Technology

Defense Agency Leaves Shopping List Online


An improperly secured database operated by the U.S. Defense Information Systems Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the military.

Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control System.

A $235,000 order for 30 Sun Ultra 10 workstations for the same GCCS project was also viewable by Web surfers.

Administrators of the RITS site, which was running IBM's Lotus Domino database software, secured the system after being notified of the vulnerability last Thursday by Kitetoa, a group of French security enthusiasts.

Kitetoa founder Antoine Champagne says he stumbled across the URL for the vulnerable database "while surfing around."

A DISA spokesperson acknowledged the security hole Monday, but could not immediately comment further.

DISA is a combat support agency that provides much of the military's computer networking capabilities.

Most of the RITS requisition documents contained names, e-mail addresses, phone numbers, DISA ID numbers, and in some cases social security numbers, of military personnel and contractors.

Besides orders for hardware and software, the RITS site allowed visitors to place requests for remote access accounts and other network services.

According to a user's guide available from the site, the RITS system "is accessible on the Intranet."

Last April, Kitetoa reported a similar problem with a Lotus Domino database used to house DISA's Joint C4I Program Assessment Tool (JCPAT) database.

In a notice posted at its Web site about the RITS incident, Kitetoa scoffed at the U.S. government's recent warnings to network administrators about possible cyber-attacks.

"If you guys really care about cyber-threats, start with some basic security. And read the manual," said Kitetoa, which provided a link to an IBM white paper entitled "A Guide To Developing Secure Domino Applications."

By Brian McWilliams

