U.S. government Web sites left internal databases open to Web

March 29, 2002

By Brian Williams, Newsbytes

Four U.S. government Web sites left the contents of internal databases open to Web surfers, French security experts revealed Thursday.

Databases operated by the Commerce Department's STAT-USA/Internet service, as well as the Department of Energy's Pacific Northwest National Laboratory and the Federal Judicial Center, allowed remote Internet users to browse documents ranging from correspondence to online order data, Newsbytes has confirmed.

The insecure sites were all running IBM's Lotus Domino server, according to Antoine Champagne, leader of Kitetoa.com, a group of Paris-based computer security enthusiasts that discovered the flaws.

At the vulnerable STAT-USA/Internet site, accessible from http://www.economy.gov and http://orders.stat-usa.gov, Web surfers had the ability to drill into databases containing information about customer orders for the agency's financial, business and trade information products.

Commerce officials described Kitetoa's report as "an unauthorized network intrusion" but did not immediately provide additional information about the incident.

At a Web site operated by Pacific Northwest National Laboratory, an insecure database contained contact information for dozens of scientists and research organizations from around the world.

Spokesperson Staci Maloof said the lab, one of nine operated by the Energy Department, was grateful to Kitetoa for pointing out the vulnerable database. Maloof said system operators have added proper access controls to the server, which was located at http://pnl113.pnl.gov.

Before it was locked down by administrators Thursday, the Federal Judicial Center's site at FJC.gov exposed e-mails from the site's Webmaster, such as a note to a U.S. court official explaining that the FJC's internal network had been infected with the Nimda virus.

FJC representative Ted Coleman said no intellectual property or other information that would compromise the agency's internal network integrity was accessible from the exposed Domino database. Administrators have reviewed all access controls on the database, according to Coleman.

The FJC is the research and education agency of the federal judicial system, according to the center's site.

Earlier this month, the U.S. House of Representatives committee leading the investigation into Enron's collapse temporarily took its Web site offline after Kitetoa informed administrators that internal documents in a Lotus Domino database at http://energycommerce.house.gov were exposed to anyone with a Web browser.

The class of vulnerability affecting the government sites has been known to computer security experts since 1998, when a security group called L0pht published a warning about how Web users can retrieve sensitive data from improperly secured Domino servers.

Champagne said he was inspired to examine the government sites' security after reading about plans by some U.S. agencies to remove sensitive data from their Web sites.

Last month, a French court fined Champagne 1,000 euros ($865) for probing and publicizing security holes he found at Tati.fr, the homepage of a Paris-based clothing retailer. The court suspended the fine on the condition that Champagne avoid any other convictions for the next five years.