Information Security News mailing list archives

USDA Computer Security Draws Scrutiny Of Congress


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Mar 2001 22:46:31 -0600

http://www.techweb.com/wire/story/reuters-finance/REU20010321S0009

03/21/01, 7:40 p.m. ET
Reuters

WASHINGTON - The investigative arm of Congress said Wednesday it had
launched a probe to determine if computer hackers could alter
market-sensitive crop data published by the U.S. Agriculture
Department.

The USDA issues authoritative monthly estimates of U.S. crops ranging
from oranges and peanuts to grain, cotton, and soybeans based on
thousands of field samples and interviews with farmers.

Billions of dollars in commodities trading can be affected if the USDA
says a crop is smaller or larger than expected.

The General Accounting Office began a review of USDA computer security
this week at the request of Senate Agriculture Committee leaders, a
GAO spokesman said.

Committee chairman Richard Lugar, an Indiana Republican, and the
panel's Democratic leader, Tom Harkin of Iowa, asked GAO for "a full
review of security standards and practices" at USDA's National
Agricultural Statistics Service (NASS).

"The possible consequences to our agricultural market and commodity
trading system resulting from a security breach at NASS are
potentially enormous," Lugar and Harkin said in a letter to GAO.

NASS Associate Administrator Rich Allen said the agency's computer
system defeated past attempts at intrusion.

There were numerous checks in place to assure data was authentic, he
said, and the most sensitive data was encrypted and stored off the
computer system until the day it was needed.

"We have not documented anyone being successful getting into our
system through the firewall," Allen said. "We've passed all those
tests."

Two USDA computer specialists told Lugar that some NASS managers and
technicians blatantly disregarded regulations against relying solely
on passwords to block unauthorized access to the computer system and
the material in it.

Kirkland Williams and Sylvia Hammond said in a letter that this "small
hole" meant an Internet intruder could enter sensitive areas of the
NASS system, such as those containing crop measurement data, without
being detected.

"The current data that is presently used is not within a protected
database system, meaning that with very little skills on the computer
side, one could access databases and directly manipulate the data
without fear of detection," they said.

A minor alteration of data in key locations "can cause a greater shift
in the market," Williams and Hammond added.

But even if a hacker deduced a valid password, Allen said, the
intruder still would need "rights" to reach parts of the computer
system.

It was "not likely" that hackers could manipulate state-level data
without being detected because of auditing and monitoring safeguards,
he said.

And at the national level, "forecasts aren't finalized until 1
(o'clock) in the morning" on the day the report is released at 8:30
a.m. Eastern time, Allen said. "The number does not exist the day
before" and USDA keeps purposely separate the pieces of information
needed for a forecast until the "lockup" begins.

Under the decades-old lock-up system, analysts inside a sealed suite
of rooms tabulate crop information and assess likely crop size.
Telephone lines are disconnected and window shades locked in place to
prevent premature release of data.

No one is allowed to leave the secure area until the report is
released. Escorted visitors are asked to surrender cell phones before
being admitted through locked doors.

Hammond and Williams said, however, there was no reliable security
system in place to prevent use of cellular phones or similar
electronic devices inside the "lockup" area.

ISN is hosted by SecurityFocus.com