WASHINGTON (ZDNet By: Brock Meeks 5.19.98) - Computers at the State
Department containing sensitive, but unclassified, information were
routinely "hacked" and found vulnerable to outside intrusion according
to a government study obtained by MSNBC.
A similar government report exposes critical weaknesses in the Federal
Aviation Administration's air traffic control system computers that
could jeopardize the flying public's safety, according to the report
obtained by MSNBC.
The reports are scheduled to be made public Tuesday during a Senate
panel hearing on the issue of government computer security.
More bad news: the computer break-ins at the State Department were
done by rank amateurs; auditors from the General Accounting Office,
which conducted the studies, were trained to use common hacking tools
downloaded from the Internet, according to a congressional staffer for
Sen. Fred Thompson (R-Tenn.), who requested the studies from the GAO
and whose governmental affairs committee will hold the hearings
Tuesday.
According to the State Department study, "Computer Security:
Pervasive, Serious Weaknesses Jeopardizes State Department
Operations," the department's computer systems are "vulnerable
to access, change, disclosure, disruption or even denial of
service by unauthorized individuals."
The newly minted GAO hackers found they could gain access to the most
critical functions of the computer system the "system administrator"
or "root" access that allowed them to "download, delete, and modify
these data, add new data, shut down servers, and monitor network
traffic. Worse: the hacking attempts "went largely undetected,"
the report says.
A State Department spokesman said no comment would be available
until the department had a chance to read the official report.
The report obtained by MSNBC notes that the State Department has
read a classified version and is implementing steps "beginning
to address the lack of a central focus for computer security"
and is correcting weaknesses highlighted in the report.
Exploitation at State
The GAO said that "individuals or organizations seeking to damage
State operations, commit terrorism, or obtain financial gain could
possibly exploit the department's" computer security flaws, including
disruption of diplomatic negotiations and agreements.
Deletion or alteration of data in States' computers "could enable
dangerous individuals to enter the United States," the report says.
And confidential background material, gathered on potential employees
being considered for security clearances, are kept on State's
unclassified network.
The computer attacks were first cleared with top State department
officials; GAO hackers operated under strict "rules of engagement"
that included no hacking attempts on classified State computer
systems.
GAO also found that the human element was a big security risk, as
well. Unlocked work areas were accessed because no one asked for
identification. Computer terminals in these unlocked areas were
found logged in and ready to use, GAO said. In one instance the
user ID and password were taped to the computer terminal.
The report found no central office inside State to deal with
computer security issues, with such duties having become
"fragmented" among three offices. The State Department's own
Internet risk analysis, quoted in the report, admits "it is
extremely difficult to detect when information is lost,
misdirected, intercepted or spoofed."
The State Department did get high marks for its Internet security.
Though the GAO team tried to gain access to internal State networks by
"going through and around State's Internet gateways or exploiting
information servers from the outside via the Internet, we were not
able to gain access," the report says. The GAO hackers made their
successful intrusions on regular dial up modem lines, right into
the State department network itself, bypassing the Internet.
Failure at the FAA
Failure to adequately protect the nation's air traffic control
computer systems, as well as the buildings that house them, "could
cause nationwide disruption of air traffic or even loss of life due
to collisions," says the GAO report "Air Traffic Control: Weak
Computer Security Practices Jeopardize Flight Safety."
The GAO team studying the FAA said the agency "is ineffective in all
critical areas included in our computer security review-facilities
physical security, operational systems information security, future
systems modernization security and management structure and policy
implementation."
The report found 13 physical security weaknesses at just one aircraft
controlling facility last year. The FAA is unaware of similar concerns
among its other 187 similar aircraft controlling facilities because
the agency hasn't conducted a risk assessment of those operations
since 1993, the study said.
Further, only 3 of 90 air traffic control computer systems has had a
risk assessment done to ferret out vulnerabilities, the report said.
Without knowing if the others are vulnerable, said the GAO, the agency
"cannot adequately protect them."
In addition, only one of the nine crucial air traffic control
telecommunications networks has been analyzed, according to the
report.
The FAA did not return calls for comment; however, the report notes
that the agency didn't agree with all its findings. The FAA disagreed
that its management of computer security is inappropriate or that ATC
systems "are vulnerable to the point of jeopardizing flight safety."
The GAO report says it doesn't agree with the FAA's "alternative
interpretations" of its findings.
The FAA has "for years" known that its vulnerabilities could
"jeopardize, and have already jeopardized, flight safety," the
report says. In a classified version of the FAA report, the GAO
says it detailed those instances were FAA vulnerabilities put
the public at risk.
In a parting shot, the report notes that the FAA has "invested
billions of dollars in failed efforts to modernize its ATC
systems while critical security vulnerabilities went uncorrected."
==
There's a compelling reason to master information & news.
Clearly there will be better job and financial opportunites.
Other high stakes will be missed by people if they don't
master and connect information. -- Everette Dennis
==
http://www.dis.org/erehwon/
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed May 20 08:33:47 1998