The Complex

The government's cyber vulnerabiity database was infected with malware (Updated)

The National Institute for Standards and Technology or NIST -- the government institute responsible for bringing together critical infrastructure providers to decide the minimum cyber security standards they should adhere to under President Obama's cyber security executive order -- had to take its list of cyber vulnerabilities offline after it was discovered to be infected with malware.

(That's a photo of NIST' advanced measurement Lab above.)

According numerous reports in the tech press, two of NIST's servers hosting the U.S. government's National Vulnerability Database were infected with malware that took advantage of security gaps in Adobe's ColdFusion software. The kicker: the site was infected for two months before the malware was noticed and NIST took it offline last Friday.

The National Vulnerability Database is supposed to be the government's resource to give the IT security community a running list of known cyber vulnerabilities.

"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites," a NIST spokeswoman said in a March 14 statement posted to  Google+ by Kim Halavakoski, chief security officer at Crosskey Banking Solutions, which noticed the database was offline while trying to research cyber vulnerabilities.

As noted by The Register, Adobe issued a warning about the flaw in ColdFusion on January 4 and a software patch for it on January 15.

So yeah, it looks like the government agency charged with helping develop cyber security best practices didn't follow a key best practice; regularly updating its software.

When looking for a photo for this piece, Killer Apps noticed that NIST's photo gallery is also unavailable, let's hope it wasn't infected too.

We've got a phone call in to NIST, we'll let you know when we hear back.

 UPDATE : A NIST spokeswoman just emailed Killer Apps to say that the database and several other NIST sites are back up and running.

Please note that the following web sites are now back up.  There may be some associated web sites or aliases that are not yet up, however.



Load More Comments