Defense Intelligence Agency Fixes Risky Web Site Code
October 31, 2008
Security researcher Bipin Gautam sent an e-mail to the Full Disclosure security mailing list earlier this week outlining his concerns.
In an e-mail, Robert "RSnake" Hansen, CEO of SecTheory and contributor to TechWeb security site Dark Reading, confirmed that the DIA Web site was unnecessarily vulnerable.
"It definitely is an issue if the Web site StatCounter.com were ever to get under an attacker's control," he said. "The site itself is not HTTPS, so it's already vulnerable to man-in-the-middle attacks."
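The risk Hansen describes is generic: any externally hosted script runs with the full privileges of the page that includes it, and on a plain-HTTP page it can also be altered in transit. The audit below is an added example, not code from the article, from DIA or from StatCounter; it parses a page with the standard library and flags every `<script src>` that is served from a different host than the page (third-party code) or fetched over plaintext HTTP. The sample page, its URL and all hostnames and paths in it are constructed placeholders.

```python
"""Audit an HTML page for third-party and plaintext-HTTP script includes.

Added example; not code from the article or from DIA/StatCounter.
Assumptions: the page is available as a string and `page_url` is the
URL the page itself was served from. The sample HTML, its URL and the
hostnames and paths in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def audit_scripts(html, page_url):
    """Return one finding per external script, in document order.

    Each finding records the resolved script URL, whether it comes from a
    different host than the page (third-party code that runs with the
    page's full privileges, so a compromise of that host is a compromise
    of the page), and whether it is fetched over plaintext HTTP (alterable
    by anyone on the network path, as a plain-HTTP page itself is).
    """
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative "//host/x.js"
        # against the page's own URL, so the check sees the real fetch URL.
        resolved = urljoin(page_url, src)
        parts = urlsplit(resolved)
        findings.append({
            "url": resolved,
            "third_party": parts.hostname != page_host,
            "plaintext": parts.scheme == "http",
        })
    return findings


def risky_scripts(findings):
    """Keep only the findings that carry at least one of the two risks."""
    return [f for f in findings if f["third_party"] or f["plaintext"]]


# Constructed sample: a plain-HTTP page that includes its own script,
# an external counter script, a protocol-relative CDN script and one
# first-party script explicitly over HTTPS. All names are placeholders.
SAMPLE_PAGE_URL = "http://www.example.mil/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript"
        src="http://stats.counter-service.invalid/counter.js"></script>
<script src="//cdn.third-party.invalid/lib.js"></script>
<script src="https://www.example.mil/js/secure.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in risky_scripts(audit_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL)):
        flags = [k for k in ("third_party", "plaintext") if f[k]]
        print(f"{f['url']}: {', '.join(flags)}")
```

On the sample page three of the four scripts are flagged: the first-party script is still interceptable because the page is plain HTTP, and the two external ones are both third-party and plaintext. Only the explicit HTTPS first-party include is clean, which matches the point in the quote that moving the site to HTTPS removes the network-path risk but not the dependence on whoever controls the external host.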
The DIA was made aware of the risk following Gautam's initial post.
"This code was brought to DIA's attention by individuals within the agency on Monday," said a DIA spokesperson via e-mail. "Upon further investigation, it was resident only on the one page and was determined to be superfluous coding from a previous page incarnation. The code was deleted and no longer resides on DIA servers."
In response to the suggestion by one participant on the Full Disclosure mailing list that the cookie files used by StatCounter.com might have violated federal guidelines, the DIA spokesperson said that the DIA used session cookies (not persistent cookies) for its employment pages only and that the rest of dia.mil is cookie-free.
The spokesperson said, "DIA has followed and continues to follow Department of Defense policy on cookie usage."