Web App Security, not as Sexy as James Bond but Close

I saw a news story last week that was kind of surprising to me but really shouldn't have been. An article posted by the Financial Times discussed the Chinese military hacking into the Pentagon. http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html It surprised me because I never really thought of the military groups from different countries hacking into each other. Call me old school, but I still pictured spying and espionage between countries to be handled by the equivalent of James Bond. Thinking about it just a little and applying a tad of logic makes me realize how foolish that thinking is.

In the article, China was painted as the villain since they hacked into the Pentagon and had previously hacked into some German government computers. However, the article also mentions that the US is assumed to regularly scan Chinese networks. Both of these ideas simply emphasize how much easier it is to hack into a computer system than to directly risk the lives of your "super spies." It might be sexier to seduce foreign agents while stealing top secret documents but it's safer to do it online instead. No need to end up being strapped to a table while a laser preps to slice you in half.

How and where the computer was hacked wasn't mentioned but comments near the end of the article had me thinking it was an email account that was hacked. It could just as easily been via a Web site instead. Hopefully any Web sites being used by the Pentagon are performing some simple input validation. Most Web application vulnerabilities can be avoided by validating the data being entered. If asking for a person's name, accept only letters. If asking for a phone number, accept only numbers. At least block the simple stuff. It might not make you a super spy but you can still be a hero in your office. You can always hope for more excitement when ordering that martini shaken, not stirred.

Comments

I honestly can't believe you fell for this FUD that the news is spreading! Offensive network attack has been occurring from Asia for almost a decade and this is just a slow news week obviously because it has been highlighted by multiple "news" organizations? Why would it be surprising in any way, shape or form that a foreign government employs an offensive info ops capability against government systems that are Internet-facing? Also it should be noted that while some information when gathered in large-scale as a whole could be revealing, most of the information stolen will be totally unclassified (not even FOUO under current guidelines)! This is not as big of a deal as the media has made it out to be. Some people want to cry havoc whenever a govt. site is hacked (even defaced...) saying its unbelievable but seriously give me a break. Its the same cost vs. benefit analysis that everyone else has to go through for employing security... This is not life and death information. Its not even necessarily sensitive information. Its just your atypical info gathering campaign we have seen done through non-technical means for years...

Posted by: R. Kerns | September 14, 2007 at 06:35 PM

Haha great article, Maybe im a spy? :oX

Posted by: KathyC | November 06, 2007 at 01:57 PM