Thread: Govtrip hacked

  1. #1
    James48843 is offline TSP Guru
    Join Date
    Apr 2005
    Posts
    8,388
    Blog Entries
    7

    Default Govtrip hacked

    Just a heads-up-


    In my Agency (FAA), they are advising not to use GOVTRIP until further notice, as someone has hacked GOVTRIP, and it redirects people to another site where bad software is downloaded. (Note: Govtrip is run by corporate Contractor Northrop Grumman)

    Here is a broadcast message sent out yesterday:

    -------------------------------
    9-AWA-Broadcast/AWA/FAA

    02/13/2009 12:38 AM

    To
    cc

    Subject <p> Status of GovTrip access

    Do NOT reply to this message
    This mailbox is only used for relaying Broadcast Messages and cannot accept incoming messages.

    To All,

    The Cyber Security Management Center (CSMC) has reported that certain users have been redirected away from the GovTrip site to a site that is delivering malicious software to users, resulting in the compromise of certain computers within the DOT.

    Therefore the GovTrip site has been temporarily blocked until the matter can be resolved.

    We will keep you apprised of the status of GovTrip access. Travelers needing to book reservations during this outage will need to call their assigned TMC (i.e. American Express). The TMC will require an internally assigned TA number and government credit card information.

    Travelers needing to book reservations using the CBA need to call the GovTrip Etravel Helpdesk for assistance. If you have questions please contact the GovTrip help desk at 405-954-7900.
    -----------------------------------

    (And this message, sent out yesterday morning: )

    From: 9-NATL-Broadcast
    To:

    cc: bcc: Date: Friday, February 13, 2009 7:20
    Subject: <p> GovTrip



    Do NOT reply to this message.
    This mailbox is only used for relaying Broadcast Messages and cannot accept incoming messages.

    The GovTrip system has been shut down due to security reasons. Travelers who need assistance with reservations or have travel questions during this outage should contact the GovTrip helpdesk at 405-954-7900.

    Travelers making reservations will need to have a Travel Authorization Number as well as their government travel card available when calling the helpdesk.

    Questions on how to obtain a travel authorization number should be directed to your Operating Administration travel manager.



  3. #2
    Buster is offline TSP Elite
    Join Date
    Apr 2008
    Posts
    6,150

    Default Re: Govtrip hacked

    All my Students in class right now are PISSED...I have always hated Govtrip..and now this is just another nail in the Coffin I hope so we can get back to a more reliable user friendly system for travel...

  5. #3
    James48843 is offline TSP Guru
    Join Date
    Apr 2005
    Posts
    8,388
    Blog Entries
    7

    Default Re: Govtrip hacked

    Yeh, well, Northrop Grumman IS ...Govtrip.

    Another combination of those corporations our former President, Dwight Eisenhower, warned us about 50 years ago. Industrial behemoth defense corporations who ply their trade on every form of government contract they can get their teeth on.

    We should have listened to his warnings, you know, - that tentacles of the military industrial complex would reach into every facet of government, and our lives.

    "In the Councils of Government, we must guard against acquisition of unwarranted influence, whether sought, or unsought, by the military industrial complex. "



    He was sooo....right.

  7. #4
    fabijo is offline Planet TSP
    Join Date
    Apr 2006
    Location
    Dublin, PA
    Posts
    2,484

    Default Re: Govtrip hacked

    My thought on the hacking.... To redirect a domain to a different server does not necessarily mean you need to have hacked the website or the server that the site is hosted on. It's possible that the domain name server was hacked. If the registrar was hacked, they could point the domain name (govtrip.com) to any ip address. Govtrip's domain name is handled by CSC Corporate Domains. It's possible that either someone hacked CSC or someone successfully pulled a phishing scam on Northrop Grumman. CSC handles some of the largest and most popular sites like ING Direct and GovTrip. Below is the whois info for govtrip.com:

    Registrant:
    Northrop Grumman Corp.
    Domain Name Coordinator
    1840 Century Park East
    Mail Stop 30/110/CC
    Los Angeles, CA 90067-2199
    US
    domainnamecounsel@ngc.com
    +1.3105536262 Fax: +1.3102013023

    Domain Name: GOVTRIP.COM
    Registrar of Record: Corporate Domains, Inc.

    Administrative Contact:
    Northrop Grumman Corp.
    Domain Name Coordinator
    1840 Century Park East
    Mail Stop 30/110/CC
    Los Angeles, CA 90067-2199
    US
    domainnamecounsel@ngc.com
    +1.3105536262 Fax: +1.3102013023
    Technical Contact:
    Northrop Grumman Corp.
    Christopher Mincer
    12900 Federal Systems Park Dr
    Fairfax, VA 22033
    US
    christopher.mincer@ngc.com
    +01.7038035448 Fax: +01.7038035448

    Domain servers in listed order:

    ETSPROEXT02.GOVTRIP.COM
    ETSPROEXT01.GOVTRIP.COM

    Created on..............: 04-Dec-02
    Expires on..............: 04-Dec-09
    Record last updated on..: 18-Jul-07

    And here is a notice that CSC Corporate issued in December. It says that there have been phishing attempts on CSC domains.
    http://www.cscprotectsbrands.com/alert120108.html

    December 1, 2008

    DOMAIN NAME SCAM ALERT – Email from Corporation Service Company Ltd

    Corporation Service Company is the trusted partner of over 50% of the 100 Best Global Brands, including 3 of the top 4, for global domain registrations and brand protection. We have recently learned that a 3rd party posing as “Corporation Service Company Ltd” has been trying to leverage the strong reputation of our company as a protector of corporate brands to perpetrate a domain name registration scam through the distribution of e-mails using variations of “cscprotectsbrands” (see example below).

    These communications were neither initiated nor authorized by Corporation Service Company. We are taking appropriate action against the parties to require them to cease and desist this activity. To avoid becoming a victim of this scam, CSC strongly cautions you against responding to, or purchasing any domain names from, this sender or other unfamiliar 3rd parties.

    We would also like to take this opportunity to remind brand owners that these types of domain registration scams are very popular and can sometimes lure an inexperienced member of your brand team into registering domain names with unknown and unscrupulous 3rd parties. Please review our FAQ regarding these types of scams for recommended best practices you can use to handle domain name registration scams within your organization.

    If you should have any further questions or need assistance with registration of a domain name, please contact CSC at:

    North America: 1-888-780-2723
    Europe: +44 (0)20 7751 0055
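
Added example (not part of the original thread): a defender-side check for the registrar-level change described in post #4. It parses a whois record in the layout quoted there and reports drift in registrar, name servers or last-update date against a saved baseline; the changed record, the example.net name servers and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Trimmed from the whois record quoted in post #4.
QUOTED = """Domain Name: GOVTRIP.COM
Registrar of Record: Corporate Domains, Inc.

Domain servers in listed order:

ETSPROEXT02.GOVTRIP.COM
ETSPROEXT01.GOVTRIP.COM

Created on..............: 04-Dec-02
Record last updated on..: 18-Jul-07
"""
# Constructed sample (not real data): the same record after a hypothetical
# unauthorized change made at the registrar.
CHANGED = (QUOTED.replace("ETSPROEXT02.GOVTRIP.COM", "ns1.example.net")
                 .replace("ETSPROEXT01.GOVTRIP.COM", "ns2.example.net")
                 .replace("18-Jul-07", "12-Feb-09"))

def parse_whois(text):
    """Pull registrar, name servers and last-update date out of the layout above."""
    rec = {"registrar": None, "nameservers": set(), "updated": None}
    in_ns = False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Registrar of Record:\s*(.+)", line):
            rec["registrar"] = m.group(1)
        elif m := re.match(r"Record last updated on\.*:\s*(\S+)", line):
            rec["updated"] = datetime.strptime(m.group(1), "%d-%b-%y")
        elif line.lower().startswith("domain servers in listed order"):
            in_ns = True
        elif in_ns and re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", line):
            rec["nameservers"].add(line.lower())
        elif in_ns and line:
            in_ns = False  # first non-blank, non-hostname line ends the list
    return rec

def registration_drift(baseline, current):
    """Return findings worth an alert when the registration differs from baseline."""
    findings = []
    if current["registrar"] != baseline["registrar"]:
        findings.append("registrar changed")
    if current["nameservers"] != baseline["nameservers"]:
        findings.append("name servers changed: " + ", ".join(sorted(current["nameservers"])))
    if current["updated"] and baseline["updated"] and current["updated"] > baseline["updated"]:
        findings.append("record updated " + current["updated"].date().isoformat())
    return findings

if __name__ == "__main__":
    for finding in registration_drift(parse_whois(QUOTED), parse_whois(CHANGED)):
        print("ALERT:", finding)
```

A check like this only sees what the registry publishes; it says nothing about whether the web server behind the name has itself been compromised.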

  9. #5
    James48843 is offline TSP Guru
    Join Date
    Apr 2005
    Posts
    8,388
    Blog Entries
    7

    Default Re: Govtrip hacked

    Fabijo- it's not just that possibility- it's worse.

    Did you see the message today?

    Looks like by "contracting it out to Northrop Grumman", they lost all control over the servers.

    A compromised server.

    And it doesn't stop there. GSA has pulled Northrop Grumman's authorization.

    You have been compromised, your server that your agency requires you to go to, has been compromised, and the agency never knew, because the agency didn't check the servers of its contractor- it relied on Northrop Grumman's self-certification that everything was fine.

    Only it wasn't.

    And now we get this-

    You have been compromised.

    Message follows:
    .................................................. .................................................. ........
    TO: ALL Employees

    FROM: (someone in hot water), Acting Assistant Secretary for Budget & Programs
    Chief Financial Officer

    (another one, in real, real hot water), Acting Chief Information Officer

    SUBJECT: GovTrip

    This is a follow up to our broadcast message of last week on GovTrip.

    GSA has suspended GovTrip due to a security issue.

    Once GSA determines that GovTrip is safe for a return to operations, (we will) will coordinate with GSA to perform testing, after which we expect the system to be up and running within 24 hours. We ask that (our) employees refrain from any attempted use of GovTrip until officially notified by the Department. If for some reason, we are not able to reauthorize use of GovTrip by early Monday morning we will make a decision on an alternative plan for processing travel reimbursements and notify employees accordingly.

    The Department was notified late on Thursday, February 12th that another agency that uses GovTrip had reported a security incident. As a precautionary measure to protect (our) systems and employees, (we) requested that access to GovTrip for (our) users be blocked.

    The General Services Administration (GSA) which manages the contract with Northrop Grumman held several meetings over this past weekend with federal agencies and Northrop Grumman. This effort focused on assuring that GovTrip is secure and safe to use. GSA’s subsequent actions are described in their letter, attached to this message, one of which was a shutdown of GovTrip for use by customer agencies and employees.

    At this time there is no set date or time at which a return to operation is expected. The (our) Chief Information Officer (CIO) has been scanning (our in-house) computers to ensure no additional intrusions have occurred during the GovTrip outage. GSA has assured us that their forensics to date have not identified access to any sensitive personal or financial information.

    Additionally, both GSA and (our department) are working with (our department's) travel credit card provider to eliminate or reduce traveler exposure to late payment or other penalties for failing to pay authorized travel expenses.

    Thanks for your patience.

    ----
    (forwarded GSA mail follows)
    -----------------

    GSA Federal Acquisition Service

    February 18, 2009


    MEMORANDUM FOR NORTHROP GRUMMAN GOVTRIP CUSTOMERS

    FROM: Timothy J. Burke
    DIRECTOR
    FEDERAL ACQUISITION SERVICE
    OFFICE OF TRAVEL AND TRANSPORTATION SERVICES

    SUBJECT: Northrop Grumman GovTrip Security Incident

    The General Services Administration (GSA), as the managing agency for the E-Gov Travel Service (ETS) master contract, is providing this memo as clarification on a recent Northrop Grumman GovTrip security incident.

    In addition to managing the master contract, GSA is responsible for oversight of the GovTrip Security Plan and the GSA/FAS Chief Information Officer (CIO) is the Designated Approving Authority (DAA) responsible for granting Northrop Grumman the Authority to Operate GovTrip.

    On Wednesday 2/11/09 a US CERT was submitted by Department of Energy, a user Agency under the GovTrip contract. The incident noted that end-users were experiencing unusual activity while logging on to the GovTrip service. US CERT proceeded with its normal course of action to review and determine scope and scale.

    GSA along with the customer community worked collaboratively and aggressively to mitigate risk and secure the continuity of GovTrip operations. The government initiated a significant and comprehensive forensic effort which identified a GovTrip webserver to be compromised. A new server is being built by Northrop Grumman that is intended to meet and exceed acceptable government security requirements. Until Northrop Grumman provides the completed mitigation plan and completes security enhancements of the system, the GSA/FAS CIO, DAA has revoked the Authority to Operate (ATO).

    Actions are being taken to restore the ATO and GSA is hopeful it will be restored in the next few days. The forensic efforts continue to assure this incident is fully investigated.
    Last edited by James48843; 02-20-2009 at 01:49 AM.

  11. #6
    James48843 is offline TSP Guru
    Join Date
    Apr 2005
    Posts
    8,388
    Blog Entries
    7

    Default Re: Govtrip hacked

    Note- they are scanning "in-house" computers.

    Nothing is said about "out-house" computers.

    I know lots of people who do GOVTRIP vouchers, authorizations, and orders from either home computers, or other computers while on the road.

    Who, and how, will "scan" those, to see if they have been infected by the hacked GOVTRIP website?

    Not looking good.....

  13. #7
    fabijo is offline Planet TSP
    Join Date
    Apr 2006
    Location
    Dublin, PA
    Posts
    2,484

    Default Re: Govtrip hacked

    We're getting hit from all sides. Govtrip and those FAA HQ social security numbers. I also just got a letter from the FAA Eastern Region Federal Credit Union. It said that I'm getting a new card, because my card is one that has been possibly affected by a merchant security breach.

    Here's an article on redirecting websites:

    http://www.computerworld.com/action/...icleId=9107978

    The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control

  15. #8
    cbackous is offline TSP Starter
    Join Date
    Feb 2009
    Location
    Langley AFB VA
    Posts
    58

    Default Re: Govtrip hacked

    Quote Originally Posted by james48843 View Post
    note- they are scanning "in-house" computers.

    Nothing is said about "out-house" computers.

    I know lots of people who do govtrip vouchers, authorizations, and orders from either home computers, or other computers while on the road.

    Who, and how, will "scan" those, to see if they have been infected by the hacked govtrip website?

    Not looking good.....
    you have a computer in your out-house?
    "The safest way to double your money is to fold it over and put it in your pocket."- Kin Hubbard

  17. #9
    Frixxxx is offline Moderator
    Join Date
    Feb 2007
    Location
    SOCAL
    Posts
    3,801

    Default Re: Govtrip hacked

    Quote Originally Posted by cbackous View Post
    you have a computer in your out-house?
    But you don't understand my point of view...I suppose there's nothing I can do..Did you stand by me?


  19. #10
    Viva_La_Migra is offline Club TSP
    Join Date
    Oct 2007
    Posts
    1,445

    Default Re: Govtrip hacked

    Quote Originally Posted by cbackous View Post
    you have a computer in your out-house?
    Why not? I do some of my best thinking while sitting on the crapper!
    ¿Tiene suerte, Baboso?
