Information Security News mailing list archives

Cyber security faulted at U.S. Energy Department


From: InfoSec News <isn () C4I ORG>
Date: Wed, 14 Jun 2000 10:42:19 -0500

http://news.excite.com/news/r/000613/18/crime-nuclear-computers

By Jim Wolf

WASHINGTON (Reuters) - Several unclassified computer networks
belonging to the U.S. Energy Department are so vulnerable to intruders
that "any Internet user" could gain control of them, an in-house
watchdog told Congress Tuesday.

An audit carried out April 17 to 28 found an unspecified number of
"Web servers" managed by individual program offices were located
entirely outside a so-called firewall designed to protect against
unauthorized access.

A Web server is a computer that displays pages on the Internet. At
issue is the department's unclassified computing system. It consists
of a backbone network and 25 individual local area networks operated
by 29 different program offices in the Washington area.

In all but one case, "there are no security barriers between segments"
connected to the common backbone, Energy Secretary Bill Richardson's
Office of Independent Oversight and Performance Assurance reported.

Most of the servers outside the firewall were found to be "vulnerable
to common hacking exploits, and some contain vulnerabilities that
could allow any Internet user to gain system administrator-level
privileges," Glenn Podonsky, the office director, said.

With such high-level access, an attacker could deface or shut down an
Energy Department Web site "or configure the server to launch attacks
against other Internet entities," the public version of the
watchdog's report said.

"Headquarters has not developed overall cyber security procedures or
minimum requirements for each network segment on the network,"
Podonsky added. He made his comments to the House Commerce
Subcommittee on Oversight and Investigations.

ONLY AS GOOD AS THE WEAKEST LINK

Disclosure of the gaps in cyber security was the latest blow to the
Energy Department, which acknowledged Monday that two highly
classified computer hard drives containing nuclear weapons data had
disappeared from a vault at Los Alamos National Laboratory in New
Mexico.

Podonsky said the overall Energy Department network was only as good
as the weakest link.

"In effect, the potentially effective practices of some program
offices are largely negated by the ineffective practices of other
program offices," he said. The audit was prompted by a request from
Rep. Heather Wilson, a New Mexico Republican.

Retired Air Force Gen. Eugene Habiger, the department's security
"czar," told the panel that the department was moving aggressively to
address shortcomings cited in the cyber security audit.

He faulted the Republican-led Congress for allegedly failing to meet
the department's fiscal 2000 supplemental budget request for $35
million to address cyber security needs. Instead, he said, Congress
appropriated only $7 million.

"Consequently, the headquarters' unclassified cyber security
initiatives were given low priority in light of more pressing needs
at our field sites," Habiger said.

Habiger took over as director of a newly created Office of Security
and Emergency Operations a year ago after a Taiwanese-American
scientist, Wen Ho Lee, was fired on charges of mishandling nuclear
secrets at Los Alamos. Lee, now at a New Mexico prison awaiting trial,
has denied the charges.

House Commerce Committee Chairman Tom Bliley, a Virginia Republican,
called the audit evidence of "nothing less than a failure of
leadership" by Richardson. Richardson is a possible vice-presidential
running mate of Al Gore, the presumptive Democratic nominee for
president in the November elections.

Referring to the missing hard drives, Bliley said the Energy
Department and its labs "still have a long way to go before the
American public can or should feel confident that our nuclear secrets
are safe in their hands."
