Posted at 2:20 p.m. PST Saturday, February 7, 1998 Airports told of flaw in security system New York Times SAN FRANCISCO -- Aviation officials have quietly notified airports in the United States and Britain that a design flaw in a widely used security system could enable terrorists to gain control of the electronic badges that allow employees with security clearance to enter and leave restricted areas. What is more, the computer security experts who discovered the flaw say that the same system, which is made by a small company in Southern California, is frequently used in state prisons, county jails, financial institutions, military contractors, technology companies, drug companies, county and federal government buildings, including the CIA, and the like. The flaw could make any of these sites vulnerable to terrorists or computer intruders, the experts said. The problem was found in December by MSB Associates, a computer security consulting concern in San Mateo, Calif., in a routine security audit for a large California-based financial services software company. MSB security experts spoke with a reporter on the condition that the company they were auditing not be identified. The failure to detect the problem for several years in so many supposedly secure sites underscores the risks inherent in the increasingly widespread reliance on computers and computer networks for security once performed by mechanical locks and human guards. Because such systems relinquish control of door-locking mechanisms to the computer that administers and monitors the electronic badges, all the entry points of a supposedly secure building become vulnerable to any skilled outsider who gains access to the computer. For that reason, the computer is supposed to be completely isolated: not only kept in a guarded room but not connected to other computers through a network and should not be accessible to the outside world on telephone lines. But MSB found that in the case of the electronic badge system made by Receptors Inc. of Torrance, Calif., it was possible for an intruder to use a dial-up telephone line or another computer on a network to do any of the following: -- Create permanent or temporary badges that would allow access to secured areas by unauthorized people. -- Unlock doors guarding sensitive areas. -- Schedule events like unlocking all doors to a building or within a building at a particular time. -- Create badges that would leave no record that a person had entered or left a secured area. MSB contacted aviation officials in the United States and Britain in mid-December after discovering the flaw. The consultants said they became concerned about vulnerability to terrorists when they found the names of customers that use the system, including airports, listed in the software company's own source code. Rebecca Trexler, an FAA spokeswoman, said that the agency never publicly commented on airport security ``because it's not in the public interest to discuss security vulnerabilities in the aviation system.'' But she added, ``As for this specific problem, we've notified our field personnel and they are examining the situation with airports that use this system.'' The agency is planning to meet soon with industry to explain the new security guidelines, she said. Although the FAA would not confirm which airports were at risk, MSB consultants gave a reporter a list of airports in the United States, Britain and several other countries in which the Receptors system had been installed. The list, which the reporter was allowed to review on the condition that its contents not be published, also contained the names of other secured sites, from private companies to government agencies and penal institutions. Receptors' chief operating officer, Dale Williams, said in January that the company's security equipment was being used in 40 airports around the world. But he insisted that the problem uncovered by MSB lay not with the Receptors equipment itself but with the way it had been installed in certain cases. ``This is not a problem,'' Williams said, because the airport officials who had contacted him had said that they did not permit routine outside access to the computer systems that control the electronic badge systems. Standard procedure, he said, is for the modems that allow access to the computer over phone lines to be turned on and connected only when maintenance was being performed by Receptors' employees. But Williams acknowledged that a number of the electronic badge systems were connected to computer networks and that he could not be certain that the networks themselves were secure from the outside world. He also acknowledged that other serious vulnerabilities had resulted in Receptors' equipment having been removed from the U.S. House of Representatives. From January 1995 until the middle of 1996, Receptors' equipment controlled physical access to the House. It was removed after the inspector general of the House, John W. Lainhart IV, reported that 757 former employees still appeared on the House system and still had working electronic badges. ``Former employee ID records that were carried on the House ID system as active,'' the inspector general's report said, ``created a potential false sense of security and could contribute to former employees gaining unauthorized access to House office buildings during nonbusiness hours.'' The inspector general said in an interview that he did not know of a threatening incident because of the flaw. In January, the MSB consultants said they were still able to duplicate that problem in their own client's system by creating a badge with the name Millard Fillmore. Even after employees of the financial services company found the false name and removed it from the computer, the consultants said, the badge continued to allow access to the building. Thus, an employee of the company who had quit or had been dismissed, for whatever reason, would still be able to enter the premises. Mark Seiden, a computer security expert at MSB, said he believed that the flaw resulted from a programming error. The report also criticized the method by which Congress permitted Receptors' employees to make software changes -- a procedure identical to the one that Williams said was still used by airports that use Receptors' equipment. What is more, the report criticized the House badge system because it did not maintain logs of computer activities. Although the system did keep records of which doors had been opened by which badges, it did not record who was doing what on the computer system itself, meaning that security managers had no way to detect intrusions by unauthorized people. Williams acknowledged the security shortcomings enumerated by the inspector general, but he said that the House system had been installed by a second firm, Controlled Access Concepts, in Fairfax, Va. He said that Receptors had volunteered to repair the problems but that Controlled Access had rejected the offer. ``It was a customized system, and it was one of the stupidest things we've done in our lives,'' Williams said. ``The system had software problems, without a doubt.'' Court records indicate that Controlled Access sued Receptors in December 1996 in relation to another electronic badge system, at the Library of Congress. The suit is unresolved. Controlled Access declined to comment on the case. 1997 - 1998 Mercury Center. The information you receive online from Mercury Center is protected by the copyright laws of the United States. The copyright laws prohibit any copying, redistributing, retransmitting, or repurposing of any copyright-protected material.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:41 PDT