[ISN] The first fallout from Cybergate

From: InfoSec News (isn@private)
Date: Wed Feb 11 2004 - 02:47:03 PST

    http://www.theregister.co.uk/content/55/35447.html
    
    By Mark Rasch
    SecurityFocus
    Posted: 10/02/2004 
    
    Did Republican staffers commit a crime by clicking on the "My Network
    Places" icon to access Democratic memos, asks SecurityFocus columnist
    Mark Rasch.
    
    Politics is dirty business, and rarely so much as in the area of
    patronage: appointments to sought-after federal jobs in general, and
    to the federal bench in particular. So it should be little surprise
    that, with so much at stake, one political party would want to use the
    insecurity inherent in computerized databases to its political
    advantage.
    
    What is surprising, however, is that, caught with their hand in the
    cookie jar, Senate Republicans employed the tactic of blaming the
    victim: they said, in essence, It's your fault that we got and used
    your information. If successful, this tactic does not bode well for
    the government's ability to prosecute computer crimes, and to protect
    critical infrastructures.
    
    With the resignation last Thursday of Senate staffer Manuel Miranda as
    the first victim of what I might call "cybergate," we may learn
    whether this tactic will be pursued and whether it will be ultimately
    successful.
    
    The scandal itself revolves around the process by which federal judges
    are appointed, and more importantly, how such appointments are blocked
    by the opposing party. When President George W. Bush came to office,
    he sought to make numerous appointments to the federal bench -- some
    to positions that conservative Republicans had deliberately left
    vacant for years of Democratic administrations.
    
    The Democrats, at the time a majority in the Senate, sought to use
    tactics similar to those they criticized Republicans for in preventing
    such nominations from reaching a vote on the floor of the Senate. The
    key Senate Committee responsible for such appointments was the
    Judiciary Committee.
    
    Democratic staffers wrote and transmitted confidential memoranda
    describing the means they would use to block such nominations in
    general, and the nomination of conservative Republican Miguel Estrada
    in particular. A year ago, in February 2003, columnist Robert Novak --
    the same columnist responsible for revealing the name of a CIA
    operative on a leak from government officials -- published information
    from these Democratic strategy memos. Novak reported that the
    information came from "internal Senate sources" but refused to
    identify these sources when questioned by Boston Globe reporter
    Charlie Savage.
    
    It now appears that the memos were stored on a computer server that
    also served the Judiciary Committee. When the Republicans regained
    control of the Senate, they regained control of the Judiciary
    Committee as well. Eager young staffers apparently discovered that
    access to the Democratic strategy memos was not password-protected,
    and was located on the shared server, where they could access it by
    clicking on the "My Network Places" icon on their own desktops.
    
    There is some dispute over what happened next -- though in my opinion
    it makes no difference. The Republicans argued that a computer
    technician told the Democrats about the configuration problem in the
    summer of 2002, and the Democrats claim they knew nothing about it
    until November of 2003. In either event, it's clear that Republican
    staffers, learning of the lack of protection to the documents, used
    the opportunity to take, read and leak the contents of the memos.
    
    The 'They Deserved It' Defense
    
    When the source and method of the leaks became apparent, the Senate
    Sergeant at Arms launched an investigation. Former Republican Senate
    Judiciary Committee Staffer Manuel Miranda came under suspicion, as he
    was one of the committee's point people on judicial appointments, and
    had since left the Judiciary committee to work for Senate Majority
    Leader Bill Frist.
    
    What is amazing is what comes next. When interviewed by the Boston
    Globe about the incident, Miranda reportedly claimed that the only
    wrongdoing was on the part of the Democrats, both for the content of
    their memos, and for their negligence in placing them where they could
    be seen.
    
    "There appears to have been no hacking, no stealing, and no violation
    of any Senate rule," the Globe quoted Miranda as saying. "Stealing
    assumes a property right and there is no property right to a
    government document. . . . These documents are not covered under the
    Senate disclosure rule because they are not official business and, to
    the extent they were disclosed, they were disclosed inadvertently by
    negligent [Democratic] staff."
    
    So, Miranda claims it isn't stealing because you can't steal
    government documents, and it's not a violation of the rules because
    they aren't government documents. Or something like that. He also
    seems to argue that the password misconfiguration made the documents
    fair game.
    
    There was a time when that would have been true.
    
    When the federal computer crime law was passed by Congress in
    1986, the statute only made it illegal to access certain computers
    (deemed "federal interest computers") without authorization, and made
    no provision for those who exceeded the scope of authorized access.  
    This was not an oversight, but a deliberate limitation on the scope of
    the statute, and it was cited by courts in, for example, dismissing
    computer crime charges against Boston IRS employee Richard Czubinski
    who repeatedly violated rules and searched IRS databases for
    information about friends, relatives and political enemies. Congress
    specifically indicated that people who were authorized users of a
    computer system, and who used that access to look at individual files
    they were not supposed to see, should not be covered by the law.
    
    But in one of the many amendments to the federal computer crime
    statute, Congress changed the wording, and explicitly criminalized the
    act of exceeding the scope of authorized access to a system. Doing
    this to federal computers is outlawed by Title 18 U.S.C. 1030(a)(2),
    which makes it a crime to intentionally access a computer without
    authorization or to exceed authorized access, and thereby obtain
    "information from any department or agency of the United States."
    
    So, did the Republican Judiciary Committee staffers violate the law?
    
    What I love about being a lawyer is that the answer to any question is
    always the same: "It depends." The law requires proof that the
    unauthorized access, or the exceeding of authorized access, was done
    intentionally.
    
    With no passwords, and no lines of demarcation, it is possible to
    argue that the Republicans' access to the Democratic strategy
    documents was not deliberate, or that it was not exceeding the scope
    of authorization, because all of the documents were on a single,
    unprotected server.
    
    This, of course, defies common sense, but the law often defies common
    sense. Similarly, the federal law requires proof that the information
    obtained be obtained from "an agency or Department of the United
    States." It seems that Miranda is arguing that, when the Democratic
    staffers act in a political capacity, their documents no longer relate
    to an Agency or Department - it's just politics. Finally, Miranda
    seems to argue that there is no proprietary right to government
    documents. While he is correct that government documents are not
    entitled to copyright protection, this does not imply that it is
    therefore okay to break into a computer database and take them.
    
    The investigation continues, and Miranda, while continuing to proclaim
    his innocence, is so far the only casualty. But if his argument that
    failures of security excuse the taking of documents is accepted,
    truth, justice and information security may be the next casualties of
    political warfare.
    
    
    Mark D. Rasch, J.D., is a former head of the Justice Department's
    computer crime unit, and now serves as Senior Vice President and Chief
    Security Counsel at Solutionary Inc.
    
    
    