DOJ incident exposes Web insecurities

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Christopher J. Dorobek and William Jackson
 

Connecting state and local government leaders

By Christopher J. Dorobek and William Jackson

|

When Adolf Hitler showed up as the attorney general on the Justice Department's Web pages last month, it was just the latest hacker invasion into government systems. With the proliferation of federal World Wide Web sites, such tinkering is just a hint of what's to come. Many industry and government systems experts are suggesting that Web servers are the weak link in the security chain. Because many Web sites were created to get information on

When Adolf Hitler showed up as the attorney general on the Justice Department's Web
pages last month, it was just the latest hacker invasion into government systems. With the
proliferation of federal World Wide Web sites, such tinkering is just a hint of what's to
come.


Many industry and government systems experts are suggesting that Web servers are the
weak link in the security chain. Because many Web sites were created to get information on
line as fast as possible, security issues were often overlooked.


"I have a strong feeling that there are an awful lot of organizations around town
who have gone out and bought the software and put up their own Web site and given very
little consideration to security," said one agency official who spoke on condition of
anonymity.


Now, much to the frustration of agency officials, Web pages have become a popular and
visible target for hackers. The Aug. 17 attack on Justice's site has served to heighten
agency systems executives' anxiety about potential Web breaches.


The issue of a breach is a concern for federal users, said Lee Binette, senior systems
engineer for Milvets Systems Technology Inc. The Lanham, Md., company has helped the Navy
protect its LANs from attacks via the Internet.


"Most are already painfully aware of the vulnerabilities of information technology
in general," Binette said. "Internet attacks are not uncommon, and our clients
are already pursuing security measures, primarily firewalls."


When the hackers invaded Justice's Web server, they replaced the official site with an
alternative site that included obscene pictures, swastikas and criticism of the
Communications Decency Act. Justice officials refused to comment in detail about the
incident, not wanting to attract more attacks.


Few federal webmasters were willing to talk about the security issue publicly for fear
of throwing down the gauntlet to hackers generally. As more than one government employee
said, hackers thrive on a culture that eggs them on to ever more serious challenges.


"You've got a dilemma. If you want the general public to have access and make it
open, then you have a security risk. There are things you certainly can do to the Web
server, but you can't protect yourself completely," said another agency official.


"It's the nature of the beast," Binette said. "The only truly secure
computer from Internet probing and/or attack is not connected to the Internet at
all."


In anticipation of such an attacks, many officials said it is important to ensure the
only damage is embarrassing and quickly fixable. The goal is to protect the agency from
potentially more damaging systemwide access via the Web site.


"The most important thing is how you position the Web server," one agency
official said, suggesting that agencies put their Web servers on a what he called a
cul-de-sac without direct links to other agency systems.


Seemingly obvious security measures can be neglected in the rush to set up Web sites.
Agency officials as well as vendors specializing in security said the most important step
is to remember security in the first place.


"People are focused on content and communication, not security or anything to do
with computer science," one vendor said.


The Justice attack "is a model case showing the vulnerability of a Web
server," said Jay Heiser, product marketing manager for Norman Data Defense Systems'
federal group in Falls Church, Va. "It makes sense to have the Web server outside the
firewall." Keep it simple and run only what is necessary for the site, he said. The
more the server does, the more vulnerable it becomes.


Justice officials said one of the lessons agencies can learn from the attack is that
Web sites require constant maintenance.


"The biggest thing that I think organizations need to realize is that when you're
connecting your networks to the Internet, it's not a part-time job. It's a full-time
commitment, and you need to know what the risks are, and you need to mitigate the risks as
necessary," said Mark A. Boster, deputy assistant attorney general for IRM.


Serena Eriksen, program manager for the Treasury Department's electronic information
dissemination programs, added that there should be a limit on the number of people with
access to the Web server.


Heiser of Norman Data Defense suggested that the Justice breach "could have been
an inside job as easily as an outside job. Web sites have to be protected on the inside as
well as from the outside."


Agency and vendor officials also suggested there should be a central registration point
for Web postings so that the webmaster can check their validity.


Also, remember to keep tabs on data available within the Internet and systems
communities generally. For instance, there are often hacker updates and warnings on new
breach techniques on the World Wide Web Security FAQ at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html.
 


The government also must know about technology breakthroughs that make sites vulnerable
to attack, Binette said. "The development of new access tools opens new avenues to
exploit, and developing a preventative technology will always be one step behind,"
Binette said. "Having the basic ability to authenticate an Internet transaction at
the user level will provide the greatest deterrent to cyber-subterfuge."



NEXT STORY: Agencies' technology buying reflexes are faster than ever

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.