TRENDING:

DOT Computers Vulnerable to Attack

IG: Websites Showing How Stimulus Money Is Spent at Risk Eric Chabrow (GovInfoSecurity) • October 28, 2010    
DOT Computers Vulnerable to Attack
In an attempt to be transparent on how $48.1 billion in stimulus money is being spent, Department of Transportation computers are exposed to vulnerabilities through public websites, the DOT inspector general says in a report on DOT computers vulnerable to attack.

"By exploiting the high-risk vulnerabilities, hackers could attack the computers used by the public to access the websites and gain access to sensitive data, such as password files stored on servers, take control of a server and attack other computers on DOT's networks," Louis King, the DOT IG program director of IT audit, wrote in the 12-page report.

King explained the vulnerabilities exist because DOT failed to configure the websites, databases and servers in compliance with its configuration security standards.

In February 2009, President Barack Obama signed the American Recovery and Reinvestment Act with the aim to stimulate the economy through government spending. To provide an unprecedented levels of transparency and accountability required by the law, DOT deployed a number of public websites to allow taxpayers to see how the money is being spent.

In pointing out the vulnerabilities these websites face, King cited the July 5, 2009, denial-of-service attack that targeted DOT's main website that resulted in the public's inability to access DOT information.

According to the inspector general, DOT websites, servers and databases hosting stimulus-related information contain 1,822 high-risk, 3,550 medium-risk and 3,759 low-risk security vulnerabilities. These vulnerabilities exist because the Websites, servers, and database systems are not configured in compliance with DOT's configuration security standards. "These vulnerable websites could put users' computers in danger by allowing hackers to gain access to the users' computer and their personal information, thus diminishing the public's trust in the agency," King wrote, "One particular vulnerability, found on eight of the 13 websites, could allow hackers to use the Websites to launch attacks on users' computers."

The IG also found high-risk vulnerabilities on the computer servers hosting stimulus information. "By exploiting these vulnerabilities, we obtained password and system configuration files from one server," King said. "If an inside attacker were able to exploit the same vulnerability, he or she could potentially crack the passwords, take control of the server, and do harm, such as introducing viruses, to DOT's network."

Because of the sensitivity of the fixes, the IG did not publicly disclose its recommendations to DOT Chief Information Officer Nitin Pradhan and Chief Information Security Officer Andrew Orndorff. In a letter to King prepared by Orndorff for Pradhan, the DOT officials said they would immediately correct the high-risk vulnerabilities and ensure that the planned correction of other weaknesses identified in the audit be monitored by its Plan of Actions and Milestones tracking system.

Previous
Chip & PIN Needs PCI
Next
Gates Reaffirms Takai as Next DoD CIO

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.