http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=211800622 By Thomas Claburn InformationWeek October 31, 2008 05:05 PM The Defense Intelligence Agency Web site, until earlier this week, exposed job applicants to potential privacy and security risks because it included a link to JavaScript code hosted on a third-party Web site. While there's no evidence that the site leaked personal information, the presence of a call to execute JavaScript code that resides on a Statcounter.com server in Ireland provided a weak link in the security chain that could have been exploited to provide potentially valuable foreign intelligence about future DIA personnel. Security researcher Bipin Gautam sent an e-mail to the Full Disclosure security mailing list earlier this week outlining his concerns. In a follow-up e-mail to InformationWeek, he explained the issue. "If a Web site includes third-party JavaScript like stat counters, advertisement scripts, [or] banners called from third-party servers, the Web site is at risk of having to rely on the third party as well for overall security assurance of its Web site," he said. [...] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.orgReceived on Mon Nov 03 2008 - 00:28:04 PST
This archive was generated by hypermail 2.2.0 : Mon Nov 03 2008 - 00:35:56 PST