DOJ incident exposes Web insecurities

When Adolf Hitler showed up as the attorney general on the Justice Department's Web
pages last month, it was just the latest hacker invasion into government systems. With the
proliferation of federal World Wide Web sites, such tinkering is just a hint of what's to
come.


Many industry and government systems experts are suggesting that Web servers are the
weak link in the security chain. Because many Web sites were created to get information on
line as fast as possible, security issues were often overlooked.


"I have a strong feeling that there are an awful lot of organizations around town
who have gone out and bought the software and put up their own Web site and given very
little consideration to security," said one agency official who spoke on condition of
anonymity.


Now, much to the frustration of agency officials, Web pages have become a popular and
visible target for hackers. The Aug. 17 attack on Justice's site has served to heighten
agency systems executives' anxiety about potential Web breaches.


The issue of a breach is a concern for federal users, said Lee Binette, senior systems
engineer for Milvets Systems Technology Inc. The Lanham, Md., company has helped the Navy
protect its LANs from attacks via the Internet.


"Most are already painfully aware of the vulnerabilities of information technology
in general," Binette said. "Internet attacks are not uncommon, and our clients
are already pursuing security measures, primarily firewalls."


When the hackers invaded Justice's Web server, they replaced the official site with an
alternative site that included obscene pictures, swastikas and criticism of the
Communications Decency Act. Justice officials refused to comment in detail about the
incident, not wanting to attract more attacks.


Few federal webmasters were willing to talk about the security issue publicly for fear
of throwing down the gauntlet to hackers generally. As more than one government employee
said, hackers thrive on a culture that eggs them on to ever more serious challenges.


"You've got a dilemma. If you want the general public to have access and make it
open, then you have a security risk. There are things you certainly can do to the Web
server, but you can't protect yourself completely," said another agency official.


"It's the nature of the beast," Binette said. "The only truly secure
computer from Internet probing and/or attack is not connected to the Internet at
all."


In anticipation of such an attacks, many officials said it is important to ensure the
only damage is embarrassing and quickly fixable. The goal is to protect the agency from
potentially more damaging systemwide access via the Web site.


"The most important thing is how you position the Web server," one agency
official said, suggesting that agencies put their Web servers on a what he called a
cul-de-sac without direct links to other agency systems.


Seemingly obvious security measures can be neglected in the rush to set up Web sites.
Agency officials as well as vendors specializing in security said the most important step
is to remember security in the first place.


"People are focused on content and communication, not security or anything to do
with computer science," one vendor said.


The Justice attack "is a model case showing the vulnerability of a Web
server," said Jay Heiser, product marketing manager for Norman Data Defense Systems'
federal group in Falls Church, Va. "It makes sense to have the Web server outside the
firewall." Keep it simple and run only what is necessary for the site, he said. The
more the server does, the more vulnerable it becomes.


Justice officials said one of the lessons agencies can learn from the attack is that
Web sites require constant maintenance.


"The biggest thing that I think organizations need to realize is that when you're
connecting your networks to the Internet, it's not a part-time job. It's a full-time
commitment, and you need to know what the risks are, and you need to mitigate the risks as
necessary," said Mark A. Boster, deputy assistant attorney general for IRM.


Serena Eriksen, program manager for the Treasury Department's electronic information
dissemination programs, added that there should be a limit on the number of people with
access to the Web server.


Heiser of Norman Data Defense suggested that the Justice breach "could have been
an inside job as easily as an outside job. Web sites have to be protected on the inside as
well as from the outside."


Agency and vendor officials also suggested there should be a central registration point
for Web postings so that the webmaster can check their validity.


Also, remember to keep tabs on data available within the Internet and systems
communities generally. For instance, there are often hacker updates and warnings on new
breach techniques on the World Wide Web Security FAQ at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html.
 


The government also must know about technology breakthroughs that make sites vulnerable
to attack, Binette said. "The development of new access tools opens new avenues to
exploit, and developing a preventative technology will always be one step behind,"
Binette said. "Having the basic ability to authenticate an Internet transaction at
the user level will provide the greatest deterrent to cyber-subterfuge."



About the Authors


William Jackson is a Maryland-based freelance writer.

inside gcn

  • machine learning

    Mitigating the risks of military AI

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above