NVD US National Vulnerability Database Hacked

NVD Hacked

The US National Vulnerability Database (NVD)  was hacked and has been offline since last Friday. According to Business Insider, security researchers found malware on two NIST servers.

Interestingly, the NVD site that warns about security problems, didn’t warn the world about its own.

Chris Wysopal, Veracode CTO & co-founder was the first to ask about NVD downtime on Twitter:

Hacked NVD Chris Wysopal

Security researcher, Kim Halavakoski initially reported the hack on G+ and the Register was the first to post in the security realm that the US government’s online catalog of cyber-vulnerabilities was offline and hacked.

The National Institute of Standards and Technology’s National Vulnerability Database’s (NVD) public-facing website and other services have been offline since Friday due to a malware infection on two web servers, it emerged on Wednesday.

The Register received an anonymous tip-off about the infection on Wednesday afternoon, which led us to a Google+ post containing information from NIST.

The Irony!

The irony of the recent NVD hack is equivalent to the March 2011 MySQL.com, SQL injection hack.

Hacking the NVD and planting malware on the very place where we get our vulnerability information, that is just pure evil! –Kim Halavakoski

NVD irony

Why?

It will be interesting to find out what motivated the hackers to plant malware on NIST and what software vulnerability was present. Brian Honan recently wrote an article for InSecure [Issue 37, March 2013, p52-53], stressing the importance of one powerful three-letter word that should be used as a tool in the vocabulary of information security professionals:

We see an ever increasing number of news stories about the threat of cyber-war, the need for cyber-warriors and cyber-weapons, the rise of the Advanced Persistent Threat (APT), the risks that Bring Your Own Device raises,and the security issues with Cloud computing. If we simply consume these stories without asking “why?”, we may never learn to understand the motives of those behind the story.

As of this writing (March 14, 2013) the NVD site is still offline.

The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available.test

Any guesses as to the software vulnerability/malware planted?

Leave a reply