Thread: Come fly with us...come fly away...or take the train...OPPS!

  1. #1
    Senior Member (Join Date: Dec 2004, Posts: 3,171)

    Oct 20, 2005
    US Gov't Agency Needs to Improve IT Security
    During a recent audit of the U.S. Department of Transportation’s IT systems, the agency’s inspector general was able to take control of a vulnerable server and gain access to sensitive information -- a security lapse that he said could put a number of department systems at risk.

    It was one of the findings by DOT Inspector General Kenneth Mead, who uncovered about 3,000 weaknesses in the department’s IT systems -- including previously reported vulnerabilities that were never fixed, according to the report.

    The DOT oversees 10 agencies, including the Federal Railroad Administration (FRA) and the Federal Aviation Administration (FAA). It was an FRA server that the inspector general was able to take over.

    "These weaknesses enabled us to gain total [root-level access] control over a critical file server, desktop computers and a network switch," according to Mead’s report. "From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information."

    Because of interconnectivity among all DOT networks, the security lapse put other departmental systems at risk, the report said.

    The inspector general also noted that the FRA hasn’t fully deployed an intrusion-detection system, despite years of effort, meaning the DOT can’t effectively protect its computers, according to the report.

    Mead also noted that the DOT failed to install software patches on a timely basis, allowing 700 departmental computers to be infected with the recent Zotob worm. The worm was introduced to the DOT’s network by a contract employee who connected his laptop to the agency’s network in violation of department policy, he said.

    "DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades," according to the report.

    Although the report said that FRA officials are working to eliminate critical vulnerabilities, other agencies have been slow to act. "For example, one of the pending actions is to enhance password security protection in [an FAA] system that contains privacy information," Mead said. "This inexpensive fix would significantly reduce the risk of unauthorized access."

    According to the report, Mead notified DOT officials in 2004 that the FAA needed to improve its IT system security. But the aviation agency didn’t start making improvements until this past April.

    Mead is now working on two new reports on security problems in the FAA system for maintaining air traffic control surveillance, navigation and communications equipment. According to the inspector general, the FAA failed to address earlier air traffic control systems security recommendations.

    For example, the FAA collected system security information on only about half of the systems used to support high-altitude air traffic services, meaning other critical systems were not reviewed. Because it has not yet analyzed the information it collected, it hasn’t determined what needs to be done to correct any problems. FAA officials also haven’t performed independent on-site testing of its high-risk systems, something that’s required by law, according to the report.

    In addition to addressing specific vulnerabilities, the DOT also needs to provide more oversight of its IT investments at the FAA, the report said.

    "We reviewed 16 FAA major acquisitions and found that nine projects had experienced schedule delays of two to 12 years and 11 projects had experienced cost growth of about US$5.6 billion [from $8.9 billion to $14.5 billion]," Mead said, adding that air traffic control modernization projects still face performance problems, cost increases and schedule delays.

    According to the inspector general, the DOT’s CIO received a draft of the report, agreed with Mead’s findings and recommendations, and plans to provide written comments describing exactly what the DOT is doing to correct the problems.

    "We have reviewed the report, and we will provide the [inspector general] with a response shortly," said DOT spokesman Bill Mosley.
    http://www2.csoonline.com/blog_view.html?CID=13352
    US Gov't Agency Needs to Improve IT Security - Security Feed - Blog - CSO Magazine

  2. #2
    Senior Member (Join Date: Dec 2004, Posts: 3,171)
    as an add-on...

    This shortfall not only affects security but also means the FAA may have trouble meeting the goals outlined in the President’s Management Agenda, the administration’s initiative to improve government efficiency, OMB added.

    “The bill … provides only $8 million for FAA information security, which is $4 million below the required funding level for this important program,” OMB said.

    Information security at FAA’s air traffic control centers has come under fire from the Transportation Department’s inspector general as well as the Government Accountability Office. In recent reports, both offices said FAA’s air traffic control units are vulnerable to cyberattack.
    http://www.gcn.com/vol1_no1/daily-updates/37361-1.html
    White House wants more IT security funds for FAA

    more on the FAA...

    RALEIGH, N.C. -- An air traffic controller criticized federal officials Wednesday for delaying implementation of a new ground radar system at Raleigh-Durham International Airport.

    John Brown said the multimillion-dollar ASDE-X radar would help eliminate close calls between taxiing planes and those landing or taking off.

    A spokeswoman for the Federal Aviation Administration said ASDE-X is being implemented at 35 airports nationwide, including Charlotte-Douglas International. But RDU is among 15 airports where the radar system would be delayed.

    "With the air traffic controllers' contract negotiations pending, no date has been set for future deployments of ASDE-X," spokeswoman Kathleen Bergen said.

    "This is a piece of equipment that will allow the controllers in the tower to see aircraft and vehicles on the ground and on the runway during periods of low visibility when weather precludes us from looking out the window," Brown said.

    He said he's seen a number of near misses firsthand during his 19-year career and notes that the control tower at RDU is understaffed -- five of the 48 air traffic controller positions at the airport are open -- and overtaxed.

    "I've seen things that would make someone nervous to fly," he said. "We want this piece of equipment. We need this piece of equipment. And we think the flying public should demand it."

    http://www.nbc17.com/news/5128545/detail.html
    NBC 17 - News - Controller: RDU Needs New Radar System

    and...

    Former Microsoft Employee Sentenced to 30 Months in Prison

    A former Microsoft employee who federal prosecutors say used his position at the company to steal software has been sentenced to 30 months in prison.

    A federal jury convicted Frank Philips in July on ten counts of wire fraud and one count of use of a false Social Security number.

    Prosecutors say Philips used the company's internal ordering system to order large amounts of software and then sold the software on eBay and to software retailers. He gained more than $100,000, which he used for his personal expenses, according to prosecutors.

    The company hired Philips in 2000. In December of 1999, he had been sentenced for Social Security fraud for submitting to the FAA an application that listed a false Social Security number. Philips used a different false Social Security number with Microsoft and claimed he had never been convicted of a felony, according to prosecutors.

    In addition to 30 months in prison, his latest sentence includes three years of supervised release and he was ordered to pay $666,290 in restitution.
    http://hr.blr.com/display.cfm/id/16831
    Former Microsoft Employee Sentenced to 30 Months in Prison
