Mr. Greenspan, the contract data on the Web site
stretched back at least nine years.

When the system was introduced last year, the agency said it was
intended to meet President Bush's mandate "to improve effectiveness
and efficiency in government." It was intended to save time and money
by bypassing the paper-based process for negotiating contracts.

A spokeswoman for the agency said yesterday that it had begun an
"intensive search" to identify "possible irregularities within the
electronic tools G.S.A. provides to its customers."

The spokeswoman, Jennifer E. Millikin, deputy director of
communications, said the agency acknowledged that the flaw compromised
the integrity of the Web tool but that it "believes the problem was
brought to the agency's attention before it became a hazard to other
users." She said the 20-day interval before the site's shutdown
reflected the processing of the inspector general's report within the
agency.

The site, used by about 1,200 of the agency's tens of thousands of
contractors, should be online again by the middle of next week, she
said.

An independent computer security consultant who examined Mr.
Greenspan's written presentation to the agency said that the designers
of the eOffer site had made a series of bad design decisions.

"The system relies, rather stupidly, on making it difficult to get in
in the first place, by forcing you to get a client certificate for
your browser," a mechanism for establishing the user's identity, said
Mark Seiden, a security consultant who performs tests for corporations.
"Well, the 9/11 hijackers also had authentic drivers' licenses.
Perhaps they believe that it's good enough to know who to go after if
they misbehave once they're in the club."

In filing an electronic application to become a government contractor,
Mr. Greenspan was forced to repeat the process several times. After
doing so, he noticed that the file's identifying number had been
changed to a number one digit higher.

He then copied the old number into his browser and discovered that his
original file was still stored on the eOffer Web site. Wondering
whether he had stumbled on a security flaw, he changed the number
again, and the system sent him another document - a price list that
had been submitted by another company.

Further investigation led Mr. Greenspan to discover that it was
possible to view and then change other companies' electronic offers.

Because each offer's electronic first page yielded the given company's
business identifier, it was possible to paste that identifier into the
eOffer sign-in page and adopt the identity of any company. All that
was necessary to masquerade as any other company using the system was
a valid security certificate for the eOffer system, he said.
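The two design gaps the article describes, predictable document numbers that select a record with no ownership check and a sign-in that trusts a public business identifier once any client certificate is accepted, can be modelled in a few lines. The following is an added illustration written for this post, not eOffer's code; the store, the certificate fingerprints and the company identifiers are constructed, and each flawed lookup sits beside the check that closes it.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Offer:
    number: int        # sequential document number, as in the article
    business_id: str   # the company's public business identifier
    body: str

# Constructed sample data: two vendors' offers with adjacent numbers.
OFFERS: Dict[int, Offer] = {
    1001: Offer(1001, "BIZ-111", "price list of vendor A"),
    1002: Offer(1002, "BIZ-222", "price list of vendor B"),
}
# Hypothetical binding from a validated client certificate (by fingerprint)
# to the single company that registered with it.
CERT_TO_BUSINESS: Dict[str, str] = {"cert-fp-aaa": "BIZ-111", "cert-fp-bbb": "BIZ-222"}

def fetch_offer_vulnerable(number: int) -> Optional[Offer]:
    """The flaw: the document number alone selects the record, so any
    certificate holder who changes the number reads a neighbour's offer."""
    return OFFERS.get(number)

def fetch_offer_hardened(cert_fp: str, number: int) -> Optional[Offer]:
    """Fix: derive the caller's company from the certificate binding and
    refuse any document that company does not own."""
    caller = CERT_TO_BUSINESS.get(cert_fp)
    offer = OFFERS.get(number)
    if caller is None or offer is None or offer.business_id != caller:
        return None  # same answer for missing and forbidden: no enumeration hint
    return offer

def sign_in_vulnerable(cert_fp: str, claimed_business_id: str) -> Optional[str]:
    """The flaw: the certificate only gates entry; the submitted business id,
    printed on every offer's first page, picks the account."""
    if cert_fp not in CERT_TO_BUSINESS:
        return None
    return claimed_business_id

def sign_in_hardened(cert_fp: str, claimed_business_id: str) -> Optional[str]:
    """Fix: the session identity is whatever the certificate is bound to; a
    claimed id that disagrees with that binding is rejected, not adopted."""
    bound = CERT_TO_BUSINESS.get(cert_fp)
    if bound is None or bound != claimed_business_id:
        return None
    return bound
```

A real deployment would also log the rejected cross-company requests, since a run of adjacent document numbers from one certificate is exactly the pattern the article describes.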

He said he had been able to log in using the identity of some major
aerospace and electronics companies, including Boeing and Gateway.

"My reaction was everything but surprised," he said. "It's a very
common problem."

This is not the first time that Mr. Greenspan has ferreted out
security flaws in commercial computer systems. A year ago, he notified
businesses at South Station in Boston that a wireless Internet system
made it possible to see confidential information. The flaws were
corrected.

In February he discovered a software flaw in systems operated by
PayMaxx Inc., a payroll processor in Franklin, Tenn.; the flaw
revealed financial information on tens of thousands of employees. The
company minimized the extent of the disclosure and corrected the
deficiency.
