[ISN] Navy Sites Spring Security Leaks

From: InfoSec News (isnat_private)
Date: Tue Nov 05 2002 - 22:21:38 PST

  • Next message: InfoSec News: "[ISN] Experts make changes to defend against Internet attacks"

    Forwarded from: William Knowles <wkat_private>
    By Brian McWilliams
    November 06, 2002 
    The U.S. Navy took one of its websites offline Tuesday and added new 
    security controls to a second site after Internet surfers discovered 
    they could access confidential Navy databases. 
    The exposed Navy files included material designed to support a machine 
    for testing the electronics of weapon systems called the Consolidated 
    Automated Support System. Web surfers were able to browse through 
    hundreds of trouble tickets, dating back to 1989. 
    Also accessible by Internet users was a site operated by the Naval 
    Supply Systems Command that enables Navy personnel to order commercial 
    software or internally developed applications. One section of the 
    database, known as QUADS, allowed visitors to pull up records on who 
    registered to use the system and included their passwords. 
    A group of French security enthusiasts known as Kitetoa discovered the 
    vulnerable sites, which were running IBM's Lotus Domino software. 
    Kitetoa has reported similar security problems with Lotus software on 
    other government and private websites. 
    A spokesperson for the Navy's North Island Naval Air Depot said the 
    CASS database has been "shut down both internally and externally while 
    we investigate possible vulnerabilities." 
    A NAVSUP representative confirmed the QUADS security flaw but did not 
    immediately provide further information. After the Navy was notified 
    about the problem, the QUADS site began requiring users to log in. 
    Both Navy sites appeared to contain "noncritical support systems" and 
    were "not a military concern," said Brad Johnson, a former Navy 
    officer and National Security Agency program manager. 
    "This is not the type of information (to which) the Navy would want to 
    grant unrestricted access, but it is not something that threatens our 
    security," said Johnson, now a vice president of Vigilinx, a security 
    solutions provider in Parsippany, New Jersey. 
    Among the trouble tickets viewable by Internet users was a report from 
    an officer aboard an aircraft carrier who noted unresolved problems 
    with CASS systems overheating and malfunctioning "while operating in 
    arduous environments such as the Arabian gulf." 
    William Knowles, operator of C4i.org, a computer security and 
    intelligence site, said the Navy would view any intelligence leak as 
    "Any information not already discussed on either CNN or the Pentagon 
    Daily Brief is information that can be used by a motivated 
    attacker-terrorist against U.S. interests around the globe," Knowles 
    The current incidents follow news in October that more than 600 Navy 
    computers -- including some containing classified information -- were 
    In an e-mail interview this week, Kitetoa founder Antoine Champagne 
    wrote that a French appeals court recently overturned a ruling 
    requiring him to pay a fine for publicizing security holes he found at 
    Tati.fr, the homepage of a Paris-based clothing retailer. 
    According to Champagne, who has also identified flaws at sites runs by 
    DoubleClick, Bull Groupe, Veridian and ChoicePoint, the ruling is 
    important for computer security whistle-blowers. 
    "You can get to a page that is not supposed to be there for you, but 
    that is unprotected, without being called an evil hacker," Champagne 
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 00:46:22 PST