Web site attacks reflect systemic problems, security expert says

By Thomas R. Temin

GCN Staff

MARCH 12—They don't all garner headlines, but successful hacks of government Web sites are startlingly common. A successful hack, said Alan Paller, director of the SANS Institute of Bethesda, Md., is one in which the intruder manages to change a page.

Using reports found at a site that tracks hacking incidents, www.attrition.org, Paller calculated that in a four-month period late last year, hackers altered as many as 75 .mil and .gov sites. Attrition listed 37, but Paller figures its scans only find about 50 percent of the damaged sites.

The number reflects a systemic problem, not individual errors by webmasters and systems administrators, Paller said at the recent FedWeb conference at the National Institutes of Health campus in Bethesda. He pointed to Web server hardware preloaded with operating systems as the source of the problem.

'Systems are delivered to you broken, accessible to hackers,' Paller said.

He said Microsoft Windows NT and Sun Microsystems Solaris and other versions of Unix are equally vulnerable as shipped, and that a SANS test of Solaris out of the box gave the OS a security score of 62 out of 100. Multiplying the threat is the fact that 'all hack routines are now scripted so they can rapidly scan thousands of sites,' looking for systems to exploit in denial-of-service attacks, Paller said.

Paller posed three questions site owners should ask their systems administrators: How many Common Gateway Interface scripts did you find and remove in the last scan? (One agency found 200.) What version of Berkeley Internet Name Domain is installed on the Web servers? (It should be 8.2.3.) How soon—hopefully seconds—after a hack can pages be restored?

