Information Security News mailing list archives

GAO hacks Army Corps computer system


From: William Knowles <wk () C4I ORG>
Date: Mon, 16 Oct 2000 02:53:59 -0500

http://www.govexec.com/dailyfed/1000/101300t1.htm

October 13, 2000
By Tanya N. Ballard
tballard () govexec com

The U.S. Army Corps of Engineers' core financial computer system is
full of computer security holes, making sensitive financial data
vulnerable to hackers, a new General Accounting Office study says.

The Corps' key financial system processes military engineering,
construction, civil works and real estate projects. According to GAO,
users with valid access, as well as hackers, could change or alter
information and disclose or destroy sensitive financial data,
including social security numbers and other personal information
stored in the system.

GAO hired a contractor, PricewaterhouseCoopers, to test the system's
vulnerabilities. The firm successfully hacked into the Corps' computer
system and found serious weaknesses, according to the report,
"Financial Management: Significant Weaknesses in Corps of Engineers'
Computer Controls," (GAO-01-89).

Problem areas included: remote access to the Corps' system; users with
access to unauthorized areas; infrequent logging and monitoring of
individuals' access to stored data; and the absence of audit logs to
detect and monitor security violations.

But Russell Fuhrman, acting commander of the Corps, disagreed with
GAO's findings, and said he did not believe his agency had "pervasive
weaknesses" as the report asserted.

"The Corps of Engineers' automated systems are continually being
modernized and security strengthened," Fuhrman said. "We are working
hard to provide the government and our customers with a safe and
secure information system and financial management operating system."

Fuhrman said the release of the report is premature since his agency
has already taken steps to fix many of the problems GAO identified and
because PricewaterhouseCoopers has not yet completed follow-up work
that might show that many of the problems are resolved.

Still, GAO stuck with its original assessment, saying that the Corps'
efforts to correct weaknesses need to be institutionalized as a
continuous program of risk management.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
