From: InfoSec News (isn_at_c4i.org)
Date: Fri Aug 16 2002 - 01:33:22 CDT
Forwarded from: William Knowles <wkc4i.org>
By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01
SAN DIEGO, Aug. 15 -- Security consultants entered scores of
confidential military and government computers without approval this
summer, exposing vulnerabilities that specialists say open the
networks to electronic attacks and spying.
The consultants, inexperienced but armed with free, widely available
software, identified unprotected PCs and then roamed at will through
sensitive files containing military procedures, personnel records and
One computer at Fort Hood in Texas held a copy of an air support
squadron's "smart book" that details radio encryption techniques, the
use of laser targeting systems and other field procedures. Another
maintained hundreds of personnel records containing Social Security
numbers, security clearance levels and credit card numbers. A NASA
computer contained vendor records, including company bank account and
financial routing numbers.
Available on other machines across the country were e-mail messages,
confidential disciplinary letters and, in one case, a memo naming
couriers to carry secret documents and their destinations, according
to records maintained by ForensicTec Solutions Inc., the
four-month-old security company that discovered the lapses.
ForensicTec officials said they first stumbled upon the accessible
military computers about two months ago, when they were checking
network security for a private-sector client. They saw several of the
computers' online identifiers, known as Internet protocol addresses.
Through a simple Internet search, they found the computers were linked
to networks at Fort Hood.
Former employees of a private investigation firm -- and relative
newcomers to the security field -- the ForensicTec consultants said
they continued examining the system because they were curious, as well
as appalled by the ease of access. They made their findings public,
said ForensicTec President Brett O'Keeffe, because they hoped to help
the government identify the problem -- and to "get some positive
exposure" for their company.
"We were shocked and almost scared by how easy it was to get in,"
O'Keeffe said. "It's like coming across the Pentagon and seeing a door
open with no one guarding it."
In response to an inquiry by The Washington Post, military
investigators this week confirmed some of the intrusions at Fort Hood,
saying they occurred on PCs containing unclassified
information. Senior officials said they are preparing an Army-wide
directive requiring all shared computer files containing sensitive
information to be password-protected. Sensitive information includes
such items as Social Security numbers, confidential plans and so on,
The Army has never before focused so intently on the security of
desktop computers containing unclassified data, but it is doing so now
because so many more machines are linked to vulnerable networks,
officials said. These systems are not as strictly secured because they
are not supposed to contain or communicate any classified material.
More secure networks are typically not linked to the Internet and
employ much more stringent safeguards, including procedures to
authenticate the identities of computer users.
"Everything is connected," said Col. Thaddeus Dmuchowski, director of
information assurance for the Army. "Our 'defense in-depth' has to go
down to the individual computer."
ForensicTec's electronic forays show that the government continues to
struggle with how to close off systems to prying eyes -- including
terrorists and foreign agents -- after a presidential directive last
fall making cybersecurity a national priority.
That struggle was underscored by a General Accounting Office report
last month that concluded the government wasn't doing an adequate job
coordinating efforts to protect its online systems. Next month, the
White House's new Critical Infrastructure Protection Board will
release a sweeping national plan intended to bolster computer
None of the material made available by ForensicTec appears to be
classified. But government and private specialists said that such open
systems pose a threat because compromised machines may contain
passwords, operational plans or easy pathways to more sensitive
They also could be used to mount an electronic attack anonymously or
to gather enormous amounts of unclassified information to gain insight
about what an agency or military unit is privately contemplating,
"If you had an organized spy effort, that would be the real concern,"
Richard M. Smith, an Internet security consultant based in Cambridge,
Mass., said of ForensicTec's findings. "This is a widespread problem."
Kevin Poulsen, another security specialist, worries that an intruder
could place onto an unsecured network malicious software such as a
virus, worm or Trojan horse program that could wind up on
more-sensitive networks as desktop machines migrate from one place to
"The government is now lagging behind the sophisticated Internet
users, when they should be leading," said Poulsen, editorial director
of SecurityFocus, a Web site devoted to such matters.
A spokesman for the Pentagon agency responsible for computer network
defense said he could not discuss the ForensicTec activity because the
vulnerabilities are under investigation. Maj. Barry Venable, a
spokesman for the U.S. Space Command, said the military takes
seriously all such intrusions, even if the system entered does not
contain classified data. He said hackers rarely gain control of
"Even one successful intrusion or instance of unauthorized activity is
too many," he said. "The services and DOD agencies are working hard to
educate their computer users and administrators to practice and
implement proper computer security practices and procedures in a very
dynamic information environment."
The issue of computer security has become more pressing in recent
years as vastly more computers and networks have been linked to the
Internet. Many public and private computers still have not been
properly configured to block outsiders, and security components of
operating software often are left set on the lowest default level to
Even though it's a felony under U.S. law to enter a computer without
authorization, the number of intrusions has skyrocketed, according to
data collected by the CERT Coordination Center at Carnegie Mellon
University. The number of incidents reported to CERT -- the leading
clearinghouse of information about intrusions, viruses and computer
crimes -- increased from 406 in 1991 to almost 53,000 last year.
Howard Schmidt, vice chairman of the White House Critical
Infrastructure Protection Board, said officials have been
crisscrossing the country to push for better practices. But he
acknowledged that many individuals still don't take rudimentary
precautions, such as adopting passwords more complex than "password"
or a pet's name. And system administrators often do not fix known
flaws with widely available software "patches."
Schmidt said the board's strategy, to be announced next month, will
provide clearer guidance about how to achieve better security for
government agencies and businesses alike. A crucial element will be to
encourage people to follow through on existing rules and procedures.
"This reinforces to us that there's still a lot of work to be done,"
he said of the ForensicTec findings. "It's more than technology. . . .
It's people not following the rules, people not following the
The GAO report last month said the "risks associated with our nation's
reliance on interconnected computer systems are substantial and
varied," echoing a series of earlier reports chronicling the
government's inability to secure its computers.
"By launching attacks across a span of communications systems and
computers, attackers can effectively disguise their identity, location
and intent," it said. "Such attacks could severely disrupt
computer-supported operations, compromise confidentiality of sensitive
information and diminish the integrity of critical data."
ForensicTec consultants said it wasn't hard to probe the systems. They
employed readily available software tools that scan entire networks
and issue reports about linked computers. The scans showed that scores
of machines were configured to share files with anyone who knew where
to look. The reports also contained people's names and revealed that
many of the computers required no passwords for access, or relied on
easily crackable passwords such as "administrator."
The consultants said they identified other Internet addresses during
their exploration of Fort Hood, including those for machines at the
National Aeronautics and Space Administration, the DOD Network
Information Center, the Department of Energy and other state and
federal facilities. Scans of those systems yielded similar results:
hundreds of virtually unprotected computer files.
O'Keeffe, the company president, said his consultants concluded that
they had tripped across a serious problem.
"If we can do this, other governments' intelligence agencies, hackers,
criminals and what have you can do it, too," he said, adding that he
hopes to help the government by bringing the vulnerabilities to light.
"We could have easily walked away from it."
The material they saw ranged from poetry and drafts of personal
letters to spreadsheets containing personal and financial information
A couple of memos to members of a squadron at Fort Hood included the
location of several safes and the inventory of one: secret operations
information on hard drives, floppy disks and CDs.
Another memo designated a courier -- by name, rank and Social Security
number -- who would "be hand-carrying classified information" to Fort
Irwin Army Installation in California, apparently from February to
The consultants also obtained access to spreadsheets and e-mail
messages at NASA containing details about vendor relationships,
account numbers and other matters. NASA spokesman Brian Dunbar said he
could not confirm the provenance of the information obtained by
ForensicTec. But he said the agency was investigating its claims of
vulnerability in accounting-related computers.
"We will investigate what's going on here," he said. "If this
information is in the clear, it poses a risk to these companies and we
need to get it fixed."
Steven Aftergood, a research analyst and government information
specialist, said that much of the data the consultants came across is,
by itself, "of limited sensitivity." But the easy access to government
machines represents a substantial security challenge, at a time when
military, government and business officials rely on computer networks
more than ever.
"It's a qualitatively new kind of vulnerability that the government
has not quite come to terms with yet," said Aftergood, a senior
research analyst at the Federation of American Scientists. "And it is
a vulnerability that will increase in severity if the government
doesn't do something about it."
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
ISN is currently hosted by Attrition.org