Security Vulnerability Found On US Federal Government Contractors Site

samzenpus posted about a year ago | from the open-book dept.

Government 35

dstates writes "SAM (Systems for Awards Management) is a financial management system that the US government requires all contractors and grantees to use. This system has recently been rolled out to replace the older CCR system. Friday night, thousands of SAM users received the following message: 'Dear SAM user, The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity's registration information, including both public and non-public data at all sensitivity levels.' From March 8 to 10, any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system. Oops! The Government Services Administration says that they have fixed the problem."


fixed ? (1)

Anonymous Coward | about a year ago | (#43197447)

Changing some permissions does not constitute a fix.

Re:fixed ? (3, Insightful)

wonkey_monkey (2592601) | about a year ago | (#43197593)

Firstly, how do you know that's all they did? Secondly, why wouldn't it constitute a fix, if it (y'know) fixes the problem?


Re:fixed ? (1)

metajunkie (2368612) | 1 year,29 days | (#43205235)

Firstly, how do you know that's all they did? Secondly, why wouldn't it constitute a fix, if it (y'know) fixes the problem?

My read on the original comment was that dstates was poking some fun at the notion that they 'could' fix the problem. How do you 'fix' unauthorized SSN access? It isn't really fixable - the FAQ cited says they are giving them access to free credit monitoring services. Gee thanks. That doesn't fix anything. Whoever was responsible for releasing that FAQ needs to do some soul-searching, imho. It seemed, to me, to almost suggest that the users were somehow responsible for this breach, because they "opted in" to a public search option. Excuse me, but they didn't opt into a public search of their SSNs.

The rest of the FAQ was equally disturbing. The section "Who was impacted?" is laughable. But they didn't have the balls to just come out and say "we don't know". It is clear they don't have logging enabled at a suitable level to know who was impacted.

"When did the security incident take place?" Another chuckle here, no? There are one of two possibilities - either they introduced the problem to the system on the 8th of March, 2013 - and again are lacking in accountability; or, as it states, the vulnerability was discovered on the 8th - and they have no idea when it was introduced. So, either they screwed the pooch on the 8th (it happens), or this exposure was much longer in duration than what the FAQ is leading people to believe. In either case, it screams cowardice in the harsh light of accountability. Pathetic. The whole situation is pathetic.

Too many people hiding behind the increasingly inaccurately interpreted notion that 'no computer can be 100% secure' - as if that is an excuse to lay off, or never hire, proper sysadmins and infosec people. As if that is a reason to fly fast and free with updates and patches - rather than having actual dev and test environments. The problem isn't the level of difficulty in creating and maintaining a secure environment - the problem is that people don't want to hire FTEs when they can cling to hopes of buying some silver bullet software program that never needs configuration or maintenance.

"How do I know if my data was exposed?" - "Why did this happen?" - yeah... more dodging and reiterating that they have now patched the system. I guess they have been taking lessons from politicians. Why not state the truth? Here's my best guess, 'we are under-staffed, over-worked, under-paid, and pissed off - when we told them we needed more system administrators, we were told to sit down, shut up, and be thankful we still have jobs.' ... just a guess.

I've done vuln assessments and pentests coast to coast - and it is the same in just about 90% of the cases. This isn't just a government phenomenon - and I can't speak for the rest of the world - but this IS a US phenomenon. This is pass the buck and avoid responsibility and accountability at its worst.

Re:fixed ? (1)

JLennox (942693) | about a year ago | (#43197753)

An automated test is more important than a fix. People goof. Can't fix that, but you can test for it.

Who'd be surprised? (5, Insightful)

Anonymous Coward | about a year ago | (#43197527)

Half of our shared government is devoted to the proposition that government itself is THE problem our country has, and any step taken to damage the credibility of, or simply interfere with government is a positive step.

Therefore, funding at all levels is cut, and even minimal oversight gets cut.

Without oversight, contractors get more 'emergency' jobs, and have to expand, without anyone checking what they're doing. So, they buy more computers, hire more staff, and roll out services as quick as they can.

Who would be surprised that minimal standards for something as tertiary to the money-making process as security gets ignored in this process? You hire contractors to cover government jobs so they can work faster (sloppy), automate more, not double-check everything.

When inevitable problems occur, you blame the contractor, hire the next contractor, and pretend everything is good for a while longer.

The end result meets the ideal though - a completely inefficient government, more privatization, and a way to pretend all the corruption is just how government works, even though you're actually forcing it to act this way.

Re:Who'd be surprised? (0)

Anonymous Coward | about a year ago | (#43197907)

This would make sense except for the fact that the GSA had a recent scandal involving lavish perks and millions of dollars spent on frivolous conferences. So I'm not buying your theory that small-government conservatives are to blame here.

I'd say that large bureaucracies with poor oversight and "too big to fail" mentality are ultimately to blame for the ineptitude of governments, or in this case, the GSA being unable to competently put together a website.

Re:Who'd be surprised? (1)

meglon (1001833) | about a year ago | (#43199083)

...and... did the GSA design the program? No.

Too many people who blame government for everything don't look at the simple point that issues like this are usually mistakes made by the vendors who sell shoddy crap to the government. It's a lot like blaming government for the fraud in medicare, when it's actually the doctors committing fraud, and you don't hear about it until the government catches the criminal.

Government is always the problem....when you have idiots elected to office who intentionally try to fuck up the government from within.

http://www.huffingtonpost.com/michael-s-lofgren/scientology-for-rednecks_b_2707087.html [huffingtonpost.com]

Re:Who'd be surprised? (0)

Anonymous Coward | 1 year,29 days | (#43206135)

What in the name of Confucius does your reply have to do with the point you replied to?

Not Really (2, Interesting)

Anonymous Coward | about a year ago | (#43198251)

The reason Northrop Grumman is raping your ass is because congress comes up with a random budget at random times. Therefore, we can only fix problems on their schedule, which means that we have to pay Northrop to drop other customers to do the work we desperately need, when it becomes desperate enough to get congressional add money, and then pay them to keep everyone on staff that is no longer working on their project because we tied up resources for this, and then we get to pay them to get extra people up to speed quickly.

Before you go blame this on our programming, only one of these has been due to a real failure in anything other than politics. We did find a latent bug that didn't get triggered for the first decade of the airplane. However, that's 3 lines of code and 2 test flights. All of these other 3x the estimated cost projects were done 2 years late and in an emergency instead of in the schedule we had NG on contract for.

You can get better, but you can't pay more for Northrop. However, it's our fault for consistently binging and purging at their trough.

Re:Who'd be surprised? (0)

Anonymous Coward | 1 year,29 days | (#43201505)

Just like marketing... we know half the government is the problem and the other half is the solution. We just don't know which half is which.

This is the problem with all secure systems (1)

eksith (2776419) | about a year ago | (#43197639)

The moment someone else needs access, you have to bring down a wall to let them in.

This is why .... (3, Funny)

PPH (736903) | about a year ago | (#43197655)

... my company only does cash business with the government. Payments to be made in small, non-sequential serial numbered bills. To be deposited at a designated locker at a bus station.

Re:This is why .... (0, Insightful)

Anonymous Coward | about a year ago | (#43197761)

Right the fuck on! It's amazing anyone trusts the government for anything. I have literally NEVER heard of any kind of problem like this happen in a private enterprise.

Re:This is why .... (4, Insightful)

Anonymous Coward | about a year ago | (#43197903)

I have literally NEVER heard of any kind of problem like this happen in a private enterprise.

Sony kept PSN user info in an internet facing, plaintext database.

Not defending the government, but rather pointing out that if you've 'never heard of this in private business,' you haven't paid a lick of attention.


SPOF (1, Interesting)

gmuslera (3436) | about a year ago | (#43197705)

Making all government contractors sign in on a single "trusted" site is a good recipe for disaster. In fact, it is the perfect honeypot to convince people that we are under attack.

Re:SPOF (1)

fuckface (32611) | about a year ago | (#43197937)

Making all government contractors sign in on a single "trusted" site is a good recipe for disaster. In fact, it is the perfect honeypot to convince people that we are under attack.

This is a troll, right? If you think the government is capable of gathering information from MULTIPLE sources and making heads or tails from it, I have a couple of memorial fountains to sell you in lower Manhattan. Likewise, if you think that that 5 websites would have fewer bugs than one website ... How the hell did you get such a low ID anyway?

Re:SPOF (2)

gmuslera (3436) | about a year ago | (#43199003)

If all those companies have to log in to a single website (that could require Java, Flash, Acrobat, or whatever else could have a 0-day exploit, and no one will block anything from there, as it is a trusted website), it could be used to plant something like Red October [hitb.org] in a lot of sensitive places. It could be in a not very visited place of the site to delay detection while still getting victims (i.e. just replacing a PDF), could go undetected in all the companies it tries to infect, could be low profile enough as it will reach every company, or could focus on a particular contractor, as they have to log in there anyway.

If they can't manage to secure that one site, they probably won't be able to do so with multiple sites either. But a single intrusion won't have the same broad reach.

Re:SPOF (1)

Anonymous Coward | about a year ago | (#43198795)

Exactly why I registered at CCR/SAM with a bank account that has all of $10 in it (to keep the account open). When the Gov't pays us, I immediately transfer the money over to our real business account--at the bank where I know the manager.

It's OK, that would be illegal (0)

Anonymous Coward | about a year ago | (#43197717)

Don't worry.
Viewing other users' info is clearly against the terms of use for that site, so even thinking about doing that would be a federal felony!
No-one would ever risk the combined wrath of the many federal law enforcement agencies...

But...The ACA is manageable by Uncle Sam (1, Troll)

BoRegardless (721219) | about a year ago | (#43197891)

US government agencies should have no problem managing the entire healthcare system under the ACA because there are so many tens of thousands of pages of regulations, they will obviously cover every single thing that needs to be done and done correctly and safely...

completely obvious (2)

nutsaq (116096) | about a year ago | (#43198009)

I'm in that system. I knew it was hosed years ago (like 7), when, immediately after registering, I began to receive boatloads of spam related to govt contracts. It's likely been wide open for ages.

Re:completely obvious (1)

helobugz (2849599) | about a year ago | (#43199589)

That's because you didn't opt-out of "publicly" listing your company's infoz, though I've never understood why the fraq any private sector contractors should EVER have such easy access to the data. Alas, it's too late, anyway! I am still getting boatloads of spam from after I first registered on CCR several years ago (like, 5). Never would have imagined listing company infoz for gov agencies to see would lead to copious amounts of SPAM. One company even snail mailed me a nice ink pen with my company's name on it, trying to sell me pens.

IBM fixed? Or GSA? (1)

Anonymous Coward | about a year ago | (#43198017)

This was developed by IBM, not GSA. And as it's a multi-phase project, I doubt IBM handed it over yet. Then again, it's still GSA management's fault for not managing the project well.


Again??? (0)

Anonymous Coward | about a year ago | (#43198143)

Another security vulnerability? Again? At some point, with all the billions the US government spends on the military industrial complex, you would think that they would get some kind of security handle on a system that they had a hand in building! Since this isn't the first time, I won't waste my time trying to offer advice: they have ignored good advice in the past, and since they haven't learned from past mistakes, just conclude they will surely repeat them.

summary wrong again (2)

jklovanc (1603149) | about a year ago | (#43198623)

any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system

Only users who had entity administrator rights and delegated entity registration rights could do that. So they were users with higher than normal privileges. The main issue was that the SSN of some entities was displayed to some users who were not allowed to administrate those entities. The users with entity administrator rights and delegated entity registration rights need to see the SSN of entities they have rights to administrate. In the search function I bet the SSN was in a column that was only visible to users with those rights. The issue comes when the column is displayed. Rather than filtering each row to see if the user was allowed to see that specific entity's information, the user was allowed to see every entity's information. In some rows the information should have been there; in others it should have been blank. Why not only allow them to search entities they can administrate? What if the user is looking for the public information on an entity they can not administrate? In effect they had the column filter correct but not the row filter.

When there are users with some administration powers it is a complex problem to give them enough access without giving them too much.

In the end it comes down to a small data exposure exploitable by a few users who have privileged user access. This is very different from a hacker being able to access the information. I bet anyone who has dealt with these kinds of complex permissions has made similar mistakes. Hopefully they get caught in QA but sometimes they slip through. I laugh when I see posts about these security holes being an example of government incompetence considering the number of security holes in most major software packages in existence. If you have an ax to grind with the government this is not a good target.
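The column-filter-versus-row-filter bug shape described in the comment above, as an added illustration that is not part of the thread and is not SAM's code or schema. It uses a constructed entity table and a constructed user/role model (the field names, the "entity_admin" role and the `administers` set are all assumptions). The search is written twice: once with only the column check, which is the shape of bug the comment describes (a privileged user sees the non-public columns on every matching row), and once with the per-row ownership check added so that public rows still appear but non-public fields are only filled in for entities the user actually administers. The `leaked_rows` helper is the kind of automated regression check JLennox's comment asks for.

```python
"""Row-level vs column-level authorization in an entity search.

Added example with a constructed data model; not SAM's real schema or code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    entity_id: str
    name: str          # public field: searchable by anyone
    tin: str           # non-public: TIN, which for a sole proprietor is an SSN
    bank_account: str  # non-public: payment account


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset       # assumed role names, e.g. {"entity_admin"}
    administers: frozenset # entity_ids this user is allowed to manage


NON_PUBLIC_COLUMNS = ("tin", "bank_account")


def _matches(entity, query):
    """Public-name substring search; same in both versions."""
    return query.lower() in entity.name.lower()


def search_vulnerable(user, entities, query):
    """Column filter only. The role decides whether the sensitive columns
    are rendered, but nothing checks which rows the user may administer,
    so an entity admin sees every matching entity's non-public data."""
    show_sensitive = "entity_admin" in user.roles
    results = []
    for e in entities:
        if not _matches(e, query):
            continue
        row = {"entity_id": e.entity_id, "name": e.name}
        if show_sensitive:  # BUG: no per-row ownership check
            row.update({c: getattr(e, c) for c in NON_PUBLIC_COLUMNS})
        results.append(row)
    return results


def search_fixed(user, entities, query):
    """Column filter AND row filter. Every matching entity still appears
    (public data is public), but non-public columns are filled in only
    for rows the user both has the role for and actually administers."""
    results = []
    for e in entities:
        if not _matches(e, query):
            continue
        row = {"entity_id": e.entity_id, "name": e.name}
        if "entity_admin" in user.roles and e.entity_id in user.administers:
            row.update({c: getattr(e, c) for c in NON_PUBLIC_COLUMNS})
        results.append(row)
    return results


def leaked_rows(user, results):
    """Regression check: entity_ids of rows that carry a non-public column
    although the user does not administer that entity. Empty means clean."""
    return [
        r["entity_id"]
        for r in results
        if any(c in r for c in NON_PUBLIC_COLUMNS)
        and r["entity_id"] not in user.administers
    ]


# Constructed sample data (not real registrations).
ENTITIES = (
    Entity("E1", "Acme Consulting", "123-45-6789", "ACCT-0001"),
    Entity("E2", "Acme Widgets LLC", "987-65-4321", "ACCT-0002"),
    Entity("E3", "Beta Corp", "55-5555555", "ACCT-0003"),
)
# Alice administers only E1 but holds the entity_admin role.
ALICE = User("alice", frozenset({"entity_admin"}), frozenset({"E1"}))
# Bob is a plain registered user with no admin role at all.
BOB = User("bob", frozenset(), frozenset())


if __name__ == "__main__":
    for label, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        rows = fn(ALICE, ENTITIES, "acme")
        print(f"{label}: leaked rows for alice = {leaked_rows(ALICE, rows)}")
```

Running the block prints `['E2']` for the vulnerable search and `[]` for the fixed one; a check like `leaked_rows` belongs in the test suite so that the next refactor of the search view cannot quietly drop the row filter again.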

Re:summary wrong again (1)

ckedge (192996) | about a year ago | (#43199291)

> Only users who had entity administrator rights

A huge fraction of "users" in that system is an "administrator". You "administer" your company's information. There is afaik no other reason to have a "user account" on the system. An individual user *may* have administrator rights to multiple "corporate entity IDs".

Also this system contains an account for EVERY tiny little company that has ever had at least one contract with a federal agency, or ever dreamed of selling something into a government environment.

> This is very different from a hacker being able to access the information

It is DEAD EASY to create an "entity" and a related "user account" to administer the entity. It would probably take them a week to figure out that something's funny with a new entity, and even then, you'd still have your "administrative level" user account, which they'd leave enabled/on so you can "fix your entity's registration details".

Re:summary wrong again (1)

jklovanc (1603149) | about a year ago | (#43199513)

Entity administrator rights is only half of the requirements. You forgot about the second part that the entity must also have "delegated entity registration rights". You have to have rights to register other entities and I doubt that they give that right to everyone. While the first hurdle is pretty easy the second one is probably much harder.

Where's the Quality Assurance? (0)

Anonymous Coward | about a year ago | (#43199073)

That sounds like a basic QA fail. Such access issues should have been picked up during testing as a standard test case.

freakin' morons (0)

Anonymous Coward | about a year ago | (#43199633)

I got an email saying that my SSN may have been compromised, which is totally retarded because my only active SAM registry is a C corp with a TIN. I don't recall ever posting my SSN for that entity registration...

Now, I have to wonder, did they take it upon themselves to automatically lookup & store SSN #'s to correspond to a POC's name/address/etc?? Somehow, I wouldn't doubt it..

Re:freakin' morons (0)

Anonymous Coward | 1 year,30 days | (#43200399)

I got an email saying that my SSN may have been compromised, which is totally retarded because my only active SAM registry is a C corp with a TIN.

No "compromised" email yet for me. I updated from CCR to SAM (S-corp with a TIN) about a week ago...just in time for this to happen. Didn't see any sign of SSN being added to my record during the update.
