United States General Accounting Office _____________________________________________________________________________ GAO Testimony Before the Subcommittee on Government Information and Regulation, Committee on Governmental Affairs, United States Senate _____________________________________________________________________________ For Release COMPUTER on Delivery SECURITY Expected at 1:00 p.m. EST Wednesday, November 20, 1991 Hackers Penetrate DOD Computer Systems Statement of Jack L. Brock, Jr. Director Government Information and Financial Management Information Management and Technology Division GAO/T-IMTEC-92-5 _____________________________________________________________________________ Mr. Chairman and Members of the Subcommittee: I am pleased to participate in the Subcommittee's hearings on computer security. At your request, our work focused on hacker intrusions into Department of Defense (DOD) unclassified, sensitive computer systems during Operation Desert Storm/Shield. My testimony today is based on our review of intrusions by a group of Dutch hackers into Army, Navy, and Air Force computer systems. In particular, we conducted a detailed review of the hacker intrusions and system administration responsibilities at three DOD sites. While our focus was on unclassified, sensitive systems, some of the systems penetrated by this group of hackers did not contain sensitive information. The government faces increased levels of risk for information security because of greater network use and computer literacy, and greater dependency on information technology overall. For years hackers have been exploiting security weaknesses of systems attached to the Internet--an unclassified network composed of over 5,000 smaller networks nationwide and overseas and used primarily by government and academic researchers. Their techniques have been publicized in hacker bulletin boards and magazines, and even in a bestseller, The Cuckoo's Egg written by Clifford Stoll. Hackers, however, continue to successfully exploit these security weaknesses and undermine the integrity and confidentiality of sensitive government information. Between April 1990 and May 1991, computer systems at 34 DOD sites attached to the Internet were successfully penetrated by foreign hackers. The hackers exploited well-known security weaknesses-- many of which were exploited in the past by other hacker groups. These weaknesses persist because of inadequate attention to computer security, such as password management, and the lack of technical expertise on the part of some system administrators-- persons responsible for the technical management of the system. DUTCH HACKERS PENETRATE ----------------------- DOD COMPUTER SYSTEMS -------------------- Between April 1990 and May 1991, computer hackers from the Netherlands penetrated 34 DOD sites. DOD officials, however, are still unable to determine the full scope of the problem because security measures for identifying intrusions are frequently lacking. At many of the sites, the hackers had access to unclassified, sensitive information on such topics as (1) military personnel--personnel performance reports, travel information, and personnel reductions; (2) logistics-- descriptions of the type and quantity of equipment being moved; and (3) weapons systems development data. Although such information is unclassified, it can be highly sensitive, particularly during times of international conflict. For example, information from at least one system, which was successfully penetrated at several sites, directly supported Operation Desert Storm/Shield. In addition, according to one DOD official, personnel information can be used to target employees who may be willing to sell classified information. Further, some DOD and government officials have expressed concern that the aggregation of unclassified, sensitive information could result in the compromise of classified information. Hackers Exploit Well-Known -------------------------- Security Weaknesses ------------------- The hackers generally gained access to the DOD computer systems by travelling through several networks and computer systems. Using commercial long-distance services, such as Tymnet, the hackers weaved their way on the Internet through university, government, and commercial systems, often using these sites as platforms to enter military sites. The hackers then exploited various security weaknesses to gain access into military sites. The most common weaknesses included (1) accounts with easily guessed passwords or no passwords, (2) well-known security holes in computer operating systems, and (3) vendor-supplied accounts--privileged accounts with well-known passwords or no passwords at all that are used for system operation and maintenance. Once the hackers had access to a computer at a given site, access to other computers at that site was relatively easy because the computers were often configured to trust one another. At several sites the hackers exploited a Trivial File Transfer Protocol#1 (TFTP). Some versions of this program had a well- known security hole that allowed users on the Internet to access a file containing encrypted passwords without logging into the system. Once the hackers accessed the password file, they (1) probed for accounts with no passwords or accounts where the username and password were identical, or (2) downloaded the password file to another computer and ran a password cracking program--a program that matches words found in the dictionary against the encrypted password file. Finally, the hackers entered the system, using an authorized account and password, and were granted the same privileges as the authorized user. At two of the sites we visited the hackers were able to enter the systems because vendor-supplied accounts were left on the system with a well-known password or with no password at all. Operating systems and software are often delivered to users with certain accounts necessary for system operation. When delivered, these _________________________________________________________________ 1 TFTP is a file transfer program that permits the copying of files without logging in. 3 accounts--some of which include system administrator privileges that allow them to do anything on the system without restriction- -are often unprotected or are protected with known passwords, and are therefore vulnerable until the password is changed. Hackers Established ------------------- Methods For Reentry ------------------- The majority of the hackers' activities appeared to be aimed at gaining access to DOD computer systems and then establishing methods for later entry. In many of the intrusions, the hackers modified the system to obtain system administrator privileges and to create new privileged accounts. For example, at some sites where the hacker entered the system using a vendor-supplied password, the hackers ran a program that elevated the privileges of the account and then erased evidence of the intrusion by removing the program. The hackers then created new privileged accounts with passwords known only to them and that blended in with the sites' naming conventions, making detection more difficult. While there was little evidence that the hackers destroyed information, in several instances the hackers modified and copied military information. In a few cases, the hackers stored this information at major U.S. universities. They modified system logs to avoid detection and to remove traces of their activities. The hackers also frequently browsed directories and read electronic messages. In a few cases, they searched these messages for such key words as military, nuclear, weapons, missile, Desert Shield, and Desert Storm. Agencies' Response ------------------ to the Incidents ---------------- In most cases, system administrators did not identify the intrusion, but were instead notified of the intrusion by university, contractor, or DOD officials. Once the system administrators were notified, they usually secured their system-- such as changing the password of a vendor-supplied account. In a few cases, however, the sites left the vulnerability open temporarily in an effort to determine the intruder's identity. At one site we visited where this was done, the intruders' access to sensitive information was contained, and coordinated with law enforcement agencies. Only one of the three military services had written procedures for incident handling prior to the intrusions. Since the intrusions, however, the other two services have established written procedures. Despite the lack of procedures, at two of the sites we visited security personnel prepared an incident 4 report after they were notified about the intrusion. In addition, one site we visited established computer hacker reporting procedures for their organization. They also included security tips, such as changing default passwords, using randomly-selected passwords, and maintaining audit trails. HACKER INTRUSIONS HIGHLIGHT --------------------------- INADEQUATE ATTENTION TO ----------------------- COMPUTER SECURITY ----------------- The security weaknesses that permitted the intrusions and prevented their timely discovery highlight DOD's inadequate attention to computer security. Poor password management, failure to maintain and review audit trails, and inadequate computer security training all contributed to the intrusions. DOD directives and military service regulations and instructions require both adequate computer security training for those responsible for systems, and audit trails--records of system activities--that are reviewed periodically and detailed enough to determine the cause or magnitude of compromise. In addition, the military services require password management procedures. The intrusions, however, indicate that these requirements were not always followed. Poor password management--easily-guessed passwords and vendor- supplied accounts whose password had not been changed--was the most commonly exploited weakness contributing to the intrusions, including those at each of the sites we visited. At one site we visited the hacker exploited a vendor-supplied account, left on the system without a password, that in turn provided system administrator privileges. In addition, officials also noted that failure to maintain or periodically review audit trails was a key reason why most system administrators were unable to detect the intrusions or determine how long their system had been compromised. For example, few of the 34 sites whose systems were penetrated were able to identify or verify the intrusions. Several officials stated that system administration duties are generally part-time duties and that administrators frequently have little computer security background or training. At one site, for example, the system administrator had little knowledge of computers and system administrator responsibilities. In addition, with the exception of a brief overview of computer security as part of the introductory training for the system, the system administrator had not received any computer security training. Moreover, after the intrusion occurred, the newly appointed system administrator did not receive any additional 5 computer security training and did not know the proper security reporting chain. The security weaknesses that I have described here today have been and continue to be exploited by various hacker groups. Two years ago we issued a report, Computer Security: Virus Highlights Need for Improved Internet Management, (GAO/IMTEC-89- 57), highlighting some of the same weaknesses--poor password management and system administrators who lacked the technical expertise to deal with security problems--that we discussed here today. In addition, numerous Computer Emergency Response Team (CERT) security advisories, available to anyone on the Internet, have addressed these weaknesses. Yet, despite these warnings, these security weaknesses continue to exist. Without the proper resources and attention, these weaknesses will continue to exist and be exploited, thus undermining the integrity and confidentiality of government information. This concludes my remarks. I will now answer any questions you or members of the Subcommittee may have concerning these issues. 6 .