Oct 31, 2008 (01:10 PM EDT)
Defense Intelligence Agency Fixes Risky Web Site Code
Read the Original Article at InformationWeek
Security researcher Bipin Gautam sent an e-mail to the Full Disclosure security mailing list earlier this week outlining his concerns.
"It definitely is an issue if the Web site StatCounter.com were ever to get under an attacker's control," he said. "The site itself is not HTTPS, so it's already vulnerable to man-in-the-middle attacks."
The DIA was made aware of the risk following Gautam's initial post.
"This code was brought to DIA's attention by individuals within the agency on Monday," said a DIA spokesperson via e-mail. "Upon further investigation, it was resident only on the one page and was determined to be superfluous coding from a previous page incarnation. The code was deleted and no longer resides on DIA servers."
In response to the suggestion by one participant on the Full Disclosure mailing list that the cookie files used by StatCounter.com might have violated federal guidelines, the DIA spokesperson said that the DIA used session cookies (not persistent cookies) for its employment pages only and that the rest of dia.mil is cookie-free.
The spokesperson said, "DIA has followed and continues to follow Department of Defense policy on cookie usage."