Attacks/Breaches
1/22/2014
05:05 PM
Connect Directly
RSS
E-Mail
50%
50%

DHS Warns Contractors About Breach Of Its Web Portal

More than 100 organizations got some bad news from DHS recently when it was revealed that hundreds of documents had been accessed without authorization

The U.S. Department of Homeland Security has sent warning letters to roughly 114 organizations whose data was exposed when hundreds of documents were accessed without authorization.

The move came after the department's Science and Technology Directorate was notified of the breach by a company that manages its external Small Business Innovation Research (SBIR)/Long Range Broad Agency (LRBAA) Web portal. Some 520 documents -- including whitepapers, decision notification letters, and documents regarding contract awards -- were accessed in the incident.

Sixteen of the organizations had bank information in the documents. All of the affected organizations were notified by the Science and Technology Directorate (S&T). According to a copy of the letter posted by security blogger Brian Krebs, the breach is believed to have occurred in the past four months.

"Notably, the letter does not assert that any security protocols, such as password protection or encryption, were circumvented to access the information," says Aaron Titus, chief privacy officer and general counsel at Identity Finder. "It's not even clear that the access was malicious."

"In my experience, breaches like this are often the result of a failure of basic sensitive data management practices," he says. "It's entirely possible that this information was accidentally left on a public server for four months without password or encryption protection."

None of the documents were classified, according to DHS. The agency did not offer any information about how exactly the data was accessed, stating only that the documents were downloaded from the portal by people outside of DHS. The incident remains under investigation.

"Since discovery of this incident, Science and Technology Directorate (S&T) has worked with the operator of this external Web portal to identify and resolve the security vulnerability, and all appropriate measures have been taken," a DHS S&T spokesperson tells Dark Reading. "All of the affected documents have been thoroughly reviewed to determine if there was a loss of sensitive personally identifiable information, proprietary or business-sensitive information, security information, export control sensitive information, and all potentially affected parties were notified before any nefarious activity could take place.

"S&T takes its responsibility to safeguard personal information seriously and is working with appropriate law enforcement partners on the ongoing investigation to determine the cause of the incident and the identities of the perpetrators,. It is important to note that none of S&T's internal systems were accessed or compromised."

Last year, DHS warned employees and former employees that their data may have been compromised after a vulnerability was discovered in software used by a DHS vendor to process personnel security investigations. The software was used to gather and store sensitive personally identifiable information (PII) for background organizations.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marcus Jackson
50%
50%
Marcus Jackson,
User Rank: Apprentice
6/8/2014 | 3:07:16 AM
Surveillance State
I am an avid Infoormation Week reader and I think this article highlights the systemic problems in our government. Homeland Security is an oxymoron for these people. We are are supposed to trust them to keep our Homeland safe and they can't even keep their own data safe. Or is it really more sisnster that that, do they engineer these "breaches" to overwhelm the average US citizen into believing the wolf is at the door to justify the surveillance state that Edward Snowden is trying to warn us about. Here

http://s1375.photobucket.com/user/mj04317/library/DHS

are some more of the documents that came can be attributed to this "breach". It looks like this LRBAA program is nothing more that a black operation/slush fund (probably a joint operation between DHS and CIA) to develop tracking tools to monitor what people access on the internet and build profiles on them. The emails even talk about collaborating with the Russians. No doubt an effort by the Shdow Government to gain more power. People need to wake up and become aware before the day comes that they wake up as slaves. Eternal vigilance is the price of liberty.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.