The hacking of the websites of the Federal Trade Commission’s Bureau of Consumer Protection on February 17 was the second attack on the agency’s web presence in less than a month. Both of the attacked servers were set up for the FTC by the public relations firm Fleishman-Hilliard under the same contract, and ran on servers the firm provisioned from web hosting and cloud services provider Media Temple. But even after the server for the FTC’s OnGuardOnline.gov site (ironically, a site intended to share tips from the government on computer security and privacy for consumers) was hacked on January 24 using an exploit of security weaknesses in the applications running on it, Fleishman declined to update the software running its other sites, an executive of Media Temple told Ars.
Media Temple chief marketing officer Kim Brubeck told Ars, “we have actually asked Fleishman-Hilliard to remove any [remaining] .gov sites” from Media Temple’s servers. In an email to Fleishman-Hilliard on February 18, Brubeck requested that the company complete the transfer of its remaining government websites to other hosting providers within 48 hours.
Referring to the government’s security regulations, Brubeck explained, “We aren’t a FISMA-certified hosting service,” and added that Media Temple was unaware that Fleishman-Hilliard had intended to use the servers for government accounts. Under the terms of the service through which the servers were provisioned, Fleishman-Hilliard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers, but “had chosen not to update their applications,” Brubeck said.
Fleishman-Hilliard has still not responded to requests from Ars for comment.