Hack steered Coast Guard e-learning users to al Jazeera site

Last summer, hackers manipulated the Coast Guard's E-Learning system so that users were redirected to a Web site operated by al Jazeera, an Arab news organization, said the service's chief information officer.

Field information systems security officers informed the Coast Guard Computer Incident Response Team of the problem, and the service took the E-Learning system offline to mitigate risks to its network while the response team conducted an investigation, said Rear Adm. David Glenn, assistant commandant and chief information officer. He spoke at a meeting of the Armed Forces Communications and Electronics Association in March.

The Coast Guard took down the E-Learning system, used by its 36,000 uniformed and civilian personnel, for 45 days while it conducted the investigation. The service took corrective action to ensure such an incident could not happen again, said Lt.. Nadine Santiago, a Coast Guard spokeswoman. She said the Coast Guard took the system down two hours after it discovered traffic had been re-routed to al Jazeera.

Glenn said the redirection of the traffic going to the E-Learning system was the result of cross-site scripting, a well-known security vulnerability that allows hackers to inject code into Web pages. The application program the E-Learning system uses was vulnerable to the hack because of the way the site was coded.

Santiago said the Coast Guard determined that the vulnerability was with the Inquisiq Learning Management System, developed by ICS Learning Group in Severna Park, Md., and used in the E-Learning system's unit leader development program. Ed Gipple, president of ICS, acknowledged that Inquisiq, which runs on about 50,000 lines of software code, had a bug, which the company now has fixed.

Brian Kleeman, chief technical officer of ICS, said the problem with the E-Learning system started with a Structured Query Language database, which inputs executable code into the system. That eventually executed a cross-site script that directed users to the al Jazeera site. SQL is a standard way to request information from a database.

Kleeman said his company's fixes now ensure that the executable code cannot be entered into the SQL database.

Glenn said the Coast Guard came away from the incident with some valuable "lessons learned," starting with the realization that "applications are now the focus of attack." This means the service needs to conduct a security assessment of all applications running on its network and to adopt new procedures for contracting development of computer applications with a requirement for security testing built in, Glenn said.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said any organization that buys a software application should require testing to uncover bugs before taking delivery. The Coast Guard incident also underscores the need for application developers to hire programmers with knowledge of security vulnerabilities such as cross-site scripting, he added.

Like other federal agencies and departments, the Coast Guard continues to experience network and system attacks, Glenn said. About 15.3 million inbound e-mails pass through the Coast Guard network gateways every month, and 47,000 of those contain infections or malicious payloads. Outbound e-mails, about 2.8 million a month, are relatively virus free, carrying only 10 infections per month, he said.

The Coast Guard experiences 175 information assurance incidents a month, which Glenn did not elaborate on, and has a defense-in-depth strategy against network attacks. This includes firewalls and routers protected by network gateways, which are monitored by dual network intrusion detection systems. The service also uses an Internet content filtering system and Homeland Security Department systems such as network scanning and security auditing, he added.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download
  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

    Download

When you download a report, your information may be shared with the underwriters of that document.