Information Security News mailing list archives

U.S. Agency's Computers Didn't Protect Indian Fund


From: InfoSec News <isn () c4i org>
Date: Wed, 27 Feb 2002 02:19:38 -0600 (CST)

Forwarded from: Elyn Wollensky <elyn () consect com>

http://www.nytimes.com/2002/02/26/technology/26INDI.html

February 26, 2002
By JOHN MARKOFF

Instructed by a federal district judge to determine whether the
computer network at the Bureau of Indian Affairs was secure from
malicious intruders, Alan Balaran decided to infiltrate it.

He did this not once, but three times, and determined among other
things that skilled hackers would be able to bilk Indian funds in
trust at the bureau by having checks sent to themselves.

First Mr. Balaran went to a bureau building in Virginia, walked in
through a loading platform and asked directions to the computing nerve
center, where he plucked from a shredder a lengthy printout of data on
some of the trust fund accounts that the agency manages for half a
million Indians. Nobody stopped him.

Then he hired a team of hackers to break into the bureau's computers,
using commonly available software.

Finally, after the bureau complained that the computer assault had
been unfair because it relied on inside knowledge of the agency's
network, Mr. Balaran's team broke in again, without such help, even
setting up a trust fund account in his name.

Mr. Balaran is no computer rogue. He is a Washington lawyer appointed
as a special master by the federal judge, Royce C. Lamberth, who,
hearing the largest class-action suit ever filed by Indians, has
already determined that for more than a century the government has
mismanaged accounts held in trust for them. Judge Lamberth, who sits
in Washington, will now determine whether the government should be
held in contempt for failure to abide by past orders to repair its
work.

Mr. Balaran, appointed by the judge in 2000 to oversee a variety of
issues related to the suit, began looking into computer security at
the bureau early last year. The effort intensified when a group of
plaintiffs discovered, in the April 2001 issue of Government Executive
magazine, an interview in which the agency's chief information
officer, Dominic Nessi, confessed that its systems were vulnerable to
hacking.

"For all practical purposes, we have no security," Mr. Nessi said in
that interview.

Computer security experts say that although the problems at the bureau
are particularly striking, they are not isolated. Many federal
agencies are vulnerable, they say, despite years of public concern.

Mr. Balaran declined to comment publicly on his investigation, citing
his continuing role in the court case. But the report on what he
found, filed with the court in November, is a litany of security
lapses stemming from what the report portrays as official neglect for
over a decade.

A spokesman for the Interior Department, parent of the Bureau of
Indian Affairs, defended the bureau's computer security efforts,
saying it had tried to deal with vulnerabilities long before the
report. "I don't propose to defend all of the shortcomings," said the
spokesman, John Wright. But "it's not like they didn't try to fix the
problems. There were a number of attempts. We were led to believe" by
consultants that the bureau's systems worked, "and they didn't work."

Mr. Balaran's infiltration began last February, when, accompanied by a
Justice Department lawyer, he drove to the bureau's supposedly secure
data processing center in Reston, Va. After Mr. Balaran asked his
companion to remove his tie so as to attract less attention, they
entered the building from the loading dock. Although they wore no
badges, they were able to walk past a guard at the entrance - twice,
simply to make the point - without being questioned.

Once inside and searching for the secure computing area responsible
for processing and storing data related to Indian trust funds, Mr.
Balaran asked directions from a passer-by. He was escorted to the
computing room on the second floor. There he was able to walk to a
shredder and pick up a voluminous computer printout with detailed
information about trust funds - money controlled by the government for
the benefit of Indians whose property, descended from a system of
tribal ownership and managed by Washington, is generally leased to
oil, gas or timber companies.

Mr. Balaran filed a report in March alerting the court to the break-in
and the outcome, and then struck again a few months later. He hired
Predictive Systems Inc., a computer security company based in New York,
to perform a "pen test" - industry jargon for any electronic effort to
penetrate the defenses of a computer system. When the Predictive
Systems team examined the bureau's network, it was immediately
apparent that it would be possible to gain access to sensitive data
via the Internet using readily available software tools.

Once the company penetrated the network and reported its findings to
Mr. Balaran, the bureau protested the results, saying that the pen
test ordinarily would have failed but that the Predictive Systems
penetration team, as part of the exercise, had had detailed
information about the agency's network.

So Mr. Balaran asked the company on Aug. 30 to attack the agency's
computers again. This time he authorized the consultants to create a
trust account in his name.

In October, Predictive Systems supplied a report reiterating its
findings that the bureau's computer systems were vulnerable to attack.
In the second test, conducted without any prior reference material,
the consultants used a completely different computer network to gain
access.

As instructed, they also set up an account in Mr. Balaran's name.
Since the attack took place during the middle of the trust fund
billing cycle, no check was issued. But Mr. Balaran said the group had
proved to his satisfaction that it would be possible to send money to
any address.

After reading Mr. Balaran's report, Judge Lamberth forced the entire
Interior Department in December to shut down virtually all its
computer systems, since access to the systems of the Indian affairs
bureau could be gained through the systems of other Interior agencies.
This month, with Mr. Balaran's oversight and the help of Predictive
Systems, the department finally began restoring the interrupted
operations, among other things sending checks to thousands of Indians
to whom trust-fund payments had been suspended as a result of the
shutdown.

Mr. Wright, the Interior Department spokesman, says that 52 percent of
the department's systems are now back online and that Interior is
working with Mr. Balaran, system by system, to return to complete
operation. He could not say when that would be.

Mr. Balaran's report noted that there had been at least four earlier
ones indicating computer security weaknesses at the bureau. Those
warnings date from 1989, when the accounting firm of Arthur Andersen
first raised concerns.

Most recently, in late 1999, Mr. Nessi, then special adviser to the
assistant interior secretary for Indian affairs, commissioned such a
report from SeNet International, a computer security company. The
evaluation, completed in the spring of 2000, cost nearly $1 million
and identified hundreds of weaknesses.

But Mr. Balaran noted in his report that when he interviewed Mr. Nessi
in June of last year, he discovered that the SeNet report had been
read by neither Mr. Nessi nor any other Indian affairs official.

Mr. Balaran's report quoted Mr. Nessi as saying, "You know, with all
the duties that I have, I would not be able to get to each of them."

Reached last night at his Virginia home, Mr. Nessi, who now has
another job at Interior, said he had in fact read part of the report
and in any case had been briefed by SeNet on all of it. He said he had
spent his time at the bureau trying to address the very problems Mr.
Balaran ultimately identified.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.