'

Hacker fear scares US government agency offline

Two years after admitting that its Net security was 'non-existent', the US EPA pulls down its Web site in fear of hackers

The US Environmental Protection Agency (EPA) suffered another security embarrassment on Thursday when it shut down its Web site because of fear of computer hacker attacks. The decision came just a week after eight major Web sites, including ZDNet, were knocked offline by Denial of Service attacks. However, the EPA site has been known to be vulnerable to hacker attacks since at least September 1997.

The EPA said that its site will be down for a week or two until an ongoing security upgrade program is complete. "The agency has been working with the General Accounting Office (GAO) and the Office of Inspector General for several months to strengthen the security of our Web site," an agency spokesperson said on Thursday. "The decision to temporarily close access to the Web site was made after a meeting on Wednesday with computer security experts." The experts told EPA officials that recent public attention on the agency's computer vulnerabilities made the site a likely target for hackers.

As reported on ZDNet News, ZDNet UK's online sister publication, the GAO met with EPA officials last December after it had found that the agency's information systems were at risk. "These weaknesses pose a serious threat to the integrity of the EPA's information systems and, if uncorrected, could allow unauthorised users to take control of the EPA's network operations," wrote David McClure, associate director for the GAO's accounting and information management division, in December.

At the time, the EPA's lax security came in for heavy criticism from Republican Thomas J Bliley Jr, chairman of the House Commerce Committee, who called the situation "unacceptable" in a December 1999 letter to the EPA chief administrator Carol M Browner.

Bliley also blasted the agency's "poor track record" -- referring to the fact that in September 1997, the EPA inspector general admitted that the site was vulnerable to hacker attacks, and in December 1998, the EPA told Congress in its annual report that its information security plans were "deficient or non-existent".

On Wednesday, Bliley was after the EPA again, rereleasing a scathing letter he wrote to Browner last year and laying the blame at her feet for the site's unplugging. "It is unfortunate that the American people temporarily will not have access to the important public information contained on the EPA Web site," Bliley said in a statement. "That sad fact is the fault of no-one other than EPA administrator, Carol Browner, and her management team. Had they heeded seven years of warnings by security experts and performed their duties with even a modicum of responsibility over this time, last night's shutdown would not have been necessary."

EPA spokesman, Dave Cohen, said the agency was "saddened" by having to take the Web site down, noting it is a popular outlet for the public to access all types of information on air and water pollution in local communities. "We were afraid it had become a real target," Cohen said.

In other news, the official Web site of the California State Assembly was hacked early on Thursday morning. California legislative counsel, Bion Gregory, told ZD Radio that an unknown intruder temporarily defaced the site, which was restored to normal operations at about 15:20 GMT. Gregory declined to comment on the nature of the hack, whether anyone had claimed responsibility for the attack, or whether any new security measures would be put in place to prevent future intrusions.

Observers said the hacker had replaced the contents of the page with the message, "Don't put this back up. Hee, hee, hee".

Take me to the Hackers News Special

For full coverage, see the Denial of Service Roundup