Hackers are succeeding more and more in gaining root-privilege control of government computer systems containing sensitive information, said federal officials who testified today before a U.S. House subcommittee that computers at many agencies are riddled with security weaknesses.
When an attacker gets root privileges to a server, he or she essentially has the power to do anything that a systems administrator could do, from copying files to installing software or sniffer programs that can monitor the activities of end users. And intruders are increasingly doing just that, the officials told the Subcommittee on Oversight and Investigation.
"The increase in the number of root compromises, denial-of-service attacks, network reconnaissance activities, destructive viruses and malicious code, coupled with the advances in attack sophistication, pose a measurable threat to government systems," said Sallie McDonald, an assistant commissioner at the U.S. General Services Administration (GSA).
Last year, 155 systems at 32 federal agencies suffered root compromises in which intruders took full administrative control of the machines, according to the GSA. That's up from 64 root compromises in 1998 and 110 in 1999. And the government has only a vague idea of what kind of data may have fallen into the wrong hands.
For at least five of the root compromises, officials were able to verify that access had been obtained to sensitive information, McDonald testified. But for the remaining 150 incidents, she added, "compromise of any or all information must be assumed." She characterized the compromised data as involving scientific and environmental studies but said she couldn't offer further details.
Meanwhile, the U.S. General Accounting Office (GAO), in a report released today summarizing security audits that have been completed at 24 federal agencies, said it had identified significant security weaknesses at each one. Robert Dacey, director of information security issues at the GAO, said in his testimony that the shortcomings have "placed an enormous amount of highly sensitive data...at risk of inappropriate disclosure."
The government is going to find itself in "deep, deep trouble" if its IT security procedures aren't improved, warned Rep. Billy Tauzin (R-La.), chairman of the House Energy and Commerce Committee. If sensitive personal data about U.S. citizens is compromised, "Americans are going to wake up angrier than you can possibly imagine," he said.
Many of the thousands of attempts to illegally access federal systems come from abroad, testified Ronald Dick, who took over as director of the FBI's National Infrastructure Protection Center cyberdefense agency last month. "We know many nations are developing information warfare capabilities as well as adapting [cybercrime] tools," he said.
Hackers are also exchanging vulnerability information with one another, said Tom Noonan, president and CEO of Internet Security Systems Inc. in Atlanta. "There is a whole new currency on the Internet that's called the back door," he said, adding that attackers are trading information about back doors that provide access to different systems.
One step the government could take to increase the security of its systems is to focus more resources on improving education and training, Noonan said. "Computer security experts are scarce," he added. "They are in short supply, and they are expensive." The average salary at his 2,000-employee security software company is $80,000, he noted.
A 1998 directive by President Clinton ordered all federal agencies to complete a virtual bulletproofing of their IT systems from attack by May 2003. But officials said most agencies are behind in that work, and only a few are doing penetration testing.
"We are not surprised or pleased by what we are finding," said Rep. James Greenwood (R-Pa.), chairman of the subcommittee that held today's hearing. Even more alarming, he added, is the fact that many attacks aren't detected. "We don't know what was done, and we have no way of knowing what was done," Greenwood said.
During the hearing, subcommittee members watched with rapt attention as a U.S. Department of Energy security team demonstrated how systems are scanned, probed and accessed by intruders. The demonstration also covered how passwords can be cracked and data can be copied after unauthorized access to a system is gained.
This story, "Officials: Federal systems increasingly falling prey to hackers" was originally published by Computerworld.