Information Security News mailing list archives

Man indicted in alleged hacking of county's system


From: InfoSec News <isn () c4i org>
Date: Mon, 29 Jul 2002 03:31:15 -0500 (CDT)

http://www.chron.com/cs/CDA/story.hts/tech/news/1507766

By ROSANNA RUIZ
July 24, 2002

A Houston man who once showed a Harris County official how easy it was
for an outsider to access a county computer system was accused by a
federal grand jury Wednesday of doing just that.

Stefan Puffer, 33, was indicted on two counts of fraud for allegedly
hacking into the county district clerk's wireless computer system that
has been taken out of operation because of its vulnerability.

Puffer is accused of accessing the system March 8, costing the county
$5,000 to clean up after the alleged breach.

Puffer, a computer security analyst who worked briefly for the
county's technology department in 1999, could get five years in prison
and a $250,000 fine on each count if he's convicted. Puffer declined
to comment Wednesday and referred questions to his attorney, who was
not available.

District Clerk Charles Bacarisse said no files were compromised, but
the county had to shut down the wireless system about a month after it
was set up.

The county, he said, had intended to use the wireless service to
connect personal computers used by court clerks at the Civil Courts
Building, 301 Fannin, to their network. The old courthouse can no
longer sustain more computer lines, he said.

"I'm hopeful we can determine an appropriate way to secure that system
well enough to use wireless service," Bacarisse said.

On March 18, Puffer showed a county official and a Chronicle reporter
how he was able to use his laptop computer and a $60 to $75 wireless
card to tap into the clerk's system.

In a Chronicle article about the demonstration, Puffer said he noticed
he could access the county network in early March, when he scanned for
weaknesses throughout Houston.

He said he could also access numerous home, government, university and
business computer systems.

The article quoted Bacarisse as saying his staff was alerted when
someone tried to access the system March 8. He also characterized
Puffer's demonstration as a "low-level intrusion" that did no
permanent damage.

As for Puffer's March 18 demonstration, Bacarisse said Wednesday,
"Normally you secure a contract with an entity before you hack into a
system, if that's what you're saying your expertise is."

County Attorney Mike Stafford said he will resume his investigation
into whether the security breach was corrected as promptly as county
officials learned of it and the origin of a pornographic picture found
on the clerk's office server in March.



-
ISN is currently hosted by Attrition.org
