A second Internet security expert testified on Monday that he was able to hack into the Interior Department's computer systems, obtain personal information about Secretary Gale Norton and exploit
other vulnerabilities that led him to "personal data on all the astronauts."
Phil Brass and his firm Internet Security Systems (http://www.iss.net)
were hired by Interior's Inspector General to test the department's
computer network. One Bush administration official has described the
system as "bulletproof."
But Brass described a far different situation in testimony
he gave in the Cobell v. Norton evidentiary hearing.
He explained how he purposely looked for sensitive information about
Norton and other top officials to show the department that its
systems were vulnerable to hackers despite an investment of $100
million.
"We were able to retrieve credentials to many systems," Brass
told the court.
Specifically, Brass hacked into the National Business Center
(http://www.nbc.gov), an Interior
agency that handles more than $9 billion in payroll for
more than 200,000 government employees and more than
$3 billion in other financial transactions.
Over a period of six weeks in March and April, he obtained
access to sensitive information about Norton and other
top officials that would "make all executives
go white."
"I felt empowered," he testified. Among other information,
he said he found credit card numbers for "all DOI employees"
contained in a database that had been inaccurately
marked "bankcard_training_doiu."
DOIU is the acronym for the Department of
the Interior University (http://www.doiu.nbc.gov).
"This was real data, not training data," said Dennis Gingold, an
attorney for the Cobell plaintiffs.
"Exactly," Brass said. He later verified with Interior
that the credit card numbers were real.
During his time in the system,
Brass prepared what he called "dossiers" on associate
deputy secretary Jim Cason and P. Lynn Scarlett, the
assistant secretary for policy, management and budget.
Cason's dossier, for example, contained his government-issued
credit card numbers and other personal information.
Brass was about to do the same for Norton until the Inspector
General pulled the plug on the test, he said. "I believe they were
worried about upsetting Gale," he testified.
Before that happened, he told the court he was able to
find some sensitive information about Norton, a Cabinet official.
"I believed I pulled some of her personal data," he said.
And because he knew the NBC processes payroll, financial and other data for a number of federal agencies, Brass kept looking to see how far he could get. Weaknesses in the system led him to NASA, where he found "personal data on all the astronauts." When asked if he could have
changed the data, he said "I'm pretty sure I could have done that."
Cason, who has served in the Bush administration since August 2001, has previously told the court that the department has made improvements to "basically bulletproof" the network from
hackers like Brass and Scott Miles, another ISS employee who testified
in the hearing last week.
But Brass and Miles presented a conflicting view. Both said they performed "penetration" tests on Interior's systems without being detected.
"I hadn't been discovered," Brass said yesterday. Miles testified last week that he gained access to Indian trust data, something Brass said he didn't do.
Brian Dunbar, a spokesperson for NASA, said he was personally unaware
that the Interior Department hired computer hackers to test the
systems. "I can't comment on that because we don't have any first-hand reports on it," he said, adding that NASA normally doesn't
comment on alleged security breaches.
The hearing continues today in federal court in Washington, D.C.
The Cobell plaintiffs are seeking a court order to disconnect
the vulnerable systems from the Internet, something Brass said
was entirely reasonable.
"I personally say you can't ever eliminate the risk," he testified.
"There really is no such thing as a secure computer."
Relevant Links:
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
Cobell v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm
Indian Trust, Department of Interior - http://www.doi.gov/indiantrust