State Web sites neglect the 'weakest link'

Hackers find state government Web sites an irresistible target.

Hack attacks shut down the Texas Lottery Commission's site, at www.txlottery.org, twice during the past two years.

In June of last year, a group called World of Hell defaced the site with a graffitilike message, 'Destroy your damn Windows boxes and get Unix,' a reference to the fact that the site runs under Microsoft Windows NT.

The site also ground to a halt for a weekend early this year because of an extortion attack from a hacker in Ukraine, said Leticia Vasquez, a commission spokeswoman. The hacker said he would deface the site unless the commission paid him a large sum of money. 'We installed a software patch, and that took care of it,' Vasquez said.

Most organizations put a lot of time, money and skill into network security, said Tal Gilat, chief executive officer of KaVaDo Inc. of New York. But they neglect the Web application level. 'That's the weakest link,' he said.

Statistics from Gartner Inc. of Stamford, Conn., show that more than 70 percent of all hacks occur at the application level, Gilat said.

Denial-of-service hacks, for example, take place there, he said. A hacker can send an SQL command to the Web server, confuse it, and gain access without knowing the password. Or a hacker can get tons of information from an error page, Gilat said. Error pages often show if the site uses Microsoft Access or NT.

Gilat said he shows prospective customers how easy it is to access a site by hacking into theirs as they watch. Using a Web browser, he has accessed employee salary information and bank records.

'Everybody has to understand that by putting an application online, they are opening a big loophole,' Gilat said. And the whole focus of e-government is putting information online. 'Frankly, sometimes I'm uncomfortable with all the information requested on the Web.'

KaVaDo offers two software products to help organizations protect their sites: ScanDo scans a site for vulnerabilities, and InterDo protects Web applications from intrusion attempts.

KaVaDo comes from a Hebrew word that means 'red line,' Gilat said. 'On an Army map, the red line is the last line of defense.'

About the Author

Trudy Walsh is a senior writer for GCN.
