recommended reading

Exposure of DHS Employees’ Personal Data Shows Widespread Risk

Maksim Kabakou/Shutterstock.com

Law enforcement authorities tipped off the Homeland Security Department to a software error that had exposed personal details of DHS employees holding security clearances -- not the contractor responsible for protecting the data, underscoring a potential weakness in the federal procurement cycle. 

Department officials early last week notified personnel that an unnamed  security vendor had used a software program containing a “vulnerability” that could have revealed their sensitive information "including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations.” The data had been at risk from July 2009 until recently, when DHS fixed the system. 

Organizations across all sectors, from the General Services Administration to Apple, are threatened by software flaws that go unnoticed until a hacker exploits the glitch to steal data, or a hired penetration tester finds the weakness. DHS officials declined to comment when Nextgov asked how the vulnerability was discovered, and by whom. Federal contracts often do not require penetration testing, sometimes referred to as ethical hacking. 

"That's so common. If you don't tell me that I have to do something, I’m probably not going to do it, because I make more money that way," said Chris Eng, vice president of research at software security firm Veracode. A 2011 Veracode study indicated government applications have a 40 percent higher incidence of coding mistakes that are prone to abuse than software used in other industries.

This latest tech contractor misstep comes as the Obama administration, pursuant to a February computer security executive order, considers incorporating national cyber standards into federal acquisitions. Some vendors object to procurement language that would impose certain uniform software testing methods.

In written comments filed last week, the Software and Information Industry Association urged the executive branch to steer clear of prescribing any “software assurance scheme that would establish the government as a leader in the process of developing technology, or that would create a U.S.‐centric standard." The submission went on to state the trade group "opposes any effort to micromanage the conformance‐based assurance models” that might create barriers to international trade.

It is unclear whether the DHS business agreement at issue stipulated that security testing be performed on software prior to installation, or, if built in-house, whether testing was part of the software development process. Homeland Security officials said they are revisiting all contracts with security vendors who provide the same type of services. The department wants “to ensure all necessary requirements for protecting [personal information] are incorporated and that compliance mechanisms and incident response are included,” according to a DHS statement.

The Pentagon is at risk of programming exploits as well. Amid high-profile hacks facilitated by design flaws in computer code, a policy codified by the 2013 National Defense Authorization Act will require military software suppliers to follow new testing rules

DHS officials said the department recently learned of the glitch from "a law enforcement partner." They added: "There is no evidence that any unauthorized user accessed any personally identifiable information." Eng speculated authorities might have discovered merely the existence of the flaw while monitoring online forums where hackers tend to sell or share software vulnerabilities. The vague statement does not eliminate the possibility that a bad actor collected actual data without leaving a trail.

"If you parse the words carefully -- they are also not saying they have conclusively ruled it out. It's ambiguous wording. It's wording that is used frequently," he said. "It's not always possible for them to tell at that level of detail what was or was not breached."

Earlier this year, a user of an online federal contracting registry found a way of bypassing security controls to see every awardee’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to GSA, the system’s owner. IBM, the contractor operating the database, called the System for Award Management, or SAM, failed to detect the issue.  

After both departments’ security incidents, agency officials recommended that individuals affected place a fraud alert on their credit files. 

Consumer technology companies have also recently stumbled upon software defects, to their dismay. TwitterFacebook and Apple disclosed intrusions, reportedly perpetrated when their employees visited an infected software developer website that then passed on the malware to their machines. Shortly afterward, Microsoft confirmed its corporate systems also had suffered similar compromises. 

(Image via Maksim Kabakou/Shutterstock.com)

Threatwatch Alert

User accounts compromised

1 Million Online Gaming Accounts Exposed

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.