[Infowarrior] - Cyberattacks at federal agencies draw House scrutiny

Richard Forno rforno at infowarrior.org
Fri Apr 20 01:42:26 UTC 2007


Cyberattacks at federal agencies draw House scrutiny

By Anne Broache
http://news.com.com/Cyberattacks+at+federal+agencies+draw+House+scrutiny/2100-7348_3-6177783.html

Story last modified Thu Apr 19 17:41:41 PDT 2007

WASHINGTON--As new details emerged about cyberattacks against networks at
the State and Commerce departments last year, politicians on Thursday said
they're concerned many federal agencies are ill-prepared to fend off such
intrusions.

Members of a U.S. House of Representatives cybersecurity subcommittee said
they weren't confident that the computer systems at bureaus within the State
and Commerce departments were adequately secured and scrubbed of backdoors
that could allow cybercrooks to re-enter. They also questioned agency
representatives on whether they could truly guarantee that sensitive
information hadn't been accessed or copied.

"We don't know who's inside our networks," subcommittee chairman Rep. James
Langevin (D-R.I.) said at an afternoon hearing here. "We don't know what
information has been stolen."

Indeed, 21 of 24 major federal agencies had weak or deficient information
security controls in place during the last fiscal year, according to audit
reports, said Gregory Wilshusen, director of information security issues for
the Government Accountability Office.

Pitfalls ranged from failing to replace well-known vendor-supplied passwords
on systems to not encrypting sensitive information to not creating adequate
audit logs to track activity on their systems, according to a new GAO report
(PDF) he summarized at the hearing.

One of the main purposes of the hearing was to allow officials at the State
and Commerce departments to give the first complete public accounts of the
cyberattacks since news reports brought the incidents to light several
months ago.

The State Department troubles began in May, said Donald Reid, senior
coordinator for security infrastructure for the agency's Bureau of
Diplomatic Security. An employee at an office in the East Asia Pacific
region opened an e-mail message that contained what appeared to be a
legitimate Microsoft Word document of a congressional speech--but when
opened, actually unleashed malicious code that allowed the intruder backdoor
access to the State Department's network.

The agency's intrusion detection system "immediately" detected the flaw and
later discovered additional breaches on its systems in other Asian outposts
and at its Washington headquarters, Reid said. In the process of analyzing
that malicious code, analysts also discovered another previously unknown
hole in the Windows operating system that lacked a security patch.

Realizing that Microsoft would not be able to issue a fix as speedily as
necessary, the department developed a temporary "wrapper" designed to
protect the systems from continued exploits, Reid said. All the affected
systems were brought back up and running by July, and the department has not
encountered further troubles, Reid said. (Microsoft ultimately released the
new patch in August.)

Some politicians targeted Reid's assurances that the attacks only affected
"unclassified" systems. Because government auditors have determined that the
State Department lacks a complete inventory of its computer systems, "how
can you be certain your classified networks aren't touching your
unclassified networks, and can you really know hackers have only accessed
unclassified networks?" Langevin asked. He also suggested that even
unclassified networks can contain "sensitive" data.

Also encountering pointed questions from the handful of politicians present
Thursday was Dave Jarrell, manager of the Commerce Department's Critical
Infrastructure Protection Program.

Jarrell recounted events that transpired beginning in July at his
department's Bureau of Industry and Security, which handles the sometimes
thorny topic of export controls. After a senior BIS official discovered one
morning that he could not log in to his machine, an agency computer security
team went on to discover 33 computers that had attempted to establish
connections to suspicious Internet protocol addresses originating from
Internet servers in China.

Some politicians criticized the bureau for admittedly not knowing exactly
how long the attackers were able to gain access to their systems. Jarrell
said the agency was "very confident" that the data on existing machines is
safe. He blamed the inability to pinpoint the time of the intrusion on
faulty audit logs and said the agency was fixing that problem.

Politicians also used the hearing to lash out again at the Department of
Homeland Security's persistently lagging cybersecurity efforts. They
lamented that the agency had only managed to pull up its own information
security grade, as determined by its compliance with federal standards, to
slightly above failing this year. (The State and Commerce departments, for
their part, both received F's.)

"I'll be honest with you," Langevin said. "I don't know how the department
thinks it's going to lead this nation in securing cyberspace when it can't
even secure its own networks."


Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.



