DOT Computers Vulnerable to Attack

IG: Websites Showing How Stimulus Money Is Spent at Risk
"By exploiting the high-risk vulnerabilities, hackers could attack the computers used by the public to access the websites and gain access to sensitive data, such as password files stored on servers, take control of a server and attack other computers on DOT's networks," Louis King, the DOT IG program director of IT audit, wrote in the 12-page report.
King explained the vulnerabilities exist because DOT failed to configure the websites, databases and servers in compliance with its configuration security standards.
In February 2009, President Barack Obama signed the American Recovery and Reinvestment Act with the aim of stimulating the economy through government spending. To provide the unprecedented levels of transparency and accountability required by the law, DOT deployed a number of public websites to allow taxpayers to see how the money is being spent.
In pointing out the vulnerabilities these websites face, King cited the July 5, 2009, denial-of-service attack that targeted DOT's main website that resulted in the public's inability to access DOT information.
According to the inspector general, DOT websites, servers and databases hosting stimulus-related information contain 1,822 high-risk, 3,550 medium-risk and 3,759 low-risk security vulnerabilities. These vulnerabilities exist because the websites, servers and database systems are not configured in compliance with DOT's configuration security standards. "These vulnerable websites could put users' computers in danger by allowing hackers to gain access to the users' computer and their personal information, thus diminishing the public's trust in the agency," King wrote. "One particular vulnerability, found on eight of the 13 websites, could allow hackers to use the Websites to launch attacks on users' computers."
The IG also found high-risk vulnerabilities on the computer servers hosting stimulus information. "By exploiting these vulnerabilities, we obtained password and system configuration files from one server," King said. "If an inside attacker were able to exploit the same vulnerability, he or she could potentially crack the passwords, take control of the server, and do harm, such as introducing viruses, to DOT's network."
Because of the sensitivity of the fixes, the IG did not publicly disclose its recommendations to DOT Chief Information Officer Nitin Pradhan and Chief Information Security Officer Andrew Orndorff. In a letter to King prepared by Orndorff for Pradhan, the DOT officials said they would immediately correct the high-risk vulnerabilities and ensure that the planned correction of other weaknesses identified in the audit be monitored by its Plan of Actions and Milestones tracking system.