Information Security News mailing list archives

EPA's Web security still vulnerable to hackers


From: InfoSec News <isn () C4I ORG>
Date: Sun, 13 Aug 2000 05:23:52 -0500

http://news.cnet.com/news/0-1005-200-2497497.html?tag=st.ne.1005.thed.ni

By Erich Luening
Staff Writer, CNET News.com
August 11, 2000, 1:35 p.m. PT

Update: Despite efforts to shore up computer security, the
Environmental Protection Agency is still an open target for hackers,
according to congressional investigators.

A report released today by the General Accounting Office, the
investigative arm of Congress, found that the agency's system
continues to be "riddled with security weaknesses" that could allow
hackers to tamper with data, view sensitive information or attack
other agencies using the EPA system.

In the report, investigators said the EPA failed to notice government
security experts rummaging through its computers. During their tests,
investigators were able to guess passwords, hack into the computer
network, watch unsuspecting people type their passwords, and move
throughout the network unimpeded.

In response to the report, the EPA said in a statement that it "will
continue its efforts into the future to improve computer security, to
take into account emerging technologies."

"The administration is fully committed to the public's right-to-know,
has consistently expanded and defended that right," the EPA's
statement said. "Computer issues should not be used in an effort to
restrict vital information."

The GAO investigated the agency at the request of House Commerce
Committee Chairman Tom Bliley, R-Va., who in August 1999 asked for an
audit of the EPA's system for his review of the computer security
policies and programs of some federal agencies under the committee's
jurisdiction.

Investigators found widespread flaws that rendered the EPA's
information security program ineffective, according to the report.

"The GAO report, coupled with the committee's other recent oversight
in this area, shows that despite the tough rhetoric, the Clinton-Gore
administration's cybersecurity policy amounts to little more than
paper pushing," Bliley said in a statement.

After a preliminary review last February found "serious and pervasive
problems" in the EPA's security system, Bliley said he asked the
agency to take down its computer systems and overhaul its network
security. The EPA complied by shuttering its Internet link temporarily
to make repairs, according to the GAO report.

Since the system was restored, the agency has been beefing up its
computer security measures. Investigators, however, say there is still
work to be done.

"It is unfortunate that years of gross mismanagement at the agency
have left these sensitive systems and data at such serious risk for so
long," Bliley said in a statement. "But it is even more unfortunate
that it took this committee's oversight and public pressure to
motivate the agency to undertake responsible steps to ensure its
computer systems provide adequate protection for sensitive agency
data."

In the report, investigators also expressed concern regarding
weaknesses found during their current assessment that had been
detailed for the agency in 1997 in a report from the EPA's own
inspector general.

The GAO performed its audit at the EPA's headquarters and the National
Computer Center from September 1999 through February 2000.

In late July, Bliley asked the GAO for a similar audit of the Commerce
Department's cybersecurity program. He also recently launched a review
of the Food and Drug Administration's information management policies
and practices, requesting records detailing the agency's computer
security practices and any hacker attacks against it.

ISN is hosted by SecurityFocus.com