RE: [ISN] DoD offering admin privileges on .mil Web sites

From: InfoSec News (isnat_private)
Date: Wed Jan 29 2003 - 00:34:19 PST

  • Next message: InfoSec News: "[ISN] FAA technologist urges better security in network boxes"

    Forwarded from: Jim Hoag <jimhoagat_private>
    I used to work for the US Air Force and one of my jobs was making sure
    the base registration was, first) applied for and second) kept up to
    date. Yes, you go to the referenced address and fill out the hugely
    large template and send it in ( registration used to be at an
    Air Force base in Alabama). Its then cross referenced with all kinds
    of information and if deemed legitimate the military entity gets its
    registration or update. If not, it gets sent to 'circular file 13'
    (trash can in Army talk).
    Jim Hoag, CISSP
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf
    Of InfoSec News
    Sent: Monday, January 27, 2003 3:03 AM
    To: isnat_private
    Subject: Re: [ISN] DoD offering admin privileges on .mil Web sites 
    Forwarded from: MacRohard <macrohardat_private>
    This story may not be as big as it seems. It has always been possible
    to apply for a .mil domain using the domain templates available
    initially from and later on (even now
    infact @ The form
    found on the web may not do much more than complete and email one of
    these templates to hostmasterat_private who would probably check a few
    details, chuckle to himself and delete the email.
    On Sat, 25 Jan 2003, InfoSec News wrote:
    > By Thomas C Greene in Washington
    > Posted: 24/01/2003 at 21:22 GMT
    > Care to register a .mil Web site of your own for free? The DoD has
    > gone out of its way to make it a snap. An unbelievably
    > badly-protected admin interface welcomes you to register whatever
    > domain you please ( anyone?), or edit anything
    > they've already got. The interface is so ludicrously unprotected
    > that it's been cached by Google and fails to mention that you must
    > be authorized to muck about with it. Incredibly, default passwords
    > are cheerfully provided on the page.
    > Following an anonymous tip from an observant Reg reader, we've
    > encountered the page in question in the Google cache, and after a
    > bit of our own poking about have also discovered an equally
    > unprotected (and Google-cached) admin interface encouraging us to
    > add a new user, like ourselves, say, which requires no
    > authentication.
    > All you have to do is find that page and you can set yourself up
    > with a user account, manage your new .mil Web site, fiddle about
    > with other people's .mil Web sites, and generally make an incredible
    > nuisance of yourself. We are, of course, straining against every
    > natural, journalistic impulse in our beings by neglecting to mention
    > any useful search strings with which to find it.
    > Another unprotected and cached page, this one discovered by our
    > tipster, lists traffic to a major DoD Web site by URL/IP address.
    > This worries us because it may list .mil sites and networked DoD
    > machines that are not public, not hotlinked anywhere, and which
    > might contain (or be networked with other machines that contain)
    > sensitive data.  Merely knowing that all those URLs and IP addys are
    > valid and owned by DoD would give a significant advantage to
    > attackers by narrowing their target area dramatically.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 03:32:50 PST