From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jan 10 2007 - 00:12:00 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.latimes.com/news/local/la-me-trafficlights9jan09,0,7005703.story?coll=la-home-local

By Sharon Bernstein and Andrew Blankstein
Times Staff Writers
January 9, 2007

Back in August, the union representing the city's traffic engineers
vowed that on the day of their work action, "Los Angeles is not going to
be a fun place to drive."

City officials took the threat seriously.

Fearful that the strikers could wreak havoc on the surface street
system, they temporarily blocked all engineers from access to the
computer that controls traffic signals.

But officials now allege that two engineers, Kartik Patel and Gabriel
Murillo, figured out how to hack in anyway. With a few clicks on a
laptop computer, the pair one a renowned traffic engineer profiled in
the national media, the other a computer whiz who helped build the
system allegedly tied up traffic at four intersections for several days.

Both men pleaded not guilty Monday morning to felony charges stemming
from the case, and Murillo's lawyer said his client meant no harm when
he signed on to the system that day.

But authorities say the pair picked their targets with care
intersections they knew would cause significant backups because they
were close to freeways and major destinations.

They didn't shut the lights off, city transportation sources said.
Rather, the engineers allegedly programmed them so that red lights would
be extremely long on the most congested approaches to the intersections,
causing gridlock for several days starting Aug. 21, they said.

Cars backed up at Los Angeles International Airport, at a key
intersection in Studio City, onto the clogged Glendale Freeway and
throughout the streets of Little Tokyo and the L.A. Civic Center.

The engineers' arrests last Friday point up the vulnerability of L.A.'s
complex traffic control system.

City leaders said Monday they also underscore the delicate balance that
employers must strike in a highly technical environment in which workers
must be trusted enough to have access to important systems.

Some officials Monday called for an immediate review of ways to tighten
security of the computer system, which manages 3,200 of the city's 4,300
traffic signals.

"The issue here was public safety," Councilwoman Wendy Greuel said.
"What if there had been a major accident and we were not able to control
the lights while the officers were on their way?"

Details of the case emerged Monday in interviews and court documents.

After access to the system was cut off for all but top managers, Murillo
signed in as one of them, according to the criminal complaint. Murillo
had helped design the nationally recognized system.

By signing in, the engineers allegedly obtained the codes needed to
unblock the computers that control traffic lights throughout the city.
Soon, the lights at those four intersections were reprogrammed with a
code that prevented city officials from fixing them.

"The red signal would be on too long for the critical approach and the
green signal would be on too long for the noncritical approach, thus
resulting in long backups into the airport and other key intersections
around the city," said one source in the traffic department, who spoke
on condition of anonymity.

Murillo was charged with two felonies: one count of identity theft and
one of unauthorized access to a city computer. Patel was charged with
five felonies: one count of unauthorized access to a city computer and
four of unauthorized disruption or denial of computer services.

Los Angeles County Superior Court Commissioner Catherine J. Pratt
released the men on their own recognizance on the condition that they do
not access city computers or set foot on Department of Transportation
property without their attorneys.

If convicted on all charges, the pair could face several years in state
prison, although authorities said that is unlikely because they have no
criminal records.

Murillo's lawyer, James Blatt, said that his client was on paternity
leave when the incident took place and did not receive an e-mail
indicating that access to the traffic signal control center would be
blocked during the strike.

He said Murillo didn't mean to do anything wrong.

"The issue in the case is Mr. Murillo's intent when he logged into the
system," Blatt said. "Mr. Murillo has been an engineer there [at the
Department of Transportation] for 17 years. He's highly regarded and
respected by management and employees. It was not his intent to
jeopardize the system or the citizens of Los Angeles."

Alan Eisner, who is representing Patel, said his client "unequivocally
denies the charges against him and specifically denies illegally
accessing or disrupting the [computerized traffic light] system. Mr.
Patel has been an employee of the Department of Transportation for more
than 12 years and has an outstanding work history. He and his family are
traumatized by the allegations, and he looks forward to responding to
the allegations in court."

After the arraignment Monday, city employees filled the hallway outside
the courtroom, creating an impromptu receiving line as they filed past
the defendants and their families. Officials from their union were not
in court and did not return calls seeking comment.

In deciding how to handle security in the future, the city faces a
difficult choice: set up systems that could impede the smooth
functioning of its crucial traffic control efforts, or do nothing and
risk another hacking incident.

Clifford Neuman, a computer security expert and the director of the USC
Center for Computer Systems Security, said there are two primary ways to
design computers to guard against malicious activity by insiders, but
each can interfere with employees' ability to do their tasks and would
probably be prohibitively expensive for the city.

Copyright 2007 Los Angeles Times

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]