Information Security News mailing list archives
USDA Computer Security Draws Scrutiny Of Congress
From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Mar 2001 22:46:31 -0600
http://www.techweb.com/wire/story/reuters-finance/REU20010321S0009

03/21/01, 7:40 p.m. ET
Reuters

WASHINGTON - The investigative arm of Congress said Wednesday it had launched a probe to determine if computer hackers could alter market-sensitive crop data published by the U.S. Agriculture Department.

The USDA issues authoritative monthly estimates of U.S. crops ranging from oranges and peanuts to grain, cotton, and soybeans based on thousands of field samples and interviews with farmers. Billions of dollars in commodities trading can be affected if the USDA says a crop is smaller or larger than expected.

The General Accounting Office began a review of USDA computer security this week at the request of Senate Agriculture Committee leaders, a GAO spokesman said.

Committee chairman Richard Lugar, an Indiana Republican, and the panel's Democratic leader, Tom Harkin of Iowa, asked GAO for "a full review of security standards and practices" at USDA's National Agricultural Statistics Service (NASS).

"The possible consequences to our agricultural market and commodity trading system resulting from a security breach at NASS are potentially enormous," Lugar and Harkin said in a letter to GAO.

NASS Associate Administrator Rich Allen said the agency's computer system defeated past attempts at intrusion. There were numerous checks in place to assure data was authentic, he said, and the most sensitive data was encrypted and stored off the computer system until the day it was needed.

"We have not documented anyone being successful getting into our system through the firewall," Allen said. "We've passed all those tests."

Two USDA computer specialists told Lugar that some NASS managers and technicians blatantly disregarded regulations against relying solely on passwords to block unauthorized access to the computer system and the material in it.

Kirkland Williams and Sylvia Hammond said in a letter that this "small hole" meant an Internet intruder could enter sensitive areas of the NASS system, such as those containing crop measurement data, without being detected.

"The current data that is presently used is not within a protected database system, meaning that with very little skills on the computer side, one could access databases and directly manipulate the data without fear of detection," they said.

A minor alteration of data in key locations "can cause a greater shift in the market," Williams and Hammond added.

But even if a hacker deduced a valid password, Allen said, the intruder still would need "rights" to reach parts of the computer system.

It was "not likely" that hackers could manipulate state-level data without being detected because of auditing and monitoring safeguards, he said.

And at the national level, "forecasts aren't finalized until 1 (o'clock) in the morning" on the day the report is released at 8:30 a.m. Eastern time, Allen said.

"The number does not exist the day before" and USDA keeps purposely separate the pieces of information needed for a forecast until the "lockup" begins.

Under the decades-old lock-up system, analysts inside a sealed suite of rooms tabulate crop information and assess likely crop size. Telephone lines are disconnected and window shades locked in place to prevent premature release of data. No one is allowed to leave the secure area until the report is released. Escorted visitors are asked to surrender cell phones before being admitted through locked doors.

Hammond and Williams said, however, there was no reliable security system in place to prevent use of cellular phones or similar electronic devices inside the "lockup" area.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".