http://www.athensnews.com/issue/article.php3?story_id=25575

By Jim Phillips
Athens NEWS Senior Writer
2006-08-07

What's the real story on Ohio University's firing Thursday of two top officials from its Communication Network Services (CNS)?

OU's chief information officer, William Sams, says Tom Reid and Todd Acheson fell asleep at the switch, and should have done more to prevent a series of computer hacking incidents that exposed personal data on thousands of students and alumni to possible theft.

Reid and Acheson counter that Sams himself should be taking some major blame for the security breaches, and suggest that their own biggest offense in OU's eyes may have been challenging the qualifications of a consultant the university hired to investigate the hackings.

Reid was director of CNS, and Acheson was its Unix systems manager. OU suspended them in June, following the release of a report by Moran Technology Consultants, Inc., of Naperville, Ill., which was hired to investigate the causes of a series of computer security breaches at OU. The Moran report singled Reid and Acheson out for blame in allowing hackers to break into OU computers on at least five occasions over more than a year.

On Thursday, OU announced it was firing the two men. Earlier, the two had taken part in a disciplinary meeting with Sams, at which they presented their cases.

Attorneys for both Acheson and Reid said Friday their clients are getting a raw deal.

"This is disgraceful, what the university's doing," alleged Fred Gittes, attorney for Acheson. "It's not only a cover-up, but it's insulting in the manner in which it's being done."

Gittes and Reid's attorney James Colner both said they were particularly incensed by what they consider a blatantly broken promise on OU's part - to not make any decisions on Reid and Acheson's employment until the men had received all the documentation on their cases that they had requested from the university.
But with their records requests still largely unfilled, the attorneys claim, Reid and Acheson nonetheless learned Thursday that they'd been canned. (In Reid's case, he claims he learned about his firing from a reporter before he got the news from OU.)

"We were promised up and down that we were going to get (those records)... before any decision was made," Colner said. "And of course, that promise was broken."

Gittes agreed, saying the university stonewalled on filling records requests for his client, then went back on its word and fired him anyway. "We could not even get Todd's calendar," Gittes alleged.

He noted that OU released the Moran report only in a heavily redacted form, and that the consultant has admitted destroying the notes used in compiling the report - an action that Reid and Acheson claim violated the terms of Moran's contract.

Asked about any agreement regarding records and the timing of OU's employment decision, Sams said Friday: "I think that's something our Legal Affairs Office would take under consideration. I can't recall any commitment like that." (Reid and Acheson say the promise came from Legal Affairs during the disciplinary meeting with Sams.)

Sams himself is leaving his position as chief information officer with OU, as soon as the university can find a replacement.

SAMS SAID THAT much of the rope used to hang Reid came, not from the Moran report, but from Reid's own presentation at the disciplinary meeting. Sams said the evidence shows that Reid and Acheson failed to safeguard the outer "perimeter" of the university's whole computer network.

"The responsibility that Mr. Reid and Mr. Acheson had was for the wide-area network and the local-area network," he said. "Both of those were involved in all of the security breaches."
In a lengthy prepared statement issued Friday - which apparently reflects what was in his presentation during his disciplinary meeting - Reid noted that none of the breaches occurred on computers that were under his management.

Far from having closed his eyes to computer security problems, Reid maintains that he made "repeated efforts to gain university attention to the issue of information security, dating back to 1998," which included making "numerous proposals" for upgrades complete with requests for funding.

"My department developed and implemented literally dozens of security initiatives in the past 10 years that have served Ohio University quite well," he added.

Sams countered that Reid proposed all his projects to improve computer security before Sams took over as CIO. "It's very clear from his own documentation, that he never advised me of the seriousness of the security situation," Sams alleged.

He cited the fact that Reid and Acheson never called for installation of a "perimeter firewall," a kind of security moat around the outside of the university's entire computer system, providing security at the point where OU's computers reach out to the Internet. (OU recently announced that such a firewall will be put in place, as part of a large-scale reorganization of its IT structure.)

"What they did not do was put any good gates on the (information) highway," Sams alleged. Because the two were responsible for the security of the entire wide-area and local-area networks, he argued, it's irrelevant which individual servers they were supposed to be watching.
Reid contends in his prepared statement that it's "widely known" that such firewalls aren't typically used at large research universities "due to the sheer complexity of the server environment, the need for an open and high-performance networking environment crucial to research and learning, and the distributed responsibility and authority over many aspects of the institution, including information technology."

He cited a report by a task force on computer security in education, which stated that while firewalls are widely used to protect critical systems, they are "less common" at system perimeters, with only 40 percent of a sample of doctoral research universities using them.

Sams countered that this report is three years old and possibly outdated, and that a top computer security firm, the Gartner Group of Stamford, Mass., has recommended that OU install a perimeter firewall. Sams added that Reid's job should have included warning Sams that a firewall was needed.

Asked how, as CIO, he could have been unaware that OU was lacking such a supposedly important security feature, Sams acknowledged that he did know this, but added that "I was dependent on Mr. Reid" to keep him apprised of looming security risks.

Reid has questioned why Sams never raised the computer-security issue with him during a two-year performance review in March 2006, in which Sams gave Reid high marks for his performance.

ANOTHER POINT MADE by Reid and Acheson involves their relationship with Moran, the company whose report first singled the two out publicly for blame.

Gittes said Reid and Acheson had some disagreements with Charlie Moran, head of Moran Technology Consultants, when the company was working on a contract to help develop a student information system at OU, before it was hired to investigate the hackings. Based on this conflict, the attorney said, he suspects Moran may have had a vested interest in getting rid of the two men.
"He views Todd Acheson and Tom Reid as obstacles to getting further contracts with OU," Gittes suggested. "It's clear that Mr. Moran had it in for (Acheson)."

Reid, likewise, mentions what he calls a "clear conflict of interest on the part of Moran Consulting," which he claims was raised as an issue by two OU internal experts when they reviewed Moran's report.

(Gittes and Colner have both referred to the opinions of the two internal experts, whose comments have not been seen by The Athens NEWS. The attorneys claim the professors are highly critical of some of the conclusions and reasoning in the Moran report. Sams said he invited the experts' comments, read them, and took them into account in making his decision to fire Reid and Acheson.)

Regarding the alleged bad blood between Moran and the fired officials, Sams said that while he did hear of "a pretty spirited discussion" involving Reid and/or Acheson over Moran's ideas about the student information system, at the time, he didn't have the impression that it was serious. "I think they had agreed to disagree," he recalled, adding that Moran "seemed more bemused by it than anything."

Moran could not be reached for comment.

Ultimately, both Gittes and Colner strongly suggested, Sams himself should be under as much scrutiny for the computer breaches as his two underlings.

"The buck for the computer security problems does not stop at Tom Reid's desk," Colner declared in his statement. "It stops at the desk of Ohio University Chief Information Officer Bill Sams and the university president."

Gittes was even more pointed. "You have the man who is responsible for all of these systems when this hacking happened, making these judgments, and nothing's happened to him," he said. "He had ultimate responsibility for this. What's happened to him?"

OU, however, announced last month that Sams was "stepping aside" as chief information officer, pending the hiring of a replacement.
In announcing his decision, Sams stated in a university news release, "... it has become clear to me that a new energy level and skill set is going to be required in order to allow (OU's) IT organization to realize its potential. Consequently, I recommended to the provost and the president that a search for my successor be initiated."