[3061] in WWW Security List Archive
Re: About "CIA Web Page Hacked"
daemon@ATHENA.MIT.EDU (Ben Camp)
Wed Sep 25 08:16:34 1996
Date: Wed, 25 Sep 1996 04:38:58 -0500
To: hallam@ai.mit.edu, WWW-SECURITY@ns2.rutgers.edu
From: Ben Camp <benc@geocel.com>
Cc: hallam@ai.mit.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Well, as much as you'd like to believe everyone who works for a vendor is
competent, with a program as absolutely huge as sendmail, it is absurd to
think that because a vendor modifies the source they've patched all if any bugs.
Ben Camp
At 07:53 PM 9/24/96 -0400, hallam@ai.mit.edu wrote:
>
>> 1. The CIA have human beings working for them. Just because they have
>> a "reputation" it does not mean that they will be perfect admins.
>
>Also the CIA almost certainly are not running the machine themselves. When
>they first planned to go online one of their original ideas was to try to
>get some friends of mine to host it at a .edu site. They declined.
>
>It's important to note that when the federal government started using the Web
>it was not such a sensitive resource. The number of Web users was in the low
>millions and restricted to academics. Only people like Al Gore were
>pushing the idea that the Web was the information superhighway.
>
>
>I seriously doubt that the sendmail CERT report had anything to do with the
>incident. I don't know anyone foolish enough to run any of the recent Allman
>editions of sendmail. There are plenty of editions patched by competent
>people working for vendors.
>
>I would strongly suspect that the security plan was originally conceived
>in terms of protecting the internal CIA net and that security for the
>server itself was not seriously considered. A remote login procedure does
>not seem unlikely, nor does NFS involvement. The machine would probably
>be set up outside the firewall to protect the internal net with the
>maintainers sitting inside.
>
>
>Unless there was an IDEF0 plan set up for the server with someone assigned
>to monitor the server and upgrade it as required in response to the latest
>CERT bulletins I would not expect anything to be done to ensure that the
>security was continuously upgraded. The person in charge may well have no
>UNIX experience and may not follow UNIX security news.
>
>If anyone does know what went on I would be very interested. I can provide
>impeccable references from within the US federal govt wrt Web security.
>
>
> Phill
>
>
>