Sleuths Invade Military PCs With Ease

August 16, 2002; Page A01

SAN DIEGO, Aug. 15 -- Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

One computer at Fort Hood in Texas held a copy of an air support squadron's "smart book" that details radio encryption techniques, the use of laser targeting systems and other field procedures. Another maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers.

Available on other machines across the country were e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations, according to records maintained by ForensicTec Solutions Inc., the four-month-old security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers' online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm -- and relative newcomers to the security field -- the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access. They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.

"We were shocked and almost scared by how easy it was to get in," O'Keeffe said. "It's like coming across the Pentagon and seeing a door open with no one guarding it."

Even though it's a felony under U.S. law to enter a computer without authorization, the number of intrusions has skyrocketed, according to data collected by the CERT Coordination Center at Carnegie Mellon University. The number of incidents reported to CERT -- the leading clearinghouse of information about intrusions, viruses and computer crimes -- increased from 406 in 1991 to almost 53,000 last year.

for full article see
http://www.washingtonpost.com/wp-dyn/articles/A24191-2002Aug15.html