Friday, March 15, 2013

Ironic hack is ironic

The National Vulnerability Database is the world's most complete repository for information about security bugs.  The database contains information on tens of thousands of security issues across all operating systems and applications.  As you'd imagine, it's an enormously useful resource for folks in my line of work.

The NVD is currently off-line.  It's off-line because they got hacked:
The federal government's official catalog of software vulnerabilities was taken offline after administrators discovered two of its servers had been compromised. By malware. That exploited a software vulnerability.

The National Vulnerability Database is maintained by the National Institute of Standards and Technology and has been unavailable since late last week, according to an e-mail sent by NIST official Gail Porter published on Google+. At the time of this article on Thursday afternoon, the database remained down and there was no indication when service would be restored.

"On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet," Porter wrote in the March 14 message. "NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability."

Actually, this picture is a bit unfair.  This situation shows how pretty much anyone can get hacked these days.  If you're sloppy you'll get hacked faster, but even if you're good you are at risk from persistent attackers.  I don't know the folks at NIST and the NVD, but I expect that this describes them: they understand the importance of security, they know the impact of a security breach on their organization's reputation, and they invest in security technology and staff.

And they still got hacked.  What's new in the last couple years is that people who have a clue are now getting owned.  That shouldn't give anyone the warm fuzzies.

1 comment:

Rick C said...

Is there an image macro for people who can't spell "completely?"