CRIME Computers vulnerable at Oregon department

From: brvarin@private
Date: Mon Sep 23 2002 - 07:43:48 PDT

    This'll make you feel good.... With our current budget, does anyone see
    security actually improving?
    
    And this quote is classic: "I will never divert program money to serve
    people to take care of these data security issues," Mink said. "We've got
    security interests competing against service interests."
    
    But it's ok to divert program money to criminals who steal it from the
    state!
    
    http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/1032782122290112.xml
    
    LES ZAITZ
    
    SALEM -- The state Department of Human Services has systematically
    neglected computer security for years, leaving Oregon's largest agency
    vulnerable to hackers and thieving employees who can pay themselves public
    benefits, according to an internal agency report.
    
    A consultant hired to evaluate the agency's computer safeguards found
    lapses at every level. State auditors identified similar problems a year
    ago, and agency leaders then promised to fix them.
    
    They still haven't.
    
    "Nothing's been completed," said Cindy Becker, Human Services' chief
    administrative officer. "We thought we were fixing things that ended up not
    getting fixed."
    
    Becker's boss, Human Services Director Bob Mink, says that he knows the
    computers are vulnerable but that he doesn't have the money to plug the
    leaks and won't do it unless the Legislature comes up with the cash. No one
    knows how much it will cost.
    
    "I will never divert program money to serve people to take care of these
    data security issues," Mink said. "We've got security interests competing
    against service interests."
    
    The agency, with 9,300 employees and a two-year budget of $8.5 billion,
    serves Oregon's neediest residents.
    
    Its computers store personal information on more than 900,000 people who
    receive state benefits and an unknown number of former recipients. The
    computers also are used to issue millions of dollars in payments to
    Oregonians.
    
    Security weaknesses allow outsiders access to much of that information,
    according to the consultant, Certicom Corp. The consultant said hackers
    could tap into the computers for identity theft, sabotage or state
    benefits.
    
    Certicom also concluded that state employees can readily get into computer
    files they don't need for their jobs, allowing privacy breaches or theft.
    
    Crooked employees already have cracked the computers.
    
    State auditors highlighted that problem last year, identifying nine
    instances in which agency employees tapped computers to steal $201,000. In
    one case, an office clerk making $21,228 a year got $5,917 in state welfare
    by failing to disclose she had a job. Her employer: the Human Services
    Department's child welfare agency. When agency officials discovered the
    theft, they kept the clerk on staff but arranged for her to repay the
    money: at $20 a month.
    
    Another employee took information from closed client files to open new
    files and create paperwork to make it look as if clients were getting
    day-care services from his wife. The employee generated checks totaling
    $72,618 during 28 months for nonexistent day care.
    
    Police and state ethics investigators are examining those cases.
    
    Portions of Certicom's July report recently were released to The Oregonian
    under the state's public records law.
    
    The report echoed concerns raised last year by state auditors, who found
    that Human Services managers needed to make security a priority to stop
    employee theft and guard against disclosure of personal information such as
    medical records.
    
    Agency officials were surprised by what state auditors found. "I wasn't
    aware how vulnerable we were," Mink, the Human Services director, said in a
    recent interview.
    
    Mink responded to the August 2001 state audit by pledging to make security
    a higher priority and to work to plug security breaches.
    
    However, Mink said he considers lax security a serious problem but doesn't
    have the money to fix it. The agency will ask the 2003 Legislature for
    money, but he and Becker aren't optimistic.
    
    "I don't think there's going to be any type of money for this in the
    future," Mink said.
    
    The agency set up a task force last month to address security issues,
    focusing on changes that don't require money. Becker said the agency also
    might get some help as it meets new federal requirements to safeguard
    personal information. An agency proposal for meeting that requirement
    includes $2.3 million to improve security.
    
    Certicom and state auditors said in their separate reports that security is
    as much an attitude as a computer code. "Executive management has not made
    security of its systems a priority," state auditors reported in August
    2001.
    
    The Certicom report agreed. "Security, over and over again, has been an
    afterthought," it said.
    
    Certicom described five "absolutely essential" steps to boost security,
    starting with a basic plan for how to do that. Certicom noted the agency
    doesn't have staff capable of such planning.
    
    The consulting firm found that the agency's computers are vulnerable to
    hackers because no security policies are in place, employee passwords are
    poorly managed, and encryption is inadequate.
    
    "This is a textbook case of how computer systems are commonly compromised
    over the Internet," the report said.
    
    Employees not on guard
    
    The report said the agency's lack of concern about security means
    employees aren't on guard for potential breaches and could be tricked into
    allowing outsiders to reach sensitive computers.
    
    "Trusting employees are very susceptible to such attacks when security is
    not forefront on their minds," it noted.
    
    Employees also can compromise agency computers, Certicom concluded.
    
    "Motivation can include personal hardship, malice or extortion," the report
    said. "Targets are most likely to be those that lead to direct personal
    gain (e.g. unauthorized funds transfers or theft)."
    
    Human Services' computer security problems date to at least 1991, when an
    internal evaluation was done as the agency planned to shift to new software
    to secure its electronic files.
    
    "The current system doesn't work very well," the report said. "Giving 100
    people the same password doesn't amount to very effective security."
    
    The current system deployed by the agency hasn't worked much better. The
    one employee who understood the security software left three years ago.
    Agency officials can't locate him, and no one else understands how the
    agency's computers have been programmed with the code.
    
    In 1998, state auditors identified security gaps and recommended 22
    remedies. Three years later, auditors discovered 14 steps still not
    finished.
    
    The agency's own auditors in 1999 chronicled the computer security lapses,
    but the only recommendation followed was to hire a data security manager.
    Scott Burrows took the job in April 2001, but he was given no budget and no
    authority to order any changes. He quit two months ago, and agency
    officials say they have no immediate plans to replace him.
    
    "We got off to a bad start," Becker said. "It's been a stop-and-start
    thing. It has not gone the way we wanted it to."
    
    Les Zaitz: 503-221-8181; leszaitz@private
    
    ===========================================================================
    IMPORTANT NOTICE: This communication, including any attachment, contains
    information that may be confidential or privileged, and is intended solely
    for the entity or individual to whom it is addressed.  If you are not the
    intended recipient, you should delete this message and are hereby notified
    that any disclosure, copying, or distribution of this message is strictly
    prohibited.  Nothing in this email, including any attachment, is intended
    to be a legally binding signature.
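    The findings the article reports (employees paying themselves benefits, a
    worker routing day-care checks to a provider in his own household, a hundred
    people sharing one password) each have a straightforward audit control that
    needs no new software budget, only a cross-match of records the agency
    already holds. The block below is an added illustration of those three
    controls, not code from the article, the poster, the agency or Certicom; the
    payroll, payment and login records it runs over are constructed, and every
    id, name, address, account and amount in it is made up.

```python
"""Audit cross-checks for a benefit-payment system (constructed example).

Three controls suggested by the reported findings: an employee who is also
a benefit recipient, a caseworker paying a provider at their own address,
and one login account active on two workstations at once (the footprint of
a shared password). Not the agency's or Certicom's code; all data is made up.
"""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

Employee = namedtuple("Employee", "emp_id name address")
Session = namedtuple("Session", "account host start end")

@dataclass(frozen=True)
class Payment:
    case_id: str
    opened_by: str       # emp_id of the worker who created the client file
    recipient: str
    recipient_addr: str
    provider: str        # vendor paid on the client's behalf; "" for a direct benefit
    provider_addr: str
    cents: int           # integer cents, so totals compare exactly
    month: str           # YYYY-MM

# Constructed records; ids, names, addresses and amounts are fictitious.
EMPLOYEES = [
    Employee("E100", "Dana Clerk", "12 Oak St, Salem"),
    Employee("E200", "Pat Worker", "77 Pine Ave, Eugene"),
    Employee("E300", "Lee Auditor", "5 Elm Rd, Bend"),
]
PAYMENTS = [
    # direct benefit to someone on the payroll (control 1)
    Payment("C001", "E300", "Dana Clerk", "12 Oak St, Salem", "", "", 49308, "2001-03"),
    Payment("C001", "E300", "Dana Clerk", "12 Oak St, Salem", "", "", 49308, "2001-04"),
    # a namesake at another address must not be flagged
    Payment("C005", "E300", "Dana Clerk", "88 Lake Dr, Portland", "", "", 30000, "2001-03"),
    # provider located at the case-opening worker's own address (control 2)
    Payment("C002", "E200", "Jo Client", "9 River Rd, Eugene", "Sunny Days Care", "77 Pine Ave, Eugene", 120000, "2000-11"),
    Payment("C003", "E200", "Sam Client", "4 Hill St, Eugene", "Sunny Days Care", "77 Pine Ave, Eugene", 150000, "2000-12"),
    # ordinary provider payment; must not be flagged
    Payment("C004", "E300", "Kim Client", "2 Bay Rd, Bend", "Little Stars", "300 Main St, Bend", 90000, "2001-01"),
]
SESSIONS = [
    Session("intake01", "WS-01", datetime(2002, 9, 3, 8, 0), datetime(2002, 9, 3, 12, 0)),
    Session("intake01", "WS-07", datetime(2002, 9, 3, 10, 30), datetime(2002, 9, 3, 11, 0)),  # overlaps WS-01 (control 3)
    Session("intake01", "WS-01", datetime(2002, 9, 3, 13, 0), datetime(2002, 9, 3, 17, 0)),
    Session("lauditor", "WS-02", datetime(2002, 9, 3, 8, 0), datetime(2002, 9, 3, 12, 0)),
    Session("lauditor", "WS-02", datetime(2002, 9, 3, 12, 5), datetime(2002, 9, 3, 17, 0)),   # same host, no overlap
]

def employee_recipients(employees, payments):
    """Cents paid as benefits to people who are also on the payroll.

    Name and address are matched together so an unrelated namesake stays out.
    """
    roster = {(e.name, e.address): e.emp_id for e in employees}
    totals = defaultdict(int)
    for p in payments:
        emp = roster.get((p.recipient, p.recipient_addr))
        if emp is not None:
            totals[emp] += p.cents
    return dict(totals)

def self_dealing_providers(employees, payments):
    """Provider payments where the vendor's address is the case-opening worker's."""
    addr_of = {e.emp_id: e.address for e in employees}
    hits = defaultdict(lambda: {"cents": 0, "cases": set(), "months": set()})
    for p in payments:
        if p.provider and addr_of.get(p.opened_by) == p.provider_addr:
            h = hits[p.opened_by]
            h["cents"] += p.cents
            h["cases"].add(p.case_id)
            h["months"].add(p.month)
    return dict(hits)

def concurrent_sessions(sessions):
    """Accounts whose sessions on two different hosts overlap in time."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    flagged = {}
    for account, sess in by_account.items():
        for a, b in combinations(sess, 2):
            if a.host != b.host and a.start < b.end and b.start < a.end:
                flagged.setdefault(account, set()).update({a.host, b.host})
    return flagged

if __name__ == "__main__":
    print("employees receiving benefits:", employee_recipients(EMPLOYEES, PAYMENTS))
    print("self-dealing providers:", self_dealing_providers(EMPLOYEES, PAYMENTS))
    print("shared-credential indicators:", concurrent_sessions(SESSIONS))
```

    Each check reports enough context (account, cases, months, hosts) for an
    investigator to pull the underlying records; none of them decides guilt on
    its own. The address match in the second control stands in for whatever
    household or vendor-ownership data a real agency keeps, and the session
    overlap in the third is only meaningful once accounts are individual, which
    is exactly the step the 1991 evaluation quoted above found missing.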
    



    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 08:44:18 PDT