
Uncle Sam's Travel Site Grounded By Breach

timothy posted more than 5 years ago | from the bailout-is-in-order dept.

Security 67

McGruber writes "Northrop Grumman's Govtrip.com website has been shut down following a security breach, according to a report by 'Security Fix' blogger Brian Krebs. Being a federal employee and frequent work traveler, I am (was?) a Govtrip user. My agency required me to use Govtrip to book all of my trips, including my airfare, car rentals, and hotel reservations, so Northrop Grumman's Govtrip databases contain my frequent flier numbers, Avis & Budget car rental numbers and frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.) numbers. Northrup-Grumman also stored all of my trip itineraries, including destinations, dates & modes of travel and the particular vendors (airline, hotel, rental car brand, etc.) used on a particular trip. Also stored on the website were my work travel credit-card (it has a $15,000 charge limit), personal checking account where my travel reimbursements were deposited, my home address, and emergency contacts ... just imagine what an accomplished social engineer can do with that combination of information!"


Just to be safe (3, Funny)

Hognoxious (631665) | more than 5 years ago | (#26947939)

I think you should have posted that anonymously, just to be safe.

Re:Just to be safe (1)

mooki5 (1483973) | more than 5 years ago | (#26948311)

scary

Re:Just to be safe (0)

Anonymous Coward | more than 5 years ago | (#26948407)

No, not necessary. I've already taken care of matters there. I should thank Mr. McGruber. Errr, wait a moment, I AM Mr. McGruber now...

Governments... (0)

Anonymous Coward | more than 5 years ago | (#26947941)

...should be held liable for data breaches like this - even more so than the private sector.

Feddy should have access to the latest security tools - many of which were developed in house - and not making extensive use of non-classified security tools to protect our information is downright criminal.

Next thing you know, the SS or Medicare database will be hacked and then we're really fucked.

(Okay, that's enough use of the <i> tag for one post I think...

Re:Governments... (3, Insightful)

Clover_Kicker (20761) | more than 5 years ago | (#26948365)

Northrop-Grumman (i.e. the company who runs the site, the guys who fucked up) is private sector [google.ca] .

Being in the private sector is not magic pixie dust that makes people smarter and systems more secure.

Re:Governments... (4, Interesting)

Curunir_wolf (588405) | more than 5 years ago | (#26948647)

They are also the company that is basically taking over all of the IT functions for the Commonwealth of Virginia. It's working about as smoothly as you would expect. [timesdispatch.com]

I'm sure once all the agencies have turned over all their equipment, applications, and network services to Northrop-Grumman to be run from their new high-efficiency data center, that IT service will improve, security will be rock-solid, and costs will drop like a stone.

Re:Governments... (1)

aliensexfiend (656910) | more than 5 years ago | (#26949119)

Not completely private sector. Because they are a defense contractor, they must use U.S. citizens and can't outsource outside of the United States.

Re:Governments... (1)

cellocgw (617879) | more than 5 years ago | (#26949789)

They are also the company that is basically taking over all of the IT functions for the Commonwealth of Virginia. It's working about as smoothly as you might expect

Take it from an employee of a tiny company owned by a bigger company owned by NGC: their IT dep't is just as bad as the one at your company, with bigger egos, more abusive policies, and possibly the longest and stupidest internal URLs I've seen in my life. Heck, we have to create a new and different password (from all the other internal NGC passwords we have) just to access the "employee ergonomics training site" inside their internal network.

oops... once this gets out I'll be an *ex*-employee.

Accounts need 2 access no's: In & Out #'s (4, Interesting)

ivi (126837) | more than 5 years ago | (#26947953)

If having another's check book account number means that one can withdraw from it, here's an easy fix:

Each account gets (at least) 2 numbers:

1. to deposit INTO it,
2. another to write cheques to get $$$ OUT of it, &
3. maybe a 3rd to let vendors & banks (with a cheque in-hand) to check that the balance covers the cheque.

It would - with that structure - not matter that this web site's security is breached (at least for -that- particular account).

Re:Accounts need 2 access no's: In & Out #'s (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26948041)

I think you are describing the French RIB system (one-way bank transfers)

Re:Accounts need 2 access no's: In & Out #'s (1)

SmokeyTheBalrog (996551) | more than 5 years ago | (#26948105)

Your system solves nothing.

In this case, if they were using your system, they would get the account number needed to write checks OUT. Since this IS a booking service. The thieves can now get cash out of your account. Are you really that worried about thieves depositing money INTO your account?

#3 Seems like some kind of check bounce protection. They already do the same thing with Credit Cards without needing an extra number. But banks don't want to change anything since they get free money from any bounced checks and check protection "services".

Anyways, I use checks so rarely that when I have to use one it takes me embarrassingly long to remember how to do it. I pay everything with my credit card. A credit card has more security, better features, more fraud protection, and builds my credit. So, why use a check?

Re:Accounts need 2 access no's: In & Out #'s (1)

Runaway1956 (1322357) | more than 5 years ago | (#26948419)

"A credit card has more security, better features, more fraud protection, and builds my credit. So, why use a check?" The credit card companies have brainwashed you quite well. Of course, this measure of success has been attained after what, 40 years of effort?

Re:Accounts need 2 access no's: In & Out #'s (2, Interesting)

SmokeyTheBalrog (996551) | more than 5 years ago | (#26948771)

You may be right about which one is secure. (Answer: neither.)

But, if you use American Express they will really help you with purchase problems/charge back. (Had em rape a camera vendor once.) And other credit cards will help to varying degrees. And if you are renting a car you usually get free insurance. Then there are frequent flyer miles you get with purchases.

Do checking accounts offer any of these? If so I would really like to know.

And in the end I carry a piece of thin plastic vs a rather thick bundle of paper.

With a few credit/bank cards, about $20-$60 in cash, IDs, I use a mini-wallet and have space to spare.
Mine is similar to this one:
http://www.hotref.com/Wenger-Leather-Card-Wallet-p-3643.html [hotref.com]

My whole wallet ends up being 1/2 to 1/3 what others carry.

Re:Accounts need 2 access no's: In & Out #'s (2, Interesting)

j1mmy (43634) | more than 5 years ago | (#26950035)

A credit card is ideal because it places risk at the credit card company instead of at the bank, where your money is. A fraudulent credit card charge is far easier to deal with than a fraudulent withdrawal. Good luck paying your bills when your checking account is empty.

Re:Accounts need 2 access no's: In & Out #'s (1)

danwesnor (896499) | more than 5 years ago | (#26948617)

And your comment is completely wrong. The traveler pays all expenses on his credit card. The government uses the system to deposit the payback into the traveler's account.

Re:Accounts need 2 access no's: In & Out #'s (1)

SmokeyTheBalrog (996551) | more than 5 years ago | (#26948825)

Perhaps I'm simply not understanding what you are proposing.

#1 Use this number to make a purchase

#2 Use this number to make a payment

If someone steals #1 they can make purchases in my/your name right?

Example: You go to local-mart and make a purchase using number #1. (Yes, I just said number, number.) Cashier copies number #1, goes to online-mart, and makes some purchases. I don't see how having 2 or 3 numbers would keep someone from abusing one of them? (Of course the last step is the cashier going to jail.)

Perhaps I am missing something?

Re:Accounts need 2 access no's: In & Out #'s (2, Interesting)

elefantstn (195873) | more than 5 years ago | (#26949655)

You wouldn't give the Kwik-E-Mart your checking account number. You use a credit card (if not cash) because it has fraud monitoring and the ability to dispute charges.

What you were missing in your GP comment is that in this particular scenario, the OP only needs to give govtrip.com access to his account for deposit reasons. Therefore, if someone were to steal his information under the multiple-account-number system, all they would have is the ability to deposit more money into his account. He's not using his checking account to pay for anything on that site.

Re:Accounts need 2 access no's: In & Out #'s (1)

ivi (126837) | more than 5 years ago | (#26952883)

#1 "to deposit INTO" - the agency deposits refunds/reimbursements into it

#2 is printed on cheques (hopefully, only genuine cheques, issued by holder's bank, but - these days - this is a risk; don't give this number out... ie, don't write a lot of cheques)

#3 I originally thought it might be harmless to let folks you have to write a cheque to, so they can see if they're likely to be able to cash the cheque, but I now think it poses a risk, eg:

Someone with #2, might like to know how LARGE a cheque it might be safe for them to write...

Of course, most cheques in Australia are marked "for deposit only" (eg, via 2 parallel lines, printed diagonally across each cheque), and that might be at least a bit problematic for most fraudsters...

So, I'm down to just #1 & #2, now (or a single credit card number, as in my earlier reply to my OP).

Re:Accounts need 2 access no's: In & Out #'s (1, Informative)

Anonymous Coward | more than 5 years ago | (#26953237)

yeah, you have it backwards. He used the checking acct for REIMBURSEMENTS. under ivi (126837)'s system, they would not be able to do anything with that number except give him more money, because the number would be used solely for deposits

Re:Accounts need 2 access no's: In & Out #'s (1)

ivi (126837) | more than 5 years ago | (#26952817)

I would have thought that payments to the travel agency would be made via credit card (for cash-flow reasons) and any reimbursements might (for reasons unclear to me) have to go back via check account.

Using a credit card for money flowing in both directions might work in Australia (if not where the article's story is set), because - last time I checked - abuse of one's credit card here (without the holder's knowledge or authority) can't cost the card-holder more than, say, $50, and it might be less or even $0 (haven't checked... anyone else in Oz able to confirm or add to this?)

Re:Accounts need 2 access no's: In & Out #'s (1)

fulldecent (598482) | more than 5 years ago | (#26958261)

Solution with ING: open a new account (as in a new savings account in your existing account) and create a periodic transfer out for each day and for each number of cents in a power of two (make them in decreasing order). This is now your in-only account. Money xfered in is transferred out and maintains a zero balance.

Let's see (1)

Monoliath (738369) | more than 5 years ago | (#26948001)

Keeping such sensitive data on the internet is atrociously stupid.

 

You're an idiot. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26948241)

The securest system is in a locked room, not connected to anything, and switched off. It's just not very useful.

You don't travel much, do you? Sure, I suppose I could call all the travel suppliers, and they could keep paper records. But that's massively inefficient.

Sorry, I WANT to be able to make travel arrangements quickly and easily. I want to have a profile with my favorite hotels and frequent traveler information so I don't need to type it in every time. I want to be able to see my upcoming reservations, so I know when my flight to Atlanta leaves this week, or so I can verify that I booked travel through the end of the month for a recurring reservation. I want to be able to update my trip from my iPhone when a flight gets canceled or a customer reschedules a site visit. And, yes, to the extent hotels require a credit card to hold a reservation, I want them to have that information available.

The great promise of the internet is in making life convenient. The above things all make my life as a frequent traveler more convenient. I don't think I'm unreasonable, or naive about security. I want companies to provide the services above, and to do that securely and well. This is not an impossible task. It's merely a difficult one.

Calling for people to remove any information that could be useful to identify thieves from any machine connected to the internet is the only thing that's atrociously stupid.

Re:You're an idiot. (1)

Runaway1956 (1322357) | more than 5 years ago | (#26948433)

"I want companies to provide the services above, and to do that securely and well." Did you say atrociously stupid? Perhaps you aren't up on current affairs? Check out Wall Street. Corporate America is unable to recognize worthless paper securities, let alone create a secure environment in which to keep data.

Re:You're an idiot. (1)

McGruber (1417641) | more than 5 years ago | (#26954221)

The great promise of the internet is in making life convenient. The above things all make my life as a frequent traveler more convenient.

I'm the article submitter. My employer, a federal agency, has its internal network, with internal websites. I cannot comprehend why a critical work function -- travel -- was outsourced in a way that users must go out to the public internet and access a public website. Does that make sense to anyone?

Good Work! (1)

Bob_Who (926234) | more than 5 years ago | (#26948021)

You deserve a raise.

Sadly (1)

zoomshorts (137587) | more than 5 years ago | (#26948031)

Northrup-Grumman may not be the only entity with such lax security. The last I heard, Northrup-Grumman was a private company, even IF they work with people in the government, they basically make aircraft and aircraft parts.

Why should they be trusted with ANY such information? Are the Orbitz(TM) of the GAO?

Re:Sadly (2, Informative)

cypherwise (650128) | more than 5 years ago | (#26948079)

Contractors basically bid on any contract they can. Then hire the expertise needed to complete that contract during/after the bidding. Many of the big name contractors do A LOT more than their traditional public image leads many to believe.
Also, would it have really made a difference if the website was .gov or .com? The government, in general, doesn't have the desire to produce and maintain a site like that in-house.

Re:Sadly (1)

El Torico (732160) | more than 5 years ago | (#26948239)

The government, in general, doesn't have the ability to produce and maintain a site like that in-house.

There. Fixed it for you.

Re:Sadly (2, Informative)

Hognoxious (631665) | more than 5 years ago | (#26948601)

The government, in general, doesn't have the ability to select a competent contractor to produce and maintain a site like that in-house.

Fixed now.

Re:Sadly (1)

KORfan (524397) | more than 5 years ago | (#26952571)

Actually they did, it was called Travel Manager, and it worked slightly better than GovTrip. It also didn't cost $13.50 every time we processed a travel voucher.

Re:Sadly (2, Insightful)

perlchild (582235) | more than 5 years ago | (#26949093)

If it let them snoop on who was traveling to their competitor's facilities during particularly hectic contracts, I'd say it would have made a difference.

Not that it's contracted out, but that it's contracted out to a large firm who already does a specific kind of business with the government. Contracting out to orbitz or american express for travel is one thing. Contracting to someone who has a corporate interest in knowing who visits Boeing, is another.

Re:Sadly (1)

JGH4 (124117) | more than 5 years ago | (#26953221)

Please take off the tin foil hat. Your post implies that NGC has the competence to do something like this. As a current employee, I can assure you that this is not the case. Currently they barely know when their own employees are traveling to customer sites let alone time to track down the competitors...

bad summary (4, Informative)

socsoc (1116769) | more than 5 years ago | (#26948045)

The first line of the summary doesn't even match TFA. A few agencies, FAA & DoT are mentioned explicitly, started blocking the website on their networks to prevent the download of malware/viruses.

TFA specifically says that user information was not compromised, the submitter's car reservation confirmation number from last month is safe. The site was not shut down and loads fine for me.

What I don't get is the reasoning behind hosting 3 servers containing information on US government employees in Taiwan, what the hell?

Re:bad summary (2, Informative)

sunking2 (521698) | more than 5 years ago | (#26948249)

I believe what they meant was that those were where the remote hosts that hacked the site were. Along with one from Harvard. But still, the summary is so full of paranoia and hype it's almost sickening. This seems to be nothing more than a front page being changed to redirect to a new destination. Hardly anything to get your panties in a twist.

Re:bad summary (1)

Teferison (1403841) | more than 5 years ago | (#26948259)

They are not hosting information IN Taiwan, they were hacked FROM Taiwan..

Forensic analysis revealed that hackers were able to gain access from four remote systems (3 systems residing in Taiwan and 1 system belonging to Harvard University)

Re:bad summary (1)

socsoc (1116769) | more than 5 years ago | (#26948267)

Yeah, I guess I misread that part...

Re:bad summary (1)

McGruber (1417641) | more than 5 years ago | (#26954261)

Actually, the Govtrip website was completely down for most of the week. Here's a mxlogic report that says just that:

http://www.mxlogic.com/securitynews/web-security/govtrip-hacked-offline-for-more-than-a-week979.cfm [mxlogic.com]

Second, "user information was not compromised" was how they first responded to the initial reports of a break-in at the (monster.com outsourced) government's job site (http://www.usajobs.opm.gov/)

Re:bad summary (1)

socsoc (1116769) | more than 5 years ago | (#26957439)

I'm glad you followed up with more information, but none of those two things were mentioned in your original linked TFA, usajobs especially...

what? (1)

thermian (1267986) | more than 5 years ago | (#26948065)

Keeping that much financial data online is stupidity of the highest order.

Anyone who does that deserves anything they get for trusting the security of their card info to a third party.

I use online services a lot (increasingly so these last two years), and re-enter my card info each time. Sure it's slow, and less convenient, but if a site is hacked, my card details won't be stored there. I'm far too worried by that to let any site keep my card details.

Re:what? (0)

Anonymous Coward | more than 5 years ago | (#26948415)

Keeping that much financial data online is stupidity of the highest order.

Anyone who does that deserves anything they get for trusting the security of their card info to a third party.

As a federal employee, I agree it is stupid, but it is also required. Since I like to get reimbursed for official travel, I comply with this.

Re:what? (3, Informative)

codepunk (167897) | more than 5 years ago | (#26948659)

Let me enlighten you here mr security expert. Once you hit that submit button on your shopping cart at joe's online store, you have no idea what just happened with that information. I don't care if you put in your cc number a thousand times it does not in any way mean that the other end is not storing the information. In fact for all you know it sends an email to someone that processes the order, however mr hacker already owns that server and grabs everything running through the mail spool. Or has just modified the code to send himself a copy of your information as well.

Re:what? (1)

thermian (1267986) | more than 5 years ago | (#26950809)

Let me enlighten you here mr security expert. Once you hit that submit button on your shopping cart at joe's online store, you have no idea what just happened with that information. I don't care if you put in your cc number a thousand times it does not in any way mean that the other end is not storing the information. In fact for all you know it sends an email to someone that processes the order, however mr hacker already owns that server and grabs everything running through the mail spool. Or has just modified the code to send himself a copy of your information as well.

Oh great, now I'm going to be even more paranoid about online shopping, thanks for that :(

I see what you're saying though.

Re:what? (0)

Anonymous Coward | more than 5 years ago | (#26955547)

How the fuck can you be on /. and not know about HTTP POST?

And now they have your /. handle too... (2, Funny)

Patch86 (1465427) | more than 5 years ago | (#26948085)

...you're totally screwed.

Re:And now they have your /. handle too... (1)

El_Oscuro (1022477) | more than 5 years ago | (#26949083)

"This is totally insecure, but very convenient"

O RLY? (1)

Vectronic (1221470) | more than 5 years ago | (#26948123)

...frequent hotel guest (Choice Privileges, Marriott Rewards, Priority Club, etc.)

How much do these "guests" cost? and what sort of privileges and rewards do they offer in this club?

Re:O RLY? (1)

volxdragon (1297215) | more than 5 years ago | (#26948381)

Um, they cost nothing - it is offered to *anyone* that stays at the hotels for free (at least the Marriott program is, I assume the others are as well). As for perks/privileges, you can get free nights stay, room upgrades, cheaper room rates, expedited customer service, etc. Now, you can argue those "perks" should not be given to someone on government business, but I would disagree - they are offered uniformly to everyone, why discriminate here?

Re:O RLY? (0)

Anonymous Coward | more than 5 years ago | (#26958349)

*Woosh*

And the obvious hooker joke is lost in space forever.

details of hack .. (2, Interesting)

viralMeme (1461143) | more than 5 years ago | (#26948141)

'hackers breached the site [hackinthebox.org] , then modified it to redirect users to a rogue URL that in turn directed attack code against their systems'

'was this breach [databreaches.net] similar to what happened in the FISERV/CheckFree incident, or did something else happen?'

What do you think makes Govtrip unique? (0)

Anonymous Coward | more than 5 years ago | (#26948153)

Many, many companies have preferred travel vendors, and require their employees to use them for all travel. And "how rock solid is your DB security?" is rarely question one. Deciding on a travel provider pretty much always comes down to cost and security.

At a previous job, the reasonably small travel company we had to use got hacked into. They didn't know what, if anything was taken. They told us "sorry" and offered us 6 months of identity theft monitoring. My company didn't even cancel their contract. If you worked in the private sector, do you really think yours would?

I moved to a company that allows me to book my own travel direct through airline/hotel websites. It's a few more sites to visit for me, but at least I don't have some fly-by-night middleman with all my info. I'm lucky--few people have that option.

Stop that bragging... (0)

Anonymous Coward | more than 5 years ago | (#26948195)

seriously... I am taking public transport it's making me sick just to listen to what happens to my tax dollars :)

Spelling??? (4, Funny)

LiQiuD (571447) | more than 5 years ago | (#26948293)

Can we at least spell Nothrop Grumman correctly?

Re:Spelling??? (1)

LiQiuD (571447) | more than 5 years ago | (#26948309)

GD Typo. Northrop Grumman

Re:Spelling??? (1)

RoboRay (735839) | more than 5 years ago | (#26949209)

Are you sure that's it?

Re:Spelling??? (1)

Kredal (566494) | more than 5 years ago | (#26948501)

Guess not.

Re:Spelling??? (1)

ScrewMaster (602015) | more than 5 years ago | (#26949951)

Uncle Sam's Travel Site Grounded By Breach

Can we at least spell Nothrop Grumman correctly?

Well, at least it wasn't grounded by a breech.

frequent flyer? (0)

Anonymous Coward | more than 5 years ago | (#26948417)

when I was a federal employee it was illegal to use frequent flyer bonuses of any type.

DEFAULT configuration? (1)

Frosty Piss (770223) | more than 5 years ago | (#26952327)

when I was a federal employee it was illegal to use frequent flyer bonuses of any type.

No, it's allowed now. Mostly worthless anyway since airlines make it almost impossible to use them.

Now, have a look at this: they had the DEFAULT configuration? Good grief!

The General Services Administration (GSA) and Northrop Grumman (NG) contractor has conducted extensive forensic analysis and confirmed that the GovTrip systems were successfully compromised. Forensic analysis revealed that hackers were able to gain access from four remote systems (3 systems residing in Taiwan and 1 system belonging to Harvard University) to exploit a default configuration setting in the GovTrip eAuthentication module that allowed remote administration using the Internet.

Re:frequent flyer? (1)

MCZapf (218870) | more than 5 years ago | (#26952377)

when I was a federal employee it was illegal to use frequent flyer bonuses of any type.

They changed that a decade or more ago. The theory is, since these programs and benefits are offered to everyone, they aren't considered a "bribe" to government employees. In practice, I think allowing use of these benefits still increases unnecessary travel and travel costs (due to individual loyalty to particular airlines/hotel chains which aren't always the best choice from the government standpoint).

I used to work for Northrop... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26948845)

The company has been claiming to be "...expanding their monitoring capabilities to include additional network and host based intrusion monitoring technologies" for years. The problem is that no one is willing to pay for it, because Northrop's customers correctly assert it should be a part of any IT infrastructure implementation contract. Since no one is willing to pay Northrop additional money to competently manage their networks, Northrop doesn't.

Making the problem worse, Northrop's sysadmins routinely delete or trim logs to which they have access because the company's information security will not tell the sysadmins what events are considered "reportable", so they log everything, which results in log files so large they can't be stored, or even reviewed daily.

And some of Northrop's server infrastructure won't support the current revision of the vendor's anti-virus software, so various divisions of the company request waivers to those requirements. Those waivers are a violation of company policy, even if compliance is impossible to achieve, but no one wants to re-write the policy to recognize the cold, hard reality that Northrop's infrastructure is so complicated that the "one size fits all" approach is the path to failure.

And, to top it all off, Northrop's information systems auditors are incompetent. They routinely refuse to document known deficiencies because it would make the company look bad, and the company's external auditor, Deloitte, sends softball auditors to Northrop that have no knowledge or expertise in the information systems they're auditing. Because Northrop has a documented "system of control", it's considered "mature", even if most of the controls are fiction.

So this doesn't surprise me in the least.

I was working at CSC in 2001 - 2002, and CSC had the contract for the Navy's civilian personnel timekeeping system. CSC had similar problems, with similar causes. Then, as with Northrop, the real problem is the utter lack of customer oversight and accountability.

Re:I used to work for Northrop... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26949917)

The key phrase is, "the real problem is the utter lack of customer oversight and accountability."

Face it, the Government is incompetent and/or lazy. Why, because nearly every government employee is incompetent and/or lazy. The only way to restore faith in Government is to establish term limits for elected officials (and appointees) and remove union protection from all civil servants.

CIA? (2, Insightful)

divisionbyzero (300681) | more than 5 years ago | (#26949309)

I hope the CIA wasn't required to use it! :-)

Isn't the site supposed to be a secret? (1)

Darkk (1296127) | more than 5 years ago | (#26950319)

I guess the cat is out of the bag now...

Hype (4, Informative)

emance (1279126) | more than 5 years ago | (#26950345)

The Website [govtrip.com] was not disabled. Rather, the web-based compromise began redirecting users to malicious websites.

It is interesting to read that the 'compromise' was achieved through eAuthentication [gsa.gov] , a ubiquitous federal application serving multiple agencies.

It seems like the attack could have been more harmful than this apparently relatively ineffectual inconvenience.

RE: Civil War (0)

Anonymous Coward | more than 5 years ago | (#26954097)

Given the width and breadth of the Bush Administration's lawlessness, the options open to avoid a civil war are reducing at a dramatic pace.

An, i.e. another, inquiry into the Bush Administration's abdication of all laws, US, US States, International, will fail because the current leaders of the House and Senate, are at least guilty of omission in regards to the Bush Administration's lawlessness.

This would normally necessitate an international war crimes inquiry and subsequent trial.

Unfortunately, many international governments, and their (let us say "Officials" rather than "Stooges") Officials are complicitous in the alleged (lets forget the pleasantries as the crimes are actual) crimes against humanity.

This necessitates actions through civil war, to purge the US Federal government, and those recently relieved of duty, of the perpetrators of the crimes against the peoples of the States of the United States, and the peoples of the World. The perpetrators are still "at large" and are a threat to the peoples of the United States of America and the Peoples of the world.

Defense Contractor Web Services? (2, Insightful)

fazookus (770354) | more than 5 years ago | (#26959523)

I'm a Govtrip user as well (the "E-Gov Travel Center for Excellence" just emailed me to tell me everything is just fine, so it must be back) and my primary question is why do we have defense contractors running internet travel sites?
Govtrip took a long time to become ready for prime-time and to this day isn't a model of the programming arts.

Wonder how much it costs...

A greater concern is "Electronic Questionnaires for Investigations Processing (e-QIP)". If you need a security clearance you go to the e-QIP site and put in your life history, friends, bank info, credit history, medical history, everything.
It's an identity thief's dream, absolutely everything needed for somebody else to become you. In fact someone with this kind of information would have a better claim to being you than YOU would.

But don't worry, it's hacker proof.