[ISN] Sleuths Invade Military PCs With Ease

From: InfoSec News (isnat_private)
Date: Thu Aug 15 2002 - 23:33:22 PDT


    Forwarded from: William Knowles <wkat_private>
    By Robert O'Harrow Jr.
    Washington Post Staff Writer
    Friday, August 16, 2002; Page A01 
    SAN DIEGO, Aug. 15 -- Security consultants entered scores of 
    confidential military and government computers without approval this 
    summer, exposing vulnerabilities that specialists say open the 
    networks to electronic attacks and spying.
    The consultants, inexperienced but armed with free, widely available 
    software, identified unprotected PCs and then roamed at will through 
    sensitive files containing military procedures, personnel records and 
    financial data.
    One computer at Fort Hood in Texas held a copy of an air support 
    squadron's "smart book" that details radio encryption techniques, the 
    use of laser targeting systems and other field procedures. Another 
    maintained hundreds of personnel records containing Social Security 
    numbers, security clearance levels and credit card numbers. A NASA 
    computer contained vendor records, including company bank account and 
    financial routing numbers.
    Available on other machines across the country were e-mail messages, 
    confidential disciplinary letters and, in one case, a memo naming 
    couriers to carry secret documents and their destinations, according 
    to records maintained by ForensicTec Solutions Inc., the 
    four-month-old security company that discovered the lapses.
    ForensicTec officials said they first stumbled upon the accessible 
    military computers about two months ago, when they were checking 
    network security for a private-sector client. They saw several of the 
    computers' online identifiers, known as Internet protocol addresses. 
    Through a simple Internet search, they found the computers were linked 
    to networks at Fort Hood.
    Former employees of a private investigation firm -- and relative 
    newcomers to the security field -- the ForensicTec consultants said 
    they continued examining the system because they were curious, as well 
    as appalled by the ease of access. They made their findings public, 
    said ForensicTec President Brett O'Keeffe, because they hoped to help 
    the government identify the problem -- and to "get some positive 
    exposure" for their company.
    "We were shocked and almost scared by how easy it was to get in," 
    O'Keeffe said. "It's like coming across the Pentagon and seeing a door 
    open with no one guarding it."
    In response to an inquiry by The Washington Post, military 
    investigators this week confirmed some of the intrusions at Fort Hood, 
    saying they occurred on PCs containing unclassified information. 
    Senior officials said they are preparing an Army-wide directive 
    requiring all shared computer files containing sensitive information 
    to be password-protected. Sensitive information includes such items 
    as Social Security numbers, confidential plans and so on, officials 
    said.
    The Army has never before focused so intently on the security of 
    desktop computers containing unclassified data, but it is doing so now 
    because so many more machines are linked to vulnerable networks, 
    officials said. These systems are not as strictly secured because they 
    are not supposed to contain or communicate any classified material. 
    More secure networks are typically not linked to the Internet and 
    employ much more stringent safeguards, including procedures to 
    authenticate the identities of computer users.
    "Everything is connected," said Col. Thaddeus Dmuchowski, director of 
    information assurance for the Army. "Our 'defense in-depth' has to go 
    down to the individual computer."
    ForensicTec's electronic forays show that the government continues to 
    struggle with how to close off systems to prying eyes -- including 
    terrorists and foreign agents -- after a presidential directive last 
    fall making cybersecurity a national priority.
    That struggle was underscored by a General Accounting Office report 
    last month that concluded the government wasn't doing an adequate job 
    coordinating efforts to protect its online systems. Next month, the 
    White House's new Critical Infrastructure Protection Board will 
    release a sweeping national plan intended to bolster computer 
    None of the material made available by ForensicTec appears to be 
    classified. But government and private specialists said that such open 
    systems pose a threat because compromised machines may contain 
    passwords, operational plans or easy pathways to more sensitive 
    They also could be used to mount an electronic attack anonymously or 
    to gather enormous amounts of unclassified information to gain insight 
    about what an agency or military unit is privately contemplating, 
    specialists said.
    "If you had an organized spy effort, that would be the real concern," 
    Richard M. Smith, an Internet security consultant based in Cambridge, 
    Mass., said of ForensicTec's findings. "This is a widespread problem."
    Kevin Poulsen, another security specialist, worries that an intruder 
    could place onto an unsecured network malicious software such as a 
    virus, worm or Trojan horse program that could wind up on 
    more-sensitive networks as desktop machines migrate from one place to 
    "The government is now lagging behind the sophisticated Internet 
    users, when they should be leading," said Poulsen, editorial director 
    of SecurityFocus, a Web site devoted to such matters.
    A spokesman for the Pentagon agency responsible for computer network 
    defense said he could not discuss the ForensicTec activity because the 
    vulnerabilities are under investigation. Maj. Barry Venable, a 
    spokesman for the U.S. Space Command, said the military takes 
    seriously all such intrusions, even if the system entered does not 
    contain classified data. He said hackers rarely gain control of 
    military computers.
    "Even one successful intrusion or instance of unauthorized activity is 
    too many," he said. "The services and DOD agencies are working hard to 
    educate their computer users and administrators to practice and 
    implement proper computer security practices and procedures in a very 
    dynamic information environment."
    The issue of computer security has become more pressing in recent 
    years as vastly more computers and networks have been linked to the 
    Internet. Many public and private computers still have not been 
    properly configured to block outsiders, and security components of 
    operating software often are left set on the lowest default level to 
    ease installation.
    Even though it's a felony under U.S. law to enter a computer without 
    authorization, the number of intrusions has skyrocketed, according to 
    data collected by the CERT Coordination Center at Carnegie Mellon 
    University. The number of incidents reported to CERT -- the leading 
    clearinghouse of information about intrusions, viruses and computer 
    crimes -- increased from 406 in 1991 to almost 53,000 last year.
    Howard Schmidt, vice chairman of the White House Critical 
    Infrastructure Protection Board, said officials have been 
    crisscrossing the country to push for better practices. But he 
    acknowledged that many individuals still don't take rudimentary 
    precautions, such as adopting passwords more complex than "password" 
    or a pet's name. And system administrators often do not fix known 
    flaws with widely available software "patches."
    Schmidt said the board's strategy, to be announced next month, will 
    provide clearer guidance about how to achieve better security for 
    government agencies and businesses alike. A crucial element will be to 
    encourage people to follow through on existing rules and procedures.
    "This reinforces to us that there's still a lot of work to be done," 
    he said of the ForensicTec findings. "It's more than technology. . . . 
    It's people not following the rules, people not following the 
    The GAO report last month said the "risks associated with our nation's 
    reliance on interconnected computer systems are substantial and 
    varied," echoing a series of earlier reports chronicling the 
    government's inability to secure its computers.
    "By launching attacks across a span of communications systems and 
    computers, attackers can effectively disguise their identity, location 
    and intent," it said. "Such attacks could severely disrupt 
    computer-supported operations, compromise confidentiality of sensitive 
    information and diminish the integrity of critical data."
    ForensicTec consultants said it wasn't hard to probe the systems. They 
    employed readily available software tools that scan entire networks 
    and issue reports about linked computers. The scans showed that scores 
    of machines were configured to share files with anyone who knew where 
    to look. The reports also contained people's names and revealed that 
    many of the computers required no passwords for access, or relied on 
    easily crackable passwords such as "administrator."
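    The check that the two preceding points amount to, the Army directive 
    on password-protecting shared files and the scan results described 
    just above, written out as an added example. This is not 
    ForensicTec's tool or anything from the article; it is a small audit 
    script of my own. It assumes a scanner has already produced an 
    inventory of shares and of the credentials that opened them, in a 
    simple CSV-style format I made up for the example (the host 
    addresses, share names and accounts are constructed, not real), and 
    it flags the three exposures the article names: shares readable with 
    no credentials at all, accounts with an empty password, and accounts 
    whose password is a stock default or simply repeats the user name, as 
    "administrator" did here.

```python
"""Audit a network-share inventory for anonymous shares and weak or
missing passwords. Example code; the inventory format and all hosts,
shares and accounts below are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample report. One share per line:
#   host,share,anonymous(yes|no),user=password;user=password;...
SAMPLE_INVENTORY = """\
# host,share,anonymous,accounts
10.0.0.5,Shared,yes,
10.0.0.7,Personnel,no,administrator=administrator;clerk=Summer02!
10.0.0.9,Finance,no,admin=;jsmith=password
10.0.0.12,Projects,no,svc_backup=Xq9#mL2v!pR7
"""

# Stock defaults worth checking before any dictionary attack (assumed list).
WEAK_PASSWORDS = {"", "password", "admin", "administrator", "guest",
                  "changeme", "letmein", "123456"}
MIN_LENGTH = 8


@dataclass
class Finding:
    host: str
    share: str
    severity: str   # "high" or "medium"
    detail: str


def parse_inventory(text):
    """Turn the CSV-style report into a list of share records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, share, anon, accounts = line.split(",", 3)
        creds = {}
        for pair in accounts.split(";"):
            if not pair:
                continue
            user, _, password = pair.partition("=")
            creds[user] = password
        records.append({"host": host, "share": share,
                        "anonymous": anon.strip().lower() == "yes",
                        "accounts": creds})
    return records


def password_is_weak(user, password):
    """Empty, a stock default, equal to the user name, or too short."""
    low = password.lower()
    return (low in WEAK_PASSWORDS
            or low == user.lower()
            or len(password) < MIN_LENGTH)


def audit(records):
    """Produce findings, highest severity first, then by host and share."""
    findings = []
    for rec in records:
        host, share = rec["host"], rec["share"]
        if rec["anonymous"]:
            findings.append(Finding(host, share, "high",
                                    "share readable without any credentials"))
        for user, password in rec["accounts"].items():
            if password == "":
                findings.append(Finding(host, share, "high",
                                        f"account {user!r} has no password"))
            elif password_is_weak(user, password):
                findings.append(Finding(host, share, "medium",
                                        f"account {user!r} uses a trivially "
                                        f"guessable password"))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.host, f.share))
    return findings


def audit_text(text):
    return audit(parse_inventory(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_INVENTORY):
        print(f"[{f.severity:6}] {f.host} share={f.share}: {f.detail}")
```

    Run against the sample report it returns four findings: the 
    anonymous share and the blank "admin" password as high, and the 
    "administrator"/"administrator" and "password" accounts as medium. 
    The ordering of the checks matters: an account with an empty 
    password is reported as missing a password, not merely as weak, 
    because that is the case the Army directive above is about.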
    The consultants said they identified other Internet addresses during 
    their exploration of Fort Hood, including those for machines at the 
    National Aeronautics and Space Administration, the DOD Network 
    Information Center, the Department of Energy and other state and 
    federal facilities. Scans of those systems yielded similar results: 
    hundreds of virtually unprotected computer files.
    O'Keeffe, the company president, said his consultants concluded that 
    they had tripped across a serious problem.
    "If we can do this, other governments' intelligence agencies, hackers, 
    criminals and what have you can do it, too," he said, adding that he 
    hopes to help the government by bringing the vulnerabilities to light. 
    "We could have easily walked away from it."
    The material they saw ranged from poetry and drafts of personal 
    letters to spreadsheets containing personal and financial information 
    about soldiers. 
    A couple of memos to members of a squadron at Fort Hood included the 
    location of several safes and the inventory of one: secret operations 
    information on hard drives, floppy disks and CDs.
    Another memo designated a courier -- by name, rank and Social Security 
    number -- who would "be hand-carrying classified information" to Fort 
    Irwin Army Installation in California, apparently from February to 
    The consultants also obtained access to spreadsheets and e-mail 
    messages at NASA containing details about vendor relationships, 
    account numbers and other matters. NASA spokesman Brian Dunbar said he 
    could not confirm the provenance of the information obtained by 
    ForensicTec. But he said the agency was investigating its claims of 
    vulnerability in accounting-related computers.
    "We will investigate what's going on here," he said. "If this 
    information is in the clear, it poses a risk to these companies and we 
    need to get it fixed."
    Steven Aftergood, a research analyst and government information 
    specialist, said that much of the data the consultants came across is, 
    by itself, "of limited sensitivity." But the easy access to government 
    machines represents a substantial security challenge, at a time when 
    military, government and business officials rely on computer networks 
    more than ever.
    "It's a qualitatively new kind of vulnerability that the government 
    has not quite come to terms with yet," said Aftergood, a senior 
    research analyst at the Federation of American Scientists. "And it is 
    a vulnerability that will increase in severity if the government 
    doesn't do something about it."
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 02:28:09 PDT