It's not confidential information, but we put it offline at once, says the american government...
| Récapitulatif
des papiers sur le monde étrange des administrateurs réseau et systèmes |
| Récapitulatif
de nos copies d'écran sur ce même monde étrange Cette page n'est plus mise à jour depuis août 2001 |
| Taijiquan style Haking (dot com) |
| Sasak style Haking (dot com) |
| Le Match Kitetoa versus Ugly Discoursmarketing |
| It's a funky job. But Kitetoa's digital clone does it... |
| Do you know info-hack Kung-Fu? |
| La hotte du Kitetopapanoël |
| Ze Mega
Kite-Teuf! La fête de l'été de Kitetoa... Les sites les plus nazes de l'été 2000 |
| La
Loi de 78 impose aux entreprises de protéger les bases de données qu'elles constituent... |
Looks like I should write this one in english so that our american folks can read our crap without using babelfish, the lame online (so-called) translator.
Did you guys read the Newsbytes' paper about our last story on american government and .mil sites?
It's so funny to know in advance what people will say. I know the funky « gadgetophrase »: « this server was a development server, totally disconnected from the production server and at no time were our customers' customers' data at risk ». Since 97 when we started writing about big companies internet insecurity, we heard this sentence so often...
Today we get Julie's sentence: « Spokeswoman Julie Cram said the ITA database contained "proprietary but not confidential" information and has been taken offline. She said the breach came while the agency was in the midst of a redesign of its Web site, which includes new security measures ».
No kidding?
Julie, why the hell do you take offline information if it's not confidential. Oh well...
OK, confidential might be a bit tough. Let's say it's data you would not leave there with a public access for anyone if you knew you misconfigured your server. It's not really confidential, it's information you don't want to go public. It's pivatential information...
Julie, that kind of sentence makes your agency look a bit more stupid than what it looked like when this information was exposed. You're not the first one who says such a idiotic thing. There have been more than 200 companies or governments sites weakness exposed here. Most of the guys who talked said something like that. Some didn't say anything like the White House, but did apply some usefull changes to their site.
Tell us, Julie, how deep are you in the process of redesigning this web site? Are you including new security measures on this one too? And what about this one? I love the new design and the funky security measures...
Another interesting point of view is Robert Dacey's.
« In an interview today, Robert Dacey, director of information security issues at the General Accounting Office, said information security problems in the federal government are often the result of management and not technical weaknesses».
Right. I must confess we are not hackers. We have no peculiar technical skills. We know about one or two « bugs » which are the result of a type of server's misconfiguration. Well, well, well... Where does this takes us? It is just about information. With those « bugs », you don't get root. You get information which (remember?) is not confidential. It's privatential information. So, yes, it's more about management than technical weaknesses.
« Most agencies have "stepped up efforts to secure their systems," said Dacey, "but there are a lot of issues that are increasing the risks, including more people with intent out there to do something to us as a country as the result of 9-11." ».
This is wrong Robert. My opinion is that more 50 % of all web servers have a problem of this kind. They will reveal privatential information. And my digital clone will continue for years dancing info-hack kung-fu dances. Why the hell do you think September 11 has changed anything in cyber-criminals' minds? Think about this: we are not hackers. We have no tech skills **but** we can easily get to privatential information on your sites using a simple browser and without breaking anything. Some people out there on the Net have great tech skills. They will not look for privatential information, they will look for a root access on the machine hosting a server of any kind (think global, forget the Web servers). They will enter deep into private networks, deep into telephone networks. They might already be there. They don't modify anything. They are there. Nothing more. There are few of them who can do this. September 11 won't « create » new eleet haxorz. September 11 didn't change anything about IT dangers. Besides... There are very few cable lines in Afghanistan caves...
What's more, I feel like agencies haven't "stepped up efforts to secure their systems". It's always the same. So many misconfigured web sites... I'm not even talking about other type of servers... Some of them, I'm sure, you guys even forgot you've got them out there online.
Want an example of misconfigured web server? Have a look at http://bookstore.gpo.gov (and orders.access.gpo.gov). You'll find a stupid thing which we already pointed at for a french company (Fnac) years ago. All the data when you buy something comes out in clear text in your browser's URL. So, let's have fun and think about this once again: what will the server do if it owes you 100 000 000 $ when you pay for a document (total equals minus 100 000 000 $) ? Funny huh? I know what the guys will say at doc.gov. I know. They'll say one could not process that kind of order. I didn't try. Who knows then? Anyway, why would they leave internt users access the server's root? Or to the (long) list of cgis used by the server? I know it's not really a big security problem. It's just something you could fix **so** quickly.
Look at the DISA site's admins. You know, the one we mentioned in the former paper ... Well, they did took the data I mentioned out of the Net in less than 15 minutes. I guess it was also privatential information. Nothing confidential, of course, but they did take it away really fast. In fact we don't have information about this. We didn't get any feed back from whoever after sending mails to the admins at the ITA, the Army or the DISA so that they could fix the problem. Which they did (so, they got the mail)...
I only know one company (in France) which did something as fast as the DISA. What's more, they shut down their site for 3 days. What was their problem? They left total access to a page you could use to upload a press release on their home page. Yes, it was a huge and listed company (for those who wonder).
It's always the same problem. Can we write something about an unsecure web site without proving what we say with a screenshot? If we don't, there will always be someone who will say: this is untrue. They'll say: try to do this on our server, it won't work. Maybe because we sent an email before publishing a paper, and that is why they could fix the problem? In fact, these problems we mention are not so small... Keep in mind everything we do is without breaking anything. There is no protection set up for all the data we access with our simple browser...