7:01 AM, Mar 10, 2014 • By JERYL BIER
Less than a month after the exposure of a widespread vulnerability on government "open data" websites, another perhaps even more insidious opening for abuse of government websites has come to light. The problem is known as an "unvalidated redirect," and has been found on the websites of the Environmental Protection Agency, the Treasury Department, and even the Senate, among others. The vulnerability is not a new one and could extend back months if not years, and is not an uncommon problem on commercial websites either.
A "redirect" is a web address that automatically opens a different webpage or, in many cases, a completely different website from the one the original address, or URL, indicated. Generally, when a government website directs a user to an external site, a warning or disclaimer appears alerting the user. For instance, the Centers for Medicare and Medicaid Services website places a small "world" icon next to external links, and the site has a page explaining the disclaimer.
Other government sites follow a different protocol in which a special disclaimer page is displayed for several seconds after the external link is clicked, before the user is automatically taken to the new page or site. While this protocol is not a problem in and of itself, if the website code does not restrict redirects to sites approved by the host site, any web address can be substituted. This can allow unscrupulous operators to provide a link in a website or an email that begins with a legitimate government address, such as senate.gov or epa.gov, but then quickly and automatically transports users to any website they choose.
The website for the Senate is an especially serious example of this vulnerability because of the complete lack of a disclaimer on the "exit" page before the redirect takes place. Senators often direct website users to pertinent news articles, stories concerning constituent issues, or government services on other federal websites. However, a bare exit screen is all that users see before they are bounced to the new page or site.
Since the script for the exit page is not restricted, anyone can establish a link by entering a web address after this prefix: http://www.senate.gov/cgi-bin/exitmsg?url=[web address]. For example, this link directs users to Google.com after bouncing off of Senate.gov: <http://www.senate.gov/cgi-bin/exitmsg?url=http://www.google.com>. Replacing "www.google.com" with any other website works just the same way to send users to that site. This opening could easily be exploited by inserting such a link in a phishing email or on a website and inviting users to click on what appears to be a Senate website address but is in reality a redirect to a phishing site. At that point, personal information could be solicited with the apparent endorsement of the Senate.
A bold scammer could even explicitly tell users, for example, that "you will see a message that you are exiting the Senate web server system and being transferred to our secure data collection site." Without a restriction on redirect links or even a disclaimer, there is nothing to warn an unsuspecting user that the Senate is in no way connected with the linked site.
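One way a site could restrict an exit page like the one described above to approved destinations, as an added illustration that is not code from the Senate, EPA, Treasury or any other site mentioned in this article: the allowlist contents, the function names and the home-page fallback are assumptions made for this example. Beyond the plain host comparison, it also rejects the values that commonly slip past a naive check (scheme-relative `//host` targets, `javascript:` targets, userinfo before an `@`, backslashes that browsers treat as path separators, and lookalike hosts such as `epa.gov.evil.example`).

```python
"""Allowlist validation for an 'exit page' redirect parameter.

Added example for the unvalidated-redirect problem described above. It is not
code from senate.gov or any agency website; the allowlist entries, function
names and fallback location are assumptions chosen for this illustration.
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: hosts (and their subdomains) the exit page may send users to.
ALLOWED_HOSTS = frozenset({"senate.gov", "epa.gov", "treasury.gov"})


def _host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """True if host equals an allowlist entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if host == entry or host.endswith("." + entry):
            return True
    return False


def validate_redirect(url_param: str,
                      allowed: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return url_param unchanged if it is an absolute http(s) URL whose host is
    on the allowlist; return None for anything else."""
    if not url_param or len(url_param) > 2048:
        return None
    # Browsers treat '\' like '/', but urlsplit does not, so a backslash can make
    # the parsed hostname differ from where the browser actually navigates.
    # Control characters have no place in a redirect target either.
    if "\\" in url_param or any(ord(c) < 0x20 for c in url_param):
        return None
    parts = urlsplit(url_param)
    # Only absolute http/https targets are meaningful for an exit page; this also
    # rejects javascript:, data:, and scheme-relative ("//host") values.
    if parts.scheme not in ("http", "https"):
        return None
    # Userinfo ("something@host") lets the eye-catching part of the URL differ
    # from the host the browser connects to; an exit link never needs it.
    if "@" in parts.netloc:
        return None
    host = parts.hostname
    if not host or not _host_allowed(host, allowed):
        return None
    return url_param


def exit_page_response(url_param: str, home: str = "/") -> Tuple[int, str, str]:
    """Model the exit page's decision as (status, location, message).

    A rejected value is logged by the caller and the user is returned to a safe
    same-site location instead of being forwarded anywhere."""
    target = validate_redirect(url_param)
    if target is None:
        return (302, home, "Redirect target not on the allowlist; returned to home page.")
    return (200, target,
            f"You are leaving this site for {urlsplit(target).hostname}.")


if __name__ == "__main__":
    # Constructed sample inputs, including the bypass shapes handled above.
    for sample in ("https://www.epa.gov/",
                   "http://www.google.com",
                   "//www.epa.gov",
                   "http://www.epa.gov.evil.example/",
                   "http://evil.example\\@www.epa.gov",
                   "javascript:alert(1)"):
        print(sample, "->", exit_page_response(sample))
```

The allowlist is the one piece of this that needs ongoing care: it has to contain every destination the site legitimately links to, or legitimate links break. A site that cannot enumerate its destinations has the alternative of only redirecting to URLs it generated itself, for instance by keying them by an identifier stored server-side rather than accepting a raw address in the query string.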
8:07 AM, Feb 20, 2014 • By JERYL BIER
At first glance, a page on the Health and Human Services (HHS) website seems to be giving that agency's official advice on the "The Health Benefits of Nootropics," a classification of purportedly memory-enhancing drugs. The page is found on the website's subdomain of the Assistant Secretary for Planning and Evaluation (ASPE) as part of the Health System Measurement Project.
10:07 AM, Jan 19, 2014 • By DANIEL HALPER
According to a cyber security expert, security for the Obamacare website, Healthcare.gov, is "much worse off" now than before:
1:23 PM, Oct 4, 2013 • By JERYL BIER
A portion of the website of the Substance Abuse and Mental Health Services Administration (SAMHSA) was apparently hacked as long as two months ago. SAMHSA is an agency of the Department of Health and Human Services (HHS). HHS also runs the new Obamacare insurance marketplace, Healthcare.gov.
11:02 AM, Aug 27, 2013 • By DANIEL HALPER
Senator Mary Landrieu, a Democrat from Louisiana, is making the case that some "cyber" jobs need to be moved away from the Washington, D.C. area -- and to Louisiana, where those people might be physically safer.
“Those jobs can’t all be based inside Washington, D.C., and Arlington, Va.,” she explained to a local paper. "Some of those jobs need to be located outside the blast zone."
Landrieu did not explain what blasts she expects to hit the Washington, D.C. area, or when those blasts might hit.
12:00 AM, Jun 15, 2013 • By IRWIN M. STELZER
Chinese president Xi Jinping and U.S. President Barack Obama doffed their ties, rolled up their sleeves (well, at least Obama did), and even took the now-obligatory stroll around the Sunnylands Estate in Rancho Mirage, California, in the manner of Eisenhower and Khrushchev at Camp David, and Reagan and Gorbachev in Switzerland. This enabled the leaders to “establish and deepen their personal relationship,” according to Tom Donilon, Obama’s national security adviser at the time of the meeting.
10:32 AM, Jun 3, 2013 • By KEN JENSEN
Over the past few weeks things cyber have blown up in our faces once again. While some of the media noticed, the gist of the reporting was on who was doing what to us now, not the growing scandal of our essentially supine reaction to it.
11:11 AM, Jun 1, 2013 • By DANIEL HALPER
Defense Secretary Chuck Hagel had some words about the cyber threat from China while speaking today in Singapore. But a Chinese general, in the room for the speech, immediately responded by saying, "China is not convinced."
"Even as we seek to uphold principles in well-established areas, we must also recognize the need for common rules of the road in new domains," Hagel said, according to an official transcript of his remarks.
1:21 PM, May 13, 2013 • By KEN JENSEN
On May 6, the media was full of warnings about an immediately pending cyberattack called “OpUSA.” Homeland Security said “The attacks will likely result in limited disruptions and mostly consistent of nuisance-level attacks against publicly accessible web pages and possibly data exploitation.”
9:07 AM, Mar 8, 2013 • By KEN JENSEN
Since the hacking of the New York Times, the Wall Street Journal, the Washington Post, etc., and the Mandiant revelations about China’s PLA Unit 61398, the media and Internet have exploded with talk of our reaching a “tipping point” in cybersecurity (or not, depending on the point of view). We’re, in fact, long past the “tipping point”: what Mandiant had to say about Chinese hacking was actually old news to those who follow things cyber.
9:16 PM, Feb 12, 2013 • By DANIEL HALPER
At tonight's State of the Union Address, President Obama will announce that he has signed a cyber security executive order.
Webcraft as spycraft. Jun 11, 2012, Vol. 17, No. 37 • By JONATHAN V. LAST
Last April, the Iranian Oil Ministry and the National Iranian Oil Company noticed a problem with some of their computers: A small number of machines were spontaneously erasing themselves. Spooked by the recent Stuxnet attack, which had wrecked centrifuges in their nuclear labs, the Iranians suspected a piece of computer malware was to blame. They went to the United Nations’ International Telecommunications Union and asked for help.
3:05 PM, Jun 1, 2012 • By DANIEL HALPER
Elliott Abrams is rightly and eloquently outraged about this morning's New York Times article, which features Obama administration officials discussing sensitive and classified national security matters, for the sake of making the president look tough. The leakers—none of whom "would allow their names to be used because the effort remains highly classified, and parts of it continue to this day"—did no favor to our national security, or to efforts to stop Iran's nuclear program.