Information Security News mailing list archives

Crop Data Feared Open to Hackers


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Mar 2001 00:22:44 -0600

http://www.chicagotribune.com/business/businessnews/article/0,2669,SAV-0103210085,FF.html

[My God! The Dukes are going to corner the entire frozen orange juice
market! :)  - WK]

By Robert Manor
Tribune Staff Writer
March 21, 2001

The federal agency that compiles crop forecasts used by commodity
traders suffers from lax computer security, critics say, and
government experts plan to investigate whether hackers can obtain
vital data before it is released to the public.

The crop estimates prepared by the National Agricultural Statistics
Service are supposed to be closely guarded secrets until their release
date--otherwise, unscrupulous traders could use the data to profit at
the expense of other investors.

But the statistics agency ignores basic computer security measures,
according to several employees.

After hearing this month from agency computer technicians worried
about security lapses, Sen. Richard Lugar (R-Ind.), chairman of the
Senate Agriculture Committee, asked the General Accounting Office to
investigate the potential for hacking at the service. The GAO agreed.

"The possible consequences to our agricultural market and commodity
trading system resulting from a security breach at NASS are
potentially enormous," Lugar said.

In recent months Congress has heard repeated criticism about computer
security breaches at the Department of Agriculture, the parent agency
of the statistics service. But security concerns aren't limited to
that department--a number of federal systems recently have been
compromised.

This month hackers broke into a Navy computer system and stole data
about a missile guidance program. The Department of Defense says it is
subject to 500,000 hacking attacks a year. And the Environmental
Protection Agency took its Web site off-line for a time last year
because it was susceptible to hacker assault.

Profitable data

NASS, however, is especially inviting to hackers because the data it
compiles, including reports on the size of grain and oilseed crops,
can be so valuable to commodity traders.

Advance information that the soybean harvest will be smaller than
expected, for instance, easily could translate into
million-dollar-plus profits for traders who buy before the agency
issues its forecast. Such trading "wouldn't attract much attention at
all," said Dan Basse, executive vice president at Chicago-based
research firm AgResource Co.

Officials with the statistics service deny that the agency's computer
systems are vulnerable to hacking. But they confirm the accuracy of
some statements by employees who point out weaknesses.

For one, the agency relies mainly on passwords to keep out intruders,
rather than security software that is harder to breach. Vital data
also is left unencrypted for days at a time.

Hackers have tried to enter the computer network, officials said, but
they know of none that succeeded. Still, the same officials admit they
cannot tell if security has been breached.

"Has it ever happened? I don't know," said Rich Allen, the agency's
associate administrator.

Sylvia Hammond, a computer technician at NASS offices in Washington
and a 25-year federal worker, said not enough is done to keep out
hackers. She contacted Lugar this year.

"We have been reporting security violations since 1998," Hammond said.
Months go by without action, she said.

She and Kirk Williams, a computer technician at the agency for eight
years, said rudimentary precautions to keep hackers from accessing
confidential data are neglected.

They said anyone with a valid password can log on to an agency
workstation through the Internet. Some employees who telecommute use
this to connect with the agency's internal computer network, they
said, although officials deny that such a back door to its internal
system exists.

Policy ignored

In any case, agency policy says passwords are not enough protection
for its computers. Rather, the policy calls for "advanced
authentication in place of static passwords."

Authentication software can detect and exclude someone trying to enter
a network using an unapproved Internet service provider to disguise
his identity. Or it can exclude someone using a computer not
authorized for network access.

NASS officials concede no authentication is required of employees
logging in from a remote location, although it has been policy to do
so since 1996.

Moreover, Williams and Hammond said once anyone has entered the
system, no record is kept of the files they access.

Auditing a computer user's activity is simple and can show whether a
network has been hacked. But without comprehensive auditing, intrusion
can escape detection.
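The three controls the article has just described, checking that a remote session comes from an approved network and a registered device rather than relying on a password alone, and keeping an audit trail of file access that can later be reviewed, can be illustrated in a few lines. The following is an added example written for this page; it is not code from NASS, the GAO or the article's author. The policy values (approved networks, registered device names, entitled users, the `/data/crop/` path), the log format and the sample log lines are all constructed for illustration, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example (not from the article): a remote-access policy check plus
an audit-log review that flags the kinds of access the article's policy
is meant to catch. All names, networks, devices and log lines are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Hypothetical policy values (assumptions, not agency configuration).
APPROVED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
REGISTERED_DEVICES = {"ws-il-07", "ws-dc-12"}
SENSITIVE_PREFIX = "/data/crop/"           # where unreleased estimates live
ENTITLED_USERS = {"analyst1", "analyst2"}  # who may read them before release


@dataclass
class AccessEvent:
    ts: str         # ISO-8601 timestamp
    user: str       # account that authenticated
    source_ip: str  # address the session came from
    device_id: str  # identifier presented by the connecting machine
    path: str       # file or database touched


def audit_line(ev: AccessEvent) -> str:
    """Render one access event as a single audit-log line."""
    return f"{ev.ts} user={ev.user} src={ev.source_ip} dev={ev.device_id} path={ev.path}"


def parse_audit_line(line: str) -> AccessEvent:
    """Inverse of audit_line: rebuild the event from a stored log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return AccessEvent(ts, fields["user"], fields["src"], fields["dev"], fields["path"])


def check_event(ev: AccessEvent) -> List[str]:
    """Return every policy rule the event violates (empty list if none).

    The first two checks are the "advanced authentication" the article
    describes: a valid password from an unapproved network or an
    unregistered machine is still refused. The third is the data-level
    restriction that officials say employees are subject to.
    """
    problems = []
    addr = ip_address(ev.source_ip)
    if not any(addr in net for net in APPROVED_NETWORKS):
        problems.append("source network not approved")
    if ev.device_id not in REGISTERED_DEVICES:
        problems.append("device not registered")
    if ev.path.startswith(SENSITIVE_PREFIX) and ev.user not in ENTITLED_USERS:
        problems.append("user not entitled to crop data")
    return problems


def review_audit_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Replay a stored audit log and report every line that breaks policy.

    This is the after-the-fact detection that is impossible when, as the
    article's technicians describe, no record of file access is kept.
    """
    findings = []
    for line in lines:
        problems = check_event(parse_audit_line(line))
        if problems:
            findings.append((line, problems))
    return findings


# Constructed sample log: two normal sessions, one from an unknown laptop
# on an unapproved network, and one by an account with no entitlement.
SAMPLE_LOG = [
    "2001-03-20T08:01:12Z user=analyst1 src=203.0.113.17 dev=ws-dc-12 path=/data/crop/soy_estimate.db",
    "2001-03-20T08:05:40Z user=analyst2 src=198.51.100.8 dev=ws-il-07 path=/data/crop/corn_estimate.db",
    "2001-03-20T22:47:03Z user=analyst1 src=192.0.2.55 dev=laptop-unknown path=/data/crop/soy_estimate.db",
    "2001-03-20T23:02:19Z user=clerk9 src=203.0.113.40 dev=ws-dc-12 path=/data/crop/soy_estimate.db",
]

if __name__ == "__main__":
    for line, problems in review_audit_log(SAMPLE_LOG):
        print(line)
        for p in problems:
            print("  -", p)
```

Run as a script, the review prints the two offending lines with their reasons; the third sample line trips both authentication checks even though the account and password were valid, which is the gap the article's policy on static passwords is about, and the fourth is only visible at all because a per-file audit record exists.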

A successful intruder would gain access to detailed agricultural data.
To prepare crop estimates for rice, cotton and other commodities,
service employees in every state interview farmers, tour fields and
obtain other information.

The data are kept at the agency's offices around the country. In
Illinois, data are stored at a Springfield office until sent to
Washington to be analyzed and turned into a public report.

The data are not encrypted, Williams said. That means anyone who
enters the computer system and obtains a key password could access
databases at state offices around the country. Encryption software,
cheap and almost impossible to break, would prevent that.

Rich Allen, the No. 2 official at NASS, said the agency does not
encrypt crop data because it complicates work.

"The slowness, the overhead you pay for having everything encrypted,
is one consideration," he said. "Maybe that will be the next level we
will add."

Allen says the agency doesn't require authentication because employees
are restricted in what data they can access. Those restrictions would
not deter a hacker who obtained the proper password, however.

Security test planned

Among the government computer experts who will look at the agency is
Keith Rhodes, chief technologist for the General Accounting Office.
Rhodes says he will attempt to hack into the service to identify its
computer weak points.

Speaking in general terms, Rhodes said Friday that authentication,
auditing and encryption are all key to protecting data and deterring
hackers.

"You have to have strong authentication procedures," Rhodes said.
"Audit logs [are] the heart of intrusion detection." He said
encryption of data is a strong barrier to hackers.

William Hadesty, associate chief information officer for
cyber-security for the Department of Agriculture, said budget requests
to expand security were rejected. The agency spent $1.2 billion on
information technology last year, but only $12.5 million for computer
security. Only a little more than that is budgeted for this year.

Although hacking is an issue at NASS, there are other security
concerns about crop forecasts. The agency's offices undergo a
procedure called "lockup" on the day analysts prepare their forecasts
for release. Telephone and computer lines are severed and cell phones
are banned. Even the windows are covered to prevent someone from
signaling an accomplice.

Yet the service acknowledges it is possible for any employee to bring
a cell phone into the lockup area, although it is against agency
policy. A security guard asks people entering if they have a cell
phone but does not examine purses or briefcases. There is no metal
detector.

Allen said there is no defense against a dishonest employee.

"If they are willing to violate basic rules of conduct, why wouldn't
they go in on a non-lockup day and store the device somewhere to use
later?" he said.

ISN is hosted by SecurityFocus.com