Information Security News mailing list archives

RE: Sleuths Invade Military PCs With Ease


From: InfoSec News <isn () c4i org>
Date: Tue, 20 Aug 2002 07:43:11 -0500 (CDT)

Forwarded from: "Huggins, Michael" <mhhuggins () firstcommand com>

I do have a problem with this type of activity.  We are supposed to be
ethical and abide by standards; when a certified professional violates
those standards, their certification should and ought to be revoked.
There is no excuse for unsolicited scanning or penetration.

Michael H. Huggins
CISSP CTOC USN (ret)
First Command Information
Security Manager
817 569 2435


-----Original Message-----
From: InfoSec News [mailto:isn () c4i org] 
Sent: Friday, August 16, 2002 1:33 AM
To: isn () attrition org
Subject: [ISN] Sleuths Invade Military PCs With Ease 


Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A24191-2002Aug15.html

By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01 

SAN DIEGO, Aug. 15 -- Security consultants entered scores of 
confidential military and government computers without approval this 
summer, exposing vulnerabilities that specialists say open the 
networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available 
software, identified unprotected PCs and then roamed at will through 
sensitive files containing military procedures, personnel records and 
financial data.

One computer at Fort Hood in Texas held a copy of an air support 
squadron's "smart book" that details radio encryption techniques, the 
use of laser targeting systems and other field procedures. Another 
maintained hundreds of personnel records containing Social Security 
numbers, security clearance levels and credit card numbers. A NASA 
computer contained vendor records, including company bank account and 
financial routing numbers.

Available on other machines across the country were e-mail messages, 
confidential disciplinary letters and, in one case, a memo naming 
couriers to carry secret documents and their destinations, according 
to records maintained by ForensicTec Solutions Inc., the 
four-month-old security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible 
military computers about two months ago, when they were checking 
network security for a private-sector client. They saw several of the 
computers' online identifiers, known as Internet protocol addresses. 
Through a simple Internet search, they found the computers were linked 
to networks at Fort Hood.

Former employees of a private investigation firm -- and relative 
newcomers to the security field -- the ForensicTec consultants said 
they continued examining the system because they were curious, as well 
as appalled by the ease of access. They made their findings public, 
said ForensicTec President Brett O'Keeffe, because they hoped to help 
the government identify the problem -- and to "get some positive 
exposure" for their company.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

