Information Security News mailing list archives
Crop Data Feared Open to Hackers
From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Mar 2001 00:22:44 -0600
http://www.chicagotribune.com/business/businessnews/article/0,2669,SAV-0103210085,FF.html

[My God! The Dukes are going to corner the entire frozen orange juice market! :) - WK]

By Robert Manor
Tribune Staff Writer
March 21, 2001

The federal agency that compiles crop forecasts used by commodity traders suffers from lax computer security, critics say, and government experts plan to investigate whether hackers can obtain vital data before it is released to the public.

The crop estimates prepared by the National Agricultural Statistics Service are supposed to be closely guarded secrets until their release date--otherwise, unscrupulous traders could use the data to profit at the expense of other investors.

But the statistics agency ignores basic computer security measures, according to several employees.

After hearing this month from agency computer technicians worried about security lapses, Sen. Richard Lugar (R-Ind.), chairman of the Senate Agriculture Committee, asked the General Accounting Office to investigate the potential for hacking at the service. The GAO agreed.

"The possible consequences to our agricultural market and commodity trading system resulting from a security breach at NASS are potentially enormous," Lugar said.

In recent months Congress has heard repeated criticism about computer security breaches at the Department of Agriculture, the parent agency of the statistics service.

But security concerns aren't limited to that department--a number of federal systems recently have been compromised.

This month hackers broke into a Navy computer system and stole data about a missile guidance program. The Department of Defense says it is subject to 500,000 hacking attacks a year. And the Environmental Protection Agency took its Web site off-line for a time last year because it was susceptible to hacker assault.

Profitable data

NASS, however, is especially inviting to hackers because the data it compiles, including reports on the size of grain and oilseed crops, can be so valuable to commodity traders.

Advance information that the soybean harvest will be smaller than expected, for instance, easily could translate into million-dollar-plus profits for traders who buy before the agency issues its forecast.

Such trading "wouldn't attract much attention at all," said Dan Basse, executive vice president at Chicago-based research firm AgResource Co.

Officials with the statistics service deny that the agency's computer systems are vulnerable to hacking. But they confirm the accuracy of some statements by employees who point out weaknesses.

For one, the agency relies mainly on passwords to keep out intruders, rather than security software that is harder to breach. Vital data also is left unencrypted for days at a time.

Hackers have tried to enter the computer network, officials said, but they know of none that succeeded. Still, the same officials admit they cannot tell if security has been breached.

"Has it ever happened? I don't know," said Rich Allen, the agency's associate administrator.

Sylvia Hammond, a computer technician at NASS offices in Washington and a 25-year federal worker, said not enough is done to keep out hackers. She contacted Lugar this year.

"We have been reporting security violations since 1998," Hammond said. Months go by without action, she said.

She and Kirk Williams, a computer technician at the agency for eight years, said rudimentary precautions to keep hackers from accessing confidential data are neglected.

They said anyone with a valid password can log on to an agency workstation through the Internet. Some employees who telecommute use this to connect with the agency's internal computer network, they said, although officials deny that such a back door to its internal system exists.

Policy ignored

In any case, agency policy says passwords are not enough protection for its computers. Rather, the policy calls for "advanced authentication in place of static passwords."

Authentication software can detect and exclude someone trying to enter a network using an unapproved Internet service provider to disguise his identity. Or it can exclude someone using a computer not authorized for network access.

NASS officials concede no authentication is required of employees logging in from a remote location, although it has been policy to do so since 1996.

Moreover, Williams and Hammond said once anyone has entered the system, no record is kept of the files they access.

Auditing a computer user's activity is simple and can show whether a network has been hacked. But without comprehensive auditing, intrusion can escape detection.

A successful intruder would gain access to detailed agricultural data.

To prepare crop estimates for rice, cotton and other commodities, service employees in every state interview farmers, tour fields and obtain other information. The data are kept at the agency's offices around the country. In Illinois, data are stored at a Springfield office until sent to Washington to be analyzed and turned into a public report.

The data are not encrypted, Williams said. That means anyone who enters the computer system and obtains a key password could access databases at state offices around the country. Encryption software, cheap and almost impossible to break, would prevent that.

Rich Allen, the No. 2 official at NASS, said the agency does not encrypt crop data because it complicates work.

"The slowness, the overhead you pay for having everything encrypted, is one consideration," he said. "Maybe that will be the next level we will add."

Allen says the agency doesn't require authentication because employees are restricted in what data they can access. Those restrictions would not deter a hacker who obtained the proper password, however.

Security test planned

Among the government computer experts who will look at the agency is Keith Rhodes, chief technologist for the General Accounting Office. Rhodes says he will attempt to hack into the service to identify its computer weak points.

Speaking in general terms, Rhodes said Friday that authentication, auditing and encryption are all key to protecting data and deterring hackers.

"You have to have strong authentication procedures," Rhodes said. "Audit logs [are] the heart of intrusion detection." He said encryption of data is a strong barrier to hackers.

William Hadesty, associate chief information officer for cyber-security for the Department of Agriculture, said budget requests to expand security were rejected.

The agency spent $1.2 billion on information technology last year, but only $12.5 million for computer security. Only a little more than that is budgeted for this year.

Although hacking is an issue at NASS, there are other security concerns about crop forecasts.

The agency's offices undergo a procedure called "lockup" on the day analysts prepare their forecasts for release. Telephone and computer lines are severed and cell phones are banned. Even the windows are covered to prevent someone from signaling an accomplice.

Yet the service acknowledges it is possible for any employee to bring a cell phone into the lockup area, although it is against agency policy.

A security guard asks people entering if they have a cell phone but does not examine purses or briefcases. There is no metal detector.

Allen said there is no defense against a dishonest employee.

"If they are willing to violate basic rules of conduct, why wouldn't they go in on a non-lockup day and store the device somewhere to use later?" he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".