Information Security News mailing list archives

Report: Govt. payroll system open to intruders


From: InfoSec News <isn () c4i org>
Date: Thu, 12 Jul 2001 05:22:07 -0500 (CDT)

http://www.usatoday.com/life/cyber/tech/2001-07-10-govt-payroll-computer-security.htm

07/10/2001 

WASHINGTON (AP) - A government payroll computer center in Denver is
fraught with security problems, raising the possibility that criminals
could steal or alter records, congressional investigators said
Tuesday.

The General Accounting Office, the investigative arm of Congress,
faulted the National Business Center for not adequately securing its
computer network, not investigating suspicious access patterns and
having lax physical security.

"The effect of these weaknesses is to place sensitive NBC-Denver
financial and personnel information at risk of unauthorized
disclosure, critical financial operations at risk of disruption, and
assets at risk of loss," the report said.

The center handled more than $12 billion in financial transactions
last year, including payroll checks for more than 200,000 federal
employees. It develops and operates financial systems for more than 30
federal organizations, as well as its parent, the Interior Department.

A deputy to Interior Secretary Gale Norton told investigators he was
thankful for the audit, and promised the problems will be fixed.

Despite security reviews by Interior's own watchdog office in 1997 and
1998, many security problems still exist, congressional investigators
said.

Many of them involved granting too many people access to the most
sensitive programs and networks, even if their job doesn't require
that access level. Investigators also easily guessed passwords and
found ones that had not been changed in three years.

Security experts say computer passwords should be changed frequently
to protect against earlier breaches and disgruntled ex-employees.

Physical security is also a problem, congressional investigators said.
Although a special photo identification is required, many people
entered the building by following a person with an authorized card.
Guards were posted at the entrances, but they failed to check each
person.

People who weren't cleared to enter the building could get in
relatively easily, congressional investigators said, "increasing the
risk that intruders with malicious intent might obtain access to
sensitive computer resources or disrupt operations."

Robert Lamb, an acting assistant secretary at Interior, told
investigators that about half of the recommendations have already been
fulfilled, and the rest will be finished by the end of the year.

Many federal agencies have had trouble keeping computer systems secure
from hackers and criminals.

Earlier this year, the GAO reported that it broke into the Internal
Revenue Service's electronic tax payment system and was able to read
tax returns filed online.

Computer networks at the Department of Veterans Affairs, Environmental
Protection Agency, and the agency that controls Medicare have also
been found to have significant vulnerabilities.




ISN is hosted by SecurityFocus.com