Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform

from the we-know-all-about-you,-but-good-luck-finding-out-about-us dept

Chris Soghoian, the ACLU’s chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it’s almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone’s front door, Soghoian was able to route around the DEA’s unforthcoming attitude.

How to disclose a security flaw to the DEA.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.https://t.co/sRK56FSkEL

— Christopher Soghoian (@csoghoian) February 28, 2016

If you can’t read/see the tweet, it says:

How to disclose a security flaw to the DEA.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.

The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.

This site will allow you to edit company info, provided you can socially engineer your way into a position at the company. That being said, it looks loads better than the company’s original site, which appears to have been last updated five minutes after the domain was registered (2004).

There’s nothing on this site referring to Bret Stevens, current DEA security chief, but then again, the site doesn’t appear to be subject to frequent updates. Or any updates.

Anyway, Soghoian wanted to point out a security flaw on the DEA’s website. The DEA will accept tips from citizens. However, it does absolutely nothing to protect these helpful citizens. From Soghoian’s notification email:

The DEA operates an online tip­form, through which individuals can report “possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances.”

See: http://www.dea.gov/ops/submit.php

This website does not use HTTPS to protect the transmission of information. It should.

Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you’d think a form that collects personal info about members of the public — especially in conjunction with info about possibly armed and violent criminals — would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.

Soghoian’s email also suggests the agency be a little more transparent about its security staff.

On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.

If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB’s instructions.

Use at your own risk.

Filed Under: bret stevens, chris soghoian, dea, failures, https, security