From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Sat, 17 Aug 2002 18:13:45 -0700 (PDT)
Subject: [iwar] Sleuths Invade Military PCs With Ease (fwd)
Message-Id: <200208180113.g7I1Dki22049@red.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Reply-To: iwar@yahoogroups.com
Organization: I'm not allowed to say
X-Mailer: don't even ask

* subscribe at http://techPolice.com

© 2002 The Washington Post Company
washingtonpost.com

Sleuths Invade Military PCs With Ease
By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01

SAN DIEGO, Aug. 15 -- Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

One computer at Fort Hood in Texas held a copy of an air support squadron's "smart book" that details radio encryption techniques, the use of laser targeting systems and other field procedures. Another maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers.

Available on other machines across the country were e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations, according to records maintained by ForensicTec Solutions Inc., the four-month-old security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers' online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm -- and relative newcomers to the security field -- the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access. They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.

"We were shocked and almost scared by how easy it was to get in," O'Keeffe said. "It's like coming across the Pentagon and seeing a door open with no one guarding it."

In response to an inquiry by The Washington Post, military investigators this week confirmed some of the intrusions at Fort Hood, saying they occurred on PCs containing unclassified information. Senior officials said they are preparing an Army-wide directive requiring all shared computer files containing sensitive information to be password-protected. Sensitive information includes such items as Social Security numbers, confidential plans and so on, officials said.

The Army has never before focused so intently on the security of desktop computers containing unclassified data, but it is doing so now because so many more machines are linked to vulnerable networks, officials said. These systems are not as strictly secured because they are not supposed to contain or communicate any classified material. More secure networks are typically not linked to the Internet and employ much more stringent safeguards, including procedures to authenticate the identities of computer users.

"Everything is connected," said Col. Thaddeus Dmuchowski, director of information assurance for the Army. "Our 'defense in-depth' has to go down to the individual computer."

ForensicTec's electronic forays show that the government continues to struggle with how to close off systems to prying eyes -- including terrorists and foreign agents -- after a presidential directive last fall making cybersecurity a national priority.

That struggle was underscored by a General Accounting Office report last month that concluded the government wasn't doing an adequate job coordinating efforts to protect its online systems. Next month, the White House's new Critical Infrastructure Protection Board will release a sweeping national plan intended to bolster computer security.

None of the material made available by ForensicTec appears to be classified. But government and private specialists said that such open systems pose a threat because compromised machines may contain passwords, operational plans or easy pathways to more sensitive networks.

They also could be used to mount an electronic attack anonymously or to gather enormous amounts of unclassified information to gain insight about what an agency or military unit is privately contemplating, specialists said.

"If you had an organized spy effort, that would be the real concern," Richard M. Smith, an Internet security consultant based in Cambridge, Mass., said of ForensicTec's findings. "This is a widespread problem."

Kevin Poulsen, another security specialist, worries that an intruder could place onto an unsecured network malicious software such as a virus, worm or Trojan horse program that could wind up on more-sensitive networks as desktop machines migrate from one place to another.

"The government is now lagging behind the sophisticated Internet users, when they should be leading," said Poulsen, editorial director of SecurityFocus, a Web site devoted to such matters.

A spokesman for the Pentagon agency responsible for computer network defense said he could not discuss the ForensicTec activity because the vulnerabilities are under investigation. Maj. Barry Venable, a spokesman for the U.S. Space Command, said the military takes seriously all such intrusions, even if the system entered does not contain classified data. He said hackers rarely gain control of military computers.

"Even one successful intrusion or instance of unauthorized activity is too many," he said. "The services and DOD agencies are working hard to educate their computer users and administrators to practice and implement proper computer security practices and procedures in a very dynamic information environment."

The issue of computer security has become more pressing in recent years as vastly more computers and networks have been linked to the Internet. Many public and private computers still have not been properly configured to block outsiders, and security components of operating software often are left set on the lowest default level to ease installation.

Even though it's a felony under U.S. law to enter a computer without authorization, the number of intrusions has skyrocketed, according to data collected by the CERT Coordination Center at Carnegie Mellon University. The number of incidents reported to CERT -- the leading clearinghouse of information about intrusions, viruses and computer crimes -- increased from 406 in 1991 to almost 53,000 last year.

Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, said officials have been crisscrossing the country to push for better practices. But he acknowledged that many individuals still don't take rudimentary precautions, such as adopting passwords more complex than "password" or a pet's name. And system administrators often do not fix known flaws with widely available software "patches."

Schmidt said the board's strategy, to be announced next month, will provide clearer guidance about how to achieve better security for government agencies and businesses alike. A crucial element will be to encourage people to follow through on existing rules and procedures.

"This reinforces to us that there's still a lot of work to be done," he said of the ForensicTec findings. "It's more than technology. . . . It's people not following the rules, people not following the policies."

The GAO report last month said the "risks associated with our nation's reliance on interconnected computer systems are substantial and varied," echoing a series of earlier reports chronicling the government's inability to secure its computers.

"By launching attacks across a span of communications systems and computers, attackers can effectively disguise their identity, location and intent," it said. "Such attacks could severely disrupt computer-supported operations, compromise confidentiality of sensitive information and diminish the integrity of critical data."

ForensicTec consultants said it wasn't hard to probe the systems. They employed readily available software tools that scan entire networks and issue reports about linked computers. The scans showed that scores of machines were configured to share files with anyone who knew where to look. The reports also contained people's names and revealed that many of the computers required no passwords for access, or relied on easily crackable passwords such as "administrator."

The consultants said they identified other Internet addresses during their exploration of Fort Hood, including those for machines at the National Aeronautics and Space Administration, the DOD Network Information Center, the Department of Energy and other state and federal facilities. Scans of those systems yielded similar results: hundreds of virtually unprotected computer files.

O'Keeffe, the company president, said his consultants concluded that they had tripped across a serious problem.

"If we can do this, other governments' intelligence agencies, hackers, criminals and what have you can do it, too," he said, adding that he hopes to help the government by bringing the vulnerabilities to light. "We could have easily walked away from it."

The material they saw ranged from poetry and drafts of personal letters to spreadsheets containing personal and financial information about soldiers. A couple of memos to members of a squadron at Fort Hood included the location of several safes and the inventory of one: secret operations information on hard drives, floppy disks and CDs.

Another memo designated a courier -- by name, rank and Social Security number -- who would "be hand-carrying classified information" to Fort Irwin Army Installation in California, apparently from February to June.

The consultants also obtained access to spreadsheets and e-mail messages at NASA containing details about vendor relationships, account numbers and other matters. NASA spokesman Brian Dunbar said he could not confirm the provenance of the information obtained by ForensicTec. But he said the agency was investigating its claims of vulnerability in accounting-related computers.

"We will investigate what's going on here," he said. "If this information is in the clear, it poses a risk to these companies and we need to get it fixed."

Steven Aftergood, a research analyst and government information specialist, said that much of the data the consultants came across is, by itself, "of limited sensitivity." But the easy access to government machines represents a substantial security challenge, at a time when military, government and business officials rely on computer networks more than ever.

"It's a qualitatively new kind of vulnerability that the government has not quite come to terms with yet," said Aftergood, a senior research analyst at the Federation of American Scientists. "And it is a vulnerability that will increase in severity if the government doesn't do something about it."

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT