Hack steered Coast Guard e-learning users to al Jazeera site

Last summer, hackers manipulated the Coast Guard's E-Learning system so that users were redirected to a Web site operated by al Jazeera, an Arab news organization, said the service's chief information officer.

Field information systems security officers informed the Coast Guard Computer Incident Response Team of the problem, and the service took the E-Learning system offline to mitigate risks to its network while the response team conducted an investigation, said Rear Adm. David Glenn, assistant commandant and chief information officer. He spoke at a meeting of the Armed Forces Communications and Electronics Association in March.

The Coast Guard took down the E-Learning system, used by its 36,000 uniformed and civilian personnel, for 45 days while it conducted the investigation. The service took corrective action to ensure such an incident could not happen again, said Lt. Nadine Santiago, a Coast Guard spokeswoman. She said the Coast Guard took the system down two hours after it discovered traffic had been re-routed to al Jazeera.

Glenn said the redirection of the traffic going to the E-Learning system was the result of cross-site scripting, a well-known security vulnerability that allows hackers to inject code into Web pages. The application program the E-Learning system uses was vulnerable to the hack because of the way the site was coded.

Santiago said the Coast Guard determined that the vulnerability was with the Inquisiq Learning Management System, developed by ICS Learning Group in Severna Park, Md., and used in the E-Learning system's unit leader development program. Ed Gipple, president of ICS, acknowledged that Inquisiq, which runs on about 50,000 lines of software code, had a bug, which the company now has fixed.

Brian Kleeman, chief technical officer of ICS, said the problem with the E-Learning system started with a Structured Query Language database, which inputs executable code into the system. That eventually executed a cross-site script that directed users to the al Jazeera site. SQL is a standard way to request information from a database.

Kleeman said his company's fixes now ensure that the executable code cannot be entered into the SQL database.
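The pattern described above, script text held in a database and later served to users as part of a page, is illustrated in the following added example, which is not code from Inquisiq, ICS or the Coast Guard. The table schema, function names and the stored sample value are assumptions constructed for illustration; it contrasts rendering stored text as markup with HTML-encoding it at output, and includes a simple audit of stored rows.

```python
import html
import sqlite3

# Constructed sample value: a "course title" that is really a redirect script.
STORED_VALUE = '<script>window.location="https://redirect.example.invalid/"</script>'


def make_db():
    """In-memory stand-in for a learning-system database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT)")
    # Parameterized inserts keep values out of the SQL text, but they do not
    # stop script text from being stored as ordinary data.
    db.execute("INSERT INTO courses (title) VALUES (?)", ("Unit Leader Basics",))
    db.execute("INSERT INTO courses (title) VALUES (?)", (STORED_VALUE,))
    return db


def render_unsafe(db):
    """Vulnerable pattern: stored text is concatenated into the page as markup."""
    rows = db.execute("SELECT title FROM courses ORDER BY id").fetchall()
    return "<ul>" + "".join(f"<li>{t}</li>" for (t,) in rows) + "</ul>"


def render_safe(db):
    """Hardened pattern: every stored value is HTML-encoded when it is output."""
    rows = db.execute("SELECT title FROM courses ORDER BY id").fetchall()
    return "<ul>" + "".join(f"<li>{html.escape(t)}</li>" for (t,) in rows) + "</ul>"


def find_suspect_rows(db):
    """Audit helper: ids of rows whose title holds markup a title never needs."""
    needles = ("<script", "javascript:", "onerror=", "onload=")
    hits = []
    for row_id, title in db.execute("SELECT id, title FROM courses ORDER BY id"):
        if any(n in title.lower() for n in needles):
            hits.append(row_id)
    return hits


if __name__ == "__main__":
    db = make_db()
    print(render_unsafe(db))   # script tag reaches the browser intact
    print(render_safe(db))     # script tag arrives as inert text
    print("rows to review:", find_suspect_rows(db))
```
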

Glenn said the Coast Guard came away from the incident with some valuable "lessons learned," starting with the realization that "applications are now the focus of attack." This means the service needs to conduct a security assessment of all applications running on its network and to adopt new procedures for contracting development of computer applications with a requirement for security testing built in, Glenn said.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said any organization that buys a software application should require testing to uncover bugs before taking delivery. The Coast Guard incident also underscores the need for application developers to hire programmers with knowledge of security vulnerabilities such as cross-site scripting, he added.

Like other federal agencies and departments, the Coast Guard continues to experience network and system attacks, Glenn said. About 15.3 million inbound e-mails pass through the Coast Guard network gateways every month, and 47,000 of those contain infections or malicious payloads. Outbound e-mails, about 2.8 million a month, are relatively virus free, carrying only 10 infections per month, he said.

The Coast Guard experiences 175 information assurance incidents a month, which Glenn did not elaborate on, and has a defense-in-depth strategy against network attacks. This includes firewalls and routers protected by network gateways, which are monitored by dual network intrusion detection systems. The service also uses an Internet content filtering system and Homeland Security Department systems such as network scanning and security auditing, he added.
