[iwar] [fc:Key.U.S..Computer.Systems.Called.Vulnerable.to]

From: Fred Cohen (fc@all.net)
Date: 2001-09-27 15:29:07



Key U.S. Computer Systems Called Vulnerable to
By Robert O'Harrow Jr.,
Washington Post Staff Writer
Thursday, September 27, 2001; 7:58 AM

As the Bush administration prepares to fight terrorism abroad, it faces
a long-standing vulnerability at home: a persistent lack of security for
computer systems at the Defense Department, the Federal Aviation
Administration and other key government offices. 

Despite repeated warnings about the threat foreign governments,
terrorists and hackers pose, at least 24 federal agencies have failed to
adopt effective security to protect their computers and networks from
attacks over the Internet, according to government reports, computer
experts and former intelligence officials. 

Many agencies still do not use passwords properly, some cannot detect
intruders, and government systems overall are so porous, specialists
say, that hackers can use even an innocuous agency's network to breach
other, more sensitive systems via the Internet. 

Chinese hackers, angered by the death of a Chinese pilot in a collision
with an American spy plane, were able to deface several government Web
sites in April.  In a case last year, a computer virus breached Defense
Department security, damaging some computers and infecting some
classified systems. 

With the number and sophistication of computer attacks rising, "a clear
risk exists that terrorists or hostile foreign states could launch
computer-based attacks on systems supporting critical infrastructures to
severely damage or disrupt national defense or vital public operations
or steal sensitive data," the General Accounting Office concluded this
spring. 

Robert Dacey, director of information security issues at the GAO, told
Congress in April that major agencies' systems "are riddled with
weaknesses" that "place a broad array of federal operations and assets
at risk of fraud, misuse and disruptions."

The National Security Agency, the supersecret electronic spy agency that
also protects U.S. codes, has warned that foreign governments have
already developed ways to attack U.S. computer systems. 

Officials worry about attacks involving computer viruses that might
disrupt communications, destroy sensitive information or disable such
sensitive operations as the FAA flight control system or those that
support Pentagon war efforts. 

Bush administration officials said they recognize the exposure and plan
to issue an executive order in the next few weeks to create an office of
cyber-security in the National Security Council office in the White
House to deal with it.  Yesterday, an FBI official told a House
subcommittee that the bureau and other agencies are working on the
problem. 

The problem extends beyond the government.  Many businesses also have
failed to make security a priority in recent years and have suffered the
same sorts of disruptions.  Security specialists warn that power grids,
banking networks and other key private computer systems could be
targeted. 

Previous initiatives to defend government computers have foundered, in
some cases because of budget troubles or bureaucratic squabbling. 

The National Infrastructure Protection Center, set up at the FBI in 1998
to detect and help prevent cyber-threats, didn't have enough specialists
to staff a 24-hour unit to monitor the Internet, in part because of FBI
budget restraints, another GAO report found.  And the CIA and National
Security Agency left key posts at the center vacant for more than a
year. 

A Defense Department plan to protect its sprawling global computer
systems, promised after audits found glaring security weaknesses, missed
its own deadlines because the agency didn't hire enough managers to run
the initiative, the GAO found. 

"It leaves us all very vulnerable, and nobody has been paying
attention," said Sallie McDonald, the assistant commissioner of the
Office of Information Assurance and Critical Infrastructure Protection
at the General Services Administration.  "It's not just hackers that we
have to be worried about.  It's nation states."

A senior FBI official said that "while government systems have
vulnerabilities which are being exploited, the agencies are working
extremely hard to formulate and implement policies to reduce those
risks."

The number of attacks has soared in recent years.  Three years ago, the
Federal Computer Incident Response Center counted 376 incidents affecting
2,732 federal systems and 86 military systems.  Last year, the number of
incidents reported was 586, involving 575,568 federal systems and 148
military systems. 

In July, for example, the "Code Red" computer worm infected thousands of
government computers.  The White House had to change its Web site
address to avoid the worm and the Pentagon temporarily blocked access to
some areas of its public Web site while it installed protective
software. 

A few months earlier, the Chinese hackers invaded government and
business Web sites -- including those run by the Navy and the departments
of Labor and Health and Human Services.  Last year, an attack program
called "ILOVEYOU" penetrated systems at the Defense Department, the CIA
and at least a dozen other agencies, as well as an array of private
companies such as AT&T and Ford. 

The vast majority of incidents are never reported, however, in part
because some agencies sometimes cannot detect when a hacker has gained
access to their files, officials said. 

Last year, Congress mandated better security procedures, including a
requirement that agencies give the Office of Management and Budget
reports detailing assessments of computer security, starting this fall. 

Frank Cilluffo, a senior policy analyst at the Center for Strategic and
International Studies, a policy think tank, said security will not
improve until the government better coordinates and funds its efforts. 

"There's been a whole lot of talk and not a lot of action. . . .
There's no accountability," he said, adding that policymakers have never
had to confront a security breach even close to the severity of the
attacks on Sept. 11.  "There's no one pulling all these pieces
together."

He added: "This is an issue that hasn't been in the mainstream.  Now
it's something that decision-makers, policymakers and others have to act
upon."

Among the 24 agencies cited by inspectors general and the GAO for
serious security gaps are the departments of Justice, State and the
Treasury and the Nuclear Regulatory Commission.  Problems include:

* U.S. Army Corps of Engineers systems had "serious vulnerabilities"
that would allow both hackers and numerous legitimate users "to
improperly modify, inappropriately disclose and/or destroy sensitive and
financial data," according to a GAO report in October.  The weaknesses
increase the vulnerability of other Defense Department networks and
systems to which the Corps's network is linked, it added. 

* The FAA has routinely failed to secure physical access to its computer
systems in recent years, and in several cases it failed to conduct
background checks on auditors who have access to sensitive information. 
"FAA's efforts to prevent unauthorized access to data are inadequate in
all critical areas we reviewed -- personnel security, facility physical
security, system access security," the GAO reported last September. 

"Until FAA addresses the pervasive weaknesses in its computer security
program, its critical information systems will remain at increased risk
of intrusion and attack, and its aviation operations will remain at
risk," Joel C. Willemssen of the GAO told the House Committee on
Science. 

* The Environmental Protection Agency continues to have "pervasive
problems that essentially rendered EPA's agency-wide information
security program ineffective," according to a July 2000 GAO report. 
About the same time, hackers used an EPA site as a chat room to conduct
electronic conversations.  Officials said the EPA has been making
efforts to bolster security, but problems remain. 

* Auditors examining seven Commerce Department systems broke through
security using the Internet and were in a position to "read, copy,
modify, and delete sensitive economic, financial, personnel, and
confidential business data."

One of the problems, investigators said, was that network users could
gain extraordinary access to certain department databases simply by
logging on as a systems administrator.  No password was necessary. 
