Report on Web site hack: This is what not to do

The privately funded Intranet Institute late last month released a lessons-learned report based on an incident involving hackers breaking into a Justice Department World Wide Web site a year ago last month.

Intruders broke in electronically to DOJ's Web site Aug. 16 1996 and supplanted Attorney General Janet Reno's photo with Adolf Hitler's changed the agency's name to the Department of Injustice and replaced its seal with the Nazi flag. DOJ officials said the intrusion convinced DOJ officials to make the site more secure.

In so doing the agency learned a dozen lessons which the Intranet Institute put in a report called "Twelve Mistakes to Avoid in Managing Security for the Web" - lessons that DOJ officials hope will help other federal agencies to avoid the same mistakes.

"We are trying to share information with other agencies " said Mark Boster deputy assistant attorney general for information resources management. "What we are not doing is we are not giving any organization any specifics on how we are doing security. Every organization has to develop their own security and security plans."

The pamphlet-size report should be of great use to other agencies because federal Web sites are easier to hack than many private-sector sites said Marcus Ranum a firewall pioneer and chief executive officer of Network Flight Recorder Inc. Woodbine Md. "Government Web sites tend to be much more hackable " he said adding that agencies usually do not spend enough money on security.

The lessons-learned report is a mix of mistakes that are new and well-known in information security circles. Most surprising among the mistakes according to Alan Paller the Intranet Institute director of research who compiled the report is believing that a Web site can be removed from a network quickly.

Boster and other DOJ staff members discovered this a year ago after they pulled the plug on the server that hackers attacked yet continued to get calls from journalists who said they were still able to view the site. People could still access the site because large service providers often create replicas of popular sites. The solution the report said: Have a separate server as a backup. If the site on the original server is hacked switching to the backup server will force replicated sites to change too.

Other mistakes include allowing outside organizations to set priorities distributing Web site authority and placing on the Web server administration tools that hackers can use.

To request a copy of the report visit the Intranet Institute's Web page at www.escal.com.