[ISN] Contractor Blamed in DHS Data Breaches

From: InfoSec News (alerts@private)
Date: Mon Sep 24 2007 - 22:19:22 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471.html

By Ellen Nakashima and Brian Krebs
Washington Post Staff Writers
September 24, 2007

The FBI is investigating a major information technology firm with a $1.7 
billion Department of Homeland Security contract after it allegedly 
failed to detect cyber break-ins traced to a Chinese-language Web site 
and then tried to cover up its deficiencies, according to congressional 
investigators.

At the center of the probe is Unisys Corp., a company that in 2002 won a 
$1 billion deal to build, secure and manage the information technology 
networks for the Transportation Security Administration and DHS 
headquarters. In 2005, the company was awarded a $750 million follow-on 
contract.

On Friday, House Homeland Security Committee Chairman Bennie Thompson 
(D-Miss.) called on DHS Inspector General Richard Skinner to launch his 
own investigation.

As part of the contract, Unisys, based in Blue Bell, Pa., was to install 
network-intrusion detection devices on the unclassified computer systems 
for the TSA and DHS headquarters and monitor the networks. But according 
to evidence gathered by the House Homeland Security Committee, Unisys's 
failure to properly install and monitor the devices meant that DHS was 
not aware for at least three months of cyber-intrusions that began in 
June 2006. Through October of that year, Thompson said, 150 DHS 
computers -- including one in the Office of Procurement Operations, 
which handles contract data -- were compromised by hackers, who sent an 
unknown quantity of information to a Chinese-language Web site that 
appeared to host hacking tools.

The contractor also allegedly falsely certified that the network had 
been protected to cover up its lax oversight, according to the 
committee.

"For the hundreds of millions of dollars that have been spent on 
building this system within Homeland, we should demand accountability by 
the contractor," Thompson said in an interview. "If, in fact, fraud can 
be proven, those individuals guilty of it should be prosecuted."

A Unisys spokeswoman, Lisa Meyer, said that "no investigative body has 
notified us formally or informally of a criminal investigation" on the 
matter and added that she could not comment on specific security 
incidents.

She said that Unisys has provided DHS "with government-certified and 
accredited security programs and systems, which were in place throughout 
2006 and remain so today."

The DHS intrusions are especially disturbing in light of a rash of 
attacks on government computer systems linked to Chinese servers, 
Thompson said. Since last year, hackers have penetrated e-mail and other 
systems at the Defense, State and Commerce departments. Unisys was not 
providing information-security services in those cases.

National security and cyber-security experts say the U.S. government and 
its contractors are the target of a growing cyber-warfare effort that 
they suspect is being conducted by the Chinese government and its 
proxies with the aim of stealing military secrets and accessing the 
computer networks of the world's only military superpower. The trend, 
they say, reflects the convergence of cyber-crime and espionage, abetted 
by the availability of hacker tools on the Internet and lax 
information-technology security.

"This is a warning that our networks are porous and vulnerable to the 
new breed of hackers," said James Lewis, a senior fellow at the Center 
for Strategic and International Studies.

DHS, which oversees agencies critical to domestic security, including 
the TSA and Customs and Border Protection, has insufficiently secured 
its networks, Thompson said. He said he is "troubled" by what he sees as 
DHS officials' indifference to the problem.

DHS spokesman Russ Knocke rejected the assertion. "We've taken the 
committee's allegations very seriously," he said. "At the committee's 
request, we have provided them with copies of every incident report 
since the department was created. . . . We have today fully operational 
security operations capability. That means that every incident, no 
matter how small, is reported to our operations center."

The FBI is investigating Unisys for criminal fraud, according to a 
committee aide. The panel began its inquiry into the matter in April. 
And Homeland Security's Internal Affairs division is conducting a probe 
as well.

FBI spokesman Richard J. Kolko said he could not confirm or deny whether 
the FBI is investigating the matter.

In the 2006 attacks on the DHS systems, hackers often took over 
computers late at night or early in the morning, "exfiltrating" or 
copying and sending out data over hours -- in one case more than five 
hours, according to evidence collected by the committee.

The House panel said its investigation has yielded the following 
results:

It is not clear how the hackers breached the DHS systems. But once 
inside, they used special software to crack a user account password for 
a network administrator who had privileges to modify key system files on 
thousands of computers on the DHS network.

Then the attackers began installing malicious software on dozens of 
computers that not only masked the intrusion but also copied and 
transferred files to an outside Web site.

In July 2006, a Unisys employee detected a possible intrusion but 
"downplayed it and low-level DHS security managers ignored it," the 
committee aide said.

It was not until Sept. 27, 2006, that two DHS systems managers noticed 
that their machines had been accessed with a hacking tool.

Unisys information technology employees began a probe and determined 
that the break-in affected more computers. They discovered that it 
reached back as far as June 13 that year and had continued through at 
least Oct. 1, eventually reaching 150 computers.

Among the security devices Unisys had been hired to install and monitor 
were seven "intrusion-detection systems," which flag suspicious or 
unauthorized computer network activity that may indicate a break-in. The 
devices were purchased in 2004, but by June 2006 only three had been 
installed -- and in such a way that they could not provide real-time 
alerts, according to the committee. The rest were gathering dust in DHS 
storage closets and under desks in their original packaging, the aide 
said.
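The two behaviours the committee describes, data leaving at night over multi-hour sessions and several internal hosts sending to the same external site, are exactly what a correctly placed and monitored network sensor is meant to alert on in real time. The following detector is an added example, not code from the article, from Unisys or from DHS; it runs over constructed flow records (start time, duration, source, destination, bytes out), and the 22:00 to 06:00 "off-hours" window, the one-hour duration floor and the 50 MB volume floor are assumed thresholds, not figures from the article.

```python
"""Off-hours, long-duration exfiltration detector over constructed flow records.

Added example, not code from the article or from any party it names.
Assumes a simple flow-log line format: start (ISO 8601), duration in
seconds, source host, destination host, bytes sent outbound. The
thresholds and the off-hours window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flows (not real DHS data). Addresses use RFC 1918
# and documentation (TEST-NET) ranges.
SAMPLE_FLOWS = """\
2006-06-13T02:14:00,19800,10.20.30.41,203.0.113.7,412000000
2006-06-13T09:05:00,120,10.20.30.41,10.20.1.5,2048
2006-06-14T01:30:00,5400,10.20.30.52,203.0.113.7,88000000
2006-06-14T14:00:00,7200,10.20.30.60,198.51.100.9,950000000
2006-06-15T03:00:00,600,10.20.30.70,203.0.113.7,1500
"""

INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass
class Flow:
    start: datetime
    duration: timedelta
    src: str
    dst: str
    bytes_out: int


def parse_flows(text):
    """Parse the assumed CSV-style flow format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, dur, src, dst, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(start),
                          timedelta(seconds=int(dur)), src, dst, int(nbytes)))
    return flows


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_off_hours(ts, start_hour=22, end_hour=6):
    """True when ts falls in a window that wraps midnight (assumed 22:00-06:00)."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_exfil(flows, min_duration=timedelta(hours=1), min_bytes=50_000_000):
    """Return (src, dst, reasons) for outbound flows that match at least two
    of: off-hours start, long session, large outbound volume. Requiring two
    signals keeps a single late-night small transfer from alerting on its own."""
    alerts = []
    for f in flows:
        if is_internal(f.dst):          # only traffic leaving the network
            continue
        reasons = []
        if is_off_hours(f.start):
            reasons.append("off-hours start")
        if f.duration >= min_duration:
            reasons.append("long session")
        if f.bytes_out >= min_bytes:
            reasons.append("large outbound volume")
        if len(reasons) >= 2:
            alerts.append((f.src, f.dst, tuple(reasons)))
    return alerts


def hosts_per_destination(alerts):
    """Group alerting sources by external destination: many internal hosts
    sending to one outside site is the pattern the committee describes."""
    by_dst = {}
    for src, dst, _ in alerts:
        by_dst.setdefault(dst, set()).add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    found = detect_exfil(parse_flows(SAMPLE_FLOWS))
    for src, dst, reasons in found:
        print(f"{src} -> {dst}: {', '.join(reasons)}")
    print(hosts_per_destination(found))
```

The two-signal rule is a deliberate design choice: a sensor that alerts on every night-time connection drowns the analyst, while one that alerts only on volume misses the slow, hours-long drains the committee found; a destination reached by several distinct internal hosts under these conditions is the case to escalate first. A sensor that is installed but cannot emit these alerts as the flows occur, as the committee says the three installed devices could not, is no better for this purpose than one still in its box.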

Although the hackers lifted data from unclassified systems, Paul Kurtz, 
a former White House cyber-security adviser, said that even unclassified 
data, if stolen in large enough quantities, could provide important 
clues about U.S. military and corporate trade secrets.

"Clearly there's cause for concern as to how Unisys has conducted itself 
and the security it has provided," committee member Rep. Jim Langevin 
(D-R.I.) said in an interview. "There were some basic things that should 
have been done -- installation of these intrusion-detection devices -- 
that very well would have given us a strong indication and an alert that 
our systems were penetrated."

Unisys spokeswoman Meyer disputed the committee's version of events. She 
said that Unisys had installed five network-intrusion devices and added 
a sixth in September 2006. Moreover, she said, under the follow-on 
contract, "DHS, citing lack of funding, elected to stop paying for 
security monitoring services," but that the firm continued to provide 
the monitoring anyway.

Knocke said that the claims are "entirely baseless and disingenuous." He 
added that although "Unisys is not prohibited" from bidding on the next 
IT contract, "previous performance can be a factor" in selection.

The committee obtained documents indicating that Unisys was trying to 
"hide gaps" from the government in an apparent attempt to obscure the 
scope of the network security breaches, an aide said. Unisys also failed 
to disclose to DHS that the data were being sent to the Chinese-language 
Web site, the aide said.

Langevin, who chairs the panel's subcommittee on emerging threats and 
cyber-security, complained that senior DHS officials failed to recognize 
the situation's gravity. In a letter sent Friday to Skinner, Langevin 
and Thompson also said that DHS officials "preferred to complete the 
fiscal year's financial transactions rather than immediately take steps 
to mitigate the problem."

Knocke disputed that assertion. "We have spent innumerable man hours 
responding to the committee's inquiries and requests. . . . We are aware 
of, and have responded to, malicious cyber-activity directed at the U.S. 
government over the past few years. We remain concerned that this 
malicious activity is growing more sophisticated and frequent."

In fact, the techniques and tools used in the DHS break-ins were similar 
to incidents at the Defense and Commerce departments, the lawmakers 
said.

Experts said the attacks, which have also hit Germany, Britain and 
France, are part of a series that began several years ago, when U.S. 
officials reported that the unclassified Pentagon and contractors 
running national labs had been under relentless attack from computers in 
China. The intelligence and computer-security communities remain divided 
over whether the intrusions, code-named Titan Rain by federal 
investigators, were carried out by state-sponsored cyber-spies or merely 
opportunistic hackers.

A senior military technology officer warned last fall that China 
downloaded "10 to 20 terabytes of data" from the Pentagon's 
non-classified Internet Protocol router network. "They are looking for 
your identity so they can get into the network as you," Maj. Gen. 
William Lord, Director of Information Services and Integration in the 
Air Force Office of Warfighting Integration, said at an Air Force 
technology conference. "There is a nation-state threat by the Chinese."

The Chinese government has vigorously denied the charges of 
cyber-espionage and Chinese officials have leveled their own allegations 
of cyber-hacking against the United States.

Krebs is a staff writer for washingtonpost.com. Staff researcher Richard 
Drezen contributed to this report.

© 2007 The Washington Post Company
