Alert preceded Indian trust hacker breach

[InfoSec News <isn () c4i org>]

http://www.denverpost.com/Stories/0,1002,53%257E342624,00.html

By Bill McAllister 
Denver Post Washington Bureau Chief
Friday, January 18, 2002  

WASHINGTON - Three months before a computer hacker broke into Indian
trust records maintained on a Denver computer system, Interior
Secretary Gale Norton was warned that her department's major computer
system, also based in the Colorado capital, was vulnerable to
outsiders.

That warning, from the General Accounting Office, was greeted by
promises to make quick changes - a promise that one Interior official
has since conceded may have been incorrect.

In recent court testimony, Bob Lamb, who was then an acting assistant
secretary, said he had relied on information from a subordinate who
assured him nothing was wrong with the computer system.

Like the ineffective computer system that maintained the Indian trust
records, Interior's National Business Center in Denver also is
seriously flawed, the GAO told Norton in a report dated July 3. The
report said that the system, which maintains the department's
personnel and payroll records, property records and others financial
accounts, lacked adequate security to prevent outsiders from breaking
into the system and altering records.

"These weaknesses placed sensitive NBC-Denver financial and personnel
information at the risk of disclosure, critical financial operations
at the risk of disruption and assets at the risk of loss," said the
GAO, Congress's investigative agency. In addition, the report noted
the problem could also affect the 30 other government agencies that
the Denver center serves.

Norton

Specially, the GAO said, Denver officials did not have adequate
controls over passwords and user identifications, dial-in access or
had properly configured its network.

In Interior's response, Lamb acknowledged the problems and declared
that the department is moving "aggressively to correct all of the
weaknesses identified." All, he said, would be resolved by Dec. 31.

However, that response apparently did not cover the trust records. In
September, a court-approved computer expert was able to hack into the
Denver-based computer system - which maintains trust records for about
300,000 American Indians - and alter them without detection. That
embarrassing episode is one of the major issues in a contempt of court
trial Norton is currently facing in a Washington court.

The link between the two Denver-based computer systems and their
similar problems was disclosed Thursday by www.Indianz.com., a website
on the Internet that has been closely following the Norton trial.

Computer security has emerged as a key issue for the department and
its employees, many of whose access to the Internet has been removed
by a court order that U.S. District Judge Royce C. Lamberth issued in
the Norton case. Citing the hacker, he told Interior officials to deny
Internet access to any Interior computers that have access to trust
records.

The result has been that many Interior agencies no longer have
websites open to the public, and many agency employees cannot use
e-mail to respond to the public.

The NBC-Denver computer system is directed by Norton's office. It
links the department's 14 bureaus and offices with the computer
mainframes in Colorado. At the time of the GAO report, it said there
about 37,000 users with access to the Denver computers.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.