http://www.nytimes.com/2006/01/13/technology/13secure.html

By JOHN MARKOFF
January 13, 2006

The General Services Administration has shut a Web site for government contractors after a computer industry consultant reported that he was able to view and modify corporate and financial information submitted by vendors.

The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon.

The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking.

"This is the government entity responsible for letting contracts for security," said Mark Rasch, chief security counsel for Solutionary, a security firm. "Clearly the people who log in would know about security."

The agency said it believed that the flaw had not been exploited by intruders or by authorized users. It is not clear how long the problem existed.

The Web site, called eOffer, was introduced in May 2004 to let companies respond electronically to requests for proposals for computer technology services and products.

Computer security consultants said the flaws could have had consequences ranging from corporate espionage to bid tampering. They also said the agency now faced the challenge of verifying the accuracy of contracting data.

The site remained inoperative yesterday evening with a posted message stating: "The eOffer system is down for maintenance. Please pardon the inconvenience, thank you."

The security flaws were discovered by Aaron Greenspan, president of Think Computer, a computer security firm based in Dallas, when he tried to register his company as a government contractor last month.
While entering data on the site, he said, he discovered that it was possible to call up documents at random and to take over the accounts of other companies by simply entering a publicly available business identification number once he had validated his own account with the system.

"Theoretically, one could have started a bidding war between Boeing and Lockheed Martin, or Dell and Gateway, or changed the terms of their existing contracts," he said.

According to Mr. Greenspan, the contract data on the Web site stretched back at least nine years.

When the system was introduced last year, the agency said it was intended to meet President Bush's mandate "to improve effectiveness and efficiency in government." It was intended to save time and money by bypassing the paper-based process for negotiating contracts.

A spokeswoman for the agency said yesterday that it had begun an "intensive search" to identify "possible irregularities within the electronic tools G.S.A. provides to its customers."

The spokeswoman, Jennifer E. Millikin, deputy director of communications, said the agency acknowledged that the flaw compromised the integrity of the Web tool but that it "believes the problem was brought to the agency's attention before it became a hazard to other users."

She said the 20-day interval before the site's shutdown reflected the processing of the inspector general's report within the agency. The site, used by about 1,200 of the agency's tens of thousands of contractors, should be online again by the middle of next week, she said.

An independent computer security consultant who examined Mr. Greenspan's written presentation to the agency said that the designers of the eOffer site had made a series of bad design decisions.
"The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who performs tests for corporations. "Well, the 9/11 hijackers also had authentic drivers' licenses. Perhaps they believe that it's good enough to know who to go after if they misbehave once they're in the club."

In filing an electronic application to become a government contractor, Mr. Greenspan was forced to repeat the process several times. After doing so, he noticed that the file's identifying number had been changed to a number one digit higher. He then copied the old number into his browser and discovered that his original file was still stored on the eOffer Web site.

Wondering whether he had stumbled on a security flaw, he changed the number again, and the system sent him another document - a price list that had been submitted by another company.

Further investigation led Mr. Greenspan to discover that it was possible to view and then change other companies' electronic offers. Because each offer's electronic first page yielded the given company's business identifier, it was possible to paste that identifier into the eOffer sign-in page and adopt the identity of any company. All that was necessary to masquerade as any other company using the system was to have a valid security certificate for the eOffer system, he said.

He said he had been able to log in using the identity of some major aerospace and electronics companies, including Boeing and Gateway.

"My reaction was everything but surprised," he said. "It's a very common problem."

This is not the first time that Mr. Greenspan has ferreted out security flaws in commercial computer systems. A year ago, he notified businesses at South Station in Boston that a wireless Internet system made it possible to see confidential information. The flaws were corrected.
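The two design errors the article describes (records fetched by whatever identifier the user supplies, and a sign-in page that accepts a publicly known business identifier as proof of identity once any valid certificate is present) are both authorization failures, not authentication failures. The following is an added illustration written for this page, not eOffer's code; the company names, certificate fingerprints and offer data are constructed, and the function names are hypothetical. It places each vulnerable pattern beside the server-side check that closes it.

```python
"""Added illustration (not eOffer's code): object lookups and session identity
must be bound to the authenticated caller on the server, never taken from an
identifier the caller types in.  All data below is constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Offer:
    offer_id: str
    owner: str        # company that submitted the offer (constructed)
    price_list: dict


# Constructed sample records.  Sequential ids model the "one digit higher"
# numbering the article describes; guessable ids make the missing check
# easy to trip over, but the real defect is the check itself.
OFFERS = {
    "1001": Offer("1001", "vendor-a", {"widget": 10.0}),
    "1002": Offer("1002", "vendor-b", {"gadget": 25.0}),
}

# Constructed: which client certificate was issued to which company.
CERT_REGISTRY = {"fp-a": "vendor-a", "fp-b": "vendor-b"}


def view_offer_insecure(requesting_company: str, offer_id: str) -> Offer:
    """Vulnerable pattern: the caller is logged in, but the record is fetched
    purely by the supplied id, so any authenticated user can read any offer."""
    return OFFERS[offer_id]


def view_offer_secure(requesting_company: str, offer_id: str) -> Offer:
    """Hardened pattern: ownership is enforced on every access.  A missing id
    and a foreign id produce the same error, so the endpoint does not reveal
    which ids exist."""
    offer = OFFERS.get(offer_id)
    if offer is None or offer.owner != requesting_company:
        raise PermissionError("offer not found or not owned by caller")
    return offer


def session_identity_insecure(cert_fingerprint: str, claimed_business_id: str):
    """Vulnerable pattern: the certificate only proves that *someone* registered
    is at the door; the acting identity is then taken from a typed field that
    is public information."""
    if cert_fingerprint not in CERT_REGISTRY:
        return None
    return claimed_business_id


def session_identity_secure(cert_fingerprint: str, claimed_business_id: str):
    """Hardened pattern: identity is derived from the credential.  A typed
    business id is accepted only if it matches the company the certificate
    was issued to; it never selects the identity on its own."""
    bound = CERT_REGISTRY.get(cert_fingerprint)
    if bound is None or bound != claimed_business_id:
        return None
    return bound


def new_offer_id() -> str:
    """Defence in depth: unguessable ids (here 128 bits from the OS CSPRNG)
    stop a neighbouring record from being one digit away.  This complements
    the ownership check above; it does not replace it."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(view_offer_secure("vendor-a", "1001").price_list)   # own record: ok
    print(session_identity_secure("fp-a", "vendor-a"))         # vendor-a
    print(session_identity_secure("fp-a", "vendor-b"))         # None
    print(new_offer_id())
```

The test-worthy property is that the hardened functions refuse every combination of valid credential and foreign identifier, while still serving the caller's own data; a review of an eOffer-style system would check that every record-returning handler has the equivalent of `view_offer_secure`'s owner comparison, and that no handler builds a session from a field the user can type.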
In February he discovered a software flaw in systems operated by PayMaxx Inc., a payroll processor in Franklin, Tenn.; the flaw revealed financial information on tens of thousands of employees. The company minimized the extent of the disclosure and corrected the deficiency.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 22:33:22 PST