Web servers used by the military and the government highly vulnerable
While the whole world holds the Chinese responsible for a number of cyber attacks, government and military officials are themselves partly to blame because they fail to protect their servers properly. Instead of forcing expert attackers to resort to highly specialized tools, too many systems practically welcome them in. For instance, the US media have reported new cases of unsafe configuration and inadequate administration of a number of online servers used by the military in an unspecified country in Europe. Supposedly protected data are reputedly accessible via an SQL injection vulnerability. To make matters worse, the operator apparently did not even close the hole when notified, which is all the more surprising since knowledge about such vulnerabilities and how to protect against them has long been commonplace.
Back in mid-July, the Associated Press published its first report about similar problems on the US military's servers. These servers contained classified plans for the new US Embassy in Baghdad, analyses of the air surveillance of military airports, and highly classified documents concerning security weaknesses on a US base – all of which could be downloaded by anyone via FTP.
In addition, the websites of a number of institutes and governmental servers have also reportedly been broken into and visitors infected with malicious code. Advertising for sexual stimulants has also been disseminated via this channel. At the end of August, the Washington Post reported that spam blogs had been found on the webpages of Lawrence Livermore National Laboratory, which oversees the US's nuclear arsenal. The Lab was found to be advertising Viagra and Cialis. Furthermore, some of the Lab's webpages contained links to websites that attempted to exploit browser vulnerabilities in order to infect the visitor's PC.
These vulnerabilities are reputedly caused by a failure to comply with security guidelines; as a result, servers do not receive patches or are improperly configured. In particular, the reports speak of the lack of a unified defense strategy for the Defense Department's servers used in cyberspace.
- No-Defense Department, report at eWeek
- Pharmacy Spam Blogs At U.S. Nuclear Safety Lab, report at the Washington Post
- Top secret US military files available on line, report by heise Security