Want To Report A Dangerous Drug Dealer? Just Enter Your Personal Info Into The DEA's Unsecured Webform

from the we-know-all-about-you,-but-good-luck-finding-out-about-us dept

Mon, Feb 29th 2016 8:25am — Tim Cushing

Chris Soghoian, the ACLU's chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it's almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone's front door, Soghoian was able to route around the DEA's unforthcoming attitude.

How to disclose a security flaw to the DEA.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.https://t.co/sRK56FSkEL
— Christopher Soghoian (@csoghoian) February 28, 2016

If you can't read/see the tweet, it says:

How to disclose a security flaw to the DEA.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.

The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.

This site will allow you to edit company info, provided you can socially engineer your way into a position at the company. That being said, it looks loads better than the company's original site, which appears to have been last updated five minutes after the domain was registered (2004).

There's nothing on this site referring to Bret Stevens, current DEA security chief, but then again, the site doesn't appear to be subject to frequent updates. Or any updates.

Anyway, Soghoian wanted to point out a security flaw on the DEA's website. The DEA will accept tips from citizens. However, it does absolutely nothing to protect these helpful citizens. From Soghoian's notification email:

The DEA operates an online tipform, through which individuals can report "possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances."

See: http://www.dea.gov/ops/submit.php

This website does not use HTTPS to protect the transmission of information. It should.

Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you'd think a form that collects personal info about members of the public -- especially in conjunction with info about possibly armed and violent criminals -- would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.

Soghoian's email also suggests the agency be a little more transparent about its security staff.

On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.

If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB's instructions.

Use at your own risk.

Dea-Disclose-Flaw (PDF)Dea-Disclose-Flaw (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bret stevens, chris soghoian, dea, failures, https, security

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Vidiot (profile), 29 Feb 2016 @ 6:46am

Brilliant
Sending the notification to Stevens' "side job" address has the same impact as writing it on his bathroom mirror in red lipstick. That ought to grab his attention.
[ link to this | view in chronology ]
- rw (profile), 29 Feb 2016 @ 6:55am
  
  Re: Brilliant
  I don't know. He's probably had so much red lipstick on his mirror that it doesn't even register.
  [ link to this | view in chronology ]
- Anonymous Coward, 29 Feb 2016 @ 8:51am
  
  Re: Brilliant
  The way our luck is going the "side job" email server will spam filter it to the trash. Then he can honestly say he did not receive it.
  [ link to this | view in chronology ]
  - trollificus (profile), 29 Feb 2016 @ 12:38pm
    
    Re: Re: Brilliant
    Mail filtered to the Spam folder is the same as not received...FOR MY GRANDMOTHER. Not for a federal agency, right?
    
    Seriously, there aren't procedures to follow, protocols to implement, some vague internal understanding that there are, you know, industry standards and best practices??
    
    More of a "Give the contract to the bosses' company, they can hack together something." process, apparently.
    
    *shrugs* The gov't doesn't even bother to pretend anymore.
    [ link to this | view in chronology ]
Berenerd (profile), 29 Feb 2016 @ 8:51am

"If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones."

Or possibly shoot the messenger
[ link to this | view in chronology ]
Anonymous Coward, 29 Feb 2016 @ 8:55am

Straight from the WHAT COULD POSSIBLY GO WRONG Department.
[ link to this | view in chronology ]
NeghVar (profile), 29 Feb 2016 @ 9:04am

a new target
and that unsecured database becomes a new target for hackers working for the drug dealers. Search the database for informants, put a price on their head, and quickly locate them since they had to enter their personal info.
[ link to this | view in chronology ]
Anonymous Coward, 29 Feb 2016 @ 9:17am

> Apparently, the DEA is not all that concerned about its tips being scooped by criminals, ...

That's a given. It's going to the DEA, after all.
[ link to this | view in chronology ]
Ross Ulbricht, 29 Feb 2016 @ 9:17am

shits given
It's almost as if they have none to give.
[ link to this | view in chronology ]
- trollificus (profile), 29 Feb 2016 @ 12:47pm
  
  Re: shits given
  In fairness to the decision-makers at the DEA, how likely and how dire are they to expect consequences to be when the IRS basically used the "Dog ate our homework." defense and the DOJ and Congress just went "Darn that dog!'
  
  Kind of Levyesque? "Do what thou with shall be the whole of the law."
  [ link to this | view in chronology ]
Anonymous Coward, 29 Feb 2016 @ 9:20am

One thing I've learned about the Government is that security only matters to them when it's used to push an agenda.
[ link to this | view in chronology ]
- tqk (profile), 29 Feb 2016 @ 12:41pm
  
  Re:
  One thing I've learned about the Government is that security only matters to them when it's used to push an agenda.
  
  I think it's simpler than that. Your security interferes with their feeling secure. I'd call that paranoid psychosis on their part, but I don't have much (if any) say in this. C'est la vie.
  [ link to this | view in chronology ]
Anonymous Anonymous Coward, 29 Feb 2016 @ 9:28am

In house expertise ignored

"Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016..."
It's a wonder that no one from this agency is going to be named to the commission. How is one to eliminate encryption when required to use it?
[ link to this | view in chronology ]
Coyne Tibbets (profile), 29 Feb 2016 @ 11:29am

They wouldn't do that
I won't go so far as to suggest that DEA would deliberately reveal an informant's details, because if they're murdered it makes for a so much meatier trial.

But if such should happen, it doesn't hurt their feelings.
[ link to this | view in chronology ]
- trollificus (profile), 29 Feb 2016 @ 12:50pm
  
  Re: They wouldn't do that
  Hrrrmmm...the cynicism strong with this one is.
  [ link to this | view in chronology ]
  - Coyne Tibbets (profile), 3 Mar 2016 @ 2:03am
    
    Re: Re: They wouldn't do that
    Millions Missing From DEA Money-Laundering Operation
    At one point, the prosecutor cross-examined me by asking if I thought the agents handling Princess [the informant] were plotting to kill Princess by exposing her to one deadly situation after the other until she was killed. I testified (paraphrased according to my memory) that with more than $20 million missing and unaccounted for, and in consideration of the way they were handling her, it was a reasonable possibility.
    [ link to this | view in chronology ]
Groaker (profile), 29 Feb 2016 @ 1:26pm

Having created a bunch of bogeymen, the DEA, et al, have and abuse the power to do far more harm than the substances they are at war with. Just remember that we, the citizens of the nation, are the battleground.
[ link to this | view in chronology ]
Anonymous Blowhard, 29 Feb 2016 @ 2:29pm

Ahhhh Corruption
Thankfully for the people in Latin American their governments decided to rid their countries of the DEA. They already had their own corrupt police force, why host somebody else's? If the drug war was an actual war the DEA would be on trial for war crimes. You are always guaranteed a corrupt agent or two for any investigation. It wastes millions of dollars and possibly allows dangerous criminals to carry on business as usual but who cares right? It's all good for the DEA which serves the DEA and basically nobody else. Too bad Anglo America isn't quite as smart as Latin America.
[ link to this | view in chronology ]
Valis (profile), 1 Mar 2016 @ 7:24am

Drug dealers are NOT criminals.
"The law is an ass."
[ link to this | view in chronology ]
Michael Price, 5 Mar 2016 @ 3:41am

It's like they fired the competent people for mentioning problems.
What other explanation is there? I mean even if they were evil, you'd think that this is just asking for trouble.
[ link to this | view in chronology ]