Second expert describes hack of Interior Department



A second Internet security expert testified on Monday that he was able to hack into the Interior Department's computer systems, obtain personal information about Secretary Gale Norton and exploit other vulnerabilities that led him to "personal data on all the astronauts."

Phil Brass and his firm Internet Security Systems (http://www.iss.net) were hired by Interior's Inspector General to test the department's computer network. One Bush administration official has described the system as "bulletproof."

But Brass described a far different situation in testimony he gave in the Cobell v. Norton evidentiary hearing. He explained how he purposely looked for sensitive information about Norton and other top officials to show the department that its systems were vulnerable to hackers despite an investment of $100 million.

"We were able to retrieve credentials to many systems," Brass told the court.

Specifically, Brass hacked into the National Business Center (http://www.nbc.gov), an Interior agency that handles more than $9 billion in payroll for more than 200,000 government employees and more than $3 billion in other financial transactions. Over a period of six weeks in March and April, he obtained access to sensitive information about Norton and other top officials that would "make all executives go white."

"I felt empowered," he testified. Among other information, he said he found credit card numbers for "all DOI employees" contained in a database that had been inaccurately marked "bankcard_training_doiu." DOIU is the acronym for the Department of the Interior University (http://www.doiu.nbc.gov).

"This was real data, not training data," said Dennis Gingold, an attorney for the Cobell plaintiffs.

"Exactly," Brass said. He later verified with Interior that the credit card numbers were real.

During his time in the system, Brass prepared what he called "dossiers" on associate deputy secretary Jim Cason and P. Lynn Scarlett, the assistant secretary for policy, management and budget. Cason's dossier, for example, contained his government-issued credit card numbers and other personal information.

Brass was about to do the same for Norton until the Inspector General pulled the plug on the test, he said. "I believe they were worried about upsetting Gale," he testified.

Before that happened, he told the court he was able to find some sensitive information about Norton, a Cabinet official. "I believed I pulled some of her personal data," he said.

And because he knew the NBC processes payroll, financial and other data for a number of federal agencies, Brass kept looking to see how far he could get. Weaknesses in the system led him to NASA, where he found "personal data on all the astronauts." When asked if he could have changed the data, he said "I'm pretty sure I could have done that."

Cason, who has served in the Bush administration since August 2001, has previously told the court that the department has made improvements to "basically bulletproof" the network from hackers like Brass and Scott Miles, another ISS employee who testified in the hearing last week.

But Brass and Miles presented a conflicting view. Both said they performed "penetration" tests on Interior's systems without being detected.

"I hadn't been discovered," Brass said yesterday. Miles testified last week that he gained access to Indian trust data, something Brass said he didn't do.

Brian Dunbar, a spokesperson for NASA, said he was personally unaware that the Interior Department hired computer hackers to test the systems. "I can't comment on that because we don't have any first-hand reports on it," he said, adding that NASA normally doesn't comment on alleged security breaches.

The hearing continues today in federal court in Washington, D.C. The Cobell plaintiffs are seeking a court order to disconnect the vulnerable systems from the Internet, something Brass said was entirely reasonable.

"I personally say you can't ever eliminate the risk," he testified. "There really is no such thing as a secure computer."
