County cuts off computer network

[InfoSec News <isn () c4i org>]

http://www.chron.com/cs/CDA/story.hts/topstory/1302663

By STEVE BREWER
Houston Chronicle
March 21, 2002

Harris County District Clerk Charles Bacarisse shut down a wireless
computer network in his office this week after officials found it
could be vulnerable to high-tech vandals.

The decision was made Tuesday, after a computer security analyst
demonstrated to Steve Jennings, head of the county's Central
Technology Department, and the Houston Chronicle how the system could
be compromised.

Bacarisse and his staff downplayed the weakness, saying hackers,
terrorists or anyone else intending harm would be detected long before
they could do any damage or use the system illegally.

Stefan Puffer, a computer security analyst, met with Jennings on
Monday and used a laptop computer and a $60 to $75 wireless card to
show him how to tap into Bacarisse's system. Puffer said the
demonstration showed the county's wireless networks are vulnerable to
those with the know-how and the intent to break in.

Bacarisse said their wireless system was being tested at the time and
was not in full use, but he ordered a review of the office's
wireless-security procedures.

He also questioned Puffer's motives, noting that the analyst was a
former employee who quit the office after a short unpleasant tenure,
and he criticized Jennings for not pointing out the problem sooner.

Bacarisse was told about the problem Tuesday, a day after Monday's
demonstration.

"We're glad we found out about this, and we're very concerned about
network security," said Bacarisse. "But my concern was how this was
handled."

Jennings said he was concerned that the system could be accessed from
the outside and that he wanted to learn more about the problem before
alerting Bacarisse.

Leaving the county's wireless systems unprotected from hackers creates
a serious potential for vandalism and more serious problems, Jennings
said.

Jennings and Puffer said someone gaining access to the county's system
could use it as a platform to hack other systems, including those of
government agencies and businesses, leaving few traces of who they
were.

Such acts are of special concern to security experts since the
terrorist attacks of Sept. 11. Puffer and Jennings cited NASA as an
example of a nearby federal agency that could be targeted for hacking.

Once tapped into the county system, a hacker could conceivably send
e-mails appearing to come from county officials that could not be
traced to the true author.

"If you're in electronic systems, there's always a potential for
problems if someone has the time, the tools, the talent and the
intent," said Jennings, who thinks the county should establish a
wireless-technology policy.

Just as worrisome, officials say, is the potential for someone to
crash county computers, re-route printers, change, alter or delete
records, or post illegal material on a network computer server.

That would interfere with taxpayer services, Jennings said.

Computer publications are full of warnings about the wireless systems'
security because they can be compromised so cheaply.

The wireless system used by the county also is popular in homes, and
consumers often install them on their own systems without turning on
built-in security features.

Anyone with a laptop computer can buy a wireless card, slide it into
his or her computer and use software to scan for and capture radio
waves linking computers on a wireless system.

The practice, called "wardriving," is easier if the victim has not
taken the simple step of activating the security features to encrypt
the airwaves.

Essentially, wardrivers use the wireless signals to ride into the
computer network, which is what Puffer did to the one being operated
by Bacarisse's office.

Officials said the security feature on Bacarisse's network was not
enabled because it was only being tested.

Puffer said he noticed he could access the county network in early
March, while using his equipment to scan for such weaknesses
throughout Houston.

He said he found more than 250 ways into systems at businesses, homes,
universities and governments -- something Jennings said proves that
the district clerk's office is not alone in its vulnerability.

Bacarisse's staffers said they were planning to use wireless
technology to connect court clerks in the old Civil Courts Building at
301 Fannin to their larger computer system, which is separate from the
one operated by Jennings' office.

The network had not yet been set up, they said, and neither Puffer nor
anyone else could have done any damage.

Bacarisse's staffers have learned that someone tried to access their
system as early as March 8. The system also alerted them to an
intrusion Monday, the day Puffer did his demonstration. But if Puffer
had tried to alter any programs, they said, security safeguards and
software would have blocked him and alerted them immediately.

Bacarisse said Puffer's demonstration was a "low-level intrusion" and
he and his staff equated it to stumbling around a dark house, knocking
over furniture.

But because the county's main system and the independent one run by
Bacarisse are connected, Puffer was able to show Jennings that he
could get information about the county computer network.

That worried Jennings enough that he ordered his staff to tighten
security between the two systems. He also has plans to spend as much
as $40,000 for other security enhancements.

Bacarisse said his staff found a pornographic picture on one of its
servers Tuesday that he suspected was planted by Puffer. He said he
would refer the incident to the District Attorney's Office.

Puffer, who conceded that he quit his job with the district clerk's
office after a short and stormy tenure, denied installing the picture.  
He said he could prove he had nothing to do with it and welcomed any
investigation.

Bacarisse accused Jennings of giving Puffer information to help him
access the system and hinted that Jennings was trying to use the
demonstration to increase his authority over systems that he didn't
control.

Jennings and Puffer vehemently denied that.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.