Democrats' cyber-embarrassment offers lessons on IT security
- By William Jackson
- Jan 22, 2004
The office of Senate Sergeant at Arms William Pickle is investigating the apparent unauthorized access to computer files of the Judiciary Committee Democratic staff, and hopes to present a report to the committee in three or four weeks, a source familiar with the investigation said.
The apparent compromise of Democratic files by Republican counterparts offers lessons to those assigned to safekeeping sensitive information.
'It appears to be a simple security policy issue,' said Chris Rouland, vice president of the X-Force research and development department of Internet Security Systems Inc. of Atlanta.
It appears to be a case of using default security settings in which passwords for new users were left blank or access permissions were left wide open, Rouland said. 'It looks like there was a lack of enforcement and auditing of policy.'
The Sergeant at Arms is investigating how Democratic memos got into Republican hands between spring 2002 and April 2003. The documents discussed Democratic strategies for responding to nominations to the federal bench. The breach appears to be the result of a mistake in configuring new Democratic user accounts on a shared server.
The quiet exploitation of this flaw for as long as a year reflects a growing trend in computer hacking, Rouland said. Rather than breaking into a system publicly for the bragging rights, hackers motivated by political or financial gain are taking advantage of vulnerabilities for as long as possible without calling attention to themselves.
Rouland said the compromise appears to be a classic case of an IT system that is crunchy on the outside but chewy on the inside'lacking internal security against insider threats.
'The exterior perimeter of Senate.gov is certainly hardened,' he said. Architecturally both Democratic and Republican staffs are insiders, but politically they are opponents with a need to keep data confidential. In any organization, internal security can be just as important as perimeter security.
William Jackson is a Maryland-based freelance writer.