[ISN] Report: Govt. payroll system open to intruders

From: InfoSec News (isnat_private)
Date: Thu Jul 12 2001 - 03:22:07 PDT

  • Next message: William Knowles: "[ISN] Commentary: The Future of InfoSec News!"

    http://www.usatoday.com/life/cyber/tech/2001-07-10-govt-payroll-computer-security.htm
    
    07/10/2001 
    
    WASHINGTON (AP)  A government payroll computer center in Denver is
    fraught with security problems, raising the possibility that criminals
    could steal or alter records, congressional investigators said
    Tuesday.
    
    The General Accounting Office, the investigative arm of Congress,
    faulted the National Business Center for not adequately securing its
    computer network, not investigating suspicious access patterns and
    having lax physical security.
    
    "The effect of these weaknesses is to place sensitive NBC-Denver
    financial and personnel information at risk of unauthorized
    disclosure, critical financial operations at risk of disruption, and
    assets at risk of loss," the report said.
    
    The center handled more than $12 billion in financial transactions
    last year, including payroll checks for more than 200,000 federal
    employees. It develops and operates financial systems for more than 30
    federal organizations, as well as its parent, the Interior Department.
    
    A deputy to Interior Secretary Gale Norton told investigators he was
    thankful for the audit, and promised the problems will be fixed.
    
    Despite security reviews by Interior's own watchdog office in 1997 and
    1998, many security problems still exist, congressional investigators
    said.
    
    Many of them involved granting too many people access to the most
    sensitive programs and networks, even if their job doesn't require
    that access level. Investigators also easily guessed passwords and
    found ones that had not been changed in three years.
    
    Security experts say computer passwords should be changed frequently
    to protect against earlier breaches and disgruntled ex-employees.
    
    Physical security is also a problem, congressional investigators said.
    Although a special photo identification is required, many people
    entered the building by following a person with an authorized card.
    Guards were posted at the entrances, but they failed to check each
    person.
    
    People who weren't cleared to enter the building could get in
    relatively easily, congressional investigators said, "increasing the
    risk that intruders with malicious intent might obtain access to
    sensitive computer resources or disrupt operations."
    
    Robert Lamb, an acting assistant secretary at Interior, told
    investigators that about half of the recommendations have already been
    fulfilled, and the rest will be finished by the end of the year.
    
    Many federal agencies have had trouble keeping computer systems secure
    from hackers and criminals.
    
    Earlier this year, the GAO reported that it broke into the Internal
    Revenue Service's electronic tax payment system and was able to read
    tax returns filed online.
    
    Computer networks at the Department of Veterans Affairs, Environmental
    Protection Agency, and the agency that controls Medicare have also
    been found to have significant vulnerabilities.
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 03:29:37 PDT