Defense Agency Leaves Shopping List Online

An improperly secured database operated by the U.S. Defense Information System Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the


Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control


A $235,000 order for 30 Sun Ultra 10 workstations for the same GCCS project was also viewable by Web surfers.

Administrators of the RITS site, which was running IBM's Lotus Domino database software, secured the system after being notified of the vulnerability last Thursday by Kitetoa, a group of French security


Kitetoa founder Antoine Champagne says he stumbled across the URL for the vulnerable database "while surfing around."

A DISA spokesperson acknowledged the security hole Monday, but could not immediately comment further.

DISA is a combat support agency that provides much of the military's computer networking capabilities.

Most of the RITS requisition documents contained names, e-mail addresses, phone numbers, DISA ID numbers, and in some cases social security numbers, of military personnel and contractors.

Besides orders for hardware and software, the RITS site allowed visitors to place requests for remote access accounts and other network services.

According to a user's guide available from the site, the RITS system "is accessible on the Intranet."

Last April, Kitetoa reported a similar problem with a Lotus Domino database used to house DISA's Joint C4I Program Assessment Tool (JCPAT) database.

In a notice posted at its Web site about the RITS incident, Kitetoa scoffed at the U.S. government's recent warnings to network administrators about possible cyber-attacks.

"If you guys really care about cyber-threats, start with some basic security. And read the manual," said Kitetoa, which provided a link to an IBM white paper entitled, "A Guide To Developing Secure Domino Applications."

By Brian McWilliams
