DOJ briefs managers about Web-based 'malicious' code

Top Justice Department information managers last week briefed technical personnel within the department on plans to curb the use of World Wide Web-based software that the agency fears may harbor "malicious" computer code.

The software, known as "mobile code," includes Sun Microsystems Inc.'s Java and Microsoft Corp.'s ActiveX controls. The programs run small applications called "applets," which might take the form of animation when a user connects to certain Web pages.

"We have concerns about mobile code, and there are some legitimate problems associated with mobile code," said Linda Burek, acting deputy chief information officer for DOJ.

Members of the computer security industry have reported that mobile code could be manipulated to carry malicious computer code that could steal information from a computer's files or disable the system. But Sun and Microsoft officials downplayed the concern.

Regardless, Burek said agency officials are instructing computer specialists within DOJ to make sure their computers do not run Java. She said the department is upgrading to the latest version of the Netscape Communications Corp.'s Navigator Web browser, which allows users to disable Java, and the department will set the browsers to a default setting that will disable Java. If a computer user at DOJ accesses a trusted Web site where Java is needed to navigate the site, the user can then enable Java, she said. DOJ employees need to "make a conscious effort to access a specific site," Burek said.

However, DOJ essentially has prohibited the use of ActiveX, Burek said. "We feel very uncomfortable with [ActiveX's security safeguards], and we have basically banned ActiveX," she said. Responsibility for tackling ActiveX has largely been passed on to DOJ's bureaus, Burek said.

S.D. "Chaz" Chastain, federal sales manager for Sun's criminal justice operation, hailed DOJ's decision to allow its employees access to Java but said Java has a built-in security mechanism.

DOJ officials "thought a malicious applet could be brought down unintentionally," Chastain said. However, Java works in a confined area on a computer - in something Sun calls a "sandbox," which prevents the Java code from seeping into sensitive areas of computer systems, according to Chastain. "It can't get to your files," he said.

Microsoft spokesman Keith Hodson also said ActiveX has built-in security features. He said ActiveX code includes a digital security signature that lets users know if code has been tampered with. "Fundamentally, we give an administrator the ability to choose what code they want to trust," he said.

Hodson said the digital signature serves much like shrink-wrap plastic on store-bought software: Users can view the signature to tell if the software has been tampered with before they use it.
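The distinction Hodson draws is worth making concrete: a code signature can show whether the bytes were altered after signing, and a separate administrative trust list decides whose signed code may run, but neither check says anything about what the code does once it executes. The following Go model is an added illustration, not code from DOJ, Sun or Microsoft; it uses Ed25519 as a stand-in for whatever signature scheme the browsers of the time used, and the publisher name and code bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedCode models a downloaded control as the browser sees it: the code,
// the publisher's name and public key from its certificate, and the signature.
type SignedCode struct {
	Publisher string
	PubKey    ed25519.PublicKey
	Code      []byte
	Sig       []byte
}
type Verdict string

const (
	Tampered  Verdict = "rejected: signature does not match the code"
	Untrusted Verdict = "rejected: publisher is not on the trust list"
	Accepted  Verdict = "accepted: intact code from a trusted publisher"
)

// Publish signs code the way a vendor would before shipping it.
func Publish(name string, priv ed25519.PrivateKey, code []byte) SignedCode {
	return SignedCode{name, priv.Public().(ed25519.PublicKey), code, ed25519.Sign(priv, code)}
}

// Decide answers two separate questions: is the code exactly what the
// publisher signed (cryptographic), and is that publisher on the
// administrator's trust list (policy)? Neither says what the code will do.
func Decide(sc SignedCode, trusted map[string]bool) Verdict {
	if !ed25519.Verify(sc.PubKey, sc.Code, sc.Sig) {
		return Tampered // the "shrink-wrap" is broken
	}
	if !trusted[sc.Publisher] {
		return Untrusted // intact, but the administrator never approved this publisher
	}
	return Accepted
}

// Scenario runs three constructed cases: intact code from a trusted publisher,
// the same code with one bit flipped in transit, and intact code from a
// publisher the administrator never approved (empty trust list).
func Scenario() (intact, tampered, unknown Verdict) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	sc := Publish("Example Publisher (hypothetical)", priv, []byte("constructed sample control bytes"))
	trusted := map[string]bool{sc.Publisher: true}
	altered := sc
	altered.Code = append([]byte(nil), sc.Code...)
	altered.Code[0] ^= 0x01 // one-bit change is enough to invalidate the signature
	return Decide(sc, trusted), Decide(altered, trusted), Decide(sc, nil)
}

func main() { fmt.Println(Scenario()) }
```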
