WASHINGTON (ZDNet By: Brock Meeks 5.19.98) - Computers at the State Department containing sensitive, but unclassified, information were routinely "hacked" and found vulnerable to outside intrusion according to a government study obtained by MSNBC. A similar government report exposes critical weaknesses in the Federal Aviation Administration's air traffic control system computers that could jeopardize the flying public's safety, according to the report obtained by MSNBC. The reports are scheduled to be made public Tuesday during a Senate panel hearing on the issue of government computer security. More bad news: the computer break-ins at the State Department were done by rank amateurs; auditors from the General Accounting Office, which conducted the studies, were trained to use common hacking tools downloaded from the Internet, according to a congressional staffer for Sen. Fred Thompson (R-Tenn.), who requested the studies from the GAO and whose governmental affairs committee will hold the hearings Tuesday. According to the State Department study, "Computer Security: Pervasive, Serious Weaknesses Jeopardizes State Department Operations," the department's computer systems are "vulnerable to access, change, disclosure, disruption or even denial of service by unauthorized individuals." The newly minted GAO hackers found they could gain access to the most critical functions of the computer system the "system administrator" or "root" access that allowed them to "download, delete, and modify these data, add new data, shut down servers, and monitor network traffic. Worse: the hacking attempts "went largely undetected," the report says. A State Department spokesman said no comment would be available until the department had a chance to read the official report. The report obtained by MSNBC notes that the State Department has read a classified version and is implementing steps "beginning to address the lack of a central focus for computer security" and is correcting weaknesses highlighted in the report. Exploitation at State The GAO said that "individuals or organizations seeking to damage State operations, commit terrorism, or obtain financial gain could possibly exploit the department's" computer security flaws, including disruption of diplomatic negotiations and agreements. Deletion or alteration of data in States' computers "could enable dangerous individuals to enter the United States," the report says. And confidential background material, gathered on potential employees being considered for security clearances, are kept on State's unclassified network. The computer attacks were first cleared with top State department officials; GAO hackers operated under strict "rules of engagement" that included no hacking attempts on classified State computer systems. GAO also found that the human element was a big security risk, as well. Unlocked work areas were accessed because no one asked for identification. Computer terminals in these unlocked areas were found logged in and ready to use, GAO said. In one instance the user ID and password were taped to the computer terminal. The report found no central office inside State to deal with computer security issues, with such duties having become "fragmented" among three offices. The State Department's own Internet risk analysis, quoted in the report, admits "it is extremely difficult to detect when information is lost, misdirected, intercepted or spoofed." The State Department did get high marks for its Internet security. Though the GAO team tried to gain access to internal State networks by "going through and around State's Internet gateways or exploiting information servers from the outside via the Internet, we were not able to gain access," the report says. The GAO hackers made their successful intrusions on regular dial up modem lines, right into the State department network itself, bypassing the Internet. Failure at the FAA Failure to adequately protect the nation's air traffic control computer systems, as well as the buildings that house them, "could cause nationwide disruption of air traffic or even loss of life due to collisions," says the GAO report "Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety." The GAO team studying the FAA said the agency "is ineffective in all critical areas included in our computer security review-facilities physical security, operational systems information security, future systems modernization security and management structure and policy implementation." The report found 13 physical security weaknesses at just one aircraft controlling facility last year. The FAA is unaware of similar concerns among its other 187 similar aircraft controlling facilities because the agency hasn't conducted a risk assessment of those operations since 1993, the study said. Further, only 3 of 90 air traffic control computer systems has had a risk assessment done to ferret out vulnerabilities, the report said. Without knowing if the others are vulnerable, said the GAO, the agency "cannot adequately protect them." In addition, only one of the nine crucial air traffic control telecommunications networks has been analyzed, according to the report. The FAA did not return calls for comment; however, the report notes that the agency didn't agree with all its findings. The FAA disagreed that its management of computer security is inappropriate or that ATC systems "are vulnerable to the point of jeopardizing flight safety." The GAO report says it doesn't agree with the FAA's "alternative interpretations" of its findings. The FAA has "for years" known that its vulnerabilities could "jeopardize, and have already jeopardized, flight safety," the report says. In a classified version of the FAA report, the GAO says it detailed those instances were FAA vulnerabilities put the public at risk. In a parting shot, the report notes that the FAA has "invested billions of dollars in failed efforts to modernize its ATC systems while critical security vulnerabilities went uncorrected." == There's a compelling reason to master information & news. Clearly there will be better job and financial opportunites. Other high stakes will be missed by people if they don't master and connect information. -- Everette Dennis == http://www.dis.org/erehwon/ -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:53:57 PDT