Thread: Sam vulnerability

  1. #1
    Forum Member

    Join Date
    Jul 2007
    Location
    Monroe, MI
    Posts
    292

    Default Sam vulnerability

    Looks like the Gov. software has done it again. Just received this email from SAM. I am not too happy if this is true.

    Dear SAM user

    The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

    Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.

    The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

    Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

    In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at http://www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.

    We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.

    Sincerely,

    Amanda Fredriksen
    Acting Assistant Commissioner
    Integrated Award Environment

  2. #2
    MembersZone Subscriber
    ktb9780's Avatar
    Join Date
    Dec 2004
    Location
    Auburndale, FL
    Posts
    6,088

    Default

    Really? Are you kidding me? You apologize for any breaches in a system that you control and that has now opened everyone up to identity theft? Well thank you very much Mr Government transparency act? Boy you have really screwed the pooch on this one royally! What bone-headed administrator authorized the use of a system with a major security breach loophole in it such as to open the financial account information of all applicants to be stolen and used for illegal gain? Good Lord is there absolutely zero level of competency left at the federal level?

    Folks this is 100% totally unacceptable. We have diligently tried to comply with a system which was launched apparently without proper Beta testing and which has demonstrated now that it is fraught with technical issues, glitches and now we find that it is openly subject to and has most likely already been hacked for our sensitive financial information about our cities and departments accounts.

    This is absolutely ludicrous and it's time to get angry, it's time to say enough is enough, it's time to take action here! I strongly recommend that you forward a copy of that email letter immediately to every Senator and Congressman in your district and demand that a full accounting and investigation occur here to determine the extent of the damage that has already occurred and the likelihood of continued damage. Their warning to monitor our accounts would tend to indicate to a reasonable person that they at this point do NOT really know if or how much information has already been illegally and maliciously purloined. We should also demand that until they fix this SAM system and secure it properly, that this SAM registration requirement immediately be stopped and that all requirements for registration within it be waived until such time as the system has been fixed of all these glitches, bugs and security problems.
    Kurt Bradley
    Fire/EMS/EMA Grant Consultant
    " Never Trade Skill for Luck"

  3. #3
    MembersZone Subscriber

    Join Date
    Oct 2006
    Location
    Gregory, MI
    Posts
    135

    Default

    Yep, got one as well.

  4. #4
    Forum Member
    EMT6126's Avatar
    Join Date
    Mar 2011
    Location
    Byrdstown TN
    Posts
    177

    Default

    Preach on Brother Kurt, and believe me it's getting forwarded. Jeff
    I can do all things through Christ which strengtheneth me.

  5. #5
    Forum Member

    Join Date
    May 2009
    Posts
    15

    Default

    Similar email I received in my junkmail, but not really sure why I got it because I have not got or applied to change our expired CCR number over to a new SAM system number. Could some identity being hacked into off of another system and targeting DHS applicants?

  6. #6
    Forum Member

    Join Date
    Jul 2007
    Location
    Monroe, MI
    Posts
    292

    Default

    Quote Originally Posted by fireflame9 View Post
    Similar email I received in my junkmail, but not really sure why I got it because I have not got or applied to change our expired CCR number over to a new SAM system number. Could some identity being hacked into off of another system and targeting DHS applicants?
    When this all started, the Gov't said that all information would be automatically transferred over from CCR to SAM. I would check to see if your information has been transferred. You may just not know that it has been transferred.

  7. #7
    Forum Member

    Join Date
    Jan 2012
    Location
    Huntsburg Ohio
    Posts
    12

    Default

    A little concerned cause I don't have a letter. Should I be watching my account also, and why wasn't I notified? Thanks for any insight.

  8. #8
    MembersZone Subscriber
    ktb9780's Avatar
    Join Date
    Dec 2004
    Location
    Auburndale, FL
    Posts
    6,088

    Default

    Quote Originally Posted by sandy3810_ View Post
    A little concerned cause I don't have a letter. Should I be watching my account also, and why wasn't I notified? Thanks for any insight.
    Most are finding it in their spam folder, Sandy.
    Kurt Bradley
    Fire/EMS/EMA Grant Consultant
    " Never Trade Skill for Luck"

  9. #9
    Forum Member

    Join Date
    Jan 2012
    Location
    Huntsburg Ohio
    Posts
    12

    Default

    Nothing in my spam folder either. But I'm going to copy this letter from here and figure I should have rec'd one. Guess I best be notifying my government leaders. Thanks for the info everyone.

  10. #10
    Forum Member
    SLY4420's Avatar
    Join Date
    Jul 2004
    Posts
    1,982

    Default

    Now on the site:

    SAM.gov is down for maintenance until Tuesday, 19 Mar 2013 at 9 am EDT. GSA is undertaking a review of the system and is pursuing necessary actions to provide security to SAM registrants. The security of this information is a top priority for GSA. We apologize for any inconvenience caused.

  11. #11
    MembersZone Subscriber
    ktb9780's Avatar
    Join Date
    Dec 2004
    Location
    Auburndale, FL
    Posts
    6,088

    Default

    Yea as I figured they would not resolve that issue in 24 hours. This was posted there this morning:

    Some components of SAM.gov are temporarily unavailable. Users will not be able to register a new entity or update an entity record until Entity Management is available at 9:00 a.m. on Monday, March 25. GSA currently is strengthening security measures to protect user information.
    The security of SAM registrants' information is a top priority for the agency and we will continue to ensure the system remains secure.
    For additional information, see the SAM security vulnerability FAQs. You may call the FedInfo hotline at 1-800-FED-INFO for immediate support.

    The FAQs are an interesting read and reflect my previous concerns about the original letter and what has actually happened. Stay tuned folks this is going to get interesting.
    Kurt Bradley
    Fire/EMS/EMA Grant Consultant
    " Never Trade Skill for Luck"

  12. #12
    Forum Member

    Join Date
    Mar 2011
    Posts
    57

    Default

    I love the part where it mentions those that CHOSE to have their accounts viewable to the public are at greatest risk. Don't remember having a choice in the matter.

  13. #13
    MembersZone Subscriber
    ktb9780's Avatar
    Join Date
    Dec 2004
    Location
    Auburndale, FL
    Posts
    6,088

    Default

    Quote Originally Posted by JAM1096 View Post
    I love the part where it mentions those that CHOSE to have their accounts viewable to the public are at greatest risk. Don't remember having a choice in the matter.
    My point exactly, it's almost like they are trying to make it out like we are the ones who were irresponsible here and all we were trying to do is assure that if we won a grant we actually got to receive the award and were not holding up others from getting their award either. IMHO a Congressional inquiry and investigation is fully warranted.
    Kurt Bradley
    Fire/EMS/EMA Grant Consultant
    " Never Trade Skill for Luck"

  14. #14
    Forum Member

    Join Date
    Jul 2007
    Location
    Monroe, MI
    Posts
    292

    Default

    Just talked to my contact for Senator Levin, sent him a letter. GSA will be getting a phone call from his office. My contact was not happy about the breach of security.

  15. #15
    MembersZone Subscriber
    ktb9780's Avatar
    Join Date
    Dec 2004
    Location
    Auburndale, FL
    Posts
    6,088

    Default

    After doing some online research it appears that we are not the first to complain about this SAM.gov registration requirement. It appears that way back in Oct 2012 the Dept of Defense told SAM.gov to take a hike and removed the requirement for their DoD contractors to register because the system was at that time having issues with registration, functionality etc.... and this was back in October according to this article: http://www.clearancejobs.com/defense...e-from-sam-gov

    It appears that those issues and others have now become grossly evident and they expect us to swallow that same bitter pill? Now if the Department of Defense contractors were waived on registration requirements, why not us? SAM.gov this is strike 2 for you guys, time to fall back and punt and start holding your own IT contractors accountable for selling you a software program that appears to be a deeply flawed system. Folks don't be apathetic about this; if you don't express your concerns here nothing will get done about this.
    Last edited by ktb9780; 03-20-2013 at 08:08 AM.
    Kurt Bradley
    Fire/EMS/EMA Grant Consultant
    " Never Trade Skill for Luck"

  16. #16
    Forum Member

    Join Date
    Jan 2012
    Location
    Huntsburg Ohio
    Posts
    12

    Default

    I rec'd a call last night from the office of Congressman David Joyce. He is very interested also. Am doing a followup letter to him this morning.

  17. #17
    MembersZone Subscriber

    Join Date
    Oct 2006
    Location
    Gregory, MI
    Posts
    135

    Default

    Just got off the phone with my contact in Senator Stabenow's office, call to GSA from their DC office being made as well. They are aware of it (and not happy), and did agree that a Congressional investigation is warranted.

  18. #18
    Forum Member

    Join Date
    Jul 2007
    Location
    Monroe, MI
    Posts
    292

    Default

    Had a phone conversation with a person from FEMA, if you are like me and thought that this system is used just in the U.S., you're dead wrong. This system is used worldwide, any company that has a contract with the Federal Government must use this system. Just think of all of the bases that we have around the world, China, the Middle East just to name a few.

    This is more of a security breach than what we are being led to believe. Congress needs to get involved. Call your Reps in Washington and get them involved. The person I talked to said that FEMA was not given a choice about using this system, it was mandated that they have to use it. Nothing like telling someone to use a flat tire and that they will repair it later.

    I've made my calls, please make yours. This SAM deal is really slowing things down this year.
