From: InfoSec News (isn_at_c4i.org)
Date: Wed Nov 06 2002 - 00:21:38 CST

    Forwarded from: William Knowles <wkc4i.org>

    http://www.wired.com/news/technology/0,1282,56219-1-13,00.html

    By Brian McWilliams
    November 06, 2002

    The U.S. Navy took one of its websites offline Tuesday and added new
    security controls to a second site after Internet surfers discovered
    they could access confidential Navy databases.

    The exposed Navy files included material designed to support a machine
    for testing the electronics of weapon systems called the Consolidated
    Automated Support System. Web surfers were able to browse through
    hundreds of trouble tickets, dating back to 1989.

    Also accessible by Internet users was a site operated by the Naval
    Supply Systems Command that enables Navy personnel to order commercial
    software or internally developed applications. One section of the
    database, known as QUADS, allowed visitors to pull up records on who
    registered to use the system and included their passwords.

    A group of French security enthusiasts known as Kitetoa discovered the
    vulnerable sites, which were running IBM's Lotus Domino software.
    Kitetoa has reported similar security problems with Lotus software on
    other government and private websites.

    A spokesperson for the Navy's North Island Naval Air Depot said the
    CASS database has been "shut down both internally and externally while
    we investigate possible vulnerabilities."

    A NAVSUP representative confirmed the QUADS security flaw but did not
    immediately provide further information. After the Navy was notified
    about the problem, the QUADS site began requiring users to log in.

    Both Navy sites appeared to contain "noncritical support systems" and
    were "not a military concern," said Brad Johnson, a former Navy
    officer and National Security Agency program manager.

    "This is not the type of information (to which) the Navy would want to
    grant unrestricted access, but it is not something that threatens our
    security," said Johnson, now a vice president of Vigilinx, a security
    solutions provider in Parsippany, New Jersey.

    Among the trouble tickets viewable by Internet users was a report from
    an officer aboard an aircraft carrier who noted unresolved problems
    with CASS systems overheating and malfunctioning "while operating in
    arduous environments such as the Arabian gulf."

    William Knowles, operator of C4i.org, a computer security and
    intelligence site, said the Navy would view any intelligence leak as
    serious.

    "Any information not already discussed on either CNN or the Pentagon
    Daily Brief is information that can be used by a motivated
    attacker-terrorist against U.S. interests around the globe," Knowles
    said.

    The current incidents follow news in October that more than 600 Navy
    computers -- including some containing classified information -- were
    missing.

    In an e-mail interview this week, Kitetoa founder Antoine Champagne
    wrote that a French appeals court recently overturned a ruling
    requiring him to pay a fine for publicizing security holes he found at
    Tati.fr, the homepage of a Paris-based clothing retailer.

    According to Champagne, who has also identified flaws at sites run by
    DoubleClick, Bull Groupe, Veridian and ChoicePoint, the ruling is
    important for computer security whistle-blowers.

    "You can get to a page that is not supposed to be there for you, but
    that is unprotected, without being called an evil hacker," Champagne
    wrote.

     
    *==============================================================*
    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
