Security flaws found in systems that track recovery-related spending at Transportation

IG says inadequate controls expose databases and website users to hacking risks.

Transportation Department websites that post stimulus spending results could be vulnerable to hackers looking to attack visitors' computers and manipulate data, according to the department's inspector general.

In December 2009, the IG's office began examining safeguards for the systems that track the $48 billion Congress authorized Transportation to spend on projects that create jobs, such as high-speed rail and road widening. The Recovery Act requires agencies to update the public on stimulus spending via Recovery.gov, but most agencies also maintain in-house websites for financial management and more granular reporting. The IG published its findings on Transportation's sites in a report released on Monday.

The report uncovered 1,759 high-risk threats to the department's websites. Recovery-related databases and servers also were vulnerable to attack, but at a lower risk. The threats existed because Transportation failed to configure its sites, databases and servers according to standard controls, the audit said.

"These vulnerable websites could put users' computers in danger by allowing hackers to gain access to the users' computer and their personal information," Earl Hedges, acting assistant IG for financial and IT audits, wrote in the report. "One particular vulnerability, found on eight of the 13 websites, could allow hackers to use the websites to launch attacks on users' computers."

Transportation officials said no incidents have been detected, but it is unclear whether security problems with the department's systems have affected Recovery.gov or FederalReporting.gov, the password-protected inbox that recipients of stimulus funds use to file updates. "We do penetration testing on a regular basis as part of a larger vulnerability management function to ensure the security of our systems," Ed Pound, spokesman for the Recovery Accountability and Transparency Board, an independent agency that maintains Recovery.gov, said on Monday.

High-risk weaknesses on servers that host recovery data could have made it possible for attackers to crack passwords, hijack servers and inject viruses into Transportation's network, Hedges said. In addition, if intruders broke into databases that store grant information, they could have altered or destroyed the data.

For security purposes, the report did not disclose specific vulnerabilities. The IG provided those details to Transportation officials, who said they would fix the most severe problems by Nov. 8.

"We take information technology security seriously, and Department of Transportation information security specialists have already taken action to address the issues identified in the inspector general's report," department spokeswoman Olivia Alair said on Monday.

In responding to a draft of the report on Sept. 30, Transportation Chief Information Officer Nitin Pradhan wrote the IG requesting that the office inform department officials sooner when detecting such serious cyber risks. He agreed with the IG's recommendations to immediately resolve the highest risks.

"In light of the importance of this issue, my office ensures that the deputy secretary is kept apprised of our progress on a weekly basis," Pradhan added.