U.S. Agency's Computers Didn't Protect Indian Fund

R. A. Hettinga rah at shipwright.com
Tue Feb 26 10:11:03 EST 2002


This is the not-really-9/11 case that shut down *all* Department of the
Interior access to the net this fall...

Cheers,
RAH
------


http://www.nytimes.com/2002/02/26/technology/26INDI.html?todaysheadlines=&pagewanted=print



February 26, 2002


U.S. Agency's Computers Didn't Protect Indian Fund


By JOHN MARKOFF


Instructed by a federal district judge to determine whether the computer
network at the Bureau of Indian Affairs was secure from malicious
intruders, Alan Balaran decided to infiltrate it.

He did this not once, but three times, and determined among other things
that skilled hackers would be able to bilk Indian funds in trust at the
bureau by having checks sent to themselves.

First Mr. Balaran went to a bureau building in Virginia, walked in through
a loading platform and asked directions to the computing nerve center,
where he plucked from a shredder a lengthy printout of data on some of the
trust fund accounts that the agency manages for half a million Indians.
Nobody stopped him.

Then he hired a team of hackers to break into the bureau's computers, using
commonly available software.

Finally, after the bureau complained that the computer assault had been
unfair because it relied on inside knowledge of the agency's network, Mr.
Balaran's team broke in again, without such help, even setting up a trust
fund account in his name.

Mr. Balaran is no computer rogue. He is a Washington lawyer appointed as a
special master by the federal judge, Royce C. Lamberth, who, hearing the
largest class-action suit ever filed by Indians, has already determined
that for more than a century the government has mismanaged accounts held in
trust for them. Judge Lamberth, who sits in Washington, will now determine
whether the government should be held in contempt for failure to abide by
past orders to repair its work.

Mr. Balaran, appointed by the judge in 2000 to oversee a variety of issues
related to the suit, began looking into computer security at the bureau
early last year. The effort intensified when a group of plaintiffs
discovered, in the April 2001 issue of Government Executive magazine, an
interview in which the agency's chief information officer, Dominic Nessi,
confessed that its systems were vulnerable to hacking.

"For all practical purposes, we have no security," Mr. Nessi said in that
interview.

Computer security experts say that although the problems at the bureau are
particularly striking, they are not isolated. Many federal agencies are
vulnerable, they say, despite years of public concern.

Mr. Balaran declined to comment publicly on his investigation, citing his
continuing role in the court case. But the report on what he found, filed
with the court in November, is a litany of security lapses stemming from
what the report portrays as official neglect for over a decade.

A spokesman for the Interior Department, parent of the Bureau of Indian
Affairs, defended the bureau's computer security efforts, saying it had
tried to deal with vulnerabilities long before the report. "I don't propose
to defend all of the shortcomings," said the spokesman, John Wright. But
"it's not like they didn't try to fix the problems. There were a number of
attempts. We were led to believe" by consultants that the bureau's systems
worked, "and they didn't work."

Mr. Balaran's infiltration began last February, when, accompanied by a
Justice Department lawyer, he drove to the bureau's supposedly secure data
processing center in Reston, Va. After Mr. Balaran asked his companion to
remove his tie so as to attract less attention, they entered the building
from the loading dock. Although they wore no badges, they were able to walk
past a guard at the entrance - twice, simply to make the point - without
being questioned.

Once inside and searching for the secure computing area responsible for
processing and storing data related to Indian trust funds, Mr. Balaran
asked directions from a passer-by. He was escorted to the computing room on
the second floor. There he was able to walk to a shredder and pick up a
voluminous computer printout with detailed information about trust funds -
money controlled by the government for the benefit of Indians whose
property, descended from a system of tribal ownership and managed by
Washington, is generally leased to oil, gas or timber companies.

Mr. Balaran filed a report in March alerting the court to the break-in and
the outcome, and then struck again a few months later. He hired Predictive
Systems Inc., a computer security company based in New York,
to perform a "pen test" - industry jargon for any electronic effort to
penetrate the defenses of a computer system. When the Predictive Systems
team examined the bureau's network, it was immediately apparent that it
would be possible to gain access to sensitive data via the Internet using
readily available software tools.

Once the company penetrated the network and reported its findings to Mr.
Balaran, the bureau protested the results, saying that the pen test
ordinarily would have failed but that the Predictive Systems penetration
team, as part of the exercise, had had detailed information about the
agency's network.

So Mr. Balaran asked the company on Aug. 30 to attack the agency's
computers again. This time he authorized the consultants to create a trust
account in his name.

In October, Predictive Systems supplied a report reiterating its findings
that the bureau's computer systems were vulnerable to attack. In the second
test, conducted without any prior reference material, the consultants used
a completely different computer network to gain access.

As instructed, they also set up an account in Mr. Balaran's name. Since the
attack took place during the middle of the trust fund billing cycle, no
check was issued. But Mr. Balaran said the group had proved to his
satisfaction that it would be possible to send money to any address.

After reading Mr. Balaran's report, Judge Lamberth forced the entire
Interior Department in December to shut down virtually all its computer
systems, since access to the systems of the Indian affairs bureau could be
gained through the systems of other Interior agencies. This month, with Mr.
Balaran's oversight and the help of Predictive Systems, the department
finally began restoring the interrupted operations, among other things
sending checks to thousands of Indians to whom trust-fund payments had been
suspended as a result of the shutdown.

Mr. Wright, the Interior Department spokesman, says that 52 percent of the
department's systems are now back online and that Interior is working with
Mr. Balaran, system by system, to return to complete operation. He could
not say when that would be.

Mr. Balaran's report noted that there had been at least four earlier ones
indicating computer security weaknesses at the bureau. Those warnings date
from 1989, when the accounting firm of Arthur Andersen first raised
concerns.

Most recently, in late 1999, Mr. Nessi, then special adviser to the
assistant interior secretary for Indian affairs, commissioned such a report
from SeNet International, a computer security company. The evaluation,
completed in the spring of 2000, cost nearly $1 million and identified
hundreds of weaknesses.

But Mr. Balaran noted in his report that when he interviewed Mr. Nessi in
June of last year, he discovered that the SeNet report had been read by
neither Mr. Nessi nor any other Indian affairs official.

Mr. Balaran's report quoted Mr. Nessi as saying, "You know, with all the
duties that I have, I would not be able to get to each of them."

Reached last night at his Virginia home, Mr. Nessi, who now has another job
at Interior, said he had in fact read part of the report and in any case
had been briefed by SeNet on all of it. He said he had spent his time at
the bureau trying to address the very problems Mr. Balaran ultimately
identified.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com