Hackers embarrassed the European Commission this week by identifying two security holes in SaferInternet.org, a Commission-sponsored Web site promoting a safer Internet.
One of the holes allowed the hackers to get administrator privileges on the server, a security expert who requested anonymity told the IDG News Service. The other leak involved an e-mail distribution list that was left unsecured, allowing anyone to retrieve the names and e-mail addresses of the people on the list.
"Both holes were plugged on Wednesday morning. We are investigating the leaks and will report to the European Commission," said Tara Morris, project manager for the SaferInternet.org Web site, declining to detail how far the hackers were able to penetrate the server. He did say about 600 people subscribe to the e-mail list in question.
Morris didn't specify the security flaw in the e-mail distribution list, but did say the other hole was linked to a known vulnerability in Microsoft Corp.'s Index Server, which runs on Microsoft's Internet Information Server (IIS) software widely used to run Web sites.
Morris works for Ecotec Research and Consulting Ltd., the firm contracted by the European Commission, the European Union's executive body, to maintain the Web site.
SaferInternet.org, which isn't targeted at the general public but is designed to function as a hub for awareness-raising organizations such as the Internet Watch Foundation and the United Nations Children's Fund (UNICEF), was officially launched about two weeks ago. The site is part of a broad European Commission campaign to make the Internet safer for citizens and businesses. SaferInternet.org specifically is meant to help eradicate illegal and harmful Internet content, Morris said.
The news of the security flaws is extra spicy as the Commission on Wednesday said it has started work on an anti-hacking law in an effort to raise the level of online security in the European Union. The Commission also plans to fight computer viruses, is preparing a publicity campaign, and will help to strengthen cooperation between national computer emergency response teams.
Security issues like the one the European Commission had to deal with are damaging to an organization, said one expert.
"Exploiting these types of vulnerabilities can result in a loss of confidentiality and integrity. If unauthorized persons were to gain access to a password file, they could steal, add, delete or modify important records or system accounts," said Dan Morrison, a partner in risk consulting with integrated services firm Andersen in Ottawa.