Hack steered Coast Guard e-learning users to al Jazeera site
Incident shows importance of conducting security assessments of applications, CIO says.
Last summer, hackers manipulated the Coast Guard's E-Learning system so that users were redirected to a Web site operated by al Jazeera, an Arab news organization, said the service's chief information officer.
Comment on this article in The Forum.Field information systems security officers informed the Coast Guard Computer Incident Response Team of the problem, and the service took the E-Learning system offline to mitigate risks to its network while the response team conducted an investigation, said Rear Adm. David Glenn, assistant commandant and chief information officer. He spoke at a meeting of the Armed Forces Communications and Electronics Association in March.
The Coast Guard took down the E-Learning system, used by its 36,000 uniformed and civilian personnel, for 45 days while it conducted the investigation. The service took corrective action to ensure such an incident could not happen again, said Lt.. Nadine Santiago, a Coast Guard spokeswoman. She said the Coast Guard took the system down two hours after it discovered traffic had been re-routed to al Jazeera.
Glenn said the redirection of the traffic going to the E-Learning system was the result of cross-site scripting, a well-known security vulnerability that allows hackers to inject code into Web pages. The application program the E-Learning system uses was vulnerable to the hack because of the way the site was coded.
Santiago said the Coast Guard determined that the vulnerability was with the Inquisiq Learning Management System, developed by ICS Learning Group in Severna Park, Md., and used in the E-Learning system's unit leader development program. Ed Gipple, president of ICS, acknowledged that Inquisiq, which runs on about 50,000 lines of software code, had a bug, which the company now has fixed.
Brian Kleeman, chief technical officer of ICS, said the problem with the E-Learning system started with a Structured Query Language database, which inputs executable code into the system. That eventually executed a cross-site script that directed users to the al Jazeera site. SQL is a standard way to request information from a database.
Kleeman said his company's fixes now ensure that the executable code cannot be entered into the SQL database.
Glenn said the Coast Guard came away from the incident with some valuable "lessons learned," starting with the realization that "applications are now the focus of attack." This means the service needs to conduct a security assessment of all applications running on its network and to adopt new procedures for contracting development of computer applications with a requirement for security testing built in, Glenn said.
Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said any organization that buys a software application should require testing to uncover bugs before taking delivery. The Coast Guard incident also underscores the need for application developers to hire programmers with knowledge of security vulnerabilities such as cross-site scripting, he added.
Like other federal agencies and departments, the Coast Guard continues to experience network and system attacks, Glenn said. About 15.3 million inbound e-mails pass through the Coast Guard network gateways every month, and47,000 of those contain infections or malicious payloads. Outbound e-mails, about 2.8 million a month, are relatively virus free, carrying only 10 infections per month, he said.
The Coast Guard experiences 175 information assurance incidents a month, which Glenn did not elaborate on, and has a defense-in-depth strategy against network attacks. This includes firewalls and routers protected by network gateways, which are monitored by dual network intrusion detection systems. The service also uses an Internet content filtering system and Homeland Security Department systems such as network scanning and security auditing, he added.