31 Aug 2011

Government sites vulnerable to man-in-the-middle attacks

Fewer than a quarter of all U.S. government websites have taken mandated steps to protect against man-in-the-middle exploits, NextGov.com recently reported.

Under an August 2008 White House directive, all government sites were supposed to deploy the Domain Name System Security Extensions by the end of 2009. These extensions, referred to as DNSSEC, authenticate websites by digitally signing their DNS records, so that the address returned for a site's name can be verified as genuine. Hackers can exploit sites that are not protected by DNSSEC by launching a man-in-the-middle attack, redirecting users to a fake version of the site, where victims sometimes provide sensitive information.

Recent cyber operations documents from the White House, the U.S. Department of Defense, the Commerce Department and other agencies have stressed the importance of computer security. Still, Lee Ellis, a program manager for the dot-gov internet domain, told NextGov.com only 23 percent of federal websites are DNSSEC protected.

Ellis said there's no reason why compliance should not be at 100 percent, and he said the Department of Homeland Security has formed a "Tiger Team" to boost adoption rates.

DNSSEC is similar to Secure Sockets Layer certificates, which are another way of authenticating websites. DigiNotar, a Dutch company that issues SSL certificates, was recently hacked, and the attackers managed to create fake certificates to launch man-in-the-middle attacks against Iranian Gmail users.