Hackers are becoming more and more successful in gaining root-privilege control of government computer systems containing sensitive information, said federal officials who testified last week before a U.S. House subcommittee. The officials said computers at many agencies are riddled with security weaknesses and that little is being done to change that.
When an attacker gets root privileges to a server, he essentially has the power to do anything a systems administrator could do, from copying files to installing software such as sniffer programs that can monitor the activities of end users. And intruders are increasingly doing just that, the officials told the House Subcommittee on Oversight and Investigation.
"The increase in the number of root compromises, denial-of-service attacks, network reconnaissance activities, destructive viruses and malicious code, coupled with the advances in attack sophistication, pose a measurable threat to government systems," said Sallie McDonald, an assistant commissioner at the General Services Administration (GSA).
Last year, 155 systems at 32 federal agencies suffered root compromises in which intruders took full administrative control of the machines, according to the GSA. That's up from 64 root compromises in 1998 and 110 two years ago. And the government has only a vague idea of what kinds of data may have fallen into unauthorized hands.
For at least five of the root compromises, officials were able to verify that access had been obtained to sensitive information, McDonald testified. But for the remaining 150 incidents, she added, "compromise of any or all information must be assumed." She characterized the compromised data as involving scientific and environmental studies but said she couldn't elaborate.
Meanwhile, in a report released last week summarizing security audits that have been completed at 24 federal agencies, the General Accounting Office (GAO) said it had identified significant security weaknesses at each one. Robert Dacey, director of information security issues at the GAO, said in his testimony that the shortcomings have "placed an enormous amount of highly sensitive data . . . at risk of inappropriate disclosure."
The government is going to find itself in "deep, deep trouble" if its IT security procedures aren't improved, warned Rep. Billy Tauzin (R-La.), chairman of the House Committee on Energy and Commerce. If sensitive personal data about U.S. citizens is compromised, "Americans are going to wake up angrier than you can possibly imagine," he said.
Many of the thousands of attempts to illegally gain access to federal systems come from abroad, testified Ronald Dick, who took over as the director of the FBI's National Infrastructure Protection Center cyberdefense agency last month. "We know many nations are developing information warfare capabilities as well as adapting [cybercrime] tools," he said.
Hackers are also exchanging vulnerability information with one another, said Tom Noonan, president and CEO of Internet Security Systems Inc. in Atlanta. "There is a whole new currency on the Internet that's called the back door," he said, adding that attackers are trading information about back doors that provide access to different systems.
One step the government could take to strengthen the security of its systems is to focus more resources on improving education and training, Noonan said. "Computer security experts are scarce," he added. "They are in short supply, and they are expensive."
A 1998 directive by President Clinton ordered all federal agencies to complete a virtual bulletproofing of their IT systems by May 2003. But officials said most agencies are behind in that work and that only a few are doing penetration testing.
This story, "Federal systems are prey to hackers," was originally published by Computerworld.