System Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the

Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control

A $235,000 order for 30 Sun Ultra 10 workstations for the same GCCS project was also viewable by Web surfers.

Administrators of the RITS site, which was running IBM's Lotus Domino database software, secured the system after being notified of the vulnerability last Thursday by Kitetoa, a group of French security

Kitetoa founder Antoine Champagne says he stumbled across the URL for the vulnerable database "while

A DISA spokesperson acknowledged the security hole Monday, but could not immediately comment further.

DISA is a combat support agency that provides much of the military's computer networking capabilities.

Most of the RITS requisition documents contained names, e-mail addresses, phone numbers, DISA ID numbers, and in some cases social security numbers, of military personnel and contractors.

Besides orders for hardware and software, the RITS site allowed visitors to place requests for remote access accounts and other network services.

According to a user's guide available from the site, the RITS system "is accessible on the Intranet."

Last April, Kitetoa reported a similar problem with a Lotus Domino database used to house DISA's Joint C4I Program Assessment Tool (JCPAT) database.

In a notice posted at its Web site about the RITS incident, Kitetoa scoffed at the U.S. government's recent warnings to network administrators about

"If you guys really care about cyber-threats, start with some basic security. And read the manual," said Kitetoa, which provided a link to an IBM white paper entitled "A Guide To Developing Secure Domino Applications."

By Brian McWilliams