http://www.dchieftain.com/news/43773-08-25-04.html Dana L. Bowley El Defensor Chieftain Editor August 25, 2004 A computer hacker who broke into a state agency's system recently and essentially downloaded the agency's database was tracked down by researchers from a New Mexico Tech program, state legislators were told here Monday. A research assistant in Tech's Information Technology department and the ICASA program, Srinivas Mukkamala, told seven members of the legislative Information Technology Oversight Committee who were meeting in Socorro this week that the intrusion into the agency's system demonstrates the vulnerability of computer networks, even the state's. It also, he said, demonstrates the cutting-edge technology being developed by the Institute for Complex Additive Systems Analysis division at Tech. Officials declined to identify the agency involved other than to say it is one of the smaller state agencies, with offices in Santa Fe and Albuquerque, but it has control over a considerable amount of money. Ultimately, Mukkamala said, no funds were taken and no data was lost or misused. But the ease with which the system was hacked by a disgruntled former employee should concern legislators, he and other ICASA representatives said. Mukkamala said the individual used programs that are available on the Internet to enter the system through an open printer port accessed via the agency's Web page, gain full access to the Web server and from there enter the agency's information technology administration server. Once in the IT server, the hacker established himself as the system administrator and downloaded virtually the entire database. Mukkamala said that after the agency discovered the intrusion, it asked ICASA to do an analysis and try to trace the hack. "Even though he tried to erase his tracks, we were able to trace the footprint (back to the hacker)," he said. The suspect turned out to be a disgruntled former employee who left the agency about a year ago but still had access information for the system. There was no information available concerning the law enforcement side of the case. Mukkamala said that while he was doing the analysis of the agency's computer system, he found it so easy to access that "I was able to walk all through their network." The ICASA officials used the break-in to demonstrate how vulnerable computer systems are to attack and how urgently the state needs to implement a training program for system administrators and users. Most information system breaches, they said, are the result of poor policies and procedures directly related to inadequate training. "A firewall is not enough," Mukkamala told the lawmakers. "Information security needs to be multi-layered." He said those layers should include preventive security such as virus protection and firewalls, intrusion detection scanning, user authentication systems and enforcement of policies that promote secure usage. "A very small percentage of people who call themselves hackers really understand the workings of IT systems," Mukkamala said, but because of the availability of hacking tools they can cause havoc with poorly secured systems. He said that 75 percent of IT systems with a firewall are vulnerable to attack, and 95 percent of those without a firewall. And, he said, while most virus and worm attacks don't cause serious damage, the disruptions they cause are costly. He noted that the Melissa virus last year cost business and government an estimated $8.7 billion. Rather than damage, virus and worm developers are going for speed, he said, and they're succeeding. Where it once took days for a virus or worm to spread, now it's nearly instantaneous. He cited the recent "Slammer" worm, which infected more than 100,000 computers per hour and spread around the globe in three minutes. Max Baca, of the IT department at New Mexico Highlands University, which will be teaming up with Tech on some projects, said up to now there has been no economic incentive for virus and worm developers, but that is changing. "Worm and virus developers are linking up with spammers" to develop ways to defeat anti-spam software and procedures and to actually force spam on computer users without the user doing anything. "So now, there's an economic incentive," Baca said, which is bad news for IT administrators. Teresa Hall, associate director of ICASA, while making a pitch for more funding for her program, urged the committee to recommend funding for training of state IT administrators and system users. "I would urge the state to invest in security training immediately," Hall said. ICASA is a division of Tech and is a cooperative venture between academia, industry and government dedicated to studying the behavior, vulnerabilities and predictability of very complex systems, and developing real-world processes and solutions. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Aug 26 2004 - 04:28:03 PDT