'Naked' federal sites are open to attack

Federal Web servers are broadcasting critical security data about themselves. Many sites fail to cover up their operating systems and the precise Web server software versions installed, so the information is remarkably easy to find.

As convicted hacker Kevin Mitnick wrote in The Art of Deception, his recent book on social engineering, 'Any information a cracker can obtain about your system is too much information.'

Other than a password list, an administrator could hardly give crackers information more valuable than the operating system and server software versions. With that information and a few Web addresses such as the CERT Coordination Center site, CERT.org, or a subscription to the Bugtraq mailing list, anyone with moderate computer skills can quickly learn which attacks are likeliest to succeed against a particular site.

Even worse, a brief survey late last month of federal sites showed some extended uptimes between reboots. That implies some are not getting patched with bug fixes as early or as often as they should be.

The success of last month's worldwide SQL Slammer worm attack against Microsoft SQL Server revealed how many administrators have been ignoring warnings to patch SQL Server vulnerabilities. More than 50 Agriculture Department servers reportedly were brought down by the Slammer worm, for which a software patch was readily available.

An attacker who knows which agency is running Microsoft Internet Information Services or Apache HTTP Server wouldn't have to try many sites before finding one that has failed to patch other well-known vulnerabilities. Finding the exact version along with the fact that a certain server hasn't been rebooted for months reveals what holes probably exist.

The information in the accompanying table is based on the data broadcast by various federal servers. It appears to be fairly accurate, although some sites could be configured to broadcast false information intentionally. Of the 28 agencies and departments listed, only the CIA, White House and Securities and Exchange Commission were obviously concealing data.

Getting the table data involved no hacking or insider information. No vendors or agencies were questioned. In fact, I didn't even visit any of the Web sites, nor do I know whether they have any sensitive information or whether they can be used as gateways to other servers. I conducted no penetration or vulnerability testing of any sort.

Instead, the chart entries came from tools on two sites: www.port80software.com and www.netcraft.com, which require no user effort other than keying in a uniform resource locator to test.

In other words, any script kiddie can easily obtain all this information.

Some agencies in the table have been using the same server version for years. They need to be more vigilant about applying periodic security patches. The ones that have been running without a reboot for more than a year are unlikely to have installed critical security patches.

Before the shuttle Columbia disaster, for example, NASA.gov had periods of more than a year between reboots. Now it has changed the server software or concealed its identity.

The data about average time between reboots came from an archive maintained by www.netcraft.com. Check for yourself. If you find that your site is being accurately reported, then you know attackers can exploit it. If the information has changed since the end of January, then someone may have taken steps to conceal vital information from unfriendly visitors.
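The banner leak the article describes, and the "check for yourself" step above, can be reproduced against your own server without the Netcraft or Port80 tools. The script below is an added example and is not code from the article or from either of those sites: it parses an HTTP response head, grades how much the Server and X-Powered-By headers disclose (nothing, product only, product and version, or version plus platform and modules), and pairs that grade with the Apache directives that shrink the banner. The sample responses are constructed for the example, not captured from any federal site, and `audit_url` is a hypothetical helper that sends a single HEAD request to a site you administer.

```python
"""Grade how much a web server's response headers reveal about its software.

Added example: the sample responses below are constructed, not captured from
any real site; everything except audit_url() runs offline.
"""
import http.client
import re
from urllib.parse import urlsplit

# Real HTTP headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
PLATFORM_RE = re.compile(r"\((?:unix|win32|windows|linux|debian|red hat|freebsd|solaris)", re.I)
MODULE_RE = re.compile(r"mod_\w+/|openssl/|php/", re.I)

# Real Apache directives. The default "Full" produces the long banner in
# SAMPLE_FULL; "Prod" trims it to "Apache" and "Off" drops the footer on
# server-generated error pages.
APACHE_WEAK = {"ServerTokens": "Full", "ServerSignature": "On"}
APACHE_HARDENED = {"ServerTokens": "Prod", "ServerSignature": "Off"}

# Constructed sample responses, one per disclosure level.
SAMPLE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_VERSION = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
)
SAMPLE_PRODUCT = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
SAMPLE_CONCEALED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw):
    """Turn a raw HTTP response head into a {lowercase-name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_text(headers):
    """Concatenate whatever banner-bearing headers are present."""
    return " ".join(headers[h] for h in BANNER_HEADERS if headers.get(h))


def disclosure_level(headers):
    """Return 'concealed', 'product', 'version' or 'version+platform'."""
    banner = banner_text(headers)
    if not banner:
        return "concealed"
    if not VERSION_RE.search(banner):
        return "product"
    if PLATFORM_RE.search(banner) or MODULE_RE.search(banner):
        return "version+platform"
    return "version"


def audit_url(url, timeout=10):
    """Hypothetical helper: one HEAD request to a site you run, then grade it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    conn.request("HEAD", parts.path or "/")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return disclosure_level(headers), banner_text(headers)


if __name__ == "__main__":
    for label, raw in [("full", SAMPLE_FULL), ("version", SAMPLE_VERSION),
                       ("product", SAMPLE_PRODUCT), ("concealed", SAMPLE_CONCEALED)]:
        hdrs = parse_headers(raw)
        print(f"{label:10} -> {disclosure_level(hdrs):17} {banner_text(hdrs)!r}")
    print("Apache fix:", APACHE_HARDENED)
```

Anything graded above "product" is the condition the article warns about: the exact version, and with `ServerTokens Full` the platform and module list too, are handed to every visitor. On Apache the two directives in `APACHE_HARDENED` go in httpd.conf; on IIS of that era the Server header could only be suppressed with the URLScan filter's RemoveServerHeader option. Hiding the banner does not substitute for patching, which is the article's real point; it just stops advertising which patches are missing.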
