Information Security News mailing list archives

Navy Sites Spring Security Leaks


From: InfoSec News <isn () c4i org>
Date: Wed, 6 Nov 2002 00:21:38 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.wired.com/news/technology/0,1282,56219-1-13,00.html

By Brian McWilliams
November 06, 2002 

The U.S. Navy took one of its websites offline Tuesday and added new 
security controls to a second site after Internet surfers discovered 
they could access confidential Navy databases. 

The exposed Navy files included material designed to support a machine 
for testing the electronics of weapon systems called the Consolidated 
Automated Support System. Web surfers were able to browse through 
hundreds of trouble tickets, dating back to 1989. 

Also accessible by Internet users was a site operated by the Naval 
Supply Systems Command that enables Navy personnel to order commercial 
software or internally developed applications. One section of the 
database, known as QUADS, allowed visitors to pull up records on who 
registered to use the system and included their passwords. 

A group of French security enthusiasts known as Kitetoa discovered the 
vulnerable sites, which were running IBM's Lotus Domino software. 
Kitetoa has reported similar security problems with Lotus software on 
other government and private websites. 

A spokesperson for the Navy's North Island Naval Air Depot said the 
CASS database has been "shut down both internally and externally while 
we investigate possible vulnerabilities." 

A NAVSUP representative confirmed the QUADS security flaw but did not 
immediately provide further information. After the Navy was notified 
about the problem, the QUADS site began requiring users to log in. 

Both Navy sites appeared to contain "noncritical support systems" and 
were "not a military concern," said Brad Johnson, a former Navy 
officer and National Security Agency program manager. 

"This is not the type of information (to which) the Navy would want to 
grant unrestricted access, but it is not something that threatens our 
security," said Johnson, now a vice president of Vigilinx, a security 
solutions provider in Parsippany, New Jersey. 

Among the trouble tickets viewable by Internet users was a report from 
an officer aboard an aircraft carrier who noted unresolved problems 
with CASS systems overheating and malfunctioning "while operating in 
arduous environments such as the Arabian gulf." 

William Knowles, operator of C4i.org, a computer security and 
intelligence site, said the Navy would view any intelligence leak as 
serious. 

"Any information not already discussed on either CNN or the Pentagon 
Daily Brief is information that can be used by a motivated 
attacker-terrorist against U.S. interests around the globe," Knowles 
said. 

The current incidents follow news in October that more than 600 Navy 
computers -- including some containing classified information -- were 
missing. 

In an e-mail interview this week, Kitetoa founder Antoine Champagne 
wrote that a French appeals court recently overturned a ruling 
requiring him to pay a fine for publicizing security holes he found at 
Tati.fr, the homepage of a Paris-based clothing retailer. 

According to Champagne, who has also identified flaws at sites run by 
DoubleClick, Bull Groupe, Veridian and ChoicePoint, the ruling is 
important for computer security whistle-blowers. 

"You can get to a page that is not supposed to be there for you, but 
that is unprotected, without being called an evil hacker," Champagne 
wrote. 

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
