[ISN] Interior to use wireless despite Internet court battle
InfoSec News
isn at c4i.org
Tue May 24 04:55:06 EDT 2005
http://www.fcw.com/article88944-05-23-05-Web
By Aliya Sternstein
May 23, 2005
Lawyers representing a group of American Indians suing the Interior
Department say wireless Internet service could grant unauthorized
access to Indian trust fund account information. But Interior plans to
issue a solicitation notice for departmentwide wireless service soon.
Interior lawyers are reviewing the final version of the notice and
would not comment on its contents.
Last Tuesday, lawyers gave a federal judge a report published in
December by Interior's inspector general on wireless management and
security. It details how easily hackers could manipulate trust
accounts held by 500,000 American Indians.
Between October 2003 and April 2004, inspectors found that Interior
networks sometimes intersected with other networks and broadcast
information to inappropriate areas and people.
Last month, Interior shut down the Bureau of Land Management's Web
site after the IG issued a report warning that its information
technology systems were vulnerable to cyberthreats. The shutdown was
the latest in a long-running dispute about the security of Indian
trust fund information.
December's report notes that at the BLM Boise, Idaho, District Office,
a wireless network that was supposed to bridge the district office
directly to a building about a mile away was broadcasting the network
signal to everyone within a mile radius. Inspectors observed that more
than 3,000 other commercial and residential wireless networks occupied
that radius.
Other instances of BLM sloppiness appear throughout the IG's report.
"We observed approximately 148 users connecting to [a BLM] wireless
network during non-business hours; however, BLM indicated that there
were only about 10 authorized users," the report states.
The report adds that officials may have alleviated some security
concerns by issuing the April 2004 memo that required insecure
Interior agencies to disconnect their wireless networks.
But the IG report states that the memo is "silent on how DOI should
handle what may be the inevitable use of wireless technology in the
future."
Interior officials have not disclosed information about the new
wireless initiative because of the current litigation and bidding
protocol.
Interior spokespersons released a statement. "To understand our
position regarding the commercial wireless [cellular] services program
under DOI's Wireless initiative, the Office of the Chief Information
Officer and the Office of Acquisition and Property Management offices
partnered. Significant progress has been made, and a solicitation will
soon be issued. This partnership is the department's direct response
to the March 2004 GAO Report Agencies Can Achieve Significant Savings
on Purchase Card Buys."
The project's synopsis states that Interior must establish an
enterprisewide contract vehicle to acquire cost-effective nationwide
commercial wireless services, coverage and management. The notice
pertains to commercial mobile wireless services.
The IG report warns that the agency must take steps to improve
security of wireless services. The report found, for example, that the
wireless signals are available after business hours and are also
identifiable. Inspectors quickly recognized that a wireless network
was BLM's because it broadcast a unique network name.
"Additionally, we found at one BLM and one [Fish and Wildlife Service]
location that wireless networks remained in operation during
non-business hours," the report stated. "This, in conjunction with the
networks broadcasting unique identifying information that is easily
identifiable to DOI, accelerates a hacker's ability to compromise DOI
networks."
At a Bureau of Reclamation facility, inspectors identified wireless
signals in three parking lots outside the network's perimeter.
In addition, Interior could not account for all wireless network
devices. Specifically, six network access points at two BLM locations
were not inventoried.
An earlier court order disconnected the Bureau of Indian Affairs from
the Internet, but the IG report found that contractors at a BIA office
used non-Interior laptops that had wireless capabilities.
Wireless-enabled laptops could be connected to Interior's wired
networks and expose those networks and data to unauthorized users, the
report states.