[ISN] County cuts off computer network

From: InfoSec News (isnat_private)
Date: Fri Mar 22 2002 - 00:04:55 PST

  • Next message: InfoSec News: "[ISN] Government to Scrub 'Sensitive' Web Information"

    Houston Chronicle
    March 21, 2002
    Harris County District Clerk Charles Bacarisse shut down a wireless
    computer network in his office this week after officials found it
    could be vulnerable to high-tech vandals.
    The decision was made Tuesday, after a computer security analyst
    demonstrated to Steve Jennings, head of the county's Central
    Technology Department, and the Houston Chronicle how the system could
    be compromised.
    Bacarisse and his staff downplayed the weakness, saying hackers,
    terrorists or anyone else intending harm would be detected long before
    they could do any damage or use the system illegally.
    Stefan Puffer, a computer security analyst, met with Jennings on
    Monday and used a laptop computer and a $60 to $75 wireless card to
    show him how to tap into Bacarisse's system. Puffer said the
    demonstration showed the county's wireless networks are vulnerable to
    those with the know-how and the intent to break in.
    Bacarisse said their wireless system was being tested at the time and
    was not in full use, but he ordered a review of the office's
    wireless-security procedures.
    He also questioned Puffer's motives, noting that the analyst was a
    former employee who quit the office after a short unpleasant tenure,
    and he criticized Jennings for not pointing out the problem sooner.
    Bacarisse was told about the problem Tuesday, a day after Monday's
    "We're glad we found out about this, and we're very concerned about
    network security," said Bacarisse. "But my concern was how this was
    Jennings said he was concerned that the system could be accessed from
    the outside and that he wanted to learn more about the problem before
    alerting Bacarisse.
    Leaving the county's wireless systems unprotected from hackers creates
    a serious potential for vandalism and more serious problems, Jennings
    Jennings and Puffer said someone gaining access to the county's system
    could use it as a platform to hack other systems, including those of
    government agencies and businesses, leaving few traces of who they
    Such acts are of special concern to security experts since the
    terrorist attacks of Sept. 11. Puffer and Jennings cited NASA as an
    example of a nearby federal agency that could be targeted for hacking.
    Once tapped into the county system, a hacker could conceivably send
    e-mails appearing to come from county officials that could not be
    traced to the true author.
    "If you're in electronic systems, there's always a potential for
    problems if someone has the time, the tools, the talent and the
    intent," said Jennings, who thinks the county should establish a
    wireless-technology policy.
    Just as worrisome, officials say, is the potential for someone to
    crash county computers, re-route printers, change, alter or delete
    records, or post illegal material on a network computer server.
    That would interfere with taxpayer services, Jennings said.
    Computer publications are full of warnings about the wireless systems'
    security because they can be compromised so cheaply.
    The wireless system used by the county also is popular in homes, and
    consumers often install them on their own systems without turning on
    built-in security features.
    Anyone with a laptop computer can buy a wireless card, slide it into
    his or her computer and use software to scan for and capture radio
    waves linking computers on a wireless system.
    The practice, called "wardriving," is easier if the victim has not
    taken the simple step of activating the security features to encrypt
    the airwaves.
    Essentially, wardrivers use the wireless signals to ride into the
    computer network, which is what Puffer did to the one being operated
    by Bacarisse's office.
    Officials said the security feature on Bacarisse's network was not
    enabled because it was only being tested.
    Puffer said he noticed he could access the county network in early
    March, while using his equipment to scan for such weaknesses
    throughout Houston.
    He said he found more than 250 ways into systems at businesses, homes,
    universities and governments -- something Jennings said proves that
    the district clerk's office is not alone in its vulnerability.
    Bacarisse's staffers said they were planning to use wireless
    technology to connect court clerks in the old Civil Courts Building at
    301 Fannin to their larger computer system, which is separate from the
    one operated by Jennings' office.
    The network had not yet been set up, they said, and neither Puffer nor
    anyone else could have done any damage.
    Bacarisse's staffers have learned that someone tried to access their
    system as early as March 8. The system also alerted them to an
    intrusion Monday, the day Puffer did his demonstration. But if Puffer
    had tried to alter any programs, they said, security safeguards and
    software would have blocked him and alerted them immediately.
    Bacarisse said Puffer's demonstration was a "low-level intrusion" and
    he and his staff equated it to stumbling around a dark house, knocking
    over furniture.
    But because the county's main system and the independent one run by
    Bacarisse are connected, Puffer was able to show Jennings that he
    could get information about the county computer network.
    That worried Jennings enough that he ordered his staff to tighten
    security between the two systems. He also has plans to spend as much
    as $40,000 for other security enhancements.
    Bacarisse said his staff found a pornographic picture on one of its
    servers Tuesday that he suspected was planted by Puffer. He said he
    would refer the incident to the District Attorney's Office.
    Puffer, who conceded that he quit his job with the district clerk's
    office after a short and stormy tenure, denied installing the picture.  
    He said he could prove he had nothing to do with it and welcomed any
    Bacarisse accused Jennings of giving Puffer information to help him
    access the system and hinted that Jennings was trying to use the
    demonstration to increase his authority over systems that he didn't
    Jennings and Puffer vehemently denied that.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 04:22:54 PST