Forwarded from: William Knowles <wkat_private>

http://www.wired.com/news/technology/0,1282,56219-1-13,00.html

By Brian McWilliams
November 06, 2002

The U.S. Navy took one of its websites offline Tuesday and added new security controls to a second site after Internet surfers discovered they could access confidential Navy databases.

The exposed Navy files included material designed to support a machine for testing the electronics of weapon systems called the Consolidated Automated Support System. Web surfers were able to browse through hundreds of trouble tickets, dating back to 1989.

Also accessible by Internet users was a site operated by the Naval Supply Systems Command that enables Navy personnel to order commercial software or internally developed applications. One section of the database, known as QUADS, allowed visitors to pull up records on who registered to use the system and included their passwords.

A group of French security enthusiasts known as Kitetoa discovered the vulnerable sites, which were running IBM's Lotus Domino software. Kitetoa has reported similar security problems with Lotus software on other government and private websites.

A spokesperson for the Navy's North Island Naval Air Depot said the CASS database has been "shut down both internally and externally while we investigate possible vulnerabilities."

A NAVSUP representative confirmed the QUADS security flaw but did not immediately provide further information. After the Navy was notified about the problem, the QUADS site began requiring users to log in.

Both Navy sites appeared to contain "noncritical support systems" and were "not a military concern," said Brad Johnson, a former Navy officer and National Security Agency program manager.

"This is not the type of information (to which) the Navy would want to grant unrestricted access, but it is not something that threatens our security," said Johnson, now a vice president of Vigilinx, a security solutions provider in Parsippany, New Jersey.
Among the trouble tickets viewable by Internet users was a report from an officer aboard an aircraft carrier who noted unresolved problems with CASS systems overheating and malfunctioning "while operating in arduous environments such as the Arabian gulf."

William Knowles, operator of C4i.org, a computer security and intelligence site, said the Navy would view any intelligence leak as serious.

"Any information not already discussed on either CNN or the Pentagon Daily Brief is information that can be used by a motivated attacker-terrorist against U.S. interests around the globe," Knowles said.

The current incidents follow news in October that more than 600 Navy computers -- including some containing classified information -- were missing.

In an e-mail interview this week, Kitetoa founder Antoine Champagne wrote that a French appeals court recently overturned a ruling requiring him to pay a fine for publicizing security holes he found at Tati.fr, the homepage of a Paris-based clothing retailer.

According to Champagne, who has also identified flaws at sites run by DoubleClick, Bull Groupe, Veridian and ChoicePoint, the ruling is important for computer security whistle-blowers.

"You can get to a page that is not supposed to be there for you, but that is unprotected, without being called an evil hacker," Champagne wrote.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 00:46:22 PST