County vulnerable to hackers

[InfoSec News <isn () c4i org>]

http://www.dailymail.com/news/News/2002122342/

Kris Wise
Daily Mail staff 
<kriswise () dailymail com>
December 23, 2002

A review of computer security in Kanawha County's courthouse has found
county financial records, voters' registration information and other
confidential computer documents could be vulnerable to hackers.

The county's Web site and wireless network had to be shut down today
in an effort to prevent potential attacks on the system, County
Commissioner Kent Carper said.

County Manager Dan Blue last week hired Terradon Corp. to conduct a
review of the county's computer network and its security system.

A security engineer hacked into the county commission's network within
an hour and a half, sent employees an e-mail that appeared to be from
Carper, directed staff members to issue a check for $75 million and
created a county file that warned officials he "owned the network."

Terradon's engineer hacked into the system from his laptop while
parked in a vehicle outside the courthouse. He then sent fictitious
e-mails and directives while sitting between two state troopers in the
courthouse lobby, County Manager Allen Bleigh said.

"He did it very easily without anyone having any idea he was doing
this," Bleigh said.

The county's wireless network allows county employees to enter
information into the system from laptops and cell phones. Though only
3 percent of information is entered through the wireless system, it is
"an open door" to all county records, Bleigh said.

"It was a terrific error in judgment to set the system up this way,"  
Carper said. "You would never go off and leave financial records
unlocked at night and that's essentially what we have done. There are
all kinds of people out there who are very skilled and knowledgeable.  
I'm going to assume someone else has done this or could easily do
this."

Carper notified fellow commissioners and elected officials last week
to warn them that a security breach was possible and to get permission
to tap into certain records. Initial concerns were that people could
erase or change financial records, change registration for voters, put
a virus in the system or gain access to criminal records,
commissioners said.

Terradon's engineers still are working to see what information would
have been vulnerable if the system still were operating with the
wireless network. Law enforcement records, criminal records and grand
jury information kept by the Sheriff's Department and Prosecutor's
Office are stored in another protected system and were not included in
the test, Carper said.

Commission President Dave Hardy said the most substantial security
risk for the county was that individuals could have used the county's
system as a platform to break into other systems or host their own Web
site.

"My biggest concern is how a hacker could mask his own identity
through our system," Hardy said. "It's very hard to get someone
in-house to do this kind of (security) work for what governments can
pay. It's something all agencies need to take a look at."

County systems administrator Dennis Wyer said the wireless network was
established to allow employees to enter information into the county
system during meetings or court proceedings.

Today's shutdown of the Web site and network will prevent any
unauthorized person from gaining access to the system until further
security measures are in place, Wyer said.

The county had planned to buy more than $500,000 of new financial
software in the coming year. Commissioners will discuss at the Jan. 16
meeting whether to buy additional computer security equipment or to
extend a contract with the computer-engineering firm to conduct
security audits.

The network that stores records for the commission, the County Clerk's
Office and the Assessor's Office also has no warning system to alert
administrators of an attempted security breach.

Last week's review found there had been recent attempts to hack into
county clerk's records.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.