February 28, 2002

From the desk of Mindles H. Dreck:

Nobody Expects The Spanish Inquisition

This story about Judge Lamberth's special master for hacking the Indian Trust Funds is hysterical. Lamberth had grave concerns about the security of the Bureau of Indian Affairs computer systems, so he hired Mr. Balaran to test them.

Mr. Balaran's first attempt barely fits the conventional definition of hacking:

First Mr. Balaran went to a bureau building in Virginia, walked in through a loading platform and asked directions to the computing nerve center, where he plucked from a shredder a lengthy printout of data on some of the trust fund accounts that the agency manages for half a million Indians. Nobody stopped him.

In addition to the poor physical security, there were real gaps in the systems themselves:
Then he hired a team of hackers to break into the bureau's computers, using commonly available software...He hired Predictive Systems Inc., a computer security company based in New York, to perform a "pen test" — industry jargon for any electronic effort to penetrate the defenses of a computer system. When the Predictive Systems team examined the bureau's network, it was immediately apparent that it would be possible to gain access to sensitive data via the Internet using readily available software tools.

The usual bureaucratic antibodies emerge at this point:
the bureau protested the results, saying that the pen test ordinarily would have failed but that the Predictive Systems penetration team, as part of the exercise, had had detailed information about the agency's network.

This despite the fact that the Bureau had already admitted:
"For all practical purposes, we have no security," Mr. Nessi said in that interview.

Mr. Nessi runs the place, so that must have been IT with the denial. Nonetheless, they, too, were proved wrong by Mr. Balaran:
Finally, after the bureau complained that the computer assault had been unfair because it relied on inside knowledge of the agency's network, Mr. Balaran's team broke in again, without such help, even setting up a trust fund account in his name.

Judge Lamberth ordered the bureau's systems shut down after this. Apparently, these concerns had been raised before, even by an outfit whose reliability as a watchdog has been called into question recently:
Mr. Balaran's report noted that there had been at least four earlier ones indicating computer security weaknesses at the bureau. Those warnings date from 1989, when the accounting firm of Arthur Andersen first raised concerns.

Most recently, in late 1999, Mr. Nessi, then special adviser to the assistant interior secretary for Indian affairs, commissioned such a report from SeNet International, a computer security company. The evaluation, completed in the spring of 2000, cost nearly $1 million and identified hundreds of weaknesses.

But Mr. Balaran noted in his report that when he interviewed Mr. Nessi in June of last year, he discovered that the SeNet report had been read by neither Mr. Nessi nor any other Indian affairs official.


I've seen it before. Sometimes only a sledgehammer to the head gets a bureaucracy to admit the obvious. Unfortunately, it's not limited to the public sector.

An article in Federal Computer Week describes the situation at BIA in detail:

"We've been operating with a cart and donkey. All of a sudden, we now have ëStar Trek,'" said Neal McCaleb, an assistant secretary at Interior and director of the Bureau of Indian Affairs. The bureau's multimillion-dollar trust accounting computer system, which was set up less than two years ago to handle money generated by some 54 million acres of American Indian land, is at the core of the problem...

.."You need to develop a more holistic security programÖall the way from training employees to ensuring passwords to reducing the number of people with rights to developing appropriate firewalls to monitoring," said Al Pesachowitz, who was CIO at the Environmental Protection Agency when it temporarily shut down its Web site two years ago after a GAO audit found security problems.


No word on the mysterious umlaut hackers penetrating ëFederal ComputerÖ Week.

Posted by Mindles H. Dreck at February 28, 2002 9:26 PM