[ISN] Security documents at risk on federal site: Audit

From: InfoSec News (isnat_private)
Date: Mon Feb 17 2003 - 01:16:59 PST

  • Next message: InfoSec News: "[ISN] Man charged with crashing employer's computer site"

    Feb. 16, 2003. 06:08 PM 
    In a major security breach, Transport Canada posted up to 5,000
    confidential documents - some related to airport security - on a
    widely accessible database that is vulnerable to hackers, a new audit
    has found.
    "The scale of error represents a significant contravention of
    government information security and privacy policy," says the internal
    audit of the department's new information system.
    The investigation determined that about one of every 10 documents in
    the department's giant database was confidential and should not have
    been available to every staff member in Transport Canada.
    The database is also likely susceptible to determined hackers, putting
    at risk between 4,000 and 5,000 items - including many secret
    documents that could harm Canada's national interests if disclosed.
    "Notable . . . were documents dealing with airport security matters
    subsequent to the September terrorist attacks" of 2001, says the
    report, citing an example.
    In one sampling, investigators readily obtained 17 national security
    documents marked "Secret" that could be easily viewed and printed.
    The audit report, dated Nov. 19, 2002, was obtained under the Access
    to Information Act.
    The report examines Transport Canada's new records management system,
    developed over two years and completed last fall. The department is
    among the first of 33 federal institutions that will eventually use
    the system to cope with the avalanche of paper civil servants produce
    each year.
    The government-wide project is being managed by Treasury Board.
    The system was originally intended to have an encryption system that
    would protect confidential material, but the additional software was
    never developed for reasons that remain unclear.
    Transport Canada employees nevertheless loaded the database with a
    vast amount of confidential material, including secret records
    detailing cabinet discussions, proposed legislation and national
    security matters.
    "Documents classified as secret would endanger national security,
    cause serious injury to the interests or prestige of the nation, or
    give substantial advantage to a foreign power," the report notes.
    The auditors found that Transport Canada officials rejected a proposal
    to instruct employees about the security classification of documents
    because it would have taken too much time. Instead, the department
    simply sent out an e-mail in late 2001 calling on them to be mindful
    of security designations.
    However, the auditors suggested lack of training was only part of the
    problem - many confidential documents appeared to have been posted out
    of carelessness.
    Citing several research studies, the report says Ottawa's ``Government
    On-Line" initiative could provide hackers with a window to illegally
    tap into sensitive databases. "Transport Canada's vulnerability to
    this type of access is likely similar," the authors wrote.
    Transport Canada officials were aware of the hacker threat as they
    implemented the new system but took no action, the report says.
    Spokesmen for the department did not respond to requests for comment
    on the findings of the audit.
    However, in a written response to the report, Transport Canada
    officials said they have since purged the database of confidential
    materials. The department also says it is conducting a threat and risk
    assessment to determine its vulnerability to hackers.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Feb 17 2003 - 03:29:23 PST