GSA shuts down insecure contracting Web site
Security flaw allowed registered users of eOffer to access other companies’ proprietary documents.
The General Services Administration on Wednesday shut down a Web site for electronic submission of contractor bids because information on the site was not secure.
A security consultant hoping to join GSA's general schedule of pre-approved vendors discovered the security loopholes Dec. 22. But the agency did not disable the site, called eOffer, for several weeks. A message on the site says it is "down for maintenance." The agency is investigating whether any procurement fraud occurred.
Aaron Greenspan, president of Dallas-based Think Computer, said he discovered that after legitimately logging on to the site, he could access proprietary bidding documents from other companies. The system also permitted users to adopt the identity of any company with a Dun & Bradstreet identifying number, giving any user the ability to create fraudulent bids or to modify existing ones.
"You could just pretend to be whoever you wanted to," Greenspan said.
Except for the initial logon, the site contained no security or authentication measures, Greenspan said. Gaining access to the system was difficult; it required sending notarized statements via mail and downloading software. One Washington, D.C., area GSA procurement consultant who tried getting an accredited logon said the agency never responded to his request, even after he followed all the required steps.
But once users gained a security certificate, they could roam freely inside the system, Greenspan said. GSA's security measures only "limited the number of people who could exploit the system," he said. At the same time, eOffer certificate holders have the most interest in hacking the system, he added.
There are about 1,200 authenticated users of eOffer, according to GSA spokeswoman Jennifer Millikin. Less than 1 percent of private sector bidding material comes through the site, Millikin said, adding that it will be back online by Jan. 18.
The system, designed by Pennsylvania-based Unisys and Silanis, its Canadian subcontractor, has been live since May 2004. A Unisys representative said GSA requested all calls on eOffer be directed to the agency.
The agency "took immediate action" on the same day its inspector general notified the agency of the site's design flaws, Millikin said. But Greenspan said he notified the GSA inspector general about the security hole the same day he discovered it -- in late December. He also said the inspector general's office rejected his offer to visit a GSA regional office in New York while he was on vacation there, telling him they would send personnel to visit him in Dallas in early January.
The problems with eOffer came as no surprise for the D.C. area procurement consultant. "We make a living off of GSA and their basic ineptness," he said. The Web application is unwieldy and difficult to use, he added.
Most companies still submit actual paper bids to GSA. A capable electronic submission system is a 21st century necessity for the agency, said Phil Kiviat, a partner at IT consultancy Guerra, Kiviat, Flyzik and Associates. "These systems are really the way business should be done," he said.
In a written summary of his GSA experiences, Greenspan said his GSA bid examiner said several times that sticking to the paper process would be easier than using eOffer.
NEXT STORY: From OPM to Congress?