[ISN] GAO: Hacks put public at risk

From: William Knowles (erehwonat_private)
Date: Tue May 19 1998 - 22:04:02 PDT

  • Next message: mea culpa: "[ISN] W3C Publishes First Public Working Draft of P3P 1.0"

    WASHINGTON (ZDNet By: Brock Meeks 5.19.98) - Computers at the State 
    Department containing sensitive, but unclassified, information were 
    routinely "hacked" and found vulnerable to outside intrusion according 
    to a government study obtained by MSNBC.
    A similar government report exposes critical weaknesses in the Federal
    Aviation Administration's air traffic control system computers that
    could jeopardize the flying public's safety, according to the report
    obtained by MSNBC.
    The reports are scheduled to be made public Tuesday during a Senate
    panel hearing on the issue of government computer security.
    More bad news: the computer break-ins at the State Department were
    done by rank amateurs; auditors from the General Accounting Office,
    which conducted the studies, were trained to use common hacking tools
    downloaded from the Internet, according to a congressional staffer for
    Sen. Fred Thompson (R-Tenn.), who requested the studies from the GAO
    and whose governmental affairs committee will hold the hearings
    According to the State Department study, "Computer Security:
    Pervasive, Serious Weaknesses Jeopardizes State Department
    Operations," the department's computer systems are "vulnerable 
    to access, change, disclosure, disruption or even denial of 
    service by unauthorized individuals."
    The newly minted GAO hackers found they could gain access to the most
    critical functions of the computer system the "system administrator"
    or "root" access that allowed them to "download, delete, and modify
    these data, add new data, shut down servers, and monitor network
    traffic. Worse: the hacking attempts "went largely undetected," 
    the report says.
    A State Department spokesman said no comment would be available 
    until the department had a chance to read the official report. 
    The report obtained by MSNBC notes that the State Department has 
    read a classified version and is implementing steps "beginning 
    to address the lack of a central focus for computer security" 
    and is correcting weaknesses highlighted in the report.
    Exploitation at State
    The GAO said that "individuals or organizations seeking to damage
    State operations, commit terrorism, or obtain financial gain could
    possibly exploit the department's" computer security flaws, including
    disruption of diplomatic negotiations and agreements.
    Deletion or alteration of data in States' computers "could enable
    dangerous individuals to enter the United States," the report says.
    And confidential background material, gathered on potential employees
    being considered for security clearances, are kept on State's
    unclassified network.
    The computer attacks were first cleared with top State department
    officials; GAO hackers operated under strict "rules of engagement"
    that included no hacking attempts on classified State computer
    GAO also found that the human element was a big security risk, as
    well. Unlocked work areas were accessed because no one asked for
    identification. Computer terminals in these unlocked areas were 
    found logged in and ready to use, GAO said. In one instance the 
    user ID and password were taped to the computer terminal.
    The report found no central office inside State to deal with 
    computer security issues, with such duties having become 
    "fragmented" among three offices. The State Department's own 
    Internet risk analysis, quoted in the report, admits "it is 
    extremely difficult to detect when information is lost, 
    misdirected, intercepted or spoofed."
    The State Department did get high marks for its Internet security.
    Though the GAO team tried to gain access to internal State networks by
    "going through and around State's Internet gateways or exploiting
    information servers from the outside via the Internet, we were not
    able to gain access," the report says. The GAO hackers made their
    successful intrusions on regular dial up modem lines, right into 
    the State department network itself, bypassing the Internet.
    Failure at the FAA
    Failure to adequately protect the nation's air traffic control
    computer systems, as well as the buildings that house them, "could
    cause nationwide disruption of air traffic or even loss of life due 
    to collisions," says the GAO report "Air Traffic Control: Weak 
    Computer Security Practices Jeopardize Flight Safety."
    The GAO team studying the FAA said the agency "is ineffective in all
    critical areas included in our computer security review-facilities
    physical security, operational systems information security, future
    systems modernization security and management structure and policy
    The report found 13 physical security weaknesses at just one aircraft
    controlling facility last year. The FAA is unaware of similar concerns
    among its other 187 similar aircraft controlling facilities because
    the agency hasn't conducted a risk assessment of those operations
    since 1993, the study said.
    Further, only 3 of 90 air traffic control computer systems has had a
    risk assessment done to ferret out vulnerabilities, the report said.
    Without knowing if the others are vulnerable, said the GAO, the agency
    "cannot adequately protect them."
    In addition, only one of the nine crucial air traffic control
    telecommunications networks has been analyzed, according to the
    The FAA did not return calls for comment; however, the report notes
    that the agency didn't agree with all its findings. The FAA disagreed
    that its management of computer security is inappropriate or that ATC
    systems "are vulnerable to the point of jeopardizing flight safety."
    The GAO report says it doesn't agree with the FAA's "alternative
    interpretations" of its findings.
    The FAA has "for years" known that its vulnerabilities could
    "jeopardize, and have already jeopardized, flight safety," the 
    report says. In a classified version of the FAA report, the GAO 
    says it detailed those instances were FAA vulnerabilities put 
    the public at risk.
    In a parting shot, the report notes that the FAA has "invested
    billions of dollars in failed efforts to modernize its ATC 
    systems while critical security vulnerabilities went uncorrected."
    There's a compelling reason to master information & news.
    Clearly there will be better job and financial opportunites.
    Other high stakes will be missed by people if they don't
    master and connect information.  --  Everette Dennis
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:53:57 PDT