[ISN] Internal study at Department of Energy finds huge lapses

From: mea culpa (jerichoat_private)
Date: Sat May 30 1998 - 11:32:43 PDT

    Forwarded From: Kjell Wooding <kwoodingat_private>
    http://www.codetalker.com/
    
    
    http://www.msnbc.com:80/news/168969.asp
                   
    Internal study at Department of Energy finds huge lapses
                                                               
    By Brock N. Meeks
    MSNBC
                   
    WASHINGTON, May 30 - An internal review of unclassified computer
    systems throughout all major Department of Energy facilities found
    serious security lapses, including the presence of classified and
    sensitive nuclear weapons information on systems open to anyone with
    an Internet connection. MSNBC has learned the study has prompted
    administrators to scramble to implement a time-consuming
    "contamination clean-up," to remove classified information from
    Net-accessible computers.
    
    "VIRTUALLY ANYONE on the Internet," using readily obtainable
    hacking tools, could gain access to "at a minimum, password files
    and, more disconcerting, classified and sensitive data," the report
    says. Worse, it adds, "hackers can and have compromised DOE
    systems."
    
    "The Department of Energy takes the report very seriously," said
    Larry Altenburg, a member of DOE's Critical Infrastructure
    Protection Task Force in the Office of Nonproliferation and National
    Security. "As the oversight office noted, our sites have acted on
    issues raised by the interim report," he said.
    
    The report covers 64,000 unclassified department computer systems,
    1,400 of which are accessible to anyone on the Internet. The final
    review, due in October, will have reviewed double that number of
    publicly available systems, the official said.
    
    The measured tone of the report belies its conclusions.  The Los
    Alamos National Laboratory alone, charged with safekeeping
    America's nuclear weapons stockpile, has had 15 security breaches
    since November.
    
    MSNBC has learned one of those incidents, involving the transfer of
    classified information via the Internet, is now under investigation by
    the FBI. "These findings raised quite a few eyebrows in the
    department," said one DOE computer administrator, who spoke on
    condition of anonymity.
    
    "The DOE has concerns about our ability to protect classified
    information. We're not doing that very well at all," said Stan
    Busboom, Security and Safeguards Division director at Los Alamos
    National Laboratory in the lab's May 13 newsletter.
    
    HACKER'S PLAYGROUND 
    
    The main problem involves computer systems that allow anonymous public
    access for file transfers. The report found that security measures
    weren't adequate to protect files stored on those systems. Some
    systems were found to be susceptible to being used as covert hacker
    "drop off" sites for storing illegal software.
    
    "Once a server is used for this purpose, it is often referenced in a
    'pirate list' ... distributed through the Internet
    'underground,' " the report says. It also notes that the security
    evaluation team found such illegal software at one DOE site.
    
    Many of the systems weren't configured properly, allowing anonymous
    users to alter information, if they wanted to. In addition, department
    investigators were able to access personal directories of DOE
    employees in which they found "sensitive working documents, e-mail,
    passwords and other potentially sensitive information that could be
    downloaded."
    
    EXTREME OPEN ACCESS
    
    One of the "most significant" problems the report cites is the lack of
    an effective way to ensure that classified and sensitive information
    is not placed on department unclassified systems. "In many cases, the
    computer system users have no controls and little training as to what
    can and cannot be placed on a particular system," the report says.
    
    At one site, department investigators found what appeared to be
    "highly sensitive information" available for downloading. After an
    internal review by the department's Office of Declassification, it was
    determined that one of the documents was classified and should never
    have been publicly available. In all cases where sensitive or
    classified information was found, the systems have since been
    modified, the report says, so that the documents are no longer
    publicly accessible.
    
    The report notes that "unclassified controlled nuclear information"
    was found available to the public, including "documents providing
    detailed descriptions (hundreds of pages) of a facility containing
    special nuclear material, including building configurations, process
    descriptions, and routes by which materials are moved."
    
    System password files were downloaded and "cracked, granting full
    access to user files and programs," the report says. In addition,
    e-mail passwords were compromised, "some of which allowed interactive
    access to large e-mail servers where user data directories were
    available for downloading."
    
    The password file violations were especially troubling to
    investigators, who noted that by using the compromised accounts "an
    intruder could migrate through the network and obtain sensitive
    information."
    
    ALL WE KNOW IS WE DON'T KNOW
    
    An interim report, published in March, was issued despite the fact that
    the review was only 50 percent complete because the security
    vulnerabilities were so great, the report says.
    
    Lists of "vulnerable" computers have been provided to each department
    site reviewed so that corrective measures can be implemented, the
    report says.  "How, when, how often, or by whom these vulnerabilities
    and data may have already been exploited via the worldwide Internet
    can only be conjectured," the report's conclusion says.  Although the
    DOE investigators operated under self-imposed constraints (they didn't
    alter files, for example), "it is unknown what malicious activities may
    have already occurred in terms of the observed vulnerabilities," the
    report says.
    