The security of data held by the CIA, the FBI and the US Department of Defense was compromised earlier this year after a partner agency allowed zone transfer access of its Domain Name Services.
Professor John Walker, managing director of forensics consultancy Secure-Bastion, revealed the security blunder during the International Crime Science conference in London last week.
Professor Walker had been testing DNS environments as part of his academic research.
“In one case an organisation in the US, working with some government agencies, allowed me to get into their systems to see their servers named for their clients. Their servers were called ‘CIA’, ‘FBI’ and ‘DoD’,” he said.
“The DNS is a logical map of all the assets of a company. If you can take the logical map of the assets out (IP addresses, system names) you’ve got an awful lot of intelligence to work on,” he said.
“And you can work quietly because you no longer have to go to the organisation to get the data because it’s sitting on your PC.”
When Professor Walker reported the security flaw, the organisation said ” Thank God you’ve found it” and closed it down. “I didn’t go down any further because I valued my liberty,” he said.
“In my work I get the pleasure of seeing other people’s systems. I invariably walk away not believing what I’ve seen. It’s not that the criminals are so clever, but that we’re so stupid.”
The International Crime Science Conference was organised by the Centre for Security and Crime Science at University College London.