http://www.chron.com/cs/CDA/story.hts/topstory/1302663 By STEVE BREWER Houston Chronicle March 21, 2002 Harris County District Clerk Charles Bacarisse shut down a wireless computer network in his office this week after officials found it could be vulnerable to high-tech vandals. The decision was made Tuesday, after a computer security analyst demonstrated to Steve Jennings, head of the county's Central Technology Department, and the Houston Chronicle how the system could be compromised. Bacarisse and his staff downplayed the weakness, saying hackers, terrorists or anyone else intending harm would be detected long before they could do any damage or use the system illegally. Stefan Puffer, a computer security analyst, met with Jennings on Monday and used a laptop computer and a $60 to $75 wireless card to show him how to tap into Bacarisse's system. Puffer said the demonstration showed the county's wireless networks are vulnerable to those with the know-how and the intent to break in. Bacarisse said their wireless system was being tested at the time and was not in full use, but he ordered a review of the office's wireless-security procedures. He also questioned Puffer's motives, noting that the analyst was a former employee who quit the office after a short unpleasant tenure, and he criticized Jennings for not pointing out the problem sooner. Bacarisse was told about the problem Tuesday, a day after Monday's demonstration. "We're glad we found out about this, and we're very concerned about network security," said Bacarisse. "But my concern was how this was handled." Jennings said he was concerned that the system could be accessed from the outside and that he wanted to learn more about the problem before alerting Bacarisse. Leaving the county's wireless systems unprotected from hackers creates a serious potential for vandalism and more serious problems, Jennings said. Jennings and Puffer said someone gaining access to the county's system could use it as a platform to hack other systems, including those of government agencies and businesses, leaving few traces of who they were. Such acts are of special concern to security experts since the terrorist attacks of Sept. 11. Puffer and Jennings cited NASA as an example of a nearby federal agency that could be targeted for hacking. Once tapped into the county system, a hacker could conceivably send e-mails appearing to come from county officials that could not be traced to the true author. "If you're in electronic systems, there's always a potential for problems if someone has the time, the tools, the talent and the intent," said Jennings, who thinks the county should establish a wireless-technology policy. Just as worrisome, officials say, is the potential for someone to crash county computers, re-route printers, change, alter or delete records, or post illegal material on a network computer server. That would interfere with taxpayer services, Jennings said. Computer publications are full of warnings about the wireless systems' security because they can be compromised so cheaply. The wireless system used by the county also is popular in homes, and consumers often install them on their own systems without turning on built-in security features. Anyone with a laptop computer can buy a wireless card, slide it into his or her computer and use software to scan for and capture radio waves linking computers on a wireless system. The practice, called "wardriving," is easier if the victim has not taken the simple step of activating the security features to encrypt the airwaves. Essentially, wardrivers use the wireless signals to ride into the computer network, which is what Puffer did to the one being operated by Bacarisse's office. Officials said the security feature on Bacarisse's network was not enabled because it was only being tested. Puffer said he noticed he could access the county network in early March, while using his equipment to scan for such weaknesses throughout Houston. He said he found more than 250 ways into systems at businesses, homes, universities and governments -- something Jennings said proves that the district clerk's office is not alone in its vulnerability. Bacarisse's staffers said they were planning to use wireless technology to connect court clerks in the old Civil Courts Building at 301 Fannin to their larger computer system, which is separate from the one operated by Jennings' office. The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage. Bacarisse's staffers have learned that someone tried to access their system as early as March 8. The system also alerted them to an intrusion Monday, the day Puffer did his demonstration. But if Puffer had tried to alter any programs, they said, security safeguards and software would have blocked him and alerted them immediately. Bacarisse said Puffer's demonstration was a "low-level intrusion" and he and his staff equated it to stumbling around a dark house, knocking over furniture. But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network. That worried Jennings enough that he ordered his staff to tighten security between the two systems. He also has plans to spend as much as $40,000 for other security enhancements. Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office. Puffer, who conceded that he quit his job with the district clerk's office after a short and stormy tenure, denied installing the picture. He said he could prove he had nothing to do with it and welcomed any investigation. Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control. Jennings and Puffer vehemently denied that. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 04:22:54 PST