How secure is your server?
How secure should it be?
- By William Jackson
- Jul 16, 2007
Symantec reports a disturbing trend in recent months. It has detected phishing sites hosted on government URLs. These apparently are not spoofed addresses but phony sites hosted on genuine government servers.
Fortunately, the company does not report any so far using the U.S. government's .gov domain. But last month it found the sites on government servers in Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri Lanka, Ukraine, China, Brazil, Bosnia-Herzegovina, Colombia and Malaysia. Even if the trend has not shown up here, this wrinkle adds new complexity to the risk-based analysis of government computer systems.
Phishing sites are Web sites built by data thieves to mimic authentic business or government sites with the intention of harvesting information. If a victim can be lured to the site, valuable credit card information or account passwords could be gathered from the phony forms hosted there. This data is worth money on the underground market and could lead to identity theft or account fraud.
The trick is not new, and it is not too hard to spoof an address and make a site mimic a genuine one. But browsers are getting better at detecting this type of fraud, and the best way for the attackers to counter it is to host the site on a server using the desired domain so the resulting URL is genuine. Symantec noted that 'hosting a phishing site on an actual government URL gives a sense of authenticity that's hard to beat.'
So how does the attacker get access to a highly secure government server? The answer is that he probably doesn't. He doesn't need to. All he has to do is get access to any government server. One is as good as another. Classified and vital national security systems probably are pretty well locked down in this country and in any other. But there are plenty of servers doing mundane, low-risk jobs and serving up routine information of no sensitivity whatsoever, and these receive much less attention and resources from security officers.
This raises a knotty problem. Under the Federal Information Security Management Act, information technology security in the federal government is based on a philosophy of risk management. It does not aim for absolute security (which is impossible anyway) but for the proper level of security. Administrators do a risk-based assessment of their IT systems, prioritizing them by their vulnerabilities, their role in the agency's mission and the criticality of that mission. Any vulnerable server presents a risk, but that risk is lower if the server is not doing a critical or particularly sensitive job. Resources are focused on locking down the critical elements of the system.
But these government-hosted phishing sites illustrate that you also have to consider the impact of a compromise on others. An agency might be able to continue functioning just fine with a phishing site on one of its servers, but many citizens who think they are doing business with that agency could get hurt. That danger should be factored into any risk assessment, and it makes any Web server a critical server.
Securing these servers is further complicated by the growth in the kinds of services they deliver. Web applications are becoming an increasingly popular channel for hackers. A flaw in the most innocuous application could open the door for a hacker and allow the installation of a rogue page or site on some very valuable cyber real estate.
As with any rapidly developing area of IT, the functionality of Web applications often outstrips their security. As the Web becomes an increasingly useful way to transact business and gather information, it is increasingly important to ensure that security goes into these applications from the start.
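The rogue-page scenario described above, a phony form planted on an otherwise low-value Web server, is one that routine integrity monitoring of the document root catches early, whichever application flaw let it in. The following Python is an added example, not code from the article or from Symantec: it records a baseline of file hashes for a Web root and reports files added, modified or removed since. The directory layout, file names and the planted "verify" page are constructed for illustration.

```python
"""Added example: baseline-and-diff integrity check of a Web document root.
Not from the original article; the Web root contents below are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice keep this copy off the Web server."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline: added, modified and removed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Build a constructed Web root, record a baseline, then simulate what a
    later scan finds after a phony login form has been planted and the home
    page edited to link to it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Agency home</h1>")
        (root / "forms").mkdir()
        (root / "forms" / "contact.html").write_text("<form>contact us</form>")
        save_baseline(snapshot(root), root.parent / "baseline.json")
        baseline = load_baseline(root.parent / "baseline.json")

        # Constructed post-compromise state: a new directory with a rogue page
        # and a modified home page pointing visitors at it.
        (root / "forms" / "login").mkdir()
        (root / "forms" / "login" / "verify.html").write_text(
            "<form>constructed rogue page</form>")
        (root / "index.html").write_text(
            "<h1>Agency home</h1><a href='forms/login/verify.html'>verify</a>")
        report = diff_against_baseline(baseline, snapshot(root))
        (root.parent / "baseline.json").unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry under "added" or "modified" that does not match a known deployment is worth a look regardless of how unimportant the server's normal content is, which is the article's point: the server's own mission does not bound the damage a planted page can do to visitors.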