Several U.S. government Web sites have left information from internal databases accessible to anyone with a Web browser, according to Paris-based Kitetoa.com, a group of French security experts.
According to the group, databases that allowed Web surfers access to internal documents were those controlled by the U.S. Department of Commerce's STAT-USA/Internet service, which offers one-stop Internet browsing for business, trade and economic information, as well as those operated by the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) and the Federal Judicial Center.
In a telephone interview, Antoine Champagne, a member of Kitetoa, said the sites were all running on the same server, IBM Corp.'s Lotus Domino server.
The flaw in the Domino server was discovered in 1998 by L0pht Industries, now @Stake Inc. in Cambridge, Mass. At the time, L0pht issued a warning about the security problem, saying users could access sensitive information from Domino servers that weren't properly secured.
"Securing a Lotus Domino [server] is very hard," Champagne said. "There are lots of known bugs that will do the same thing [as this one]."
According to Kitetoa, the Federal Judicial Center's Web site exposed e-mail messages from the research and education agency's webmaster to U.S. courts saying the center's site had been infected with the Nimda virus.
But Ted Coleman, a spokesman for the Federal Judicial Center, said that no sensitive data was left unprotected.
"Routing of the webmaster mail was changed in late December 2001 to be routed to a server database inside our firewall so that the database containing e-mail sent by the webmaster cannot be accessed from the Internet," Coleman said. "The nine old messages in the webmaster mail database, dating from October 2001 to December 2001, were inadvertently left in this database on the Internet server outside our firewall, and they have been removed."
Coleman said that database contained nonsensitive unencrypted e-mail that was sent out over the Internet by the webmaster in response to questions posed over the Internet.
Another site affected by the glitch was the STAT-USA/Internet site. Kitetoa said that site allowed anyone with a Web browser to access information about customer orders -- from February 2001 -- for the agency's products.
"We take this seriously," said E.R. Gregory, a spokeswoman for the agency. "I promised our customers that their information was [secure]. We have taken down our order area, and we are trying to find out if he just accessed the information now or if he did this a year ago and the security procedures we put in place since then [have protected the information]. We're going over this with a fine-toothed comb."
Champagne acknowledged that he did, in fact, access the agency's internal database last year, but he said he accessed the other agencies' databases recently.
Kitetoa said the Web site operated by the PNNL allowed Internet users to access a database containing information about scientists and research groups around the world.
PNNL spokeswoman Staci Maloof said the agency appreciated the fact that Kitetoa alerted it to the vulnerability, but said no sensitive information was left unprotected. "We were in the process of retiring that server, and there was nothing sensitive there," she said.
"What is important is that we did not hack the servers," Champagne said. "We just asked the server to show us something which we knew was there."
According to Kitetoa's Web site, a French court in February fined Champagne $865 for finding and disclosing security vulnerabilities at Tata.fr, the home page of a clothing retailer in Paris.