
Exposure of DHS Employees’ Personal Data Shows Widespread Risk


Law enforcement authorities, not the contractor responsible for protecting the data, tipped off the Homeland Security Department to a software error that had exposed personal details of DHS employees holding security clearances, underscoring a potential weakness in the federal procurement cycle.

Department officials early last week notified personnel that an unnamed security vendor had used a software program containing a “vulnerability” that could have revealed their sensitive information, “including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations.” The data had been at risk from July 2009 until recently, when DHS fixed the system.

Organizations across all sectors, from the General Services Administration to Apple, are threatened by software flaws that go unnoticed until a hacker exploits the glitch to steal data, or a hired penetration tester finds the weakness. DHS officials declined to comment when Nextgov asked how the vulnerability was discovered, and by whom. Federal contracts often do not require penetration testing, sometimes referred to as ethical hacking. 

"That's so common. If you don't tell me that I have to do something, I’m probably not going to do it, because I make more money that way," said Chris Eng, vice president of research at software security firm Veracode. A 2011 Veracode study indicated government applications have a 40 percent higher incidence of coding mistakes that are prone to abuse than software used in other industries.

This latest tech contractor misstep comes as the Obama administration, pursuant to a February computer security executive order, considers incorporating national cyber standards into federal acquisitions. Some vendors object to procurement language that would impose certain uniform software testing methods.

In written comments filed last week, the Software and Information Industry Association urged the executive branch to steer clear of prescribing any “software assurance scheme that would establish the government as a leader in the process of developing technology, or that would create a U.S.-centric standard.” The submission went on to state the trade group “opposes any effort to micromanage the conformance-based assurance models” that might create barriers to international trade.

It is unclear whether the DHS business agreement at issue stipulated that security testing be performed on software prior to installation, or, if built in-house, whether testing was part of the software development process. Homeland Security officials said they are revisiting all contracts with security vendors who provide the same type of services. The department wants “to ensure all necessary requirements for protecting [personal information] are incorporated and that compliance mechanisms and incident response are included,” according to a DHS statement.

The Pentagon is exposed to exploitable code as well. Amid high-profile hacks facilitated by design flaws in computer code, a policy codified by the 2013 National Defense Authorization Act will require military software suppliers to follow new testing rules.

DHS officials said the department recently learned of the glitch from "a law enforcement partner." They added: "There is no evidence that any unauthorized user accessed any personally identifiable information." Eng speculated authorities might have discovered merely the existence of the flaw while monitoring online forums where hackers tend to sell or share software vulnerabilities. The vague statement does not eliminate the possibility that a bad actor collected actual data without leaving a trail.

"If you parse the words carefully -- they are also not saying they have conclusively ruled it out. It's ambiguous wording. It's wording that is used frequently," he said. "It's not always possible for them to tell at that level of detail what was or was not breached."

Earlier this year, a user of an online federal contracting registry found a way of bypassing security controls to see every awardee’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to GSA, the system’s owner. IBM, the contractor operating the database, called the System for Award Management, or SAM, failed to detect the issue.

After both incidents, DHS and GSA officials recommended that affected individuals place a fraud alert on their credit files.

Consumer technology companies have also recently stumbled upon software defects, to their dismay. Twitter, Facebook and Apple disclosed intrusions, reportedly perpetrated when their employees visited an infected software developer website that then passed on the malware to their machines. Shortly afterward, Microsoft confirmed its corporate systems also had suffered similar compromises.

(Image via Maksim Kabakou/Shutterstock.com)
