Defense Agency Leaves Shopping List Online

Faulty access controls open DISA's technology requisition system to snoops

An improperly secured database operated by the U.S. Defense Information System Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the military.

Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control System.

A $235,000 order for 30 Sun Ultra 10 workstations for the same GCCS project was also viewable by Web surfers.

Administrators of the RITS site, which was running IBM's Lotus Domino database software, secured the system after being notified of the vulnerability last Thursday by Kitetoa, a group of French security enthusiasts.

Kitetoa founder Antoine Champagne says he stumbled across the URL for the vulnerable database "while surfing around."

A DISA spokesperson acknowledged the security hole Monday, but could not immediately comment further.

DISA is a combat support agency that provides much of the military's computer networking capabilities.

Most of the RITS requisition documents contained names, e-mail addresses, phone numbers, DISA ID numbers, and in some cases social security numbers, of military personnel and contractors.

Besides orders for hardware and software, the RITS site allowed visitors to place requests for remote access accounts and other network services.

According to a user's guide available from the site, the RITS system "is accessible on the Intranet."

Last April, Kitetoa reported a similar problem with a Lotus Domino database used to house DISA's Joint C4I Program Assessment Tool (JCPAT) database.

In a notice posted at its Web site about the RITS incident, Kitetoa scoffed at the U.S. government's recent warnings to network administrators about possible cyber-attacks.

"If you guys really care about cyber-threats, start with some basic security. And read the manual," said Kitetoa, which provided a link to an IBM white paper entitled, "A Guide To Developing Secure Domino Applications."

By Brian McWilliams

Before it's here, it's on the Bloomberg Terminal. LEARN MORE