A while ago, I received an email from someone asking if they could post a link to my CGI course at a military site. I said that was okay and today I happened to stumble across the link at Naval Surface Warfare Center - Dahlgren Lab. The link is under "Writing Secure CGI Applications" (my real name is Curtis Poe) and it's listed as a "good starting point". That's fair. I think it is a good starting point and nothing more, but I did notice a disturbing quote on the page regarding writing those applications:

Terribly little is included in DoD guidance on how to do this other than that you should do it.

Well, that's interesting. On one hand, it's good to know that someone over there is taking this issue seriously, but it does suggest to me that the DoD may not be doing all it can to adequately deal with this issue. I can't help but wonder if they are spending so much time hardening their servers and beefing up their firewalls that they might let crackers slip in the back door.

Does anyone have any real world experience with this? My impression has been that more people get cracked due to a poor configuration than through CGI scripts. However, if the server configuration is rock-solid, then a determined cracker is going to check out those scripts. Thus, the above quote is quite worrisome.

It's also nice to note that Perlmonks is listed as a resource :)

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: US National Security
by sparkyichi (Deacon) on Jan 05, 2002 at 04:21 UTC
    It has been my experience (ex DoD) that it takes an incident to set the wheels of change in motion. For instance, I was in charge of a large and newly installed WAN a couple of years ago. I had noticed that there was a default password still in place on all of the routers and switches. Not only was this bad, but I could use the default passwords on the upstream routers as well. All of the cryptography and VPNs in the world are useless when you have access to trusted ports on the network. After all of the fussing I made with my commanding officer, I could not get authorization to change the default passwords; they wanted to leave it up to the contractors that installed the system. As it turned out, they wanted to be able to remotely access the system. I still think it is a bad idea.

    So it does not surprise me that they are a bit lax on CGI security, but it will not take long for something to happen that will shock the upper brass into getting the Commands to fix their web security.

    Sparky
Re: US National Security
by footpad (Abbot) on Jan 05, 2002 at 10:46 UTC

    Hm. Navy Site. Lessee.... Goes to google and searches for "DOD CGI security FAQ"

    Odd. That first hit (The lucky one) points to an Army site. Coincidence? Cues eerie theme music.

    Seriously, your Navy friend may want to hit the search engine a wee bit. After puttering around on the Army site for a few moments, I stumbled across a link to NIST's Federal Agency Security Practices pages. In turn, this led me to Carnegie Mellon Software Engineering Institute's CERT Coordination Center. Using their search engine to find documents containing "Perl CGI" resulted in 81 hits. Now, the same search on Security Focus yields 107 hits (at this moment). I imagine there is some crossover between the two, but I didn't see too many in my (admittedly brief) scan of the results.

    Duplicates or not, the stuff is out there...

    Besides, would you really want to take coding guidelines from the DoD? Think about it.

    --f

Re: US National Security
by vladb (Vicar) on Jan 05, 2002 at 06:43 UTC
    Very interesting...

    First thing, their Perlmonks link is also pointing to your tutorial. Someone has to get enough courage and tell the Commandos of the little slip ;-)).

    In terms of security, abusing a CGI script is one sure way of hacking into a server. Check out this page, for example. I also have numerous links on my box to sites that discuss various exploits.. as far as I can tell, cracking a server script (CGI, etc) is very much favoured by many hackers. Therefore, of course, DoD should get _absolutely_ concerned with their security, as in this day and age those kinds of IT attacks could prove more damaging than any direct military action. Soon (and I don't even claim to be a visionary), the first thing a foe country would do prior to launching a 'physical' attack is hack the opponent's servers in order to establish immediate strategic superiority and thereby assure seamless conquest.
    "There is no system but GNU, and Linux is one of its kernels." -- Confession of Faith
Re: US National Security
by Trimbach (Curate) on Jan 05, 2002 at 21:22 UTC
    My Day Job right now is employed full-time by a Federal Agency (the USGS, a component of DOI), and the big mistake that most people make when dealing with Federal IT is assuming that agencies have centralized, monolithic, highly coordinated IT resources that are tightly controlled by some uber-IT group. In most agencies that's just completely false: a single agency might have (literally) hundreds of servers managed by hundreds of people with a huge range of skill levels, everything from your standard highly-competent server god to some bozo who decided to buy a cheap Linux box and throw it onto the web.

    In my agency, for example, the "powers that be" (that is, the IT management for the agency) once did a port-scan of the entire agency and discovered that there were 1,300 servers responding to port 80 (i.e., webservers). Problem was, there was only supposed to be around 300. The other 1,000 (!!!) just popped into existence without any assurance that they were brought up securely or correctly. Yee ha.

    Even DOD agencies, which are known for their top-down, military-like organization, are susceptible to this. It's not hard to have a base somewhere with, shall we say, less than optimal security even though the main www.army.mil type sites are well-maintained. It's a big government... and by its very nature it's almost impossible to keep everything in control. It's a fairly deadly combination of lack of skill, lack of organization, and lack of control combined with a whole lotta money.

    Gary Blackburn
    Trained Killer

Re: US National Security
by IlyaM (Parson) on Jan 05, 2002 at 04:46 UTC
    It's also nice to note that Perlmonks is listed as a resource :)

    But the link on it is broken on that page ;)

    --
    Ilya Martynov (http://martynov.org/)

Re: US National Security
by dru145 (Friar) on Jan 06, 2002 at 07:53 UTC
    Folks,

    I'm not one to stick up for the government, but the NSWC have actually made a name for themselves in the Security world, most notably with Intrusion Detection. They developed one of the first open source intrusion detection systems, Shadow (http://www.nswc.navy.mil/ISSEC/CID/index.html). Stephen Northcutt was one of the original developers of Shadow and he was chief security officer at NSWC. He is now one of the most respected instructors for SANS, and I feel that if it wasn't for him, Intrusion Detection would not be what it is today. Everybody in the security world has probably heard of him. So, my point is yeah, the majority of the government/military people are clueless (I was in the Air Force for 4 years, so I know), but every once in a while they produce someone who benefits either the Open Source community or the Security community.

    Thanks,
    Dru
    Another satisfied monk.