computerwoche.de

Archiv

IT worker disputes state government security breach

30.03.2006
A New Hampshire state IT employee who was placed on paid leave last month after an alleged security breach involving a government server is disputing the state's explanation of the incident.

Douglas A. Oliver, 44, a Web middleware engineer who says he was placed on paid leave Feb. 17 in connection with the incident, said he is speaking out because the state's account is 'incredibly skewed in my estimation.'

In the incident last month, state officials in Concord announced that the FBI and the U.S. Department of Justice were part of an investigation into the discovery of the Cain & Abel program during a routine check of state servers. The server was used by the N.H. Division of Motor Vehicles and the state Veterans Home to transmit financial information. It was also used by the state's Liquor Commission as a backup for sales transactions. No incidents of fraudulent use of credit card numbers on the server have been reported.

Oliver, who has worked in the N.H. Office of Information Technology (OIT) since 2002, said he participated as a member of an OIT security audit team since early last year, when a state government Web site was hit by hackers who defaced several pages with 'graffiti' messages. In response, the OIT began conducting penetration-vulnerability and threat-assessment testing to look at the state's overall IT security, Oliver said.

To conduct the threat assessments, Oliver said he and other IT employees installed and used a collection of software tools, including a copy of Cain & Abel -- a password-recovery program for Microsoft Corp. products that can also be used as malware by hackers to capture and crack passwords -- so that the state's IT security could be accurately tested against real-world intrusions.

The Cain & Abel program was placed on the server using Oliver's security credentials, he said. 'The reasons it was there was totally authorized and legitimate,' he said. Using the application, testing showed that there were several security problems in the system, including Domain Name System cache poisoning, the presence of plain-text, domain-level administrative passwords in files that were viewable by anonymous users and faulty operational practices -- including the presence of local accounts of people no longer employed by the state.