Forwarded from: Elyn Wollensky <elynat_private>

http://www.nytimes.com/2002/02/26/technology/26INDI.html

February 26, 2002
By JOHN MARKOFF

Instructed by a federal district judge to determine whether the computer network at the Bureau of Indian Affairs was secure from malicious intruders, Alan Balaran decided to infiltrate it. He did this not once, but three times, and determined among other things that skilled hackers would be able to bilk Indian funds in trust at the bureau by having checks sent to themselves.

First Mr. Balaran went to a bureau building in Virginia, walked in through a loading platform and asked directions to the computing nerve center, where he plucked from a shredder a lengthy printout of data on some of the trust fund accounts that the agency manages for half a million Indians. Nobody stopped him.

Then he hired a team of hackers to break into the bureau's computers, using commonly available software.

Finally, after the bureau complained that the computer assault had been unfair because it relied on inside knowledge of the agency's network, Mr. Balaran's team broke in again, without such help, even setting up a trust fund account in his name.

Mr. Balaran is no computer rogue. He is a Washington lawyer appointed as a special master by the federal judge, Royce C. Lamberth, who, hearing the largest class-action suit ever filed by Indians, has already determined that for more than a century the government has mismanaged accounts held in trust for them. Judge Lamberth, who sits in Washington, will now determine whether the government should be held in contempt for failure to abide by past orders to repair its work.

Mr. Balaran, appointed by the judge in 2000 to oversee a variety of issues related to the suit, began looking into computer security at the bureau early last year.

The effort intensified when a group of plaintiffs discovered, in the April 2001 issue of Government Executive magazine, an interview in which the agency's chief information officer, Dominic Nessi, confessed that its systems were vulnerable to hacking. "For all practical purposes, we have no security," Mr. Nessi said in that interview.

Computer security experts say that although the problems at the bureau are particularly striking, they are not isolated. Many federal agencies are vulnerable, they say, despite years of public concern.

Mr. Balaran declined to comment publicly on his investigation, citing his continuing role in the court case. But the report on what he found, filed with the court in November, is a litany of security lapses stemming from what the report portrays as official neglect for over a decade.

A spokesman for the Interior Department, parent of the Bureau of Indian Affairs, defended the bureau's computer security efforts, saying it had tried to deal with vulnerabilities long before the report. "I don't propose to defend all of the shortcomings," said the spokesman, John Wright. But "it's not like they didn't try to fix the problems. There were a number of attempts. We were led to believe" by consultants that the bureau's systems worked, "and they didn't work."

Mr. Balaran's infiltration began last February, when, accompanied by a Justice Department lawyer, he drove to the bureau's supposedly secure data processing center in Reston, Va. After Mr. Balaran asked his companion to remove his tie so as to attract less attention, they entered the building from the loading dock. Although they wore no badges, they were able to walk past a guard at the entrance - twice, simply to make the point - without being questioned.

Once inside and searching for the secure computing area responsible for processing and storing data related to Indian trust funds, Mr. Balaran asked directions from a passer-by. He was escorted to the computing room on the second floor. There he was able to walk to a shredder and pick up a voluminous computer printout with detailed information about trust funds - money controlled by the government for the benefit of Indians whose property, descended from a system of tribal ownership and managed by Washington, is generally leased to oil, gas or timber companies.

Mr. Balaran filed a report in March alerting the court to the break-in and the outcome, and then struck again a few months later. He hired Predictive Systems Inc., a computer security company based in New York, to perform a "pen test" - industry jargon for any electronic effort to penetrate the defenses of a computer system.

When the Predictive Systems team examined the bureau's network, it was immediately apparent that it would be possible to gain access to sensitive data via the Internet using readily available software tools.

Once the company penetrated the network and reported its findings to Mr. Balaran, the bureau protested the results, saying that the pen test ordinarily would have failed but that the Predictive Systems penetration team, as part of the exercise, had had detailed information about the agency's network.

So Mr. Balaran asked the company on Aug. 30 to attack the agency's computers again. This time he authorized the consultants to create a trust account in his name. In October, Predictive Systems supplied a report reiterating its findings that the bureau's computer systems were vulnerable to attack.

In the second test, conducted without any prior reference material, the consultants used a completely different computer network to gain access. As instructed, they also set up an account in Mr. Balaran's name. Since the attack took place during the middle of the trust fund billing cycle, no check was issued. But Mr. Balaran said the group had proved to his satisfaction that it would be possible to send money to any address.

After reading Mr. Balaran's report, Judge Lamberth forced the entire Interior Department in December to shut down virtually all its computer systems, since access to the systems of the Indian affairs bureau could be gained through the systems of other Interior agencies.

This month, with Mr. Balaran's oversight and the help of Predictive Systems, the department finally began restoring the interrupted operations, among other things sending checks to thousands of Indians to whom trust-fund payments had been suspended as a result of the shutdown.

Mr. Wright, the Interior Department spokesman, says that 52 percent of the department's systems are now back online and that Interior is working with Mr. Balaran, system by system, to return to complete operation. He could not say when that would be.

Mr. Balaran's report noted that there had been at least four earlier ones indicating computer security weaknesses at the bureau. Those warnings date from 1989, when the accounting firm of Arthur Andersen first raised concerns.

Most recently, in late 1999, Mr. Nessi, then special adviser to the assistant interior secretary for Indian affairs, commissioned such a report from SeNet International, a computer security company. The evaluation, completed in the spring of 2000, cost nearly $1 million and identified hundreds of weaknesses.

But Mr. Balaran noted in his report that when he interviewed Mr. Nessi in June of last year, he discovered that the SeNet report had been read by neither Mr. Nessi nor any other Indian affairs official. Mr. Balaran's report quoted Mr. Nessi as saying, "You know, with all the duties that I have, I would not be able to get to each of them."

Reached last night at his Virginia home, Mr. Nessi, who now has another job at Interior, said he had in fact read part of the report and in any case had been briefed by SeNet on all of it. He said he had spent his time at the bureau trying to address the very problems Mr. Balaran ultimately identified.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 04:44:58 PST