[ISN] N.H. computer specialist says superiors ignored security warnings

From: InfoSec News (isn@private)
Date: Thu Mar 30 2006 - 22:23:54 PST


http://www.boston.com/news/local/new_hampshire/articles/2006/03/29/nh_computer_specialist_says_superiors_ignored_security_warnings/

March 29, 2006

CONCORD, N.H. -- A state computer specialist who was put on leave two 
days after a security breach was announced says bosses ignored his 
warnings about more serious weaknesses in New Hampshire's computer 
network.

Doug Oliver of Tilton, 44, was suspended with pay last month after the 
announcement of the security breach affecting motor vehicle offices, 
the state veterans home in Tilton, the Liquor Commission and state 
liquor stores.

Oliver spoke to the Concord Monitor and New Hampshire Public Radio, 
saying he wants to clear his name. He said officials underreported the 
extent of the hacking. And he said they knew as early as last summer 
that perhaps more than half the state's computer systems were at 
significant or severe risk of being attacked.

"I'm not looking to do any harm to anybody," Oliver told the Monitor. 
"I'm just looking to make sure that the debate and the right questions 
are getting asked, because I'm not convinced the right questions are 
getting asked."

Rick Bailey, New Hampshire's chief information officer and Oliver's 
boss, declined to comment on Oliver's allegations, citing personnel 
issues.

"It's a difficult situation," he said, declining to name the employee 
who was suspended. "An investigation was ongoing. The FBI and the 
Department of Justice recommended that this individual not be in the 
environment while the investigation ran its course, and we followed 
that direction. Administrative-leave scenarios are not intended to 
suggest guilt or innocence."

In February 2005, a hacker defaced the state's NH.gov Web site with 
internet graffiti. In response, Bailey compiled a three-person team, 
including Oliver, which was directed to act like hackers to test state 
computer security.

The testing, which concluded last summer, revealed that more than 60 
percent of the sampled servers were at risk for "significant to 
severe" security breaches, Oliver said.

One of the biggest problems the team identified was a failure to 
upgrade databases to protect them from a worm that caused widespread 
damage on the internet a few years ago. Microsoft has provided patches 
to protect against that worm since 2003, Oliver said, but they had not 
been applied.

"There were events and incidences being reported by this (security 
tool) that I was seeing multiple network machines being touched by 
this worm," Oliver told NHPR. "In addition, there were other 
signatures, other flags or events that this tool was firing at the 
same time that were strongly indicative of an attack against the 
network."

Bailey said the security tool Oliver used is good, but not perfect, 
raising the possibility of false alerts.

No illegal activity was reported as a result of the security breach 
the state announced, but officials asked people who used credit cards 
in the previous six months to report any suspicious purchases to the 
state Consumer Protection Bureau.

State information technology experts became aware of the breach when 
they spotted software in the system that can allow a hacker to watch 
transactions, but not to recover earlier records, said Bailey.

Oliver said the program also can be used as a security test, and that 
he installed it last year during the security checking. It was 
supposed to have been removed.

Oliver, who has worked for the state since 2002, was a technical 
support specialist who had written software and performed security 
checks on computer servers that handle credit card transactions. He 
says he was scanning state servers for hacker vulnerability on Feb. 16 
when his supervisors asked him to speak with the FBI. Shortly after 
that interview, he said he was locked out of his network account, and 
told he was placed on leave. He was not given a specific reason.

"I feel that I'm coming under fire inappropriately," he said. "Perhaps 
(I'm) being scapegoated or retaliated against because of what I know."

In his last days on the job, he said, his supervisor accused him of 
"being Chicken Little, or being disgruntled somehow, and of being 
overzealous because of a new toy" -- an expensive security device the 
state had been testing.


