[ISN] Internal study at Department of Energy finds huge lapses

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 30 May 1998 - 13:32:43 CDT
Forwarded From: Kjell Wooding <kwooding@codetalker.com>
http://www.codetalker.com/


http://www.msnbc.com:80/news/168969.asp
               
Internal study at Department of Energy finds huge lapses
                                                           
By Brock N. Meeks
MSNBC
               
WASHINGTON, May 30 - An internal review of unclassified computer
systems throughout all major Department of Energy facilities found
serious security lapses, including the presence of classified and
sensitive nuclear weapons information on systems open to anyone with
an Internet connection. MSNBC has learned the study has prompted
administrators to scramble to implement a time-consuming
"contamination clean-up," to remove classified information from
Net-accessible computers.

"VIRTUALLY ANYONE on the Internet," using readily obtainable
hacking tools, could gain access to "at a minimum, password files
and, more disconcerting, classified and sensitive data," the report
says. Worse, it adds, "hackers can and have compromised DOE
systems."

"The Department of Energy takes the report very seriously," said
Larry Altenburg, a member of DOE's Critical Infrastructure
Protection Task Force in the Office of Nonproliferation and National
Security. "As the oversight office noted, our sites have acted on
issues raised by the interim report," he said.

The report covers 64,000 unclassified department computer systems,
1,400 of which are accessible to anyone on the Internet. The final
review, due in October, will have reviewed double that number of
publicly available systems, the official said.

The measured tone of the report belies its conclusions.  The Los
Alamos National Laboratory alone, charged with safekeeping
America's nuclear weapons stockpile, has had 15 security breaches
since November.

MSNBC has learned one of those incidents, involving the transfer of
classified information via the Internet, is now under investigation by
the FBI. "These findings raised quite a few eyebrows in the
department," said one DOE computer administrator, who spoke on
condition of anonymity.

"The DOE has concerns about our ability to protect classified
information. We're not doing that very well at all," said Stan
Busboom, Security and Safeguards Division director at Los Alamos
National Laboratory in the lab's May 13 newsletter.

HACKER'S PLAYGROUND 

The main problem involves computer systems that allow anonymous public
access for file transfers. The report found that security measures
weren't adequate to protect files stored on those systems. Some
systems were found to be susceptible to being used as covert hacker
"drop off" sites for storing illegal software.

"Once a server is used for this purpose, it is often referenced in a
'pirate list' ... distributed through the Internet
'underground,' " the report says. It also notes that the security
evaluation team found such illegal software at one DOE site.

Many of the systems weren't configured properly, allowing anonymous
users to alter information, if they wanted to. In addition, department
investigators were able to access personal directories of DOE
employees in which they found "sensitive working documents, e-mail,
passwords and other potentially sensitive information that could be
downloaded."

                         
EXTREME OPEN ACCESS

                                
One of the "most significant" problems the report cites is the lack of
an effective way to ensure that classified and sensitive information
is not placed on department unclassified systems. "In many cases, the
computer system users have no controls and little training as to what
can and cannot be placed on a particular system," the report says.

At one site, department investigators found what appeared to be
"highly sensitive information" available for downloading. After an
internal review by the department's Office of Declassification, it was
determined that one of the documents was classified and should never
have been publicly available. In all cases where sensitive or
classified information was found, the systems have since been
modified, the report says, so that the documents are no longer
publicly accessible.

The report notes that "unclassified controlled nuclear information"
was found available to the public, including "documents providing
detailed descriptions (hundreds of pages) of a facility containing
special nuclear material, including building configurations, process
descriptions, and routes by which materials are moved."

System password files were downloaded and "cracked, granting full
access to user files and programs," the report says. In addition,
e-mail passwords were compromised, "some of which allowed interactive
access to large e-mail servers where user data directories were
available for downloading."

The password file violations were especially troubling to
investigators, who noted that by using the compromised accounts "an
intruder could migrate through the network and obtain sensitive
information."

ALL WE KNOW IS WE DON'T KNOW

An interim report, published in March, was issued despite the fact that
the review was only 50 percent complete because the security
vulnerabilities were so great, the report says.

Lists of "vulnerable" computers have been provided to each department
site reviewed so that corrective measures can be implemented, the
report says.  "How, when, how often, or by whom these vulnerabilities
and data may have already been exploited via the worldwide Internet
can only be conjectured," the report's conclusion says.  Although the
DOE investigators operated under self-imposed constraints (they didn't
alter files, for example), "it is unknown what malicious activities may
have already occurred in terms of the observed vulnerabilities," the
report says.

--

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun May 31 10:50:02 1998