No Trust: Hacking the Department of Interior

"I don't like running a network that can be breached by a high school kid." -- Dom Nessi, former Chief Information Officer, Bureau of Indian Affairs, to Government Executive News, April 1, 2001.

During an investigation which commenced in May, Special Master Alan Balaran and a computer security firm he hired called Predictive Systems were able to break into a wide array of Department of Interior systems and networks that house and transmit trust fund data.

With permission from U.S. District Judge Royce Lamberth, the special master's team logged onto computer servers, accessed databases, broke into Interior and Bureau of Indian Affairs networks, discovered they could modify and erase sensitive data and even created an Individual Indian Money (IIM) trust account in Balaran's name. All of these breaches occurred repeatedly and with ease -- and all without being noticed, or even tracked, by the Interior's own computer officials.

Here's a rundown of how it happened.

Predictive originally planned a two-phase test of the Interior's computer infrastructure. First, it would try to access the system from the public Internet; and second, it would test the network from within.

However, the company soon found it could scrap the second phase because protections were non-existent. "Early on in the testing it became apparent that it was possible to access the sensitive internal data from the Internet and that the internal on-site testing phase was not needed due to the lack of overall perimeter security," Predictive wrote in August after a first round of hacking.

Using widely available, and free, tools employed by hackers all over the world, Predictive tapped into a number of systems the Interior deemed "critical" to bringing its trust duties into the 21st century. These systems included:

  • The Trust Asset and Accounting Management System (TAAMS)
    Predictive was able to break into a TAAMS server because it had "no password." As a result, the firm could perform administrative, high-level functions typically not available to low-level users.

    Also, Predictive could access TAAMS because the BIANET, a BIA network accessible via the Internet, had "blank" passwords. Through this vulnerability, the firm gained administrative powers that allowed it to access data stored in a TAAMS database.

    TAAMS is housed on two AS/400 servers, made by IBM, in Addison, Texas. The servers, the database and all its associated logic (coded in dBase) are fully owned by a third party, Applied Terravision Systems, because the Interior failed to consider long-term ownership and development issues.

  • The Integrated Records Management System (IRMS)
    Predictive was able to gain "complete access" to IRMS, a so-called "legacy" system in use since 1982 that tracks leases and distributes payments to account holders. Weaknesses on the BIANET allowed the firm to see every IRMS account that has ever existed.

    Predictive could modify and delete user accounts, meaning it could prevent authorized Interior users from entering the system and give access to non-authorized outsiders.

    Further, Predictive gained "complete control" of an IRMS server because it had a "blank" password. The firm was able to copy files and create links from sensitive data to outside networks via standard and highly vulnerable Microsoft Windows capabilities.

    IRMS is coded in Cobol 74, an outmoded but pervasive language, and is composed of six databases -- including individual and tribal ownership and leasing data -- that reside on a Unisys Clearpath NX server in Reston, Virginia. Reston is the location of the BIA's Office of Information Resources Management, whose controversial move from Albuquerque, New Mexico, was temporarily halted by Lamberth.

  • Other Unnamed Systems.
    Additionally, Predictive found numerous problems on a number of systems, most of which are not specifically named because information in the report is redacted. The firm was able to access "sensitive" information including "gigabytes" of BIA e-mail, configuration files, log reports, and all usernames and passwords on an unnamed system. Many of these systems had weak or no password protection.

    Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders. Other systems were prone to well-known hacking techniques, including denial of service, buffer overflows, "Trojan Horse" programs and Microsoft Windows "scripting" attacks -- all of which are typically preventable by applying readily available "patches" to fix security holes.

    All of this hacking -- which took place between June 24 and July 8 -- led Predictive to conclude in an August report that the BIA lacks "basic security" measures. "Even if every security vulnerability in this report was corrected, BIA's overall lack of a secure network perimeter would still leave BIA exposed to additional risk," the firm wrote.

    Predictive recommended the BIA implement such standard protections as a firewall and intrusion devices. Along with Balaran, the firm informed BIA of the numerous problems at a meeting with Brian Bowker, then-director of OIRM.

    Despite Predictive's damaging report, Bowker indicated the company was successful only because he had "turned over the keys to the store." Balaran said he felt Bowker was trying to "discount" the findings, so he again instructed Predictive to break into the system on August 30.

    It was during this time that Predictive created a trust account for Balaran, whose report is not specific as to which system was accessed to perform this incredible breach. Predictive was able to create its own trust data and modify existing data on an unnamed system, leading the firm yet again to warn BIA of problems and make a number of specific recommendations to correct the deficiencies.

    Balaran's report doesn't indicate whether or not BIA has complied with any of Predictive's recommendations. However, he said "nothing has changed" in regard to no fewer than 30 reports over the past decade confirming the Interior's worst fears about Indian trust data.

    Balaran further questions why neither the Bush nor Clinton administrations informed Judge Lamberth of known problems -- none of the Interior's court-mandated quarterly reports hints at the enormous breaches. He questions why Special Trustee Tom Slonaker, Interior Chief Information Officer Daryl White and former BIA Chief Information Officer Dom Nessi ignored or did not even read reports written by the department's recently hired security firm, SeNet International, or inform Congress about the problems. Norton has since hired Predictive, according to her press secretary.

    Based on this "deplorable record," Balaran recommends Lamberth "intervene and assume direct oversight of those systems housing Indian trust data. Without such direct oversight, the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked."

    Lamberth today will hold a hearing in federal district court at 10 a.m. to consider shutting down every single system and network that houses or transmits trust data and taking them under his wing.

    The BIA is currently without a Chief Information Officer. Nessi, whose repeated revelations about trust reform led Lamberth to appoint a court monitor and Balaran to uncover problems, stepped down in July to join the National Park System as its CIO.

    Assistant Secretary Neal McCaleb is attempting to move the CIO position to Oklahoma City, Oklahoma, even though the post currently reports directly to Deputy Assistant Secretary James McDivitt in Washington, D.C., and the BIA's main computer infrastructure and OIRM are located in Virginia.

    Get the Report:
    Report and Recommendations of the Special Master Regarding the Security of Trust Data at the Department of the Interior (12/4)
