Recovery Act websites vulnerable to cyber attack, says IG
Websites launched to collect and disseminate data for American Recovery and Reinvestment Act of 2009 projects are vulnerable to hacking and contain inherent security risks, according to a report dated Oct. 22 from the Transportation Department's Office of Inspector General.
Transportation's ARRA-related websites and databases contain vulnerabilities of varying severity, but the high-risk vulnerabilities could be exploited by hackers, says the report. A cyber attack could not only affect ARRA reporting, but also interrupt DOT's day-to-day operations--allowing hackers to access passwords or even gain control of servers, which could be used to attack other computers in the DOT network.
"These vulnerabilities exist because the websites, databases and servers are not configured in compliance with DOT configuration security standards," wrote Earl Hedges, acting assistant inspector general for Financial and Information Technology Audits at DOT, in a memo.
Vulnerability Assessment Results
| Server Level Assessment | 16 | 7 | 6 | 48 |
| Website Assessment | 13 | 1759 | 1257 | 3541 |
| Database Assessment | 3 | 56 | 2287 | 170 |
| TOTAL | 32 | 1822 | 3550 | 3759 |
Source: DOT OIG
Most of the high-risk vulnerabilities are associated with 13 websites, which contain web pages used to post ARRA-related information for public use, said the report. The report does not disclose specific security gaps, but DOT officials have been briefed on the vulnerabilities.
The OIG recommends DOT take immediate corrective action on the vulnerabilities. A memo from DOT CIO Nitin Pradhan says he has begun working with administration information system security officers and information system security managers. All critical and high-risk vulnerabilities will have a specific plan for remediation by Nov. 8, 2010, wrote Pradhan.
For more:
- see the DOT OIG report (.pdf)