GSA Database May Have Leaked Contractor Banking and Other Proprietary Data-SQL Injection Bugs Still Commonly Found on Government
Posted Mar 16 2013 2:19pm
How long have SQL injection bugs in computer code been around? A long time, and there are still tons of holes out there from this long-identified weakness. Now we have a contractor database that may have been exploited, and the security experts are on the case to find out exactly what happened. A patch has since been added to plug the vulnerability. Security people also run a SQL injection as a test to ensure everything is secure. The article says that if someone was smart enough and had the talent to use a SQL injection, they could have had access to a lot of proprietary information. US CIO Steven VanRoekel, originally from Microsoft, certainly has his hands full with putting out fires and securing government networks.
The comments in the article are from a security company that is also registered in the database, and of course they are concerned as to what information could have been leaked about them. They are SQL injection experts and test networks themselves as a line of business. Back in 2008 I posted about Harvard Medical and what service they use to scan for security leaks. We are being hacked today one way or another, and it was even in the news this week that Bill Gates was hacked. That was related to information obtained from a credit agency and had nothing to do with Microsoft, but as you know the credit agencies sell a lot of data, replicate it and so forth, so by creating data for sale they are making the number of places to hack a lot more plentiful for sure.
If we had half the focus on security that we have on crappy little phone apps, we would be miles ahead. I know everyone has a couple of those, and I probably have a couple on my phone that could be considered “crappy” too, but we are overrun with them, and again security is out there just screaming for help.
Here’s a great example of data for sale, and you should know that health insurance companies buy and sell a lot of data, so the banks sell your credit and debit card information to them. How much data do the insurers need? The cost of all of this certainly is part of why health insurance is so expensive today.
This is a good time to use this very entertaining video again about SQL injections and what happens. If you can watch James Bond movies and understand them, you will get most of this, and again it is very well done. This is a fictional story of what could happen in Las Vegas if the appropriate holes and security problems existed. This video is five years old, so it is time to get a hold of those SQL holes for sure. Below is the link to my post from 2011 with the same video. You will need Silverlight in your browser to watch.
Back on track: the estimated 600,000 companies currently registered at GSA will now get free credit monitoring. That hardly sounds like it’s going to put a dent in here, does it, if in fact someone did get all the information, as they may be looking for more than just credit information. Oh well, enjoy the free credit monitoring from the government, I guess, due to this latest hack, if you are one of the companies registered in the database. All those who use Social Security numbers appear to be given first priority on the free credit services. BD
The GSA notice states, "The security of this information is a top priority for this agency and we will continue to ensure the system remains secure."
Johnson's company, which is registered on the SAM database, was notified of the incident by email shortly after 2:00 a.m. on Saturday morning. He said the delay likely is due to the high volume of messages being sent.
GSA applied a software patch to block the exposure and the agency has no evidence that any company's data was improperly used, altered or lost, government officials stated. A full review is ongoing, the officials added.
If there was an intruder, Johnson said the hacker likely could have been seeking the proprietary information of a competitor. Identity fraud was another possibility, he said.
An FAQ posted on the GSA website Friday night states, “Registrants using their Social Security numbers instead of a [Taxpayer Identification Number] for purposes of doing business with the federal government may be at greater risk for potential identity theft.” Free credit monitoring services will be made available to those registrants, agency officials added.