[ISN] Computer security consultant recovers notes thought to have been destroyed

From: InfoSec News (alerts@private)
Date: Fri Sep 01 2006 - 02:14:45 PDT


http://www.athensnews.com/issue/article.php3?story_id=25781

By Jim Phillips 
Athens NEWS Senior Writer 
2006-08-31

A set of notes that a consultant used to put together a report on Ohio
University's computer security problems, and that reportedly was
thrown out, has now apparently turned up.

"We found all the interview notes," reported Charlie Moran, president
of the Illinois-based Moran Technology Consulting, on Monday.

The supposedly discarded notes have been a factor in a bitter dispute
between OU and two top information technology officials whom the
university fired Aug. 3.

Tom Reid and Tom Acheson were fired for their alleged responsibility
in allowing hackers to break into OU computer databases on repeated
occasions, and to access personal data including Social Security
numbers on thousands of alumni, students, donors and subcontractors.

After the breaches were discovered (and made the news nationwide), OU
hired Moran to investigate why they happened. In June, the company
released a report -- with many sections blacked out for security
reasons -- that laid heavy blame on Reid and Acheson for leaving OU's
computer system open to attack.

Reid was director of OU's Communication Network Services, and Acheson
was the Unix systems manager for CNS. OU Chief Information Office
William Sams has said that he did not rely primarily on the Moran
report in deciding to fire the two, though Reid and Acheson argue that
the report did play a central role in their losing their jobs.

Reid and Acheson are fighting their terminations, and have asked a
local judge to order OU to release records relating to the security
breaches and the creation of the Moran report.

Last month, OU officials confirmed that Moran had told them that the
company disposed of the notes it used of its interviews with OU
personnel, which went into the writing of the report.

Attorneys for Reid and Acheson cried foul, contending that the
interview notes should have been public record, that Moran was
required to turn them over to OU under the terms of its contract, and
that their destruction was probably illegal.

Attorney Fred Gittes, who represents Acheson, said Wednesday that he
had not known the interview notes had supposedly been found. He added
that he's going to be highly skeptical about the documents, assuming
he ever gets to see them.

"I hadn't been informed of that," Gittes said. "And of course, there
will be serious questions about the authenticity of these records,
since there have been repeated public statements that they have been
destroyed."

James Colner, who represents Reid, said that he also had been unaware
of the recovery of the notes, but that he hopes to see them soon.

"We certainly believe they're public records, and they should be
turned over to us," he said. "We'll see if the university does that.  
So far, they haven't given us hardly anything."

Moran said he believed all copies of the notes had been trashed, but
that a search for them in an electronic version turned up e-mailed
copies that had been retained. He said Moran has given them to OU.

"We were able, by going back through old e-mails, to find the 22
interviews that were missing. So OU has all that stuff," he confirmed.  
"Any document we ever had, and every file we ever had, is there."

He stressed that Moran continues to believe that the notes are private
work product, which the public has no legal right to see. However, he
added, he has decided to wash his hands of that issue and leave the
status of the documents to OU.

"We're still convinced they aren't public records," Moran said. "But I
don't need that noise any more."

Asked Wednesday about OU's receiving the lost notes, OU Legal Affairs
Director John Burns responded, "We can't comment on that at the
moment." He did say, however, that assuming the existence of the
documents, OU would still have to make a decision on whether it
considers them public records.

Burns added that OU is still working through records requests by Reid
and Acheson, and that "much of what they've asked for, we don't have."  
This would include preliminary drafts of the Moran report, he said.

Though a court may end up ruling on whether Moran complied with the
terms of his contract as far as providing documents related to its
report, Burns said that in his view, "he's acted in good faith and
given us what he's got."


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Fri Sep 01 2006 - 02:31:34 PDT