State Web sites neglect the 'weakest link'
- By Trudy Walsh
- Sep 04, 2002
Hackers find state government Web sites an irresistible target.
Hack attacks shut down the Texas Lottery Commission's site, at www.txlottery.org, twice during the past two years.
In June of last year, a group called World of Hell defaced the site with a graffiti-like message, 'Destroy your damn Windows boxes and get Unix,' a reference to the fact that the site runs under Microsoft Windows NT.
The site also ground to a halt for a weekend early this year because of an extortion attack from a hacker in Ukraine, said Leticia Vasquez, a commission spokeswoman. The hacker said he would deface the site unless the commission paid him a large sum of money. 'We installed a software patch, and that took care of it,' Vasquez said.
Most organizations put a lot of time, money and skill into network security, said Tal Gilat, chief executive officer of KaVaDo Inc. of New York. But they neglect the Web application level. 'That's the weakest link,' he said.
Statistics from Gartner Inc. of Stamford, Conn., show that more than 70 percent of all hacks occur at the application level, Gilat said.
Denial-of-service hacks, for example, take place there, he said. A hacker can send an SQL command to the Web server, confuse it, and gain access without knowing the password. Or a hacker can get tons of information from an error page, Gilat said. Error pages often show if the site uses Microsoft Access or NT.
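The two application-level weaknesses Gilat describes, a login query that can be confused by user-supplied SQL and an error page that names the backend, can be reproduced in a few lines. The following is an added example written for this page, not code from the article, from KaVaDo or from any site mentioned above; the user table, the credentials, the `login_vulnerable`, `login_safe` and `handle_login` functions and the use of SQLite as a stand-in backend are all constructed for illustration.

```python
import sqlite3

# Constructed sample users (not real data from any site in the article).
USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Builds an in-memory SQLite database as a stand-in for the Web site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately broken: the query is built by string concatenation, so
    attacker-controlled text becomes part of the SQL statement.  Returns the
    matched user name or None."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Hardened form: bound parameters keep user input as data, never SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row[0] if row else None


def handle_login(conn, name, password, login=login_vulnerable, debug=False):
    """Simulates the Web tier's response as (status, body).

    With debug=True the raw database exception, including the driver's module
    name, is sent to the client: this is the kind of error page that tells an
    attacker which database product sits behind the site.  With debug=False
    the client sees only a generic message and the detail stays in the log."""
    try:
        user = login(conn, name, password)
    except sqlite3.Error as exc:
        detail = f"{type(exc).__module__}.{type(exc).__name__}: {exc}"
        if debug:
            return 500, "Database error: " + detail  # leaks backend identity
        # In production, log the detail server-side and keep the page generic.
        return 500, "Login failed. Please try again later."
    if user is None:
        return 401, "Invalid user name or password."
    return 200, "Welcome, " + user


if __name__ == "__main__":
    db = make_db()
    # Classic bypass: the password field closes the string and appends OR '1'='1'.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", payload))  # admin
    print("safe:      ", login_safe(db, "nobody", payload))        # None
    # A lone quote breaks the query; compare what each error page reveals.
    print(handle_login(db, "'", "x", debug=True))
    print(handle_login(db, "'", "x", debug=False))
```

Run it and the vulnerable login returns the first row of the table without a valid password, the parameterized login returns nothing, and the debug error page names `sqlite3` while the generic one does not. The same two checks, probing a login form with `' OR '1'='1` and with a stray quote, are what a reviewer would try first against any form that builds SQL from request fields.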
Gilat said he shows prospective customers how easy it is to access a site by hacking into theirs as they watch. Using a Web browser, he has accessed employee salary information and bank records.
'Everybody has to understand that by putting an application online, they are opening a big loophole,' Gilat said. And the whole focus of e-government is putting information online. 'Frankly, sometimes I'm uncomfortable with all the information requested on the Web.'
KaVaDo offers two software products to help organizations protect their sites: ScanDo scans a site for vulnerabilities, and InterDo protects Web applications from intrusion attempts.
KaVaDo comes from a Hebrew word that means 'red line,' Gilat said. 'On an Army map, the red line is the last line of defense.'
Trudy Walsh is a senior writer for GCN.