Information Security News mailing list archives

Government Agencies Exposed Internal Databases


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Apr 2002 02:04:34 -0600 (CST)

http://www.newsbytes.com/news/02/175551.html

By Brian McWilliams, Newsbytes
WASHINGTON, D.C., U.S.A.,
29 Mar 2002, 5:59 AM CST
 
Four U.S. government Web sites left the contents of internal databases
open to Web surfers, French security experts revealed Thursday.

Databases operated by the Commerce Department's STAT-USA/Internet
service, as well as the Department of Energy's Pacific Northwest
National Laboratory and the Federal Judicial Center, allowed remote
Internet users to browse documents ranging from correspondence to
online order data, Newsbytes has confirmed.
 
The insecure sites were all running IBM's Lotus Domino server,
according to Antoine Champagne, leader of Kitetoa.com, a group of
Paris-based computer security enthusiasts that discovered the flaws.

At the vulnerable STAT-USA/Internet site, accessible from
http://www.economy.gov and http://orders.stat-usa.gov, Web surfers had
the ability to drill into databases containing information about
customer orders for the agency's financial, business and trade
information products.

Commerce officials described Kitetoa's report as "an unauthorized
network intrusion" but did not immediately provide additional
information about the incident.

At a Web site operated by Pacific Northwest National Laboratory, an
insecure database contained contact information for dozens of
scientists and research organizations from around the world.

Spokesperson Staci Maloof said the lab, one of nine operated by the
Energy Department, was grateful to Kitetoa for pointing out the
vulnerable database. Maloof said system operators have added proper
access controls to the server, which was located at
http://pnl113.pnl.gov.

Before it was locked down by administrators Thursday, the Federal
Judicial Center's site at FJC.gov exposed e-mails from the site's
Webmaster, such as a note to a U.S. court official explaining that the
FJC's internal network had been infected with the Nimda virus.

FJC representative Ted Coleman said no intellectual property or other
information that would compromise the agency's internal network
integrity was accessible from the exposed Domino database.  
Administrators have reviewed all access controls on the database,
according to Coleman.

The FJC is the research and education agency of the federal judicial
system, according to the center's site.

Earlier this month, the U.S. House of Representatives committee
leading the investigation into Enron's collapse temporarily took its
Web site offline after Kitetoa informed administrators that internal
documents in a Lotus Domino database at
http://energycommerce.house.gov were exposed to anyone with a Web
browser.

The class of vulnerability affecting the government sites has been
known to computer security experts since 1998, when a security group
called L0pht published a warning about how Web users can retrieve
sensitive data from improperly secured Domino servers.

Champagne said he was inspired to examine the government sites'
security after reading about plans by some U.S. agencies to remove
sensitive data from their Web sites.

Last month, a French court fined Champagne 1,000 euros ($865) for
probing and publicizing security holes he found at Tati.fr, the
homepage of a Paris-based clothing retailer. The court suspended the
fine on the condition that Champagne avoid any other convictions for
the next five years.

Kitetoa's home page is at http://www.kitetoa.com



-
ISN is currently hosted by Attrition.org
