[ISN] Blame for security breaches at OU gets lobbed back and forth

From: InfoSec News (alerts@private)
Date: Wed Aug 09 2006 - 07:26:08 PDT


http://www.athensnews.com/issue/article.php3?story_id=25575

By Jim Phillips
Athens NEWS Senior Writer
2006-08-07

What's the real story on Ohio University's firing Thursday of two top 
officials from its Communication Network Services (CNS)?

OU's chief information officer, William Sams, says Tom Reid and Todd 
Acheson fell asleep at the switch, and should have done more to prevent a 
series of computer hacking incidents that exposed personal data on 
thousands of students and alumni to possible theft.

Reid and Acheson counter that Sams himself should be taking some major 
blame for the security breaches, and suggest that their own biggest 
offense in OU's eyes may have been challenging the qualifications of a 
consultant the university hired to investigate the hackings.

Reid was director of CNS, and Acheson was its Unix systems manager. OU 
suspended them in June, following the release of a report by Moran 
Technology Consultants, Inc., of Naperville, Ill., which was hired to 
investigate the causes of a series of computer security breaches at OU.

The Moran report singled Reid and Acheson out for blame in allowing 
hackers to break into OU computers on at least five occasions over more 
than a year.

On Thursday, OU announced it was firing the two men. Earlier, the two had 
taken part in a disciplinary meeting with Sams, at which they presented 
their cases.

Attorneys for both Acheson and Reid said Friday their clients are getting 
a raw deal.

"This is disgraceful, what the university's doing," alleged Fred Gittes, 
attorney for Acheson. "It's not only a cover-up, but it's insulting in the 
manner in which it's being done."

Gittes and Reid's attorney James Colner both said they were particularly 
incensed by what they consider a blatantly broken promise on OU's part - 
to not make any decisions on Reid and Acheson's employment until the men 
had received all the documentation on their cases that they had requested 
from the university.

But with their records requests still largely unfilled, the attorneys 
claim, Reid and Acheson nonetheless learned Thursday that they'd been 
canned. (In Reid's case, he claims he learned about his firing from a 
reporter before he got the news from OU.)

"We were promised up and down that we were going to get (those records)... 
before any decision was made," Colner said. "And of course, that promise 
was broken."

Gittes agreed, saying the university stonewalled on filling records 
requests for his client, then went back on its word and fired him anyway.

"We could not even get Todd's calendar," Gittes alleged.

He noted that OU released the Moran report only in a heavily redacted 
form, and that the consultant has admitted destroying the notes used in 
compiling the report - an action that Reid and Acheson claim violated the 
terms of Moran's contract.

Asked about any agreement regarding records and the timing of OU's 
employment decision, Sams said Friday: "I think that's something our Legal 
Affairs Office would take under consideration. I can't recall any 
commitment like that." (Reid and Acheson say the promise came from Legal 
Affairs during the disciplinary meeting with Sams.)

Sams himself is leaving his position as chief information officer with OU, 
as soon as the university can find a replacement.

SAMS SAID THAT much of the rope used to hang Reid came, not from the Moran 
report, but from Reid's own presentation at the disciplinary meeting. Sams 
said the evidence shows that Reid and Acheson failed to safeguard the 
outer "perimeter" of the university's whole computer network.

"The responsibility that Mr. Reid and Mr. Acheson had was for the 
wide-area network and the local-area network," he said. "Both of those 
were involved in all of the security breaches."

In a lengthy prepared statement issued Friday - which apparently reflects 
what was in his presentation during his disciplinary meeting - Reid noted 
that none of the breaches occurred on computers that were under his 
management.

Far from having closed his eyes to computer security problems, Reid 
maintains that he made "repeated efforts to gain university attention to 
the issue of information security, dating back to 1998," which included 
making "numerous proposals" for upgrades complete with requests for 
funding.

"My department developed and implemented literally dozens of security 
initiatives in the past 10 years that have served Ohio University quite 
well," he added.

Sams countered that Reid proposed all his projects to improve computer 
security before Sams took over as CIO.

"It's very clear from his own documentation, that he never advised me of 
the seriousness of the security situation," Sams alleged.

He cited the fact that Reid and Acheson never called for installation of a 
"perimeter firewall," a kind of security moat around the outside of the 
university's entire computer system, providing security at the point where 
OU's computers reach out to the Internet. (OU recently announced that such 
a firewall will be put in place, as part of a large-scale reorganization 
of its IT structure.)

"What they did not do was put any good gates on the (information) 
highway," Sams alleged. Because the two were responsible for the security 
of the entire wide-area and local-area networks, he argued, it's 
irrelevant which individual servers they were supposed to be watching.

Reid contends in his prepared statement that it's "widely known" that such 
firewalls aren't typically used at large research universities "due to the 
sheer complexity of the server environment, the need for an open and 
high-performance networking environment crucial to research and learning, 
and the distributed responsibility and authority over many aspects of the 
institution, including information technology."

He cited a report by a task force on computer security in education, which 
stated that while firewalls are widely used to protect critical systems, 
they are "less common" at system perimeters, with only 40 percent of a 
sample of doctoral research universities using them.

Sams countered that this report is three years old and possibly outdated, 
and that a top computer security firm, the Gartner Group of Stamford, 
Mass., has recommended that OU install a perimeter firewall.

Sams added that Reid's job should have included warning Sams that a 
firewall was needed. Asked how, as CIO, he could have been unaware that OU 
was lacking such a supposedly important security feature, Sams 
acknowledged that he did know this, but added that "I was dependent on Mr. 
Reid" to keep him apprised of looming security risks.

Reid has questioned why Sams never raised the computer-security issue with 
him during a two-year performance review in March 2006, in which Sams gave 
Reid high marks for his performance.

ANOTHER POINT MADE by Reid and Acheson involves their relationship with 
Moran, the company whose report first singled the two out publicly for 
blame.

Gittes said Reid and Acheson had some disagreements with Charlie Moran, 
head of Moran Technology Consultants, when the company was working on a 
contract to help develop a student information system at OU, before it was 
hired to investigate the hackings. Based on this conflict, the attorney 
said, he suspects Moran may have had a vested interest in getting rid of 
the two men.

"He views Todd Acheson and Tom Reid as obstacles to getting further 
contracts with OU," Gittes suggested. "It's clear that Mr. Moran had it in 
for (Acheson)."

Reid, likewise, mentions what he calls a "clear conflict of interest on 
the part of Moran Consulting," which he claims was raised as an issue by 
two OU internal experts when they reviewed Moran's report.

(Gittes and Colner have both referred to the opinions of the two internal 
experts, whose comments have not been seen by The Athens NEWS. The 
attorneys claim the professors are highly critical of some of the 
conclusions and reasoning in the Moran report. Sams said he invited the 
experts' comments, read them, and took them into account in making his 
decision to fire Reid and Acheson.)

Regarding the alleged bad blood between Moran and the fired officials, 
Sams said that while he did hear of "a pretty spirited discussion" 
involving Reid and/or Acheson over Moran's ideas about the student 
information system, at the time, he didn't have the impression that it was 
serious.

"I think they had agreed to disagree," he recalled, adding that Moran 
"seemed more bemused by it than anything."

Moran could not be reached for comment.

Ultimately, both Gittes and Colner strongly suggested, Sams himself should 
be under as much scrutiny for the computer breaches as his two underlings.

"The buck for the computer security problems does not stop at Tom Reid's 
desk," Colner declared in his statement. "It stops at the desk of Ohio 
University Chief Information Officer Bill Sams and the university 
president."

Gittes was even more pointed.

"You have the man who is responsible for all of these systems when this 
hacking happened, making these judgments, and nothing's happened to him," 
he said. "He had ultimate responsibility for this. What's happened to 
him?"

OU, however, announced last month that Sams was "stepping aside" as chief 
information officer, pending the hiring of a replacement. In announcing 
his decision, Sams stated in a university news release, "... it has become 
clear to me that a new energy level and skill set is going to be required 
in order to allow (OU's) IT organization to realize its potential. 
Consequently, I recommended to the provost and the president that a search 
for my successor be initiated."



This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 07:49:10 PDT