Information Security News mailing list archives

Hacker fear scares EPA offline


From: InfoSec News <isn () C4I ORG>
Date: Sun, 11 Feb 2001 01:07:44 -0600

http://www.zdii.com/industry_list.asp?mode=news&doc_id=ZD2440573

By Joel Deane ZDNet News
February 9, 2001 8:33pm

The U.S. Environmental Protection Agency suffered another security
embarrassment Thursday when it shut down its Web site for fear of
computer hacker attacks.

The decision comes just a week after eight major Web sites, including
ZDNet (NYSE: ZDZ), were knocked offline by denial-of-service attacks.
However, the EPA site has been known to be vulnerable to hacker
attacks since at least September 1997.

The EPA said its site will be down for a week or two until an ongoing
security upgrade program is complete.

"The agency has been working with the General Accounting Office (GAO)
and the Office of Inspector General for several months to strengthen
the security of our Web site," the agency said Thursday. "The decision
to temporarily close access to the Web site was made after a meeting
Wednesday with computer security experts."

The experts told EPA officials that recent public attention on the
agency's computer vulnerabilities made the site a likely target for
hackers.

Weaknesses a 'serious threat'

As reported on ZDNet News, the GAO met with EPA officials last
December after it had found the agency's information systems were at
risk. "These weaknesses pose a serious threat to the integrity of the
EPA's information systems; and, if uncorrected, could allow
unauthorized users to take control of the EPA's network operations,"
wrote David McClure, associate director for the GAO's accounting and
information management division, in December.

At the time, the EPA's lax security came in for heavy criticism from
Rep. Thomas J. Bliley Jr., R-Va., chairman of the House Commerce
Committee, who called the situation "unacceptable" in a December 1999
letter to the EPA chief administrator Carol M. Browner.

Bliley also blasted the agency's "poor track record" -- referring to
the fact that in September 1997 the EPA inspector general admitted the
site was vulnerable to hacker attacks and, in December 1998, the EPA
told Congress in its annual report that its information security plans
were "deficient or non-existent."

On Wednesday, Bliley was after the EPA again, re-releasing a scathing
letter he wrote to Browner last year and laying the blame at her feet
for the site's unplugging.

"It is unfortunate that the American people temporarily will not have
access to the important public information contained on the EPA Web
site," Bliley said in a statement. "That sad fact is the fault of no
one other than EPA administrator Carol Browner and her management
team. Had they heeded seven years of warnings by security experts and
performed their duties with even a modicum of responsibility over this
time, last night's shutdown would not have been necessary."

EPA spokesman Dave Cohen said the agency was "saddened" by having to
take the Web site down, noting it is a popular outlet for the public
to access all types of information on air and water pollution in local
communities.

"We were afraid it had become a real target," Cohen said.

ISN is hosted by SecurityFocus.com