[ISN] Consultant who fingered 2 OU IT officials denies bias

From: InfoSec News (alerts@private)
Date: Thu Aug 10 2006 - 22:49:25 PDT


http://www.athensnews.com/issue/article.php3?story_id=25597

By Jim Phillips
Athens NEWS Senior Writer
2006-08-10

The president of a consulting firm whose recommendations helped spur the 
firing of two Ohio University information-technology officials denied 
Wednesday that he had any personal stake in seeing the two men removed.

Charlie Moran, of the Illinois-based Moran Technology Consultants, Inc., 
dismissed as groundless suggestions that IT officials Tom Reid and Todd 
Acheson somehow posed a threat to his company's continuing to receive 
lucrative contract work from OU.

"It's a desperate attempt by their attorneys," said Moran, of allegations 
that as an OU contractor he may have had a conflict of interest in the 
case. "It's completely wrong."

The university fired Reid and Acheson last Thursday, following release of 
a report by Moran's company that laid heavy responsibility on the two for 
allowing a series of hacker break-ins to OU computer databases.

Reid was director of OU's Communication Network Services, and Acheson was 
the CNS Unix systems manager. Both Reid and Acheson's attorney, Fred 
Gittes, have publicly suggested that Moran may have had a personal 
motivation to see the two officials fired.

Before Moran was hired to investigate the computer-hacking incidents, the 
company worked for OU developing a request-for-proposals to install a 
computerized student information system at the university. Reid and 
Acheson reportedly raised questions about Moran's handling of this 
project, thus supposedly making him their enemy.

Seeming to support this claim are comments on Moran's report, and on the 
larger computer security question, by a former associate provost for IT at 
OU. Doug Mann, who held the post from 1999-2003, is now executive 
assistant to the dean in OU's College of Osteopathic Medicine.

In a June 1 memo regarding OU computer security issues, Mann stated that 
"Ohio University's IT security vulnerabilities have been known for 
decades. Concerns about security have appeared in every one of the reports 
prepared by various external IT consultants over the years."

While Mann in the 2002-03 academic year was "ramping up a major IT 
security project," he recalled, that project "was derailed when 
then-Provost Steve Kopp eliminated the associate provost for IT position."

While some OU officials continued to push for improved security, according 
to Mann - including, notably, Tom Reid - "the effectiveness of the CNS 
security effort was (and still is) limited by resources and by lack of 
central authority over OU's IT security."

In an e-mail to OU Chief Information Officer William Sams in late June, 
Mann raised serious questions about the accuracy and fairness of the Moran 
report. He also suggested that "in the context of the Moran consulting 
relationship on the OU SIS project, and Tom Reid's alleged hesitance to 
support that project, (the report) presents an appearance of conflict of 
interest."

Mann added that Moran "has profited from the SIS project and has the 
potential to profit further. Moran Technology Consulting received an unbid 
contract to write a security incident report in which they have 
recommended the dismissal of Tom Reid. The Moran report is inconsistent 
and is consistently biased against CNS and Tom Reid. In my professional 
opinion, it would be a serious mistake to undertake major disciplinary 
action such as dismissal against Tom Reid and Tom Acheson based on the 
flawed and biased Moran report."

In an e-mail to OU Legal Services, Sams has acknowledged that Shawn 
Ostermann, chair of electrical engineering and computer science at OU, has 
also reviewed the Moran report and "had similar comments to Doug's."

CHARLIE MORAN INSISTED that reports of his having a clash with Reid and 
Acheson are grossly exaggerated, and that in any case, the two were in no 
position to threaten his status as a contractor with OU.

Moran said that when he was developing the SIS RFP, he met with Acheson to 
talk about any potential obstacles in the IT area to implementing the new 
system.

During that meeting, he acknowledged, he and Acheson had a sharp 
disagreement over the best security tools to use at OU, with Acheson 
championing a software technology known as Shibboleth, and Moran arguing 
that it is "risky, and too new for OU."

However, Moran said the disagreement was civil and professional.

"Todd is a very good technical guy. I found very thoughtful comments 
coming out of him," Moran recalled. On the security-tech issue, he 
admitted, "he and I are black and white. He's a professional, I'm a 
professional, and we have different opinions."

Moran said he met shortly thereafter with Reid, and simply passed on to 
him information about the security question, which Reid said he would look 
into.

"That meeting was the first, and to my knowledge the only, time I met Tom 
Reid," he said. "I had no bad blood (with him). I don't know the man."

He added that his firm, having developed the RFP, disqualified itself from 
bidding on the SIS project, and in any case is too small and specialized 
to consider taking on what might have been a $20 million contract.

"We're a boutique consulting firm," he said. "We weren't going to bid on 
that. We're not big enough."

And while there was a possibility that his firm might get some contract 
work from OU to help implement whatever SIS system it decided to buy, 
Moran said, neither Reid nor Acheson would have any say in that decision, 
and therefore posed no financial threat to his company. "Those guys are 
not going to have a vote on who the implementation firm is going to be," 
he said.

Mann's comments to Sams on the Moran report go beyond the 
conflict-of-interest issue, however. He also alleged that the report gives 
a "complete misrepresentation" of the role that CNS played in a 2002-03 IT 
security project at OU.

"This misrepresentation does not appear to be an accident, as the report 
takes every opportunity to cast CNS in the most negative light possible," 
Mann added in his memo.

THE MORAN REPORT cited a number of possible steps that could have been 
taken to beef up OU's computer security, but were not. Mann, however, 
contended in his e-mail that "Most of these security steps were the 
responsibility of Computer Services (another IT department at OU) or other 
planning units, not CNS. However, in the report, Computer Services 
receives only the mildest of criticism, despite having free and easy 
access to anti-virus software and automatic Windows updates for server 
administration."

Charlie Moran, however, reiterated a point that has also been argued by 
Sams - that all computer security issues at OU were, at some level, the 
responsibility of CNS.

"Tom Reid owned security for the campus," he insisted.

Reid has maintained that a perimeter firewall, which he has been faulted 
for not installing, might have been a bad idea for OU. Because firewalls 
can make Internet connectivity more sluggish, he claims, some research 
universities have opted not to use them.

Moran dismissed this objection, calling a firewall an obvious, and 
relatively inexpensive, security measure for a place like OU.

"Firewalls are dirt cheap," he declared, estimating that OU could have 
installed one for somewhere between $50,000 and $70,000. "Most schools in 
the country, and most corporations, and I would hope The Athens NEWS, take 
certain security measures including firewalls."

Even if you grant Reid's point that some schools do not use firewalls, he 
said, most of them install some equivalent, alternative security measure. 
"I would say, 'OK, Tom. If you didn't put in firewalls, what did you put 
in their place?' There was nothing," Moran said.

ACHESON, MEANWHILE, has been rounding up a host of supporters for his 
cause among OU employees and people who have had dealings with the 
university.

More than a dozen support letters have been sent to the university so far, 
many of them taking strong issue with the Moran report's portrayal of 
Acheson as a prickly, aloof man whose personal style intimidated 
co-workers and eroded the inter-departmental cooperation needed to 
maintain good computer security university-wide.

One writer, who works in CNS, described Acheson as "one of the few 
managers who consistently engaged his employees on their comments, both 
positive and negative, regarding projects and daily work decisions."

Another writer, OU's IT communications manager Sean O'Malley, said the 
characterization of Acheson as hard to work with "would have been accurate 
five or six years ago," but hasn't been for some time.

"When Acheson first joined CNS, he did have a reputation for having an 
abrasive manner; however, that issue was worked out long ago," O'Malley 
wrote. "In fact, I would say for at least the past three years, Acheson 
has been an excellent team player."
