[ISN] Cyberattacks at federal agencies draw House scrutiny

From: InfoSec News (alerts@private)
Date: Fri Apr 20 2007 - 00:25:22 PDT


http://news.com.com/Cyberattacks+at+federal+agencies+draw+House+scrutiny/2100-7348_3-6177783.html

By Anne Broache
Staff Writer, CNET News.com
April 19, 2007

WASHINGTON -- As new details emerged about cyberattacks against networks 
at the State and Commerce departments last year, politicians on Thursday 
said they're concerned many federal agencies are ill-prepared to fend 
off such intrusions.

Members of a U.S. House of Representatives cybersecurity subcommittee 
said they weren't confident that the computer systems at bureaus within 
the State and Commerce departments were adequately secured and scrubbed 
of backdoors that could allow cybercrooks to re-enter. They also 
questioned agency representatives on whether they could truly guarantee 
that sensitive information hadn't been accessed or copied.

"We don't know who's inside our networks," subcommittee chairman Rep. 
James Langevin (D-R.I.) said at an afternoon hearing here. "We don't 
know what information has been stolen."

Indeed, 21 of 24 major federal agencies had weak or deficient 
information security controls in place during the last fiscal year, 
according to audit reports, said Gregory Wilshusen, director of 
information security issues for the Government Accountability Office.

Pitfalls ranged from failing to replace well-known vendor-supplied 
passwords on systems to not encrypting sensitive information to not 
creating adequate audit logs to track activity on their systems, 
according to a new GAO report (PDF) he summarized at the hearing.

One of the main purposes of the hearing was to allow officials at the 
State and Commerce departments to give the first complete public 
accounts of the cyberattacks since news reports brought the incidents to 
light several months ago.

The State Department troubles began in May, said Donald Reid, senior 
coordinator for security infrastructure for the agency's Bureau of 
Diplomatic Security. An employee at an office in the East Asia Pacific 
region opened an e-mail message that contained what appeared to be a 
legitimate Microsoft Word document of a congressional speech--but when 
opened, actually unleashed malicious code that allowed the intruder 
backdoor access to the State Department's network.

The agency's intrusion detection system "immediately" detected the flaw 
and later discovered additional breaches on its systems in other Asian 
outposts and at its Washington headquarters, Reid said. In the process 
of analyzing that malicious code, analysts also discovered another 
previously unknown hole in the Windows operating system that lacked a 
security patch.

Realizing that Microsoft would not be able to issue a fix as speedily as 
necessary, the department developed a temporary "wrapper" designed to 
protect the systems from continued exploits, Reid said. All the affected 
systems were brought back up and running by July, and the department has 
not encountered further troubles, Reid said. (Microsoft ultimately 
released the new patch in August.)

Some politicians targeted Reid's assurances that the attacks only 
affected "unclassified" systems. Because government auditors have 
determined that the State Department lacks a complete inventory of its 
computer systems, "how can you be certain your classified networks 
aren't touching your unclassified networks, and can you really know 
hackers have only accessed unclassified networks?" Langevin asked. He 
also suggested that even unclassified networks can contain "sensitive" 
data.

Also encountering pointed questions from the handful of politicians 
present Thursday was Dave Jarrell, manager of the Commerce Department's 
Critical Infrastructure Protection Program.

Jarrell recounted events that transpired beginning in July at his 
department's Bureau of Industry and Security, which handles the 
sometimes thorny topic of export controls. After a senior BIS official 
discovered one morning that he could not log in to his machine, an 
agency computer security team went on to discover 33 computers that had 
attempted to establish connections to suspicious Internet protocol 
addresses originating from Internet servers in China.

Some politicians criticized the bureau for admittedly not knowing 
exactly how long the attackers were able to gain access to their 
systems. Jarrell said the agency was "very confident" that the data on 
existing machines is safe. He blamed the inability to pinpoint the time 
of the intrusion on faulty audit logs and said the agency was fixing 
that problem.

Politicians also used the hearing to lash out again at the Department of 
Homeland Security's persistently lagging cybersecurity efforts. They 
lamented that the agency had only managed to pull up its own information 
security grade, as determined by its compliance with federal standards, 
to slightly above failing this year. (The State and Commerce 
departments, for their part, both received F's.)

"I'll be honest with you," Langevin said. "I don't know how the 
department thinks it's going to lead this nation in securing cyberspace 
when it can't even secure its own networks."

