Security consultants entered scores of confidential
military and government computers without approval this summer, exposing
vulnerabilities that specialists say open the networks to electronic attacks and
The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.
One computer at Fort Hood in Texas held a copy of an air support squadron's "smart book" that details radio encryption techniques, the use of laser targeting systems and other field procedures. Another maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers.
Available on other machines across the country were e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations, according to records maintained by ForensicTec Solutions Inc., the four-month-old security company that discovered the lapses.
ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers' online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.
Former employees of a private investigation firm -- and relative newcomers to the security field -- the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access. They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.
"We were shocked and almost scared by how easy it was to get in," O'Keeffe said. "It's like coming across the Pentagon and seeing a door open with no one guarding it."
In response to an inquiry by The Washington Post, military investigators this week confirmed some of the intrusions at Fort Hood, saying they were occurred on PCs containing unclassified information. Senior officials said they are preparing an Army-wide directive requiring all shared computer files containing sensitive information to be password-protected. Sensitive information includes such items as Social Security numbers, confidential plans and so on, officials said.
The Army has never before focused so intently on the security of desktop computers containing unclassified data, but it is doing so now because so many more machines are linked to vulnerable networks, officials said. These systems are not as strictly secured because they are not supposed to contain or communicate any classified material. More secure networks are typically not linked to the Internet and employ much more stringent safeguards, including procedures to authenticate the identities of computer users.
"Everything is connected," said Col. Thaddeus Dmuchowski, director of information assurance for the Army. "Our 'defense in-depth' has to go down to the individual computer."
ForensicTec's electronic forays show that the government continues to struggle with how to close off systems to prying eyes -- including terrorists and foreign agents -- after a presidential directive last fall making cybersecurity a national priority.
That struggle was underscored by a General Accounting Office report last month that concluded the government wasn't doing an adequate job coordinating efforts to protect its online systems. Next month, the White House's new Critical Infrastructure Protection Board will release a sweeping national plan intended to bolster computer security.
None of the material made available by ForensicTec appears to be classified. But government and private specialists said that such open systems pose a threat because compromised machines may contain passwords, operational plans or easy pathways to more sensitive networks.
They also could be used to mount an electronic attack anonymously or to gather enormous amounts of unclassified information to gain insight about what an agency or military unit is privately contemplating, specialists said.
"If you had an organized spy effort, that would be the real concern," Richard M. Smith, an Internet security consultant based in Cambridge, Mass., said of ForensicTec's findings. "This is a widespread problem."
Kevin Poulsen, another security specialist, worries that an intruder could place onto an unsecured network malicious software such as a virus, worm or Trojan horse program that could wind up on more-sensitive networks as desktop machines migrate from one place to another.
"The government is now lagging behind the sophisticated Internet users, when they should be leading," said Poulsen, editorial director of SecurityFocus, a Web site devoted to such matters.
A spokesman for the Pentagon agency responsible for computer network defense said he could not discuss the ForensicTec activity because the vulnerabilities are under investigation. Maj. Barry Venable, a spokesman for the U.S. Space Command, said the military takes seriously all such intrusions, even if the system entered does not contain classified data. He said hackers rarely gain control of military computers.
"Even one successful intrusion or instance of unauthorized activity is too many," he said. "The services and DOD agencies are working hard to educate their computer users and administrators to practice and implement proper computer security practices and procedures in a very dynamic information environment."
The issue of computer security has become more pressing in recent years as vastly more computers and networks have been linked to the Internet. Many public and private computers still have not been properly configured to block outsiders, and security components of operating software often are left set on the lowest default level to ease installation.
Even though it's a felony under U.S. law to enter a computer without authorization, the number of intrusions has skyrocketed, according to data collected by the CERT Coordination Center at Carnegie Mellon University. The number of incidents reported to CERT -- the leading clearinghouse of information about intrusions, viruses and computer crimes -- increased from 406 in 1991 to almost 53,000 last year.
Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, said officials have been crisscrossing the country to push for better practices. But he acknowledged that many individuals still don't take rudimentary precautions, such as adopting passwords more complex than "password" or a pet's name. And system administrators often do not fix known flaws with widely available software "patches."
Schmidt said the board's strategy, to be announced next month, will provide clearer guidance about how to achieve better security for government agencies and businesses alike. A crucial element will be to encourage people to follow through on existing rules and procedures.
"This reinforces to us that there's still a lot of work to be done," he said of the ForensicTec findings. "It's more than technology. . . . It's people not following the rules, people not following the policies."
The GAO report last month said the "risks associated with our nation's reliance on interconnected computer systems are substantial and varied," echoing a series of earlier reports chronicling the government's inability to secure its computers.
"By launching attacks across a span of communications systems and computers, attackers can effectively disguise their identity, location and intent," it said. "Such attacks could severely disrupt computer-supported operations, compromise confidentiality of sensitive information and diminish the integrity of critical data."
ForensicTec consultants said it wasn't hard to probe the systems. They employed readily available software tools that scan entire networks and issue reports about linked computers. The scans showed that scores of machines were configured to share files with anyone who knew where to look. The reports also contained people's names and revealed that many of the computers required no passwords for access, or relied on easily crackable passwords such as "administrator."
The consultants said they identified other Internet addresses during their exploration of Fort Hood, including those for machines at the National Aeronautics and Space Administration, the DOD Network Information Center, the Department of Energy and other state and federal facilities. Scans of those systems yielded similar results: hundreds of virtually unprotected computer files.
O'Keeffe, the company president, said his consultants concluded that they had tripped across a serious problem.
"If we can do this, other governments' intelligence agencies, hackers, criminals and what have you can do it, too," he said, adding that he hopes to help the government by bringing the vulnerabilities to light. "We could have easily walked away from it."
The material they saw ranged from poetry and drafts of personal letters to spreadsheets containing personal and financial information about soldiers.
A couple of memos to members of a squadron at Fort Hood included the location of several safes and the inventory of one: secret operations information on hard drives, floppy disks and CDs.
Another memo designated a courier -- by name, rank and Social Security number -- who would "be hand-carrying classified information" to Fort Irwin Army Installation in California, apparently from February to June.
The consultants also obtained access to spreadsheets and e-mail messages at NASA containing details about vendor relationships, account numbers and other matters. NASA spokesman Brian Dunbar said he could not confirm the provenance of the information obtained by ForensicTec. But he said the agency was investigating its claims of vulnerability in accounting-related computers.
"We will investigate what's going on here," he said. "If this information is in the clear, it poses a risk to these companies and we need to get it fixed."
Steven Aftergood, a research analyst and government information specialist, said that much of the data the consultants came across is, by itself, "of limited sensitivity." But the easy access to government machines represents a substantial security challenge, at a time when military, government and business officials rely on computer networks more than ever.
"It's a qualitatively new kind of vulnerability that the government has not quite come to terms with yet," said Aftergood, a senior research analyst at the Federation of American Scientists. "And it is a vulnerability that will increase in severity if the government doesn't do something about it."