[IWAR] SECURITY Serious flaw--airports, financial, etc.

From: 7Pillars Partners (partnersat_private)
Date: Sat Feb 07 1998 - 14:43:02 PST

    Posted at 2:20 p.m. PST Saturday, February 7, 1998
     Airports told of flaw in security system
     New York Times
     SAN FRANCISCO -- Aviation officials have quietly notified airports
     in the United States and Britain that a design flaw in a widely used
     security system could enable terrorists to gain control of the electronic
     badges that allow employees with security clearance to enter and
     leave restricted areas.
     What is more, the computer security experts who discovered the flaw
     say that the same system, which is made by a small company in
     Southern California, is frequently used in state prisons, county jails,
     financial institutions, military contractors, technology companies, drug
     companies, county and federal government buildings, including the
     CIA, and the like.
     The flaw could make any of these sites vulnerable to terrorists or
     computer intruders, the experts said.
     The problem was found in December by MSB Associates, a
     computer security consulting concern in San Mateo, Calif., in a
     routine security audit for a large California-based financial services
     software company. MSB security experts spoke with a reporter on
     the condition that the company they were auditing not be identified.
     The failure to detect the problem for several years in so many
     supposedly secure sites underscores the risks inherent in the
     increasingly widespread reliance on computers and computer
     networks for security once performed by mechanical locks and
     human guards.
     Because such systems relinquish control of door-locking mechanisms
     to the computer that administers and monitors the electronic badges,
     all the entry points of a supposedly secure building become vulnerable
     to any skilled outsider who gains access to the computer.
     For that reason, the computer is supposed to be completely isolated:
     not only kept in a guarded room but also not connected to other
     computers through a network and not accessible to the outside
     world on telephone lines.
     But MSB found that in the case of the electronic badge system made
     by Receptors Inc. of Torrance, Calif., it was possible for an intruder
     to use a dial-up telephone line or another computer on a network to
     do any of the following:
     -- Create permanent or temporary badges that would allow access to
     secured areas by unauthorized people.
     -- Unlock doors guarding sensitive areas.
     -- Schedule events like unlocking all doors to a building or within a
     building at a particular time.
     -- Create badges that would leave no record that a person had
     entered or left a secured area.
     MSB contacted aviation officials in the United States and Britain in
     mid-December after discovering the flaw. The consultants said they
     became concerned about vulnerability to terrorists when they found
     the names of customers that use the system, including airports, listed
     in the software company's own source code.
     Rebecca Trexler, an FAA spokeswoman, said that the agency never
     publicly commented on airport security ``because it's not in the public
     interest to discuss security vulnerabilities in the aviation system.''
     But she added, ``As for this specific problem, we've notified our field
     personnel and they are examining the situation with airports that use
     this system.'' The agency is planning to meet soon with industry to
     explain the new security guidelines, she said.
     Although the FAA would not confirm which airports were at risk,
     MSB consultants gave a reporter a list of airports in the United
     States, Britain and several other countries in which the Receptors
     system had been installed. The list, which the reporter was allowed to
     review on the condition that its contents not be published, also
     contained the names of other secured sites, from private companies to
     government agencies and penal institutions.
     Receptors' chief operating officer, Dale Williams, said in January that
     the company's security equipment was being used in 40 airports
     around the world. But he insisted that the problem uncovered by
     MSB lay not with the Receptors equipment itself but with the way it
     had been installed in certain cases.
     ``This is not a problem,'' Williams said, because the airport officials
     who had contacted him had said that they did not permit routine
     outside access to the computer systems that control the electronic
     badge systems. Standard procedure, he said, is for the modems that
     allow access to the computer over phone lines to be turned on and
     connected only when maintenance was being performed by
     Receptors' employees.
     But Williams acknowledged that a number of the electronic badge
     systems were connected to computer networks and that he could not
     be certain that the networks themselves were secure from the outside
     world. He also acknowledged that other serious vulnerabilities had
     resulted in Receptors' equipment having been removed from the U.S.
     House of Representatives.
     From January 1995 until the middle of 1996, Receptors' equipment
     controlled physical access to the House. It was removed after the
     inspector general of the House, John W. Lainhart IV, reported that
     757 former employees still appeared on the House system and still
     had working electronic badges.
     ``Former employee ID records that were carried on the House ID
     system as active,'' the inspector general's report said, ``created a
     potential false sense of security and could contribute to former
     employees gaining unauthorized access to House office buildings
     during nonbusiness hours.''
     The inspector general said in an interview that he did not know of a
     threatening incident because of the flaw.
     In January, the MSB consultants said they were still able to duplicate
     that problem in their own client's system by creating a badge with the
     name Millard Fillmore. Even after employees of the financial services
     company found the false name and removed it from the computer, the
     consultants said, the badge continued to allow access to the building.
     Thus, an employee of the company who had quit or had been
     dismissed, for whatever reason, would still be able to enter the
     Mark Seiden, a computer security expert at MSB, said he believed
     that the flaw resulted from a programming error.
     The report also criticized the method by which Congress permitted
     Receptors' employees to make software changes -- a procedure
     identical to the one that Williams said was still used by airports that
     use Receptors' equipment.
     What is more, the report criticized the House badge system because it
     did not maintain logs of computer activities. Although the system did
     keep records of which doors had been opened by which badges, it
     did not record who was doing what on the computer system itself,
     meaning that security managers had no way to detect intrusions by
     unauthorized people.
     Williams acknowledged the security shortcomings enumerated by the
     inspector general, but he said that the House system had been
     installed by a second firm, Controlled Access Concepts, in Fairfax,
     Va. He said that Receptors had volunteered to repair the problems
     but that Controlled Access had rejected the offer.
     ``It was a customized system, and it was one of the stupidest things
     we've done in our lives,'' Williams said. ``The system had software
     problems, without a doubt.''
     Court records indicate that Controlled Access sued Receptors in
     December 1996 in relation to another electronic badge system, at the
     Library of Congress. The suit is unresolved.
     Controlled Access declined to comment on the case. 
     1997 - 1998 Mercury Center. The information you receive online from
     Mercury Center is protected by the copyright laws of the United States. The
     copyright laws prohibit any copying, redistributing, retransmitting, or
      repurposing of any copyright-protected material. 
