Attacks/Breaches
1/22/2014
05:05 PM
Connect Directly
RSS
E-Mail
50%
50%

DHS Warns Contractors About Breach Of Its Web Portal

More than 100 organizations got some bad news from DHS recently when it was revealed that hundreds of documents had been accessed without authorization

The U.S. Department of Homeland Security has sent warning letters to roughly 114 organizations whose data was exposed when hundreds of documents were accessed without authorization.

The move came after the department's Science and Technology Directorate was notified of the breach by a company that manages its external Small Business Innovation Research (SBIR)/Long Range Broad Agency (LRBAA) Web portal. Some 520 documents -- including whitepapers, decision notification letters, and documents regarding contract awards -- were accessed in the incident.

Sixteen of the organizations had bank information in the documents. All of the affected organizations were notified by the Science and Technology Directorate (S&T). According to a copy of the letter posted by security blogger Brian Krebs, the breach is believed to have occurred in the past four months.

"Notably, the letter does not assert that any security protocols, such as password protection or encryption, were circumvented to access the information," says Aaron Titus, chief privacy officer and general counsel at Identity Finder. "It's not even clear that the access was malicious."

"In my experience, breaches like this are often the result of a failure of basic sensitive data management practices," he says. "It's entirely possible that this information was accidentally left on a public server for four months without password or encryption protection."

None of the documents were classified, according to DHS. The agency did not offer any information about how exactly the data was accessed, stating only that the documents were downloaded from the portal by people outside of DHS. The incident remains under investigation.

"Since discovery of this incident, Science and Technology Directorate (S&T) has worked with the operator of this external Web portal to identify and resolve the security vulnerability, and all appropriate measures have been taken," a DHS S&T spokesperson tells Dark Reading. "All of the affected documents have been thoroughly reviewed to determine if there was a loss of sensitive personally identifiable information, proprietary or business-sensitive information, security information, export control sensitive information, and all potentially affected parties were notified before any nefarious activity could take place.

"S&T takes its responsibility to safeguard personal information seriously and is working with appropriate law enforcement partners on the ongoing investigation to determine the cause of the incident and the identities of the perpetrators,. It is important to note that none of S&T's internal systems were accessed or compromised."

Last year, DHS warned employees and former employees that their data may have been compromised after a vulnerability was discovered in software used by a DHS vendor to process personnel security investigations. The software was used to gather and store sensitive personally identifiable information (PII) for background organizations.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marcus Jackson
50%
50%
Marcus Jackson,
User Rank: Apprentice
6/8/2014 | 3:07:16 AM
Surveillance State
I am an avid Infoormation Week reader and I think this article highlights the systemic problems in our government. Homeland Security is an oxymoron for these people. We are are supposed to trust them to keep our Homeland safe and they can't even keep their own data safe. Or is it really more sisnster that that, do they engineer these "breaches" to overwhelm the average US citizen into believing the wolf is at the door to justify the surveillance state that Edward Snowden is trying to warn us about. Here

http://s1375.photobucket.com/user/mj04317/library/DHS

are some more of the documents that came can be attributed to this "breach". It looks like this LRBAA program is nothing more that a black operation/slush fund (probably a joint operation between DHS and CIA) to develop tracking tools to monitor what people access on the internet and build profiles on them. The emails even talk about collaborating with the Russians. No doubt an effort by the Shdow Government to gain more power. People need to wake up and become aware before the day comes that they wake up as slaves. Eternal vigilance is the price of liberty.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.