Law enforcement authorities tipped off the Homeland Security Department to a software error that had exposed personal details of DHS employees holding security clearances -- not the contractor responsible for protecting the data, underscoring a potential weakness in the federal procurement cycle.
Department officials early last week notified personnel that an unnamed security vendor had used a software program containing a “vulnerability” that could have revealed their sensitive information “including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations.” The data had been at risk from July 2009 until recently, when DHS fixed the system.
Organizations across all sectors, from the General Services Administration to Apple, are threatened by software flaws that go unnoticed until a hacker exploits the glitch to steal data, or a hired penetration tester finds the weakness. DHS officials declined to comment when Nextgov asked how the vulnerability was discovered, and by whom. Federal contracts often do not require penetration testing, sometimes referred to as ethical hacking.
"That's so common. If you don't tell me that I have to do something, I’m probably not going to do it, because I make more money that way," said Chris Eng, vice president of research at software security firm Veracode. A 2011 Veracode study indicated government applications have a 40 percent higher incidence of coding mistakes that are prone to abuse than software used in other industries.
This latest tech contractor misstep comes as the Obama administration, pursuant to a February computer security executive order, considers incorporating national cyber standards into federal acquisitions. Some vendors object to procurement language that would impose certain uniform software testing methods.
In written comments filed last week, the Software and Information Industry Association urged the executive branch to steer clear of prescribing any “software assurance scheme that would establish the government as a leader in the process of developing technology, or that would create a U.S.-centric standard.” The submission went on to state the trade group “opposes any effort to micromanage the conformance-based assurance models” that might create barriers to international trade.
It is unclear whether the DHS business agreement at issue stipulated that security testing be performed on software prior to installation, or, if built in-house, whether testing was part of the software development process. Homeland Security officials said they are revisiting all contracts with security vendors who provide the same type of services. The department wants “to ensure all necessary requirements for protecting [personal information] are incorporated and that compliance mechanisms and incident response are included,” according to a DHS statement.
The Pentagon is at risk of programming exploits as well. Amid high-profile hacks facilitated by design flaws in computer code, a policy codified by the 2013 National Defense Authorization Act will require military software suppliers to follow new testing rules.
DHS officials said the department recently learned of the glitch from "a law enforcement partner." They added: "There is no evidence that any unauthorized user accessed any personally identifiable information." Eng speculated authorities might have discovered merely the existence of the flaw while monitoring online forums where hackers tend to sell or share software vulnerabilities. The vague statement does not eliminate the possibility that a bad actor collected actual data without leaving a trail.
"If you parse the words carefully -- they are also not saying they have conclusively ruled it out. It's ambiguous wording. It's wording that is used frequently," he said. "It's not always possible for them to tell at that level of detail what was or was not breached."
Earlier this year, a user of an online federal contracting registry found a way of bypassing security controls to see every awardee’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to GSA, the system’s owner. IBM, the contractor operating the database, called the System for Award Management, or SAM, failed to detect the issue.
After both departments’ security incidents, agency officials recommended that individuals affected place a fraud alert on their credit files.
Consumer technology companies have also recently stumbled upon software defects, to their dismay. Twitter, Facebook and