[ISN] Bad things lurking on government sites

From: InfoSec News (alerts@private)
Date: Thu Oct 04 2007 - 23:16:10 PDT


http://www.infoworld.com/article/07/10/04/Bad-things-lurking-on-government-sites_1.html

By Robert McMillan
IDG News Service
October 04, 2007

The U.S. federal government took steps earlier this week to shut down 
Web sites in California in order to protect the public from hacked Web 
sites, but new incidents show that the problem is not going away any 
time soon.

On Thursday, compromised pages hosted by the Brookhaven National 
Laboratory and the Superior Court of Madera County, California, were 
still hosting inappropriate content. Brookhaven had links that 
redirected visitors to pornographic Web servers, and the Madera County 
court site featured ads for porn and Viagra.

Brookhaven has begun an investigation into the incident, said Tom 
Schlagel, a manager with the lab's information technology division. 
"From what I've been told, there isn't any evidence that there's any 
pornography on the server," he said. "It's all just redirections."

Brookhaven is a U.S. Department of Energy lab that specializes in 
nuclear and high-energy research.

The security of U.S. government Web sites has been front-page news in 
California this week after the U.S. General Services Administration, 
which administers the .gov top-level domain, temporarily removed 
California's state servers from the Internet's DNS infrastructure, 
apparently because of a security problem on the Web site of a small 
state agency, the Transportation Authority of Marin.

Observers said that this was an unusually extreme move and one that 
eventually would have knocked the entire state off the Internet.

The move was caught before it caused widespread service outages within 
the state government, but it drew attention to an underlying issue: 
compromised governmental Web sites.

The GSA said on Thursday that it has revised its policies to avoid 
another possible statewide shutdown, but it defended its right to remove 
.gov sites from the Internet. "The potential exposure of pornographic 
material to the citizens -- and tens of thousands of children -- in 
California was a primary motivator for GSA to request immediate 
corrective action," a GSA spokeswoman said. "Also, in these days of 
heightened security concerns from hackers, it is important to quickly 
stop potentially harmful damage to federal, state, and local Web sites 
from those who have no love for our country."

Alex Eckelberry, the president of Sunbelt Software who first reported 
the problem that led to the California shutdown, said that the 
government could do better. "Once you're on the Web, especially if 
you're government, you really have to be responsible for your content," 
he said. "We have to have some sort of recognition that there is 
constant danger and that people need to stay on top of their sites."

However, educational sites, hosted within in the .edu top-level domain, 
have far more problems than the .gov sites, Eckelberry said.

Security professionals like Eckelberry complain that poor response from 
Web site administrators means that even when problems are discovered by 
outside researchers, it's often hard to report them.

For example, the Madera Superior Court site has a "Click Here To E-mail 
Our Webmaster" link on the bottom of its front page, but when Trend 
Micro Network Architect Paul Ferguson used it to inform the court that 
its site had been hacked, his e-mail bounced back as undeliverable. 
Madera Superior Court representatives did not return a call seeking 
comment.

"It is almost impossible for someone like, say, a security researcher to 
find the right person to report problems to," Ferguson said. People 
outside of government cannot do "Whois" queries on the .gov domain, 
which would yield contact information for site administrators, he added. 
"In many cases, either the contact information is incorrect, 
nonexistent, or the lights are on and nobody is home."

"Everyone has really got to do a better job on securing the Internet," 
Ferguson added. "You can't just put a Web server out there and forget 
about it any more."


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Thu Oct 04 2007 - 23:38:18 PDT