[ISN] U.S. Agency's Computers Didn't Protect Indian Fund

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 00:19:38 PST


    Forwarded from: Elyn Wollensky <elynat_private>
    February 26, 2002
    Instructed by a federal district judge to determine whether the
    computer network at the Bureau of Indian Affairs was secure from
    malicious intruders, Alan Balaran decided to infiltrate it.

    He did this not once, but three times, and determined among other
    things that skilled hackers would be able to bilk Indian funds in
    trust at the bureau by having checks sent to themselves.

    First Mr. Balaran went to a bureau building in Virginia, walked in
    through a loading platform and asked directions to the computing nerve
    center, where he plucked from a shredder a lengthy printout of data on
    some of the trust fund accounts that the agency manages for half a
    million Indians. Nobody stopped him.

    Then he hired a team of hackers to break into the bureau's computers,
    using commonly available software.

    Finally, after the bureau complained that the computer assault had
    been unfair because it relied on inside knowledge of the agency's
    network, Mr. Balaran's team broke in again, without such help, even
    setting up a trust fund account in his name.

    Mr. Balaran is no computer rogue. He is a Washington lawyer appointed
    as a special master by the federal judge, Royce C. Lamberth, who,
    hearing the largest class-action suit ever filed by Indians, has
    already determined that for more than a century the government has
    mismanaged accounts held in trust for them. Judge Lamberth, who sits
    in Washington, will now determine whether the government should be
    held in contempt for failure to abide by past orders to repair its

    Mr. Balaran, appointed by the judge in 2000 to oversee a variety of
    issues related to the suit, began looking into computer security at
    the bureau early last year. The effort intensified when a group of
    plaintiffs discovered, in the April 2001 issue of Government Executive
    magazine, an interview in which the agency's chief information
    officer, Dominic Nessi, confessed that its systems were vulnerable to

    "For all practical purposes, we have no security," Mr. Nessi said in
    that interview.

    Computer security experts say that although the problems at the bureau
    are particularly striking, they are not isolated. Many federal
    agencies are vulnerable, they say, despite years of public concern.

    Mr. Balaran declined to comment publicly on his investigation, citing
    his continuing role in the court case. But the report on what he
    found, filed with the court in November, is a litany of security
    lapses stemming from what the report portrays as official neglect for
    over a decade.

    A spokesman for the Interior Department, parent of the Bureau of
    Indian Affairs, defended the bureau's computer security efforts,
    saying it had tried to deal with vulnerabilities long before the
    report. "I don't propose to defend all of the shortcomings," said the
    spokesman, John Wright. But "it's not like they didn't try to fix the
    problems. There were a number of attempts. We were led to believe" by
    consultants that the bureau's systems worked, "and they didn't work."

    Mr. Balaran's infiltration began last February, when, accompanied by a
    Justice Department lawyer, he drove to the bureau's supposedly secure
    data processing center in Reston, Va. After Mr. Balaran asked his
    companion to remove his tie so as to attract less attention, they
    entered the building from the loading dock. Although they wore no
    badges, they were able to walk past a guard at the entrance - twice,
    simply to make the point - without being questioned.

    Once inside and searching for the secure computing area responsible
    for processing and storing data related to Indian trust funds, Mr.
    Balaran asked directions from a passer-by. He was escorted to the
    computing room on the second floor. There he was able to walk to a
    shredder and pick up a voluminous computer printout with detailed
    information about trust funds - money controlled by the government for
    the benefit of Indians whose property, descended from a system of
    tribal ownership and managed by Washington, is generally leased to
    oil, gas or timber companies.

    Mr. Balaran filed a report in March alerting the court to the break-in
    and the outcome, and then struck again a few months later. He hired
    Predictive Systems Inc., a computer security company based in New York,
    to perform a "pen test" - industry jargon for any electronic effort to
    penetrate the defenses of a computer system. When the Predictive
    Systems team examined the bureau's network, it was immediately
    apparent that it would be possible to gain access to sensitive data
    via the Internet using readily available software tools.

    Once the company penetrated the network and reported its findings to
    Mr. Balaran, the bureau protested the results, saying that the pen
    test ordinarily would have failed but that the Predictive Systems
    penetration team, as part of the exercise, had had detailed
    information about the agency's network.

    So Mr. Balaran asked the company on Aug. 30 to attack the agency's
    computers again. This time he authorized the consultants to create a
    trust account in his name.

    In October, Predictive Systems supplied a report reiterating its
    findings that the bureau's computer systems were vulnerable to attack.

    In the second test, conducted without any prior reference material,
    the consultants used a completely different computer network to gain
    As instructed, they also set up an account in Mr. Balaran's name.

    Since the attack took place during the middle of the trust fund
    billing cycle, no check was issued. But Mr. Balaran said the group had
    proved to his satisfaction that it would be possible to send money to
    any address.

    After reading Mr. Balaran's report, Judge Lamberth forced the entire
    Interior Department in December to shut down virtually all its
    computer systems, since access to the systems of the Indian affairs
    bureau could be gained through the systems of other Interior agencies.

    This month, with Mr. Balaran's oversight and the help of Predictive
    Systems, the department finally began restoring the interrupted
    operations, among other things sending checks to thousands of Indians
    to whom trust-fund payments had been suspended as a result of the

    Mr. Wright, the Interior Department spokesman, says that 52 percent of
    the department's systems are now back online and that Interior is
    working with Mr. Balaran, system by system, to return to complete
    operation. He could not say when that would be.

    Mr. Balaran's report noted that there had been at least four earlier
    ones indicating computer security weaknesses at the bureau. Those
    warnings date from 1989, when the accounting firm of Arthur Andersen
    first raised concerns.

    Most recently, in late 1999, Mr. Nessi, then special adviser to the
    assistant interior secretary for Indian affairs, commissioned such a
    report from SeNet International, a computer security company. The
    evaluation, completed in the spring of 2000, cost nearly $1 million
    and identified hundreds of weaknesses.

    But Mr. Balaran noted in his report that when he interviewed Mr. Nessi
    in June of last year, he discovered that the SeNet report had been
    read by neither Mr. Nessi nor any other Indian affairs official.

    Mr. Balaran's report quoted Mr. Nessi as saying, "You know, with all
    the duties that I have, I would not be able to get to each of them."

    Reached last night at his Virginia home, Mr. Nessi, who now has
    another job at Interior, said he had in fact read part of the report
    and in any case had been briefed by SeNet on all of it. He said he had
    spent his time at the bureau trying to address the very problems Mr.
    Balaran ultimately identified.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 04:44:58 PST