Forwarded From: Kjell Wooding <kwoodingat_private>

http://www.codetalker.com/
http://www.msnbc.com:80/news/168969.asp

Internal study at Department of Energy finds huge lapses

By Brock N. Meeks
MSNBC

WASHINGTON, May 30 - An internal review of unclassified computer systems throughout all major Department of Energy facilities found serious security lapses, including the presence of classified and sensitive nuclear weapons information on systems open to anyone with an Internet connection. MSNBC has learned the study has prompted administrators to scramble to implement a time-consuming "contamination clean-up," to remove classified information from Net-accessible computers.

"VIRTUALLY ANYONE on the Internet," using readily obtainable hacking tools, could gain access to "at a minimum, password files and, more disconcerting, classified and sensitive data," the report says. Worse, it adds, "hackers can and have compromised DOE systems."

"The Department of Energy takes the report very seriously," said Larry Altenburg, a member of DOE's Critical Infrastructure Protection Task Force in the Office of Nonproliferation and National Security. "As the oversight office noted, our sites have acted on issues raised by the interim report," he said.

The report covers 64,000 unclassified department computer systems, 1,400 of which are accessible to anyone on the Internet. The final review, due in October, will have reviewed double that number of publicly available systems, the official said.

The measured tone of the report belies its conclusions. The Los Alamos National Laboratory alone, charged with safekeeping America's nuclear weapons stockpile, has had 15 security breaches since November. MSNBC has learned one of those incidents, involving the transfer of classified information via the Internet, is now under investigation by the FBI.

"These findings raised quite a few eyebrows in the department," said one DOE computer administrator, who spoke on condition of anonymity.

"The DOE has concerns about our ability to protect classified information. We're not doing that very well at all," said Stan Busboom, Security and Safeguards Division director at Los Alamos National Laboratory in the lab's May 13 newsletter.

HACKER'S PLAYGROUND

The main problem involves computer systems that allow anonymous public access for file transfers. The report found that security measures weren't adequate to protect files stored on those systems.

Some systems were found to be susceptible to being used as covert hacker "drop off" sites for storing illegal software. "Once a server is used for this purpose, it is often referenced in a 'pirate list' ... distributed through the Internet 'underground,'" the report says. It also notes that the security evaluation team found such illegal software at one DOE site.

Many of the systems weren't configured properly, allowing anonymous users to alter information, if they wanted to. In addition, department investigators were able to access personal directories of DOE employees in which they found "sensitive working documents, e-mail, passwords and other potentially sensitive information that could be downloaded."

EXTREME OPEN ACCESS

One of the "most significant" problems the report cites is the lack of an effective way to ensure that classified and sensitive information is not placed on department unclassified systems. "In many cases, the computer system users have no controls and little training as to what can and cannot be placed on a particular system," the report says.

At one site, department investigators found what appeared to be "highly sensitive information" available for downloading. After an internal review by the department's Office of Declassification, it was determined that one of the documents was classified and should never have been publicly available.
In all cases where sensitive or classified information was found, the systems have since been modified, the report says, so that the documents are no longer publicly accessible.

The report notes that "unclassified controlled nuclear information" was found available to the public, including "documents providing detailed descriptions (hundreds of pages) of a facility containing special nuclear material, including building configurations, process descriptions, and routes by which materials are moved."

System password files were downloaded and "cracked, granting full access to user files and programs," the report says. In addition, e-mail passwords were compromised, "some of which allowed interactive access to large e-mail servers where user data directories were available for downloading."

The password file violations were especially troubling to investigators, who noted that by using the compromised accounts "an intruder could migrate through the network and obtain sensitive information."

ALL WE KNOW IS WE DON'T KNOW

An interim report, published in March, was issued despite the fact that the review was only 50 percent complete because the security vulnerabilities were so great, the report says. Lists of "vulnerable" computers have been provided to each department site reviewed so that corrective measures can be implemented, the report says.

"How, when, how often, or by whom these vulnerabilities and data may have already been exploited via the worldwide Internet can only be conjectured," the report's conclusion says.

Although the DOE investigators operated under self-imposed constraints (they didn't alter files, for example), "it is unknown what malicious activities may have already occurred in terms of the observed vulnerabilities," the report says.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]