[ISN] Alert preceded Indian trust hacker breach

From: InfoSec News (isnat_private)
Date: Sat Jan 19 2002 - 21:02:46 PST

  • Next message: InfoSec News: "Re: [ISN] Italian Police Nab Hacker Group"

    By Bill McAllister 
    Denver Post Washington Bureau Chief
    Friday, January 18, 2002  
    WASHINGTON - Three months before a computer hacker broke into Indian
    trust records maintained on a Denver computer system, Interior
    Secretary Gale Norton was warned that her department's major computer
    system, also based in the Colorado capital, was vulnerable to
    That warning, from the General Accounting Office, was greeted by
    promises to make quick changes - a promise that one Interior official
    has since conceded may have been incorrect.
    In recent court testimony, Bob Lamb, who was then an acting assistant
    secretary, said he had relied on information from a subordinate who
    assured him nothing was wrong with the computer system.
    Like the ineffective computer system that maintained the Indian trust
    records, Interior's National Business Center in Denver also is
    seriously flawed, the GAO told Norton in a report dated July 3. The
    report said that the system, which maintains the department's
    personnel and payroll records, property records and others financial
    accounts, lacked adequate security to prevent outsiders from breaking
    into the system and altering records.
    "These weaknesses placed sensitive NBC-Denver financial and personnel
    information at the risk of disclosure, critical financial operations
    at the risk of disruption and assets at the risk of loss," said the
    GAO, Congress's investigative agency. In addition, the report noted
    the problem could also affect the 30 other government agencies that
    the Denver center serves.
    Specially, the GAO said, Denver officials did not have adequate
    controls over passwords and user identifications, dial-in access or
    had properly configured its network.
    In Interior's response, Lamb acknowledged the problems and declared
    that the department is moving "aggressively to correct all of the
    weaknesses identified." All, he said, would be resolved by Dec. 31.
    However, that response apparently did not cover the trust records. In
    September, a court-approved computer expert was able to hack into the
    Denver-based computer system - which maintains trust records for about
    300,000 American Indians - and alter them without detection. That
    embarrassing episode is one of the major issues in a contempt of court
    trial Norton is currently facing in a Washington court.
    The link between the two Denver-based computer systems and their
    similar problems was disclosed Thursday by www.Indianz.com., a website
    on the Internet that has been closely following the Norton trial.
    Computer security has emerged as a key issue for the department and
    its employees, many of whose access to the Internet has been removed
    by a court order that U.S. District Judge Royce C. Lamberth issued in
    the Norton case. Citing the hacker, he told Interior officials to deny
    Internet access to any Interior computers that have access to trust
    The result has been that many Interior agencies no longer have
    websites open to the public, and many agency employees cannot use
    e-mail to respond to the public.
    The NBC-Denver computer system is directed by Norton's office. It
    links the department's 14 bureaus and offices with the computer
    mainframes in Colorado. At the time of the GAO report, it said there
    about 37,000 users with access to the Denver computers.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Sun Jan 20 2002 - 01:15:39 PST