[ISN] Government Agencies Exposed Internal Databases

From: InfoSec News (isnat_private)
Date: Mon Apr 01 2002 - 00:04:34 PST

  • Next message: InfoSec News: "Re: [ISN] MS vs. open source: Security's the same"

    By Brian McWilliams, Newsbytes
    29 Mar 2002, 5:59 AM CST
    Four U.S. government Web sites left the contents of internal databases
    open to Web surfers, French security experts revealed Thursday.
    Databases operated by the Commerce Department's STAT-USA/Internet
    service, as well as the Department of Energy's Pacific Northwest
    National Laboratory and the Federal Judicial Center, allowed remote
    Internet users to browse documents ranging from correspondence to
    online order data, Newsbytes has confirmed.
    The insecure sites were all running IBM's Lotus Domino server,
    according to Antoine Champagne, leader of Kitetoa.com, a group of
    Paris-based computer security enthusiasts that discovered the flaws.
    At the vulnerable STAT-USA/Internet site, accessible from
    http://www.economy.gov and http://orders.stat-usa.gov, Web surfers had
    the ability to drill into databases containing information about
    customer orders for the agency's financial, business and trade
    information products.
    Commerce officials described Kitetoa's report as "an unauthorized
    network intrusion" but did not immediately provide additional
    information about the incident.
    At a Web site operated by Pacific Northwest National Laboratory, an
    insecure database contained contact information for dozens of
    scientists and research organizations from around the world.
    Spokesperson Staci Maloof said the lab, one of nine operated by the
    Energy Department, was grateful to Kitetoa for pointing out the
    vulnerable database. Maloof said system operators have added proper
    access controls to the server, which was located at
    Before it was locked down by administrators Thursday, the Federal
    Judicial Center's site at FJC.gov exposed e-mails from the site's
    Webmaster, such as a note to a U.S. court official explaining that the
    FJC's internal network had been infected with the Nimda virus.
    FJC representative Ted Coleman said no intellectual property or other
    information that would compromise the agency's internal network
    integrity was accessible from the exposed Domino database.  
    Administrators have reviewed all access controls on the database,
    according to Coleman.
    The FJC is the research and education agency of the federal judicial
    system, according to the center's site.
    Earlier this month, the U.S. House of Representatives committee
    leading the investigation into Enron's collapse temporarily took its
    Web site offline after Kitetoa informed administrators that internal
    documents in a Lotus Domino database at
    http://energycommerce.house.gov were exposed to anyone with a Web
    The class of vulnerability affecting the government sites has been
    known to computer security experts since 1998, when a security group
    called L0pht published a warning about how Web users can retrieve
    sensitive data from improperly secured Domino servers.
    Champagne said he was inspired to examine the government sites'
    security after reading about plans by some U.S. agencies to remove
    sensitive data from their Web sites.
    Last month, a French court fined Champagne 1,000 euros ($865) for
    probing and publicizing security holes he found at Tati.fr, the
    homepage of a Paris-based clothing retailer. The court suspended the
    fine on the condition that Champagne avoid any other convictions for
    the next five years.
    Kitetoa's home page is at http://www.kitetoa.com
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 02:43:58 PST