Tuesday, February 14, 2012

Hackers have previously targeted Mobile County Commission's website




MOBILE, Alabama -- When a hacktivist group broke into computer servers at Dogwood Productions last week and accessed Mobile government records, it wasn’t the first time someone exploited a security hole at the company.
Mobile County’s website, which is also managed and hosted by Dogwood, has been compromised in the past as well, though officials said that no sensitive information has been accessed.
The hacks appear to have been acts of digital vandalism rather than more sinister attempts to steal records or spread malicious software.
In one instance, someone broke into the county’s online calendar of events to declare it "Owned by the Kurd!sh Sniper TeaM."
In another instance, links in the calendar were changed to direct users to what appeared to be an Arabic social networking website.
A third hack inserted an anti-Semitic screed into the calendar, according to Nancy Johnson, who is in charge of the county’s communications strategy, including the website.
The hackers were able to deface the website by exploiting a security flaw in the calendar, a bit of the site developed by a third party and plugged into the larger website, said John Strope, Dogwood’s director.
In order to save time, developers often use such third-party web apps for common functions such as calendars or message boards rather than developing them from the ground up.
The shortcut can backfire, though, because hundreds or even thousands of websites might use the same web app. If a security flaw in the app is discovered, hackers can exploit the flaw to gain access to all the websites that used the app.
It can even draw hackers to websites they might have otherwise left alone.
In the case of the records stolen from the city of Mobile, it appears that hackers associated with the group Anonymous intentionally targeted Mobile in response to Alabama’s immigration law. But Mobile County’s site was probably only hit because the calendar app made it an easy target, Strope said.
When a flaw is discovered in a popular web app, hackers share the information and then use programs to sniff the Internet looking for websites that use the app, he said.
The process is akin to a car burglar walking down the street trying door handles until he finds one that’s unlocked.
So far, it seems that the security liability was limited to the calendar itself and not to the wider website.
Even if hackers were able to access the entire site, Johnson said, it is segregated from the county’s internal network and servers, which house sensitive information.
"We don’t have anything on there that can’t go public," she said.
Because the calendar was developed by a third party, Strope said, it was difficult for Dogwood to address the security flaw without jettisoning it and either finding another third-party app or developing one from scratch.
In light of the recent hacking of the city’s information, however, the county is playing it safe, shutting down the calendar app until a solution can be found, he said.
Johnson said that the county will continue to use Dogwood. "They’ve actually done a good job for us," she said.
Strope said that security risks can be mitigated but never eliminated. As soon as one security hole is patched, hackers are on to the next one, he said.
"It’s just an ongoing battle. We don’t want the perception that we are being lax on security," Strope said.
