Security consultants entered scores of confidential
military and government computers without approval this summer, exposing
vulnerabilities that specialists say open the networks to electronic attacks and
spying.
The consultants, inexperienced but armed with free, widely available software,
identified unprotected PCs and then roamed at will through sensitive files
containing military procedures, personnel records and financial data.
One computer at Fort Hood in Texas held a copy of an air support squadron's
"smart book" that details radio encryption techniques, the use of laser
targeting systems and other field procedures. Another maintained hundreds of
personnel records containing Social Security numbers, security clearance levels
and credit card numbers. A NASA computer contained vendor records, including
company bank account and financial routing numbers.
Available on other machines across the country were e-mail messages,
confidential disciplinary letters and, in one case, a memo naming couriers to
carry secret documents and their destinations, according to records maintained
by ForensicTec Solutions Inc., the four-month-old security company that
discovered the lapses.
ForensicTec officials said they first stumbled upon the accessible military
computers about two months ago, when they were checking network security for a
private-sector client. They saw several of the computers' online identifiers,
known as Internet protocol addresses. Through a simple Internet search, they
found the computers were linked to networks at Fort Hood.
Former employees of a private investigation firm -- and relative newcomers to
the security field -- the ForensicTec consultants said they continued examining
the system because they were curious, as well as appalled by the ease of access.
They made their findings public, said ForensicTec President Brett O'Keeffe,
because they hoped to help the government identify the problem -- and to "get
some positive exposure" for their company.
"We were shocked and almost scared by how easy it was to get in," O'Keeffe said.
"It's like coming across the Pentagon and seeing a door open with no one
guarding it."
In response to an inquiry by The Washington Post, military investigators this
week confirmed some of the intrusions at Fort Hood, saying they occurred on
PCs containing unclassified information. Senior officials said they are
preparing an Army-wide directive requiring all shared computer files containing
sensitive information to be password-protected. Sensitive information includes
such items as Social Security numbers, confidential plans and so on, officials
said.
The Army has never before focused so intently on the security of desktop
computers containing unclassified data, but it is doing so now because so many
more machines are linked to vulnerable networks, officials said. These systems
are not as strictly secured because they are not supposed to contain or
communicate any classified material. More secure networks are typically not
linked to the Internet and employ much more stringent safeguards, including
procedures to authenticate the identities of computer users.
"Everything is connected," said Col. Thaddeus Dmuchowski, director of
information assurance for the Army. "Our 'defense in-depth' has to go down to
the individual computer."
ForensicTec's electronic forays show that the government continues to struggle
with how to close off systems to prying eyes -- including terrorists and foreign
agents -- after a presidential directive last fall making cybersecurity a
national priority.
That struggle was underscored by a General Accounting Office report last month
that concluded the government wasn't doing an adequate job coordinating efforts
to protect its online systems. Next month, the White House's new Critical
Infrastructure Protection Board will release a sweeping national plan intended
to bolster computer security.
None of the material made available by ForensicTec appears to be classified. But
government and private specialists said that such open systems pose a threat
because compromised machines may contain passwords, operational plans or easy
pathways to more sensitive networks.
They also could be used to mount an electronic attack anonymously or to gather
enormous amounts of unclassified information to gain insight about what an
agency or military unit is privately contemplating, specialists said.
"If you had an organized spy effort, that would be the real concern," Richard M.
Smith, an Internet security consultant based in Cambridge, Mass., said of
ForensicTec's findings. "This is a widespread problem."
Kevin Poulsen, another security specialist, worries that an intruder could place
onto an unsecured network malicious software such as a virus, worm or Trojan
horse program that could wind up on more-sensitive networks as desktop machines
migrate from one place to another.
"The government is now lagging behind the sophisticated Internet users, when
they should be leading," said Poulsen, editorial director of SecurityFocus, a
Web site devoted to such matters.
A spokesman for the Pentagon agency responsible for computer network defense
said he could not discuss the ForensicTec activity because the vulnerabilities
are under investigation. Maj. Barry Venable, a spokesman for the U.S. Space
Command, said the military takes seriously all such intrusions, even if the
system entered does not contain classified data. He said hackers rarely gain
control of military computers.
"Even one successful intrusion or instance of unauthorized activity is too
many," he said. "The services and DOD agencies are working hard to educate their
computer users and administrators to practice and implement proper computer
security practices and procedures in a very dynamic information environment."
The issue of computer security has become more pressing in recent years as
vastly more computers and networks have been linked to the Internet. Many public
and private computers still have not been properly configured to block
outsiders, and security components of operating software often are left set on
the lowest default level to ease installation.
Even though it's a felony under U.S. law to enter a computer without
authorization, the number of intrusions has skyrocketed, according to data
collected by the CERT Coordination Center at Carnegie Mellon University. The
number of incidents reported to CERT -- the leading clearinghouse of information
about intrusions, viruses and computer crimes -- increased from 406 in 1991 to
almost 53,000 last year.
Howard Schmidt, vice chairman of the White House Critical Infrastructure
Protection Board, said officials have been crisscrossing the country to push for
better practices. But he acknowledged that many individuals still don't take
rudimentary precautions, such as adopting passwords more complex than "password"
or a pet's name. And system administrators often do not fix known flaws with
widely available software "patches."
Schmidt said the board's strategy, to be announced next month, will provide
clearer guidance about how to achieve better security for government agencies
and businesses alike. A crucial element will be to encourage people to follow
through on existing rules and procedures.
"This reinforces to us that there's still a lot of work to be done," he said of
the ForensicTec findings. "It's more than technology. . . . It's people not
following the rules, people not following the policies."
The GAO report last month said the "risks associated with our nation's reliance
on interconnected computer systems are substantial and varied," echoing a series
of earlier reports chronicling the government's inability to secure its
computers.
"By launching attacks across a span of communications systems and computers,
attackers can effectively disguise their identity, location and intent," it
said. "Such attacks could severely disrupt computer-supported operations,
compromise confidentiality of sensitive information and diminish the integrity
of critical data."
ForensicTec consultants said it wasn't hard to probe the systems. They employed
readily available software tools that scan entire networks and issue reports
about linked computers. The scans showed that scores of machines were configured
to share files with anyone who knew where to look. The reports also contained
people's names and revealed that many of the computers required no passwords for
access, or relied on easily crackable passwords such as "administrator."
The consultants said they identified other Internet addresses during their
exploration of Fort Hood, including those for machines at the National
Aeronautics and Space Administration, the DOD Network Information Center, the
Department of Energy and other state and federal facilities. Scans of those
systems yielded similar results: hundreds of virtually unprotected computer
files.
O'Keeffe, the company president, said his consultants concluded that they had
tripped across a serious problem.
"If we can do this, other governments' intelligence agencies, hackers, criminals
and what have you can do it, too," he said, adding that he hopes to help the
government by bringing the vulnerabilities to light. "We could have easily
walked away from it."
The material they saw ranged from poetry and drafts of personal letters to
spreadsheets containing personal and financial information about soldiers.
A couple of memos to members of a squadron at Fort Hood included the location of
several safes and the inventory of one: secret operations information on hard
drives, floppy disks and CDs.
Another memo designated a courier -- by name, rank and Social Security number --
who would "be hand-carrying classified information" to Fort Irwin Army
Installation in California, apparently from February to June.
The consultants also obtained access to spreadsheets and e-mail messages at NASA
containing details about vendor relationships, account numbers and other
matters. NASA spokesman Brian Dunbar said he could not confirm the provenance of
the information obtained by ForensicTec. But he said the agency was
investigating its claims of vulnerability in accounting-related computers.
"We will investigate what's going on here," he said. "If this information is in
the clear, it poses a risk to these companies and we need to get it fixed."
Steven Aftergood, a research analyst and government information specialist, said
that much of the data the consultants came across is, by itself, "of limited
sensitivity." But the easy access to government machines represents a
substantial security challenge, at a time when military, government and business
officials rely on computer networks more than ever.
"It's a qualitatively new kind of vulnerability that the government has not
quite come to terms with yet," said Aftergood, a senior research analyst at the
Federation of American Scientists. "And it is a vulnerability that will increase
in severity if the government doesn't do something about it."