It's no secret that California is not the Bush Administration's favorite state, but did the General Services Administration overreact when it moved to shut off California's ca.gov domain to prevent a hijacked county Web site from pointing to a porn site?
That's what happened on October 2. When GSA officials realized that the Transportation Authority of Marin site -- at www.tam.ca.gov -- had been compromised and was redirecting visitors to porn sites, the agency moved to cut off access to the entire ca.gov domain. That sent state officials scrambling to repair the damage.
Jim Hanacek, acting deputy director for the state I.T. department's policy and planning division, said the GSA not only shut down the domain, but also didn't notify his office or even alert the right person after the fact. The GSA sent e-mail to a staffer who handles routine, not critical, communications, and that person didn't see the e-mail for more than 24 hours.
"We apologize for any inconvenience to the citizens of California. ... The potential exposure of pornographic material to the citizens -- and tens of thousands of children -- in California was a primary motivator for GSA to request immediate corrective action," the agency said in a statement.
The GSA has revised its policies to find more targeted ways of dealing with compromised sites, the agency said. "GSA recognizes there must be a balance between protecting citizens while not, at the same time, adversely affecting government's ability to serve citizens via the Internet. We have therefore revised our policies to now include more internal checks and balances before a site is shut down and to find better ways to more precisely eliminate offending government sites without having to shut down the primary site."
Alex Eckelberry, CEO of Sunbelt Software, said in an e-mail that while GSA shouldn't have shut down ca.gov, "I was privately quite happy to see it done, because our level of frustration with seeing these constant attacks is quite high. At least something was done, even if it was throwing out the baby with the bathwater."
While it's appropriate for GSA to take time to investigate these events, Eckelberry said, "it's also good for them to have the flexibility to take fast action in the event of something serious, such as a massive worm outbreak or terrorist threat." The GSA should continue to have the flexibility to "shut things off," he added.
Failure To Respond
As of this writing, the Marin Web site is unavailable. The site is now clean but "still has some dirt under its fingernails," Eckelberry said, adding that he discovered that the Madera County courts Web site and the Bank of Ghana Web site also were hacked and were serving porn. Tulare County, California, also appears to be inundated with links to drug and porn sites.
What should Web operators -- be they government entities or corporate enterprises -- do to prevent getting hacked? Four things, said Eckelberry. For outsourced sites, "require and have documentation as to the hosting companies' security practices -- especially as regards their patching strategies." For in-house sites, religiously patch software and use best practices. Regularly test for vulnerabilities. And, finally, "respond to security researchers when they contact you."
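One way to put the "regularly test" advice into practice for the kind of compromise described in this story is a monitor that fetches each site an operator owns and flags any response that sends visitors off the operator's own domain, so that a single offending site can be identified precisely rather than an entire domain cut off. This is an added example, not code from the article, Sunbelt, or GSA; the responses below are constructed stand-ins for live fetches, and the trusted suffix is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumed trusted zone: any redirect target outside it is flagged.
TRUSTED_SUFFIX = ".ca.gov"

# Three common redirect mechanisms: HTTP Location, <meta refresh>, and JS location.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def is_offsite(target: str) -> bool:
    """True if the redirect target leaves the trusted zone; relative URLs stay on-site."""
    host = urlparse(target).hostname
    if host is None:
        return False
    host = host.lower()
    return not (host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX))

def check_response(site: str, status: int, headers: dict, body: str) -> list:
    """Return (site, mechanism, target) findings for every off-site redirect seen."""
    findings = []
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and loc and is_offsite(loc):
        findings.append((site, "http-location", loc))
    for m in META_REFRESH.finditer(body):
        if is_offsite(m.group(1)):
            findings.append((site, "meta-refresh", m.group(1)))
    for m in JS_REDIRECT.finditer(body):
        if is_offsite(m.group(1)):
            findings.append((site, "js-location", m.group(1)))
    return findings

# Constructed sample responses (hostnames and targets are placeholders).
SAMPLE = [
    ("www.tam.ca.gov", 302, {"Location": "http://evil.example/landing"}, ""),
    ("www.county-a.ca.gov", 200, {}, '<meta http-equiv="refresh" content="0;url=http://bad.example/x">'),
    ("www.county-b.ca.gov", 200, {}, '<script>window.location.href="https://portal.ca.gov/login";</script>'),
    ("www.county-c.ca.gov", 301, {"Location": "/new-home"}, ""),
]

def audit(responses=SAMPLE) -> list:
    """Flag only the sites sending visitors off-domain, so the response can be targeted."""
    out = []
    for site, status, headers, body in responses:
        out.extend(check_response(site, status, headers, body))
    return out

if __name__ == "__main__":
    for site, how, target in audit():
        print(f"ALERT {site}: {how} -> {target}")
```

In a real deployment the tuples would come from scheduled fetches of each monitored host, and only the flagged hosts would be escalated.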
Eckelberry said that his firm, as well as other researchers, alerted the transportation agency as far back as September 12, but the agency failed to take any action. E-mails and calls to the agency were ignored. Dianne Steinhauser, executive director of the Marin Transportation Authority, said the I.T. team was afraid the messages were phishing attempts.
Marin's failure to respond to Sunbelt's warnings was "tragic," said Eckelberry. In a press report, California's Hanacek said that the state does not take responsibility for local governments' online activities.
"My personal feeling is that it's a bit scary to have small local governments and departments (the TAM group at Marin is only 10 people) running their own Web sites, and I do think there should be some centralized oversight," Eckelberry said, suggesting an omnibus security team could easily identify and fix problem sites.