
Defense Intelligence Agency Fixes Risky Web Site Code







http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=211800622 

By Thomas Claburn
InformationWeek
October 31, 2008 05:05 PM

The Defense Intelligence Agency Web site, until earlier this week, 
exposed job applicants to potential privacy and security risks because 
it included a link to JavaScript code hosted on a third-party Web site.

While there's no evidence that the site leaked personal information, the 
presence of a call to execute JavaScript code that resides on a 
Statcounter.com server in Ireland provided a weak link in the security 
chain that could have been exploited to provide potentially valuable 
foreign intelligence about future DIA personnel.

Security researcher Bipin Gautam sent an e-mail to the Full Disclosure 
security mailing list earlier this week outlining his concerns.

In a follow-up e-mail to InformationWeek, he explained the issue. "If a 
Web site includes third-party JavaScript like stat counters, 
advertisement scripts, [or] banners called from third-party servers, the 
Web site is at risk of having to rely on the third party as well for 
overall security assurance of its Web site," he said.
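The dependency Gautam describes can be inventoried from a page's markup. The following is an added example, not part of the article: it lists every script a page loads from a host other than its own and notes whether the tag pins the file with a Subresource Integrity `integrity` attribute, a browser feature the article does not mention. The page URL, hosts and markup are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a hypothetical application page and its markup.
SAMPLE_URL = "https://jobs.example.gov/apply"
SAMPLE_HTML = """
<html><head>
<script src="/js/form.js"></script>
<script src="//stats.example.net/counter.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var inlineCode = 1;</script>
</head><body></body></html>
"""

class ScriptAudit(HTMLParser):
    """Collect <script src=...> tags served from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: delivered by the site itself
        full = urljoin(self.page_url, src)  # resolves relative and //host forms
        host = urlsplit(full).hostname
        # Strict comparison: a sibling subdomain also counts as a separate host.
        if host and host != self.page_host:
            self.findings.append(
                {"host": host, "src": full, "sri": bool(attr.get("integrity"))})

def audit(page_url, html):
    """Return one finding per externally hosted script on the page."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HTML):
        pinned = "pinned with SRI" if f["sri"] else "NOT pinned"
        print(f"{f['host']:20} {pinned:16} {f['src']}")
```

Each host in the output is a party whose server security the page inherits; an unpinned entry means that server can change what runs in the visitor's browser at any time.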

[...]

