Audit Reports

DOT Web Site Vulnerability

In response to recent hacking attacks on government computers, we evaluated the vulnerability of DOT web sites. We scanned 142 DOT web servers and identified potential vulnerabilities on 86 servers in 8 DOT Operating Administrations. We categorized 68 servers as highly vulnerable to hackers, 42 as having medium vulnerability, and 64 as having low vulnerability. DOT should assign a priority to determining whether corrective actions are needed, and which ones, for: (1) all high potential vulnerabilities we identified, (2) the four medium vulnerabilities we identified that enabled OIG to copy the password files from the web servers, and (3) the 23 low potential vulnerabilities we identified that allow access to DOT computers through special network services. We also recommended that DOT fix all confirmed vulnerabilities by June 8, 2001, and expedite issuance of the web configuration checklist to ensure web servers are secured before they go into use.