[ISN] County vulnerable to hackers

From: InfoSec News (isnat_private)
Date: Tue Dec 24 2002 - 02:36:50 PST

  • Next message: InfoSec News: "[ISN] Microsoft Security Guru Leaves Post"

    Kris Wise
    Daily Mail staff 
    December 23, 2002
    A review of computer security in Kanawha County's courthouse has found
    county financial records, voters' registration information and other
    confidential computer documents could be vulnerable to hackers.
    The county's Web site and wireless network had to be shut down today
    in an effort to prevent potential attacks on the system, County
    Commissioner Kent Carper said.
    County Manager Dan Blue last week hired Terradon Corp. to conduct a
    review of the county's computer network and its security system.
    A security engineer hacked into the county commission's network within
    an hour and a half, sent employees an e-mail that appeared to be from
    Carper, directed staff members to issue a check for $75 million and
    created a county file that warned officials he "owned the network."
    Terradon's engineer hacked into the system from his laptop while
    parked in a vehicle outside the courthouse. He then sent fictitious
    e-mails and directives while sitting between two state troopers in the
    courthouse lobby, County Manager Allen Bleigh said.
    "He did it very easily without anyone having any idea he was doing
    this," Bleigh said.
    The county's wireless network allows county employees to enter
    information into the system from laptops and cell phones. Though only
    3 percent of information is entered through the wireless system, it is
    "an open door" to all county records, Bleigh said.
    "It was a terrific error in judgment to set the system up this way,"  
    Carper said. "You would never go off and leave financial records
    unlocked at night and that's essentially what we have done. There are
    all kinds of people out there who are very skilled and knowledgeable.  
    I'm going to assume someone else has done this or could easily do
    Carper notified fellow commissioners and elected officials last week
    to warn them that a security breach was possible and to get permission
    to tap into certain records. Initial concerns were that people could
    erase or change financial records, change registration for voters, put
    a virus in the system or gain access to criminal records,
    commissioners said.
    Terradon's engineers still are working to see what information would
    have been vulnerable if the system still were operating with the
    wireless network. Law enforcement records, criminal records and grand
    jury information kept by the Sheriff's Department and Prosecutor's
    Office are stored in another protected system and were not included in
    the test, Carper said.
    Commission President Dave Hardy said the most substantial security
    risk for the county was that individuals could have used the county's
    system as a platform to break into other systems or host their own Web
    "My biggest concern is how a hacker could mask his own identity
    through our system," Hardy said. "It's very hard to get someone
    in-house to do this kind of (security) work for what governments can
    pay. It's something all agencies need to take a look at."
    County systems administrator Dennis Wyer said the wireless network was
    established to allow employees to enter information into the county
    system during meetings or court proceedings.
    Today's shutdown of the Web site and network will prevent any
    unauthorized person from gaining access to the system until further
    security measures are in place, Wyer said.
    The county had planned to buy more than $500,000 of new financial
    software in the coming year. Commissioners will discuss at the Jan. 16
    meeting whether to buy additional computer security equipment or to
    extend a contract with the computer-engineering firm to conduct
    security audits.
    The network that stores records for the commission, the County Clerk's
    Office and the Assessor's Office also has no warning system to alert
    administrators of an attempted security breach.
    Last week's review found there had been recent attempts to hack into
    county clerk's records.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 09:10:50 PST