[ISN] Computers vulnerable at Oregon department

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 23:31:09 PDT

  • Next message: InfoSec News: "[ISN] Linux Security Week - September 23rd 2002"

    SALEM -- The state Department of Human Services has systematically
    neglected computer security for years, leaving Oregon's largest agency
    vulnerable to hackers and thieving employees who can pay themselves
    public benefits, according to an internal agency report.
    A consultant hired to evaluate the agency's computer safeguards found
    lapses at every level. State auditors identified similar problems a
    year ago, and agency leaders then promised to fix them.
    They still haven't.
    "Nothing's been completed," said Cindy Becker, Human Services' chief
    administrative officer. "We thought we were fixing things that ended
    up not getting fixed."
    Becker's boss, Human Services Director Bob Mink, says that he knows
    the computers are vulnerable but that he doesn't have the money to
    plug the leaks and won't do it unless the Legislature comes up with
    the cash. No one knows how much it will cost.
    "I will never divert program money to serve people to take care of
    these data security issues," Mink said. "We've got security interests
    competing against service interests."
    The agency, with 9,300 employees and a two-year budget of $8.5
    billion, serves Oregon's neediest residents.
    Its computers store personal information on more than 900,000 people
    who receive state benefits and an unknown number of former recipients.  
    The computers also are used to issue millions of dollars in payments
    to Oregonians.
    Security weaknesses allow outsiders access to much of that
    information, according to the consultant, Certicom Corp. The
    consultant said hackers could tap into the computers for identity
    theft, sabotage or state benefits.
    Certicom also concluded that state employees can readily get into
    computer files they don't need for their jobs, allowing privacy
    breaches or theft.
    Crooked employees already have cracked the computers.
    State auditors highlighted that problem last year, identifying nine
    instances in which agency employees tapped computers to steal
    $201,000. In one case, an office clerk making $21,228 a year got
    $5,917 in state welfare by failing to disclose she had a job. Her
    employer: the Human Services Department's child welfare agency. When
    agency officials discovered the theft, they kept the clerk on staff
    but arranged for her to repay the money: at $20 a month.
    Another employee took information from closed client files to open new
    files and create paperwork to make it look as if clients were getting
    day-care services from his wife. The employee generated checks
    totaling $72,618 during 28 months for nonexistent day care.
    Police and state ethics investigators are examining those cases.
    Portions of Certicom's July report recently were released to The
    Oregonian under the state's public records law.
    The report echoed concerns raised last year by state auditors, who
    found that Human Services managers needed to make security a priority
    to stop employee theft and guard against disclosure of personal
    information such as medical records.
    Agency officials were surprised by what state auditors found. "I
    wasn't aware how vulnerable we were," Mink, the Human Services
    director, said in a recent interview.
    Mink responded to the August 2001 state audit by pledging to make
    security a higher priority and to work to plug security breaches.
    However, Mink said he considers lax security a serious problem but
    doesn't have the money to fix it. The agency will ask the 2003
    Legislature for money, but he and Becker aren't optimistic.
    "I don't think there's going to be any type of money for this in the
    future," Mink said.
    The agency set up a task force last month to address security issues,
    focusing on changes that don't require money. Becker said the agency
    also might get some help as it meets new federal requirements to
    safeguard personal information. An agency proposal for meeting that
    requirement includes $2.3 million to improve security.
    Certicom and state auditors said in their separate reports that
    security is as much an attitude as a computer code. "Executive
    management has not made security of its systems a priority," state
    auditors reported in August 2001.
    The Certicom report agreed. "Security, over and over again, has been
    an afterthought," it said.
    Certicom described five "absolutely essential" steps to boost
    security, starting with a basic plan for how to do that. Certicom
    noted the agency doesn't have staff capable of such planning.
    The consulting firm found that the agency's computers are vulnerable
    to hackers because no security policies are in place, employee
    passwords are poorly managed, and encryption is inadequate.
    "This is a textbook case of how computer systems are commonly
    compromised over the Internet," the report said.
    Employees not on guard The report said the agency's lack of concern
    about security means employees aren't on guard for potential breaches
    and could be tricked into allowing outsiders to reach sensitive
    "Trusting employees are very susceptible to such attacks when security
    is not forefront on their minds," it noted.
    Employees also can compromise agency computers, Certicom concluded.
    "Motivation can include personal hardship, malice or extortion," the
    report said. "Targets are most likely to be those that lead to direct
    personal gain (e.g. unauthorized funds transfers or theft)."
    Human Services' computer security problems date to at least 1991, when
    an internal evaluation was done as the agency planned to shift to new
    software to secure its electronic files.
    "The current system doesn't work very well," the report said. "Giving
    100 people the same password doesn't amount to very effective
    The current system deployed by the agency hasn't worked much better.  
    The one employee who understood the security software left three years
    ago. Agency officials can't locate him, and no one else understands
    how the agency's computers have been programmed with the code.
    In 1998, state auditors identified security gaps and recommended 22
    remedies. Three years later, auditors discovered 14 steps still not
    The agency's own auditors in 1999 chronicled the computer security
    lapses, but the only recommendation followed was to hire a data
    security manager. Scott Burrows took the job in April 2001, but he was
    given no budget and no authority to order any changes. He quit two
    months ago, and agency officials say they have no immediate plans to
    replace him.
    "We got off to a bad start," Becker said. "It's been a stop-and-start
    thing. It has not gone the way we wanted it to."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 02:50:05 PDT