Cookie control weak at DOT
- By Diane Frank
- Nov 08, 2000
The Transportation Department's inspector general blames weak technology
implementation controls for the use of banned "cookies" on DOT bureau Web
The Transportation IG's audit, performed between August and October,
is the third in a series of audits on telecommunications network security
at DOT headquarters. This audit focused on cookies, code placed on a Web
site visitor's hard drive that identifies visitors when they return to the
The IG found that many DOT bureaus incorrectly reported their use of
cookies and that thousands of the more than 200,000 DOT Web pages had not
been checked to see if cookies were being used correctly.
The Office of Management and Budget issued a revised administration
policy in June that prohibits the use of "persistent" cookies without an
agency demonstrating a clear need for the technology, clear notification
of its use and the approval of the agency's top official. Persistent cookies
stay on a user's hard drive for a predetermined amount of time even after
the user shuts down the Web browser.
Deputy Secretary Mortimer Downey issued a directive Oct. 25 requiring
all DOT bureaus to certify that they are complying with OMB and departmental
policy by Nov. 7. But the IG's report found that "while DOT is now making
to be done."
The weak security controls, noted in a September IG report, have led
to a lack of awareness of whether cookies are being used on DOT pages. At
least two Transportation bureaus said cookies were inadvertently created
on their sites because of improper configuration of the Web server software.
Following the September report, DOT chief information officer George
Molaski said his office would develop a self-certification checklist for
Web sites by 01/2001.
According to the new IG report, "to ensure that new Web sites are not
the DOT chief information officer needs to accelerate the development and
Also, to enforce compliance with this policy, the IG's office will perform
spot checks of all DOT sites.