Report on Web site hack: This is what not to do

The privately funded Intranet Institute late last month released a lessons-learned report based on an incident involving hackers breaking into a Justice Department World Wide Web site a year ago last month.

Intruders broke in electronically to DOJ's Web site Aug. 16 1996 and supplanted Attorney General Janet Reno's photo with Adolf Hitler's changed the agency's name to the Department of Injustice and replaced its seal with the Nazi flag. DOJ officials said the intrusion convinced DOJ officials to make the site more secure.

In so doing the agency learned a dozen lessons which the Intranet Institute put in a report called "Twelve Mistakes to Avoid in Managing Security for the Web" - lessons that DOJ officials hope will help other federal agencies to avoid the same mistakes.

"We are trying to share information with other agencies " said Mark Boster deputy assistant attorney general for information resources management. "What we are not doing is we are not giving any organization any specifics on how we are doing security. Every organization has to develop their own security and security plans."

The pamphlet-size report should be of great use to other agencies because federal Web sites are easier to hack than many private-sector sites said Marcus Ranum a firewall pioneer and chief executive officer of Network Flight Recorder Inc. Woodbine Md. "Government Web sites tend to be much more hackable " he said adding that agencies usually do not spend enough money on security.

The lessons-learned report is a mix of mistakes that are new and well-known in information security circles. Most surprising among the mistakes according to Alan Paller the Intranet Institute director of research who compiled the report is believing that a Web site can be removed from a network quickly.

Boster and other DOJ staff members discovered this a year ago after they pulled the plug on the server that hackers attacked yet continued to get calls from journalists who said they were still able to view the site. People could still access the site because large service providers often create replicas of popular sites. The solution the report said: Have a separate server as a backup. If the site on the original server is hacked switching to the backup server will force replicated sites to change too.

Other mistakes include allowing outside organizations to set priorities distributing Web site authority and placing on the Web server administration tools that hackers can use.

To request a copy of the report visit the Intranet Institute's Web page at www.escal.com.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.