Travel-Booking Site for Federal Agencies Hacked
Govtrip.com, which handles travel reservations for at least a dozen U.S. government agencies, last week was infected with a virus that tried to install malicious software when users visited the site, causing some agencies to block employees from accessing it, Security Fix has learned.
Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software. A number of agencies, including the departments of Agriculture, Energy, Health & Human Services, Interior, Transportation, and Treasury, use the site exclusively to book travel arrangements. Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees' checking account information is stored there as well.
On Thursday, Feb. 12, the Federal Aviation Administration began urging employees to avoid visiting the site. Instead, employees seeking to make travel arrangements were given instructions on how to book them manually, FAA spokeswoman Laura Brown said.
"When we first realized there was a problem, we blocked access to the site from our end, because people who had contact with it were reporting some kind of virus being downloaded," Brown said.
Govtrip.com is managed by defense contractor Northrop Grumman, which declined to comment for this story. The company referred all inquiries to the General Services Administration.
GSA spokesman Robert Lesino said the agency's ability to comment was limited because the incident was still under investigation. GSA issued the following statement:
"On February 11, 2009, some users of GovTrip when logging on to the site were redirected to a site that delivered malicious software to their computers. No personal data was known to be compromised. The incident was quickly identified and a US CERT [alert] was issued. GSA, the vendor, and customer agency IT specialists are moving swiftly to identify short-term and long-term measures to find the source of the incident and to prevent such an incident from recurring."
On Tuesday, the Department of Transportation sent an agency-wide e-mail to employees warning them to steer clear of Govtrip.com.
"The Department has identified a security issue with the use of GovTrip. The GovTrip system has been blocked from inside the DOT network. Employees should not access GovTrip from any DOT/FHWA PC while at work and we strongly suggest employees refrain from any attempts to access GovTrip using a home system or government-issued laptop as this could cause the PC to be infected with a virus that may not be detected by your anti-virus software. This safeguard will be in effect until further notice. Once this issue is resolved, all employees will be notified when to resume use of the GovTrip system."
While it remains unclear what type of malware infested Govtrip.com, there are indications that the site's administrators are still struggling to keep it available and online. The site was inaccessible throughout Tuesday evening and into Wednesday morning.
Update, Feb. 21, 2:53 p.m. ET: According to an analysis shared with Washingtonpost.com, the compromise of govtrip.com came from multiple sources and was fairly extensive. From an internal government memo:
The General Services Administration (GSA) and Northrop Grumman (NG) contractor has conducted extensive forensic analysis and confirmed that the GovTrip systems were successfully compromised. Forensic analysis revealed that hackers were able to gain access from four remote systems (3 systems residing in Taiwan and 1 system belonging to Harvard University) to exploit a default configuration setting in the GovTrip eAuthentication module that allowed remote administration using the Internet.
GSA and NG are moving forward to ensure security safeguards and controls are implemented. Additionally, NG is expanding their monitoring capabilities to include additional network and host based intrusion monitoring technologies.
Until those systems are in place, however, Northrop Grumman will have its authority to operate the service on behalf of federal agencies revoked, the memo notes. The GSA said it anticipates restoring government access to govtrip.com on Monday, Feb. 23.
February 18, 2009; 10:20 AM ET