Bogus IDs give easy access to CIA, FBI, Pentagon

[William Knowles <wk () C4I ORG>]

http://www.theage.com.au/breaking/0005/25/A17287-2000May25.shtml

[Moderators note: While this is on the razors edge of information
security, It seems appropriate as far as security awareness goes.]


WASHINGTON, May 24 - Using bogus credentials anyone can obtain from a
catalogue or the Internet, armed investigators posing as federal
agents or police officers easily breached security at the Pentagon,
Justice Department, FBI, CIA, State Department and 14 other United
States agencies and two large airports earlier this month.

In one test of security, two investigators from the General Accounting
Office flashing phoney IDs drove a rental van into the courtyard of
the Department of Justice building. The vehicle was not searched or
inspected, according to officials familiar with the investigation.

"A team of undercover agents successfully penetrated (these agencies)
and could have introduced weapons, explosives, chemical-biological
agents, listening devices or other hazardous materials," said Robert
Hast, assistant comptroller general at GAO, in a draft of prepared
testimony obtained by Knight Ridder.

A hearing on the security breaches is set for tomorrow before the
House Judiciary Crime Subcommittee.

Hast, who supervised the security tests at the request of the House
subcommittee, told a closed-door meeting of federal officials
yesterday that GAO employees, including two retired Secret Service
agents, used counterfeit law enforcement IDs - FBI and New York Police
credentials - from sources advertising on the Internet.

"We did not utilise any genuine law enforcement credential," said
Hast. "At least one agent always carried a briefcase or bag. In all
cases, our agents were able to enter the facility by being either
waved around or through a magnetometer, without their person or bag
being screened."

At Washington's Reagan National Airport and the Orlando (Florida)
International Airport, the two GAO investigators had tickets and were
able to obtain boarding passes and firearms permits to carry their
weapons onto flights. Security staffers looked at their fake IDs and
waved the pair through without having their briefcases go through an
X-ray machine.

At the CIA, FBI and the State Department, investigators were allowed
to keep their weapons and unscreened bags but required to have an
escort. At the CIA and FBI, the investigators were able to enter
toilets with their bags, unescorted. At State they ditched their
escort and walked through the building without being challenged.

In five cases, including the Justice Department and the Pentagon, the
investigators were able to reach the suites of offices occupied by the
Cabinet official or agency head.

The security tests followed reports to the House subcommittee alleging
easy access to phoney badges and other credentials on the Internet.
The counterfeit IDs were not even good imitations of the real thing,
said subcommittee chairman Bill McCollum, an Orlando Republican.

The GAO investigation was conducted at a time when security at federal
buildings is coming under increased scrutiny. The State Department has
been criticised for recent breaches that include a missing laptop
computer that contained classified information on nuclear and chemical
weapons.

One security consultant who has worked with the federal government
said he was not surprised by the GAO investigation.

"There is little security consciousness among top officials, and their
budgets scrimp on it," said Neil Livingstone of GlobalOptions, a
Washington, D.C., security consulting firm. "Now with desktop
publishing and colour printers, it's easy to make your own
credentials."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".