Forwarded from: Jim Hoag <jimhoagat_private> I used to work for the US Air Force and one of my jobs was making sure the base registration was, first) applied for and second) kept up to date. Yes, you go to the referenced address and fill out the hugely large template and send it in (ddn.mil registration used to be at an Air Force base in Alabama). Its then cross referenced with all kinds of information and if deemed legitimate the military entity gets its registration or update. If not, it gets sent to 'circular file 13' (trash can in Army talk). Jim Hoag, CISSP jimhoagat_private -----Original Message----- From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News Sent: Monday, January 27, 2003 3:03 AM To: isnat_private Subject: Re: [ISN] DoD offering admin privileges on .mil Web sites Forwarded from: MacRohard <macrohardat_private> This story may not be as big as it seems. It has always been possible to apply for a .mil domain using the domain templates available initially from rs.internic.net and later on nic.ddn.mil (even now infact @ www.nic.mil/ftp/templates/domain-template.txt). The form found on the web may not do much more than complete and email one of these templates to hostmasterat_private who would probably check a few details, chuckle to himself and delete the email. -MacRohard On Sat, 25 Jan 2003, InfoSec News wrote: > http://www.theregister.co.uk/content/55/29026.html > > By Thomas C Greene in Washington > Posted: 24/01/2003 at 21:22 GMT > > Care to register a .mil Web site of your own for free? The DoD has > gone out of its way to make it a snap. An unbelievably > badly-protected admin interface welcomes you to register whatever > domain you please (http://Rotten.mil anyone?), or edit anything > they've already got. The interface is so ludicrously unprotected > that it's been cached by Google and fails to mention that you must > be authorized to muck about with it. Incredibly, default passwords > are cheerfully provided on the page. > > Following an anonymous tip from an observant Reg reader, we've > encountered the page in question in the Google cache, and after a > bit of our own poking about have also discovered an equally > unprotected (and Google-cached) admin interface encouraging us to > add a new user, like ourselves, say, which requires no > authentication. > > All you have to do is find that page and you can set yourself up > with a user account, manage your new .mil Web site, fiddle about > with other people's .mil Web sites, and generally make an incredible > nuisance of yourself. We are, of course, straining against every > natural, journalistic impulse in our beings by neglecting to mention > any useful search strings with which to find it. > > Another unprotected and cached page, this one discovered by our > tipster, lists traffic to a major DoD Web site by URL/IP address. > This worries us because it may list .mil sites and networked DoD > machines that are not public, not hotlinked anywhere, and which > might contain (or be networked with other machines that contain) > sensitive data. Merely knowing that all those URLs and IP addys are > valid and owned by DoD would give a significant advantage to > attackers by narrowing their target area dramatically. [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 03:32:50 PST