The recent plunder of the U.S. Department of Justice’s World Wide Web site by hackers highlights a new vulnerability for organizations getting on the Internet. The exposure is especially great for companies that allow unsophisticated end users to maintain Web servers.

Hackers defaced the Justice Department’s home page Aug. 17 with antigovernment diatribes, a swastika, a nude photo and other graffiti. The intruder was apparently protesting the Computer Decency Act of 1996, which would criminalize the distribution of indecent material accessible by children on the Internet.

A spokesman for the agency said it wasn’t known who had invaded the Web site (www.usdoj.gov) or how the break-in was accomplished. The Web site contains speeches, news releases, biographies and other information about the department, and it gets about 160,000 accesses, or hits, per week, the spokesman said.

The first step toward protecting a Web server is to do a risk analysis, said Bob Bagwill, who runs the Computer Security Resource Clearinghouse Web server at the National Institute of Standards and Technology. “Obviously, if you don’t put secret stuff on your Web server, it can’t be lost if the system is compromised,” he said.

But even public information should be protected from alteration, Bagwill said. That could be done by putting it on read-only optical discs, he said. Bagwill said the public Web site should be isolated on a stand-alone computer, and unnecessary protocols and features should be disabled. “Machines are not that expensive; for $2,000, it makes sense to have a sacrificial machine,” he said.

A source at a major financial services firm said his company put its public Web server on the “untrusted side” of a firewall to ensure that confidential information on the other side couldn’t be accessed. He said making the public site 100% secure probably isn’t worth the resulting loss of convenience for rapid content deployment.
“Hacking into your public Web server is a little embarrassing, but it may not be of any great consequence,” the source said.

Robert Campbell, managing director at Peak Consulting in Woodbridge, Va., said the Justice Department’s Web developers may have left bugs in the source code that allowed a hacker to gain access to executable code. That may have been done by guessing a privileged user’s password or intercepting passwords on a communication line that isn’t properly protected, he said. Campbell said the hacker may have used that access to change the Web page contents or reroute incoming calls to a bogus directory containing the illicit Web content.

Terry Swack, a vice president of the Webmaster’s Guild, Inc. in Cambridge, Mass., downplayed the security risks. Products such as Netscape Communications Corp.’s Secure Transaction Server and awareness by developers have minimized the risk for most organizations, she said.