United States General Accounting Office
_____________________________________________________________________________

GAO Testimony

Before the Subcommittee on Government Information and Regulation, Committee on Governmental Affairs, United States Senate
________________________________________________________________________

COMPUTER SECURITY

For Release on Delivery
Expected at 1:00 p.m. EST
Wednesday, November 20, 1991

Hackers Penetrate DOD Computer Systems

Statement of Jack L. Brock, Jr., Director, Government Information and Financial Management, Information Management and Technology Division

GAO/T-IMTEC-92-5
_____________________________________________________________________

Mr. Chairman and Members of the Subcommittee:

I am pleased to participate in the Subcommittee's hearings on computer security. At your request, our work focused on hacker intrusions into Department of Defense (DOD) unclassified, sensitive computer systems during Operation Desert Storm/Shield. My testimony today is based on our review of intrusions by a group of Dutch hackers into Army, Navy, and Air Force computer systems. In particular, we conducted a detailed review of the hacker intrusions and system administration responsibilities at three DOD sites. While our focus was on unclassified, sensitive systems, some of the systems penetrated by this group of hackers did not contain sensitive information.

The government faces increased levels of risk for information security because of greater network use and computer literacy, and greater dependency on information technology overall. For years hackers have been exploiting security weaknesses of systems attached to the Internet--an unclassified network composed of over 5,000 smaller networks nationwide and overseas and used primarily by government and academic researchers. Their techniques have been publicized in hacker bulletin boards and magazines, and even in a bestseller, The Cuckoo's Egg, written by Clifford Stoll. Hackers, however, continue to successfully exploit these security weaknesses and undermine the integrity and confidentiality of sensitive government information.

Between April 1990 and May 1991, computer systems at 34 DOD sites attached to the Internet were successfully penetrated by foreign hackers. The hackers exploited well-known security weaknesses--many of which were exploited in the past by other hacker groups. These weaknesses persist because of inadequate attention to computer security, such as password management, and the lack of technical expertise on the part of some system administrators--persons responsible for the technical management of the system.

DUTCH HACKERS PENETRATE
-----------------------
DOD COMPUTER SYSTEMS
--------------------

Between April 1990 and May 1991, computer hackers from the Netherlands penetrated 34 DOD sites. DOD officials, however, are still unable to determine the full scope of the problem because security measures for identifying intrusions are frequently lacking. At many of the sites, the hackers had access to unclassified, sensitive information on such topics as (1) military personnel--personnel performance reports, travel information, and personnel reductions; (2) logistics--descriptions of the type and quantity of equipment being moved; and (3) weapons systems development data.

Although such information is unclassified, it can be highly sensitive, particularly during times of international conflict. For example, information from at least one system, which was successfully penetrated at several sites, directly supported Operation Desert Storm/Shield. In addition, according to one DOD official, personnel information can be used to target employees who may be willing to sell classified information. Further, some DOD and government officials have expressed concern that the aggregation of unclassified, sensitive information could result in the compromise of classified information.

Hackers Exploit Well-Known
--------------------------
Security Weaknesses
-------------------

The hackers generally gained access to the DOD computer systems by travelling through several networks and computer systems. Using commercial long-distance services, such as Tymnet, the hackers weaved their way on the Internet through university, government, and commercial systems, often using these sites as platforms to enter military sites.

The hackers then exploited various security weaknesses to gain access into military sites. The most common weaknesses included (1) accounts with easily guessed passwords or no passwords, (2) well-known security holes in computer operating systems, and (3) vendor-supplied accounts--privileged accounts with well-known passwords or no passwords at all that are used for system operation and maintenance. Once the hackers had access to a computer at a given site, access to other computers at that site was relatively easy because the computers were often configured to trust one another.

At several sites the hackers exploited a Trivial File Transfer Protocol (TFTP)[1]. Some versions of this program had a well-known security hole that allowed users on the Internet to access a file containing encrypted passwords without logging into the system. Once the hackers accessed the password file, they (1) probed for accounts with no passwords or accounts where the username and password were identical, or (2) downloaded the password file to another computer and ran a password cracking program--a program that matches words found in the dictionary against the encrypted password file. Finally, the hackers entered the system, using an authorized account and password, and were granted the same privileges as the authorized user.

At two of the sites we visited the hackers were able to enter the systems because vendor-supplied accounts were left on the system with a well-known password or with no password at all. Operating systems and software are often delivered to users with certain accounts necessary for system operation. When delivered, these accounts--some of which include system administrator privileges that allow them to do anything on the system without restriction--are often unprotected or are protected with known passwords, and are therefore vulnerable until the password is changed.

_________________________________________________________________
[1] TFTP is a file transfer program that permits the copying of files without logging in.

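The following is an added example, not part of the testimony and not code from GAO or DOD. It runs, defensively, the same checks the two preceding passages say the intruders ran once they held a copy of a password file: accounts with no password, accounts whose password equals the username, vendor-supplied accounts still carrying a shipped default, and a dictionary attack against the encrypted field. Two assumptions are made to keep it runnable offline: the DES crypt(3) hashing of 1991 systems is replaced by a salted SHA-256 stand-in that keeps crypt's convention of a two-character salt prefix, and the sample password file, word list and vendor-default list are all constructed here (the vendor account names and defaults are illustrative, not real products).

```python
import hashlib

# Constructed for this example: vendor account name -> the default passwords
# it is assumed to have shipped with. Real lists appeared in vendor manuals
# and CERT advisories; these names and values are illustrative only.
VENDOR_DEFAULTS = {
    "fieldsvc": ["fieldsvc", "service"],
    "sysmaint": ["maint"],
}

# Constructed for this example: a tiny dictionary. The intruders used full
# word lists; the technique is identical.
WORDLIST = ["password", "secret", "welcome", "desert", "missile", "tiger"]


def hash_password(password, salt):
    """Stand-in for crypt(3) (assumption, not the real algorithm): the
    two-character salt is kept as a prefix so a guess can be re-hashed with
    the same salt and compared, exactly as a cracker does against crypt."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest[:22]


def parse_passwd(text):
    """Parse traditional seven-field passwd lines; field two is the hash."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_hash, uid, gid, gecos, home, shell = line.split(":")
        entries.append({"name": name, "hash": pw_hash, "uid": int(uid), "shell": shell})
    return entries


def audit_passwd(entries, wordlist=WORDLIST, vendor_defaults=VENDOR_DEFAULTS):
    """Return {account: (finding, guess)} for every account that an intruder
    holding this file could log into with trivial effort."""
    findings = {}
    for e in entries:
        name, pw_hash = e["name"], e["hash"]
        if pw_hash == "":
            findings[name] = ("no password", "")
            continue
        if pw_hash.startswith(("*", "!")):
            continue  # locked account: nothing hashes to this value
        salt = pw_hash[:2]
        guesses = ([("same as username", name)]
                   + [("vendor default", d) for d in vendor_defaults.get(name, [])]
                   + [("dictionary word", w) for w in wordlist])
        for kind, guess in guesses:
            if hash_password(guess, salt) == pw_hash:
                findings[name] = (kind, guess)
                break
    return findings


def privileged(entries):
    """Any uid-0 account carries system administrator privileges whatever its
    name; a finding against one of these is a complete compromise."""
    return {e["name"] for e in entries if e["uid"] == 0}


def make_sample_passwd():
    """Constructed sample file; hashes are computed with the stand-in above."""
    rows = [
        ("root", hash_password("tiger", "Xy"), 0),
        ("fieldsvc", hash_password("service", "Q9"), 0),
        ("sysmaint", "", 0),
        ("jsmith", hash_password("jsmith", "a1"), 1001),
        ("mjones", hash_password("c0rrect-h0rse-battery", "b2"), 1002),
        ("nobody", "*", 65534),
    ]
    return "\n".join(f"{n}:{h}:{u}:{u}:{n}:/home/{n}:/bin/sh" for n, h, u in rows)


if __name__ == "__main__":
    entries = parse_passwd(make_sample_passwd())
    priv = privileged(entries)
    for acct, (kind, guess) in sorted(audit_passwd(entries).items()):
        flag = " [UID 0]" if acct in priv else ""
        print(f"{acct:10s} {kind:18s} guess={guess!r}{flag}")
```

Run against the constructed file, the audit reports root (dictionary word), fieldsvc (vendor default) and sysmaint (no password) as compromised uid-0 accounts and jsmith as guessable from its username, while mjones and the locked nobody account survive. The order of guesses matters in practice: username and vendor defaults cost one hash each, so they are tried before the word list.
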
Hackers Established
-------------------
Methods For Reentry
-------------------

The majority of the hackers' activities appeared to be aimed at gaining access to DOD computer systems and then establishing methods for later entry. In many of the intrusions, the hackers modified the system to obtain system administrator privileges and to create new privileged accounts. For example, at some sites where the hacker entered the system using a vendor-supplied password, the hackers ran a program that elevated the privileges of the account and then erased evidence of the intrusion by removing the program. The hackers then created new privileged accounts with passwords known only to them and that blended in with the sites' naming conventions, making detection more difficult.

While there was little evidence that the hackers destroyed information, in several instances the hackers modified and copied military information. In a few cases, the hackers stored this information at major U.S. universities. They modified system logs to avoid detection and to remove traces of their activities. The hackers also frequently browsed directories and read electronic messages. In a few cases, they searched these messages for such key words as military, nuclear, weapons, missile, Desert Shield, and Desert Storm.

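The following is an added example, not part of the testimony. A new privileged account that follows the site's own naming convention cannot be recognised by its name, so the check an administrator can actually run is a comparison of the current password file against a baseline copy saved when the system was known-good: new accounts, accounts elevated to uid 0, and changed home directories or shells all show up regardless of how plausible the names look. Both files below are constructed for this example; the hash field holds dummy strings because only the account name, uid, home and shell fields are examined.

```python
# Constructed baseline: site convention is first initial + surname, uid >= 1000.
BASELINE = """\
root:XXXX:0:0:Superuser:/:/bin/sh
bin:*:1:1:System binaries:/bin:/bin/false
fieldsvc:YYYY:0:0:Vendor field service:/usr/fieldsvc:/bin/sh
jsmith:ZZZZ:1001:100:J. Smith:/home/jsmith:/bin/csh
mjones:WWWW:1002:100:M. Jones:/home/mjones:/bin/csh
"""

# Constructed current file: "rbrown" looks like every other user account but
# carries uid 0, "mjones" has been quietly elevated, and "fieldsvc" has a new
# login shell.
CURRENT = """\
root:XXXX:0:0:Superuser:/:/bin/sh
bin:*:1:1:System binaries:/bin:/bin/false
fieldsvc:YYYY:0:0:Vendor field service:/usr/fieldsvc:/bin/csh
jsmith:ZZZZ:1001:100:J. Smith:/home/jsmith:/bin/csh
mjones:WWWW:0:100:M. Jones:/home/mjones:/bin/csh
rbrown:VVVV:0:100:R. Brown:/home/rbrown:/bin/csh
"""


def load_passwd(text):
    """Map account name -> fields of interest from seven-field passwd lines."""
    rows = (line.split(":") for line in text.splitlines()
            if line and not line.startswith("#"))
    return {f[0]: {"uid": int(f[2]), "home": f[5], "shell": f[6]} for f in rows}


def compare_passwd(baseline, current):
    """Return (severity, account, description) findings, highest severity first."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            sev = "HIGH" if cur["uid"] == 0 else "MEDIUM"
            findings.append((sev, name, f"not in baseline (uid {cur['uid']})"))
            continue
        if cur["uid"] != base["uid"]:
            sev = "HIGH" if cur["uid"] == 0 else "MEDIUM"
            findings.append((sev, name, f"uid changed {base['uid']} -> {cur['uid']}"))
        for field in ("home", "shell"):
            if cur[field] != base[field]:
                findings.append(("LOW", name, f"{field} changed {base[field]} -> {cur[field]}"))
    for name in baseline:
        if name not in current:
            findings.append(("LOW", name, "removed since baseline"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def uid0_accounts(entries):
    """Every uid-0 account is a superuser whatever it is called; the count
    alone is worth tracking because it should almost never grow."""
    return sorted(n for n, e in entries.items() if e["uid"] == 0)


if __name__ == "__main__":
    base, cur = load_passwd(BASELINE), load_passwd(CURRENT)
    print("uid 0 accounts:", uid0_accounts(base), "->", uid0_accounts(cur))
    for sev, acct, desc in compare_passwd(base, cur):
        print(f"{sev:6s} {acct:10s} {desc}")
```

The baseline has to be stored where an intruder with system administrator privileges cannot rewrite it (offline, or on another host), for the same reason the testimony gives for the modified system logs: a check that reads its reference from the compromised machine can be silenced by the same edit that created the account.
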
Agencies' Response
------------------
to the Incidents
----------------

In most cases, system administrators did not identify the intrusion, but were instead notified of the intrusion by university, contractor, or DOD officials. Once the system administrators were notified, they usually secured their system--such as changing the password of a vendor-supplied account. In a few cases, however, the sites left the vulnerability open temporarily in an effort to determine the intruder's identity. At one site we visited where this was done, the intruders' access to sensitive information was contained and coordinated with law enforcement agencies.

Only one of the three military services had written procedures for incident handling prior to the intrusions. Since the intrusions, however, the other two services have established written procedures. Despite the lack of procedures, at two of the sites we visited security personnel prepared an incident report after they were notified about the intrusion. In addition, one site we visited established computer hacker reporting procedures for their organization. They also included security tips, such as changing default passwords, using randomly-selected passwords, and maintaining audit trails.

HACKER INTRUSIONS HIGHLIGHT
---------------------------
INADEQUATE ATTENTION TO
-----------------------
COMPUTER SECURITY
-----------------

The security weaknesses that permitted the intrusions and prevented their timely discovery highlight DOD's inadequate attention to computer security. Poor password management, failure to maintain and review audit trails, and inadequate computer security training all contributed to the intrusions.

DOD directives and military service regulations and instructions require both adequate computer security training for those responsible for systems, and audit trails--records of system activities--that are reviewed periodically and detailed enough to determine the cause or magnitude of compromise. In addition, the military services require password management procedures. The intrusions, however, indicate that these requirements were not always followed.

Poor password management--easily-guessed passwords and vendor-supplied accounts whose password had not been changed--was the most commonly exploited weakness contributing to the intrusions, including those at each of the sites we visited. At one site we visited the hacker exploited a vendor-supplied account, left on the system without a password, that in turn provided system administrator privileges.

In addition, officials also noted that failure to maintain or periodically review audit trails was a key reason why most system administrators were unable to detect the intrusions or determine how long their system had been compromised. For example, few of the 34 sites whose systems were penetrated were able to identify or verify the intrusions.

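The following is an added example, not part of the testimony. It shows the review of an authentication audit trail that the preceding paragraph says most administrators never performed: each login is scored against a few site-specific rules (vendor account, account absent from the baseline, remote source, off-hours), and the first and last suspicious logins bound how long the system has been compromised. The log lines are constructed for this example in a syslog-like layout ("LOGIN ON tty BY user [FROM host]"); the wording of such records varied by system in 1991, so the regular expression is the part to adapt. The vendor-account set, baseline user set and the site's local address prefix are likewise constructed.

```python
import re
from datetime import datetime

VENDOR_ACCOUNTS = {"fieldsvc", "sysmaint"}                         # constructed
BASELINE_USERS = {"root", "jsmith", "mjones"} | VENDOR_ACCOUNTS    # constructed
LOCAL_PREFIXES = ("10.1.",)                        # constructed: the site's own nets

# Constructed record layout; adapt to the login program actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)(?: FROM (?P<host>\S+))?$"
)

# Constructed sample audit trail for one host.
SAMPLE_LOG = """\
Nov 12 08:02:11 depot1 login[311]: LOGIN ON console BY jsmith
Nov 13 23:41:05 depot1 login[402]: LOGIN ON ttyp2 BY fieldsvc FROM 192.0.2.77
Nov 14 09:15:40 depot1 login[455]: LOGIN ON ttyp0 BY mjones FROM 10.1.4.20
Nov 15 02:07:19 depot1 login[520]: LOGIN ON ttyp3 BY rbrown FROM 192.0.2.77
Nov 18 03:22:48 depot1 login[611]: LOGIN ON ttyp1 BY rbrown FROM 192.0.2.77
Nov 19 10:00:01 depot1 login[680]: LOGIN ON ttyp0 BY jsmith FROM 10.1.4.20
"""


def parse_log(text, year=1991):
    """Turn matching login records into dicts. Syslog omits the year, so the
    caller supplies it; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "user": m["user"], "host": m["host"], "tty": m["tty"]})
    return events


def reasons(event):
    """Why one login deserves a closer look; an empty list means routine."""
    out = []
    if event["user"] in VENDOR_ACCOUNTS:
        out.append("vendor account")
    if event["user"] not in BASELINE_USERS:
        out.append("account not in baseline")
    if event["host"] and not event["host"].startswith(LOCAL_PREFIXES):
        out.append("remote host")
    if event["time"].hour < 6:
        out.append("off hours")
    return out


def review(events):
    """Summarise suspicious activity per account, plus the window from the
    first to the last suspicious login (the minimum compromise period)."""
    per_user, window = {}, None
    for ev in sorted(events, key=lambda e: e["time"]):
        why = reasons(ev)
        if not why:
            continue
        rec = per_user.setdefault(ev["user"], {"first": ev["time"], "last": ev["time"],
                                               "hosts": set(), "reasons": set()})
        rec["last"] = ev["time"]
        if ev["host"]:
            rec["hosts"].add(ev["host"])
        rec["reasons"].update(why)
        window = (ev["time"], ev["time"]) if window is None else (window[0], ev["time"])
    return per_user, window


if __name__ == "__main__":
    users, window = review(parse_log(SAMPLE_LOG))
    for name, rec in users.items():
        print(f"{name:10s} {rec['first']} .. {rec['last']} "
              f"from {sorted(rec['hosts'])}: {sorted(rec['reasons'])}")
    print("compromise window:", window)
```

On the constructed trail the review isolates two accounts (the vendor account and the unknown rbrown), both arriving from the same outside address, and bounds the compromise to the five days between their first and last logins. The window is a lower bound only: the testimony notes the intruders edited system logs, so the trail must be forwarded to a host they did not control for the bound to mean anything.
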
Several officials stated that system administration duties are generally part-time duties and that administrators frequently have little computer security background or training. At one site, for example, the system administrator had little knowledge of computers and system administrator responsibilities. In addition, with the exception of a brief overview of computer security as part of the introductory training for the system, the system administrator had not received any computer security training. Moreover, after the intrusion occurred, the newly appointed system administrator did not receive any additional computer security training and did not know the proper security reporting chain.

The security weaknesses that I have described here today have been and continue to be exploited by various hacker groups. Two years ago we issued a report, Computer Security: Virus Highlights Need for Improved Internet Management (GAO/IMTEC-89-57), highlighting some of the same weaknesses--poor password management and system administrators who lacked the technical expertise to deal with security problems--that we discussed here today. In addition, numerous Computer Emergency Response Team (CERT) security advisories, available to anyone on the Internet, have addressed these weaknesses. Yet, despite these warnings, these security weaknesses continue to exist. Without the proper resources and attention, these weaknesses will continue to exist and be exploited, thus undermining the integrity and confidentiality of government information.

This concludes my remarks. I will now answer any questions you or members of the Subcommittee may have concerning these issues.

Downloaded From P-80 International Information Systems 304-744-2253