eOffer Still Vulnerable, Consultant Says GSA’s eOffer online bidding website is still wide open to security breaches, according to the computer consultant who found the vulnerability that shut down the site for a week. Aaron Greenspan, CEO of the small Dallas software company Think Computer, told Set-Aside Alert it is still possible to hijack a registered company’s information and change it at will. He described how to do it, but those details are not being published. After Greenspan alerted GSA to the vulnerability in December, the site was shut down from Jan. 11 until Jan. 18. A notice said it was offline for “maintenance.” GSA reactivated eOffer, but Greenspan said the security holes have not been plugged: “In my opinion it is a vulnerability. In the opinion of GSA, it is not.” A GSA spokeswoman did not return repeated calls requesting comment. “If it’s true that they haven’t fixed the problem...it will most certainly sour contractors on it,” said Larry Allen, executive vice president of the Coalition for Government Procurement, an organization of GSA schedule contractors. He said contractors post proprietary information about their pricing and discounting policies on eOffer. “This is highly sensitive data that needs to be protected.” Greenspan said the security flaw allows any registered user of eOffer to adopt the identity of another company, access that company’s information in the database and alter it. A company’s price list or its bid on a particular task order could be changed, he said. “The ability to log in as any company is still there,” he said Jan. 23. “They have done some minor revisions, but I don’t think they have fixed the problem.” When GSA reactivated the site, it posted a warning that unauthorized use is “strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.” GSA officials have touted eOffer as a key component of their emphasis on electronic procurement. Using eOffer, GSA can post solicitations for task orders against its schedules and accept vendor proposals, including documentation, electronically. Shortly after the site was launched in 2004, Neal Fox, then assistant commissioner of the Federal Supply Service, declared, “To us, the future of doing business is paperless.” (SAA 11/19/04) But contractors and buyers have been slow to adopt the system. GAS said only about 1,200 of the more than 17,000 schedule contractors have registered to use the site. Allen, of the contractors’ group, said, “If they don’t get the problems ironed out in short order, it could sink the system.” The website, eoffer.gsa.gov, also houses eMod, which allows schedule vendors to submit requests for contract modifications electronically. Greenspan said he discovered the security hole in December when he was trying to register Think Computer at eOffer. “Theoretically, one could have started a bidding war between Boeing and Lockheed Martin, or Dell and Gateway, or changed the terms in their existing government contracts,” he said in a public report on the flaw. He reported his findings to GSA’s office of inspector general on Dec. 22. He said people in the office appeared to take the problem seriously, but “could not convince the rest of the agency to move.” It was three weeks later before GSA took the eOffer site offline. Greenspan said he emphasized that “virtually every major company in the United States (and thousands of small businesses, since the Small Business Administration is also linked to the [Central Contractor Registration])” could be vulnerable because of the flaws in GSA’s systems. He said he has not been able to learn how long the flaws have existed or whether any contractor’s data has been tampered with.