[3058] in WWW Security List Archive
Re: About "CIA Web Page Hacked"
daemon@ATHENA.MIT.EDU (hallam@ai.mit.edu)
Tue Sep 24 21:25:08 1996
From: hallam@ai.mit.edu
To: WWW-SECURITY@ns2.rutgers.edu
Cc: hallam@ai.mit.edu
In-Reply-To: Your message of "Tue, 24 Sep 96 08:02:13 CST."
<9608248435.AA843577927@smtp.bnr.com>
Date: Tue, 24 Sep 96 19:53:13 -0400
Errors-To: owner-www-security@ns2.rutgers.edu

> 1. The CIA have human beings working for them. Just because they have
> a "reputation" it does not mean that they will be perfect admins.

Also the CIA almost certainly are not running the machine themselves. When
they first planned to go online one of their original ideas was to try to
get some friends of mine to host it at a .edu site. They declined.

It's important to note that when the federal government started using the Web
it was not such a sensitive resource. The number of Web users was in the low
millions and restricted to academics. Only people like Al Gore were
pushing the idea that the Web was the information superhighway.

I seriously doubt that the sendmail CERT report had anything to do with the
incident. I don't know anyone foolish enough to run any of the recent Allman
editions of sendmail. There are plenty of editions patched by competent
people working for vendors.

I would strongly suspect that the security plan was originally conceived
in terms of protecting the internal CIA net and that security for the
server itself was not seriously considered. A remote login procedure does
not seem unlikely, nor does NFS involvement. The machine would probably
be set up outside the firewall to protect the internal net with the
maintainers sitting inside.

Unless there was an IDEF0 plan set up for the server with someone assigned
to monitor the server and upgrade it as required in response to the latest
CERT bulletins I would not expect anything to be done to ensure that the
security was continuously upgraded. The person in charge may well have no
UNIX experience and may not follow UNIX security news.

If anyone does know what went on I would be very interested. I can provide
impeccable references from within the US federal govt wrt Web security.

Phill