http://www.projo.com/southcounty/content/projo_20060915_audit.329268e.html

BY MARIA ARMENTAL
Journal Staff Writer
September 15, 2006

A forensics audit conducted by the director of the University of Rhode Island's Digital Forensics Center finds a way files could be tampered with and points out network security and procedural irregularities.

HOPKINTON -- A forensics audit of the town's computer network, focusing on the tax assessor's office, has revealed serious security flaws.

In a report dated Aug. 29, Matthew DeMatteo, director of the University of Rhode Island's Digital Forensics Center, who conducted the audit, reported he had found a way files could be tampered with and pointed out network security and procedural irregularities. DeMatteo was assisted by David Batestini, a network security expert, David Te, an educational observer, and Steven McCandless, the town's acting Geographic Information Systems director.

Town Manager William A. DiLibero said steps have been taken to correct the situation. The report will be discussed at the council's regular meeting Monday during executive session, DiLibero said. Public discussion may follow.

In his report, DeMatteo said computer security measures need to be implemented, access to data restricted and a network and security audit done.

The audit, conducted this summer at the behest of the former tax assessor, who complained tax records had been altered, analyzed workstation computers in the tax assessor's and tax collector's offices for evidence of file tampering.

The server that holds the files used by the tax assessor, DeMatteo said, is located in a room that also serves as the GIS director's office. "While this office is locked," DeMatteo wrote, "it is unclear who has access to the room and who can obtain access.

"Getting physical access to this room and the server inside would allow a person to copy, edit, delete, change or otherwise molest and have access to private town data, including the tax assessor's data," DeMatteo continued. "While a proprietary program is generally used to access the tax assessor's files, the files themselves could be [altered] via the network connections in the Town Hall."

"It seemed that there was little, if any, permissions or user groups being enforced on the server."

DeMatteo said examiners found that Microsoft's Remote Desktop protocol, an option that is off by default and that allows external access to the server, was enabled on both the server and the tax assessor's computer.

"While an intruder would have to know the specific internal and external [Internet Protocol] addresses for the town's computers, as well as user names and passwords to the server and the tax assessor's computers, this is a method of entry that would not be easily noticed, nor would access information be logged in any system," DeMatteo wrote.

User names and passwords were typically handwritten on a legal pad and stored in the town's safe. Under new guidelines, employees have been asked to change their passwords regularly and to provide the town manager and acting GIS director with the updated passwords.

DeMatteo said this "backdoor" entry was used at least once for maintenance and technical support on the town tax data. The company that provides the software the tax assessor uses and the revaluation company also have access permission.

"The current system of how the tax assessor works is unable to be audited and does not use any logging, peer or management checks, or primary documents or receipts to confirm the work," DeMatteo wrote. "It seems to be the digital equivalent of writing out a ledger in pencil instead of pen -- it is impossible to know who changed what, when it happened or why."

Former Tax Assessor Margaret M. Hardiman has said the software provider had disabled an audit function in the office software. Her requests to have the audit function enabled and access to information restricted were not addressed, she said.

DeMatteo said a system was installed over a weekend in early July to monitor computer traffic and data access using the Remote Desktop protocol. No activity was detected, DeMatteo said.

Hardiman had given DeMatteo a printout of changes in tax data going back to before she was hired. Hardiman, who was fired in July, had been hired on Oct. 17, 2005.

"Although there was no key to the data [like a map without a legend], it did appear that data in the system was being changed in a haphazard way," DeMatteo wrote in his report, adding that data obtained through the forensic audit could not prove or disprove the allegations. DeMatteo advised Hardiman to seek legal counsel.

DeMatteo said that by the time he was called in, it was too late to determine who had access to the records and what had been done. "It was so much after the fact," DeMatteo said. The type of information he needed to review, he said, "is subject to change just by normal use of the computer."

"I just tried to show what was possible," he said, "what they should do about this and my recommendations on what should be done to avoid that situation again."
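The two conditions the report singles out, Remote Desktop reachable on the server and no record of who connected, are ones an administrator can verify on a Windows host in a few lines. The script below is an added example, not part of the article or of DeMatteo's report; it reads the registry values that control Remote Desktop and Network Level Authentication, checks the built-in "Remote Desktop" firewall rule group, checks whether success auditing is enabled for the Logon subcategory (without it, event 4624 with logon type 10, the RemoteInteractive type, is never written, which is the "not logged in any system" situation the report describes), and counts the RDP logons already in the Security log. It assumes Windows Server 2012 / Windows 8 or later, an elevated session, and English-language `auditpol` output; the function name `Get-RdpExposure` is the author's own.

```powershell
# Added example (not from the Hopkinton audit report): assess whether this host
# exposes Remote Desktop and whether RDP logons would leave a trace.
# Assumptions: Windows Server 2012+/Windows 8+, elevated PowerShell, English auditpol output.

function Get-RdpExposure {
    [CmdletBinding()]
    param()

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop is enabled; a fresh install sets it to 1.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 requires Network Level Authentication before a session is created,
    # so an attacker with only an IP address cannot reach the logon screen.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Is the built-in "Remote Desktop" firewall rule group letting inbound 3389 through?
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count -gt 0

    # Without success auditing on the Logon subcategory, event 4624 is never written,
    # so an RDP session leaves no record of who connected or when.
    $auditLine = auditpol /get /subcategory:"Logon" 2>$null | Where-Object { $_ -match '^\s*Logon\s' }
    $logonAudited = [bool]($auditLine -match 'Success')

    # Count RemoteInteractive (type 10) logons recorded in the last 7 days.
    # In event 4624, Properties[8] is the LogonType field. Zero is expected when auditing is off.
    $since = (Get-Date).AddDays(-7)
    $rdpLogons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
                   Where-Object { $_.Properties[8].Value -eq 10 }).Count

    $finding = if ($rdpEnabled -and -not $logonAudited) {
        'RDP reachable and remote logons are not being audited'
    } elseif ($rdpEnabled) {
        'RDP reachable; review Remote Desktop Users membership and NLA'
    } else {
        'RDP disabled'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nlaRequired
        FirewallRuleOpen  = $fwOpen
        LogonAuditEnabled = $logonAudited
        RdpLogonsLast7d   = $rdpLogons
        Finding           = $finding
    }
}

Get-RdpExposure | Format-List
```

Run it on each host that holds or can reach the tax data; a result of `RdpEnabled` true with `LogonAuditEnabled` false reproduces the report's finding. Enabling the Logon subcategory (`auditpol /set /subcategory:"Logon" /success:enable /failure:enable`) is what turns the "pencil ledger" into one where the Security log records who connected and when, though it says nothing about which records were changed afterwards; that requires auditing in the application itself.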
This archive was generated by hypermail 2.1.3 : Sun Sep 17 2006 - 22:31:49 PDT