Sleuths Invade Military PCs With Ease

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A24191-2002Aug15.html

By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01 

SAN DIEGO, Aug. 15 -- Security consultants entered scores of 
confidential military and government computers without approval this 
summer, exposing vulnerabilities that specialists say open the 
networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available 
software, identified unprotected PCs and then roamed at will through 
sensitive files containing military procedures, personnel records and 
financial data.

One computer at Fort Hood in Texas held a copy of an air support 
squadron's "smart book" that details radio encryption techniques, the 
use of laser targeting systems and other field procedures. Another 
maintained hundreds of personnel records containing Social Security 
numbers, security clearance levels and credit card numbers. A NASA 
computer contained vendor records, including company bank account and 
financial routing numbers.

Available on other machines across the country were e-mail messages, 
confidential disciplinary letters and, in one case, a memo naming 
couriers to carry secret documents and their destinations, according 
to records maintained by ForensicTec Solutions Inc., the 
four-month-old security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible 
military computers about two months ago, when they were checking 
network security for a private-sector client. They saw several of the 
computers' online identifiers, known as Internet protocol addresses. 
Through a simple Internet search, they found the computers were linked 
to networks at Fort Hood.

Former employees of a private investigation firm -- and relative 
newcomers to the security field -- the ForensicTec consultants said 
they continued examining the system because they were curious, as well 
as appalled by the ease of access. They made their findings public, 
said ForensicTec President Brett O'Keeffe, because they hoped to help 
the government identify the problem -- and to "get some positive 
exposure" for their company.

"We were shocked and almost scared by how easy it was to get in," 
O'Keeffe said. "It's like coming across the Pentagon and seeing a door 
open with no one guarding it."

In response to an inquiry by The Washington Post, military 
investigators this week confirmed some of the intrusions at Fort Hood, 
saying they were made into occurred on PCs containing unclassified 
information. Senior officials said they are preparing an Army-wide 
directive requiring all shared computer files containing sensitive 
information to be password-protected. Sensitive information includes 
such items as Social Security numbers, confidential plans and so on, 
officials said.

The Army has never before focused so intently on the security of 
desktop computers containing unclassified data, but it is doing so now 
because so many more machines are linked to vulnerable networks, 
officials said. These systems are not as strictly secured because they 
are not supposed to contain or communicate any classified material. 
More secure networks are typically not linked to the Internet and 
employ much more stringent safeguards, including procedures to 
authenticate the identities of computer users.

"Everything is connected," said Col. Thaddeus Dmuchowski, director of 
information assurance for the Army. "Our 'defense in-depth' has to go 
down to the individual computer."

ForensicTec's electronic forays show that the government continues to 
struggle with how to close off systems to prying eyes -- including 
terrorists and foreign agents -- after a presidential directive last 
fall making cybersecurity a national priority.

That struggle was underscored by a General Accounting Office report 
last month that concluded the government wasn't doing an adequate job 
coordinating efforts to protect its online systems. Next month, the 
White House's new Critical Infrastructure Protection Board will 
release a sweeping national plan intended to bolster computer 
security.

None of the material made available by ForensicTec appears to be 
classified. But government and private specialists said that such open 
systems pose a threat because compromised machines may contain 
passwords, operational plans or easy pathways to more sensitive 
networks. 

They also could be used to mount an electronic attack anonymously or 
to gather enormous amounts of unclassified information to gain insight 
about what an agency or military unit is privately contemplating, 
specialists said.

"If you had an organized spy effort, that would be the real concern," 
Richard M. Smith, an Internet security consultant based in Cambridge, 
Mass., said of ForensicTec's findings. "This is a widespread problem."

Kevin Poulsen, another security specialist, worries that an intruder 
could place onto an unsecured network malicious software such as a 
virus, worm or Trojan horse program that could wind up on 
more-sensitive networks as desktop machines migrate from one place to 
another. 

"The government is now lagging behind the sophisticated Internet 
users, when they should be leading," said Poulsen, editorial director 
of SecurityFocus, a Web site devoted to such matters.

A spokesman for the Pentagon agency responsible for computer network 
defense said he could not discuss the ForensicTec activity because the 
vulnerabilities are under investigation. Maj. Barry Venable, a 
spokesman for the U.S. Space Command, said the military takes 
seriously all such intrusions, even if the system entered does not 
cotain classified data. He said hackers rarely gain control of 
military computers.

"Even one successful intrusion or instance of unauthorized activity is 
too many," he said. "The services and DOD agencies are working hard to 
educate their computer users and administrators to practice and 
implement proper computer security practices and procedures in a very 
dynamic information environment."

The issue of computer security has become more pressing in recent 
years as vastly more computers and networks have been linked to the 
Internet. Many public and private computers still have not been 
properly configured to block outsiders, and security components of 
operating software often are left set on the lowest default level to 
ease installation.

Even though it's a felony under U.S. law to enter a computer without 
authorization, the number of intrusions has skyrocketed, according to 
data collected by the CERT Coordination Center at Carnegie Mellon 
University. The number of incidents reported to CERT -- the leading 
clearinghouse of information about intrusions, viruses and computer 
crimes -- increased from 406 in 1991 to almost 53,000 last year.

Howard Schmidt, vice chairman of the White House Critical 
Infrastructure Protection Board, said officials have been 
crisscrossing the country to push for better practices. But he 
acknowledged that many individuals still don't take rudimentary 
precautions, such as adopting passwords more complex than "password" 
or a pet's name. And system administrators often do not fix known 
flaws with widely available software "patches."

Schmidt said the board's strategy, to be announced next month, will 
provide clearer guidance about how to achieve better security for 
government agencies and businesses alike. A crucial element will be to 
encourage people to follow through on existing rules and procedures.

"This reinforces to us that there's still a lot of work to be done," 
he said of the ForensicTec findings. "It's more than technology. . . . 
It's people not following the rules, people not following the 
policies."

The GAO report last month said the "risks associated with our nation's 
reliance on interconnected computer systems are substantial and 
varied," echoing a series of earlier reports chronicling the 
government's inability to secure its computers.

"By launching attacks across a span of communications systems and 
computers, attackers can effectively disguise their identity, location 
and intent," it said. "Such attacks could severely disrupt 
computer-supported operations, compromise confidentiality of sensitive 
information and diminish the integrity of critical data."

ForensicTec consultants said it wasn't hard to probe the systems. They 
employed readily available software tools that scan entire networks 
and issue reports about linked computers. The scans showed that scores 
of machines were configured to share files with anyone who knew where 
to look. The reports also contained people's names and revealed that 
many of the computers required no passwords for access, or relied on 
easily crackable passwords such as "administrator."

The consultants said they identified other Internet addresses during 
their exploration of Fort Hood, including those for machines at the 
National Aeronautics and Space Administration, the DOD Network 
Information Center, the Department of Energy and other state and 
federal facilities. Scans of those systems yielded similar results: 
hundreds of virtually unprotected computer files.

O'Keeffe, the company president, said his consultants concluded that 
they had tripped across a serious problem.

"If we can do this, other governments' intelligence agencies, hackers, 
criminals and what have you can do it, too," he said, adding that he 
hopes to help the government by bringing the vulnerabilities to light. 
"We could have easily walked away from it."

The material they saw ranged from poetry and drafts of personal 
letters to spreadsheets containing personal and financial information 
about soldiers. 

A couple of memos to members of a squadron at Fort Hood included the 
location of several safes and the inventory of one: secret operations 
information on hard drives, floppy disks and CDs.

Another memo designated a courier -- by name, rank and Social Security 
number -- who would "be hand-carrying classified information" to Fort 
Irwin Army Installation in California, apparently from February to 
June.

The consultants also obtained access to spreadsheets and e-mail 
messages at NASA containing details about vendor relationships, 
account numbers and other matters. NASA spokesman Brian Dunbar said he 
could not confirm the provenance of the information obtained by 
ForensicTec. But he said the agency was investigating its claims of 
vulnerability in accounting-related computers.

"We will investigate what's going on here," he said. "If this 
information is in the clear, it poses a risk to these companies and we 
need to get it fixed."

Steven Aftergood, a research analyst and government information 
specialist, said that much of the data the consultants came across is, 
by itself, "of limited sensitivity." But the easy access to government 
machines represents a substantial security challenge, at a time when 
military, government and business officials rely on computer networks 
more than ever.

"It's a qualitatively new kind of vulnerability that the government 
has not quite come to terms with yet," said Aftergood, a senior 
research analyst at the Federation of American Scientists. "And it is 
a vulnerability that will increase in severity if the government 
doesn't do something about it."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.