U.S. National Vulnerability Database Is, Apparently, Very Vulnerable

By | March 15, 2013

Posted in: Network Security Trends

Hardly anyone noticed until yesterday, but administrators of the U.S. National Vulnerability Database (NVD), the online, searchable repository of known security flaws and vulnerabilities, took the site offline after they noticed suspicious activity on its servers.

That was on March 8th.

As of this morning, here is what you see when you visit the site:

[Screenshot: the NVD outage page in place of the Vulnerability Database]

Kim Halavakoski, chief security officer at Crosskey Banking Solutions, first discovered the site was down after trying to retrieve some vulnerability information. He dashed off an email to the National Institute of Standards and Technology (NIST), posting the exchange on his Google+ page. NIST spokesperson Gail Porter confirmed that on "Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability."

Halavakoski noted in a subsequent post that at the NVD "at the time of the breach they were running IIS 7.5," a server version which, according to Netcraft's site report, carried a risk rating of 0/10.

Noting the obvious irony, Halavakoski said that "hacking the NVD and planting malware on the very place where we get our vulnerability information, that is just pure evil!"
