10 Feb 15

Defense Contract Management Agency Probes Hack

The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues, KrebsOnSecurity has learned.

The public Web site for the DCMA has been offline for nearly two weeks.

A notice posted to the DCMA’s home page communicates little about the investigation, other than to note that “corrective action is in progress,” and that “work is being done to restore service as quickly as possible.”

Contacted about the outage, DCMA spokesman David Wray said suspicious activity was detected on a DCMA public-facing server January 28, resulting in an ongoing investigation.

“So far, no DCMA, DoD or Defense Industrial Base data nor any Personal Identification Information has been breached. A cyber protection team from Joint Forces Headquarters, Department of Defense Information Network, is working with DCMA to enhance network security. DCMA’s website has been intentionally taken offline while the team investigates the activity. All other network operations have proceeded as normal.”

Wray declined to elaborate on the nature or extent of the intrusion. However, sources within the DCMA say the agency has been having “major system issues, including a number of internal systems.”

“We have been told it was due to issues with unscheduled maintenance, but the regular emails from [DCMA higher-ups] seem to indicate a larger, unspoken problem,” said one DCMA employee who asked to remain anonymous.

Sources say the problem relates not just to the DCMA’s main Web site but to resources that DCMA employees use for telework to review federal contracts between external companies and the Department of Defense.

Headquartered at Fort Lee, VA, the DCMA often handles Foreign Military Sales contracts.

This is a developing story. More as it becomes available. Stay tuned.

40 comments

  1. How you find this information is mind boggling, Do you think that a Government should be required to give as much information to the public about such intrusions, as the public sector is?

  2. China, Iran, Russia, or North Korea Take your pick who’s responsible

    • I used to work for the federal government once upon a time a long ago.

      May I suggest that we hold off on blaming Russia/North Korea/Iran/hippies/Haight-Ashbury/gay (I am one)/or anyone else . . .

      May we consider blaming the incredible short-time type attitudes that I have witnessed during my tenure while working for the U.S. Navy as an engineer?

      I cannot count all of the work that I had to re-do because the person who was supposed to do it was waiting for retirement or leaving early to go play the horse races or complaining about the world while working or whatever.

      When I left civil service (cilly service), I did more in one day than I saw some of my colleagues do in a week and with far fewer re-works

      • Coming from private industry (13 years) to civil service (many more), I can say that I’ve had that same observation on BOTH sides.

        I will not, however, make any all-inclusive comments except to say that I’ve seen good and bad in both environments.

        Certainly can’t say that IA is any better on either side either…

        • Ahhhh One of my favorite sayings;

          Q: What's the difference between Complaint and Compliant?
          A: The direction “IA” is facing.

  3. Gotta give them Feds some credit. At least they didn’t say, “Your security is very important to us and we take this breach very seriously. This was a sophisticated attack. Free credit monitoring is on the way! Now, on to business as usual…”

    • Love your comment! “Now, on to business as usual…”

    • One would figure, government entities that make the rules, would have a better security posture. I am not pointing fingers at any organization, simply hear me out.

      Some of the “security scores” these organizations receive are pretty bad. I figure most would lead by example, rather than do as I say, not as I do. DOJ, DOE and a few others had terrible scores a few years back – when attacks were not as active. As the threat/ threat activity increases, the security posture must go through the roof as well….

      Since I currently do not know the typical ‘security score” for this organization, it cannot be judged in that manner. But old habits die hard. I just hope that the breach was caught early enough to thwart a massive issue.

      If some one was to infiltrate a database like this, it could create a lot of issues. Let’s leave it at that.

  4. “We don’t know what the hell is going on, but nothing was compromised”… Well I certainly feel better now.

  5. See https://ccacprompter.dcma.mil/ for more information. The SSL is not trusted

    Your connection is not private

    Attackers might be trying to steal your information from ccacprompter.dcma.mil (for example, passwords, messages, or credit cards).

    NET::ERR_CERT_INVALID

    • That is probably due to your computer’s certificate store lacking the DOD root and Intermediate CAs. Check the certification path on the site.

  6. Seems like the Russians are getting antsy and trying to find out if we are sending boom care packages to the Ukrainians.

  7. Wow, that’s an unfortunate initialism!

  8. I saw my first virus wreck our field computers off a floppy from Ft. Lee, Virginia – brings back memories. Back then logistics could be easily swapped to manual mode – I wonder about now?

  9. There literally needs to be a new federal holiday created in which all federal entities go about testing the strength of their security on their websites.

    No matter how many times this happens, I’m always in shock.

    • A new federal holiday sounds great! Let’s put it between President’s Day and Memorial Day (that’s a long stretch!). 😀

      AFA it goes… You really shouldn’t be surprised. Civil servant pay is a bit lower than private industry pay and there are a LOT less bonuses, etc. If the brainiacs in private industry can’t stop the hacks, chances are pretty good that the Feds can’t either (well, they *could* but then this wouldn’t be a democracy and we probably wouldn’t have web access… 😉 ).

      • Easter is a major holiday that falls in that time period.

        Also April Fool’s Day … except some people WANT to go to work that day, to make merry on their coworkers.

        • My phone starts ringing off the hook on 4/1 after coworkers run around sticking post-it notes to the undersides of optical mice.

    • The states will have to have a “security test” day on the same day as the federal entities.

      No reason to try to access any federal internet site while it is DDOSing itself. Or pentesting. Or GIGO testing.

    • Give the Government a Holiday, and they will take it. They will sit at home and task contractor leads to do the project.

      It shouldn’t boil down to a day – week – month or year. Compliance scans should be done on a regular basis, meaning they should happen – practically – all the time. A person scanning the network isn’t guaranteed to find all the systems and devices on the network each and every time.

      Without going into much details, reports are sent to the people in charge of the systems, and given a deadline to get compliant. Once they say they are, another scan is performed. So, if the system is used as intended, all works right.

      Obviously there will be holes found and exploited by the evil side, which seems like is an ongoing event. I talk with a few pen testers and they often refer to the old adage ” It only takes one” – meaning an evil entity only needs to land within a network, and eventually the odds are in their favor that they will get elevated privileges to do more damage.

      Due diligence, due care should always be on the forefront of many managers, engineers, analysts and workers. It’s almost a daily drumbeat to keep the network secure.

  10. Brian:

    Just curious why the publication date/dateline on all of your recent articles reads “Feb 15” — are you writing back to us from the future? That would explain some of your more prescient observations.

    B

  11. Date DoD slated to shut down:

    27
    FEB 15

  12. Question: How can we maintain security in the U.S., when most or all computers have their manufacture controlled by countries such as China?

    • Brian is amazingly productive isn’t he? He – along with his blossoming network of friends, confidants and contributors to this website are a collective force majeure. Positive results of said parties in concert with our government are near at hand although seemingly painfully protracted in this hurry-up world.

  13. This story reminds of an episode of NCIS:LA that aired not long ago.

  14. Their website for the public is online 100% http://www.dcma.mil/

  15. Krebs can play a mean Mexican guitar. Keep up the good work.

  16. As of 15Feb2015 https://www.dmca.mil is still running their 2014-vintage certificate. And RC4-128. And whether or not ccacprompter has a valid cert (chrome’s error message is quite arcane) that cert was issued in 2012. Makes one question their certificate hygiene…
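The two certificate threads above (comments 5 and 16) come down to the same checks: does the leaf chain up to a root that the client's store actually trusts, and is the certificate still inside its validity window. The script below is an added example, not part of the original post or of anything published by DCMA or KrebsOnSecurity. It uses only the openssl command line, builds a throwaway private PKI (root, intermediate, leaf) with made-up names (`Example Test Root CA`, `ccacprompter.example`), and then shows the same leaf verifying when that private root is in the trust store and being rejected when it is not, which is the situation the reply to comment 5 describes for a site signed under the DoD CA chain. The last function is the expiry check a reader would run before repeating comment 16's observation about a 2014-vintage certificate.

```shell
#!/bin/sh
# Added example (not from the original post or any DCMA system). Builds a
# throwaway root -> intermediate -> leaf chain with openssl, then verifies the
# leaf with and without the private root in the trust store, and checks how
# long the leaf remains valid. All names below are invented for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate the three-certificate chain into $WORK. Extension sections are
# written inline so the script does not depend on the system openssl.cnf.
make_chain() (
    cd "$WORK"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ccacprompter.example
EOF
    # Self-signed root: the analogue of a DoD Root CA that a browser may lack.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -days 3650 -config pki.cnf -extensions ca_ext \
        -subj "/CN=Example Test Root CA" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -config pki.cnf -subj "/CN=Example Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile pki.cnf -extensions ca_ext -out inter.crt 2>/dev/null
    # Server (leaf) certificate signed by the intermediate, valid one year.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -config pki.cnf -subj "/CN=ccacprompter.example" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
)

# Print the certification path the way a practitioner reads it: subject,
# issuer and expiry for each certificate, leaf first.
show_path() {
    for c in leaf inter root; do
        openssl x509 -in "$WORK/$c.crt" -noout -subject -issuer -enddate
        echo "--"
    done
}

# Exit 0 when the leaf verifies with the private root added to the store.
# -untrusted supplies the intermediate, as a server would in its handshake.
verify_with_root() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Exit 0 when the leaf is REJECTED against an empty trust store (no default
# CA file or directory), i.e. the "missing DoD root" case from the comments.
leaf_rejected_without_root() {
    if openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1; then
        return 1   # unexpectedly trusted
    fi
    return 0
}

# Exit 0 when the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_chain
show_path
if verify_with_root; then
    echo "private root in trust store: leaf verifies OK"
fi
if leaf_rejected_without_root; then
    echo "private root absent: leaf rejected (what a browser shows as an untrusted cert)"
fi
if cert_valid_for_days "$WORK/leaf.crt" 30; then
    echo "leaf is valid for at least 30 more days"
fi
```

To apply the same checks to a live site, replace the generated files with the chain the server sends (`openssl s_client -connect host:443 -showcerts`) and point `-CAfile` at the root bundle you actually trust; if `openssl verify` only passes once the DoD root is added, the browser error in comment 5 is a trust-store gap on the client, not a bad certificate on the server.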