Kansas auditors crack 1,000 passwords

The Kansas Health and Environment Department has serious IT security and disaster recovery problems, the state's legislative auditor has found. The auditors said they used password-cracking software to decipher more than 1,000 of the department's passwords, including several administrative passwords, or 60 percent of the total, in three minutes.

The department began fixing the security weaknesses and other problems found in its systems as soon as it learned of them, department secretary Roderick L. Bremby said in response to the report.

"The department's antivirus system was badly flawed, allowing computers to become infected with a large number of different viruses, worms and Trojan horses," said the report, Kansas Department of Health and Environment Information Systems: Reviewing the Department's Management of Those Systems.

"The department's firewall was poorly configured, creating several large holes in and out," the report said. Auditors found that the department lacked or failed to enforce many basic security policies, such as procedures for incident response, physical security, configuration documentation and former-user account deletion. They also found several major problems with security planning.

The auditors concluded that the department lacked the tools necessary to recover from a disaster and said the plan, left over from the year 2000 rollover, "would be nearly useless in a disaster."

In response to the auditors' recommendations, the department hired FishNet Security Inc. of Kansas City, Mo., for a complete vulnerability assessment.

In response to the auditors' recommendations to overhaul systems security and other IT problems, Bremby wrote, "All recommendations will be ranked and prioritized by risk, and deadlines will be established to complete all recommendations as quickly as possible." He encouraged the auditors to conduct a second review within a year.

