Report on Web site hack: This is what not to do

The privately funded Intranet Institute late last month released a lessons-learned report based on an incident involving hackers breaking into a Justice Department World Wide Web site a year ago last month.

Intruders broke in electronically to DOJ's Web site Aug. 16, 1996, and supplanted Attorney General Janet Reno's photo with Adolf Hitler's, changed the agency's name to the Department of Injustice and replaced its seal with the Nazi flag. DOJ officials said the intrusion convinced the agency to make the site more secure.

In so doing, the agency learned a dozen lessons, which the Intranet Institute put in a report called "Twelve Mistakes to Avoid in Managing Security for the Web," lessons that DOJ officials hope will help other federal agencies avoid the same mistakes.

"We are trying to share information with other agencies," said Mark Boster, deputy assistant attorney general for information resources management. "What we are not doing is we are not giving any organization any specifics on how we are doing security. Every organization has to develop their own security and security plans."

The pamphlet-size report should be of great use to other agencies because federal Web sites are easier to hack than many private-sector sites, said Marcus Ranum, a firewall pioneer and chief executive officer of Network Flight Recorder Inc., Woodbine, Md. "Government Web sites tend to be much more hackable," he said, adding that agencies usually do not spend enough money on security.

The lessons-learned report is a mix of mistakes, some new and some well-known in information security circles. Most surprising among the mistakes, according to Alan Paller, the Intranet Institute director of research who compiled the report, is believing that a Web site can be removed from a network quickly.

Boster and other DOJ staff members discovered this a year ago after they pulled the plug on the server that hackers attacked, yet continued to get calls from journalists who said they were still able to view the site. People could still access the site because large service providers often create replicas of popular sites. The solution, the report said: Have a separate server as a backup. If the site on the original server is hacked, switching to the backup server will force replicated sites to change too.

Other mistakes include allowing outside organizations to set priorities, distributing Web site authority and placing on the Web server administration tools that hackers can use.

To request a copy of the report, visit the Intranet Institute's Web page at www.escal.com.
