Lax security left Senate files wide open (Memogate)

www.gcn.com ^ | 3/5/2004 | William Jackson

[GodGunsandGuts]

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a “significant lack of security” on the committee’s network.

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator’s inexperience and lack of training.

“Forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network,” said the report, released yesterday. “Any user on the network could read, create, modify or delete any of the files or folders.”

The report made recommendations for improving the committee’s computer security, including setting minimal technical skill standards for administrators.

The problems came to light in a three-month investigation by Sergeant at Arms William H. Pickle about leaks of Democratic memos to the press late last year. The apparent intent was to embarrass Democrats by revealing political strategies in opposing conservative judicial nominations. But the investigation exposed partisan spying by several GOP staff members.

In what was described as an unprecedented investigation, the sergeant at arms hired an outside computer forensics firm to help in the investigation.

Republican and Democratic committee staffs share a single LAN, which until recently had a single administrator. Investigators found that user accounts established before August 2001 were generally created with strict access controls. Those established after that date, when a new administrator was hired, were open.

According to Pickle’s report, a committee clerk discovered he could access Democratic files in the fall of 2001 while he watched the systems administrator working. Improper access apparently continued until last spring, when the network hardware and software were upgraded. Although many accounts remained open, the directories no longer were visible to most users. A new administrator was hired last July.

Most of the investigation’s results came from interviews with staff members. Security practices were so inadequate that forensics specialists said they could learn little.

“While there was extensive forensic analysis of servers and individual workstations, the results were limited due to the absence of proactive security auditing,” the report said.

No record was kept of changes in access controls, and it was not possible to tell who was accessing what files.

The sergeant at arms concluded that the lapses were not the result of malicious behavior by the administrator, who was hired just out of college, but rather of lack of experience, training and oversight.

The problems found in the investigation were not limited to that period, or to the Judiciary Committee.

“Like some other Senate offices, the Judiciary Committee has historically been staffed with systems administrators who preferred to perform most computer-related tasks themselves,” the report said. “This has been true even if they had only minimal technical experience.”

Since the leak was discovered, the committee’s Republican and Democratic staffs have been put on separate LANs with separate administrators. Chairman Orrin Hatch (R-Utah) and ranking Democrat Patrick Leahy of Vermont requested a network security audit by the General Services Administration in February.

Although the report identified several possible ethics and criminal violations, it made no recommendation for legal action. It did, however, recommend these actions to improve IT security throughout the Senate:

• Establish technical skills assessment, certification and continuing education requirements for system administrators
• Set minimum qualifications for administrators
• Create a best-practices manual for computer security
• Require ethics and computer security training for all new employees.

[GodGunsandGuts]

hmmm....I figured as much but here is the official finding. I can tell you my keester would be in the soup line if I did this. Also interesting that the whole infrastructure was taken care of by one admin.

[Spruce]

I assume the firings are over.

[Fun Bob]

Hey democrats, we are sorry about filegate...we are sorry you found out and put a password on your publically acessible files. Sorry, you put the information out there, you don't take the proper security procedures so that they can be read without any security invasion (double click!) and it is your fault.

miserable failure miserable failure miserable failure miserable failure war criminal

[jocko12]

THE DIMS ARE GETTING DIMMER.

[deport]

03/05/04

Lax security left Senate files wide open

By William Jackson
GCN Staff

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a “significant lack of security” on the committee’s network.

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator’s inexperience and lack of training.

“Forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network,” said the report, released yesterday. “Any user on the network could read, create, modify or delete any of the files or folders.”

The report made recommendations for improving the committee’s computer security, including setting minimal technical skill standards for administrators.

The problems came to light in a three-month investigation by Sergeant at Arms William H. Pickle about leaks of Democratic memos to the press late last year. The apparent intent was to embarrass Democrats by revealing political strategies in opposing conservative judicial nominations. But the investigation exposed partisan spying by several GOP staff members.

In what was described as an unprecedented investigation, the sergeant at arms hired an outside computer forensics firm to help in the investigation.

Republican and Democratic committee staffs share a single LAN, which until recently had a single administrator. Investigators found that user accounts established before August 2001 were generally created with strict access controls. Those established after that date, when a new administrator was hired, were open.

According to Pickle’s report, a committee clerk discovered he could access Democratic files in the fall of 2001 while he watched the systems administrator working. Improper access apparently continued until last spring, when the network hardware and software were upgraded. Although many accounts remained open, the directories no longer were visible to most users. A new administrator was hired last July.

Most of the investigation’s results came from interviews with staff members. Security practices were so inadequate that forensics specialists said they could learn little.

“While there was extensive forensic analysis of servers and individual workstations, the results were limited due to the absence of proactive security auditing,” the report said.

No record was kept of changes in access controls, and it was not possible to tell who was accessing what files.

The sergeant at arms concluded that the lapses were not the result of malicious behavior by the administrator, who was hired just out of college, but rather of lack of experience, training and oversight.

The problems found in the investigation were not limited to that period, or to the Judiciary Committee.

“Like some other Senate offices, the Judiciary Committee has historically been staffed with systems administrators who preferred to perform most computer-related tasks themselves,” the report said. “This has been true even if they had only minimal technical experience.”

Since the leak was discovered, the committee’s Republican and Democratic staffs have been put on separate LANs with separate administrators. Chairman Orrin Hatch (R-Utah) and ranking Democrat Patrick Leahy of Vermont requested a network security audit by the General Services Administration in February.

Although the report identified several possible ethics and criminal violations, it made no recommendation for legal action. It did, however, recommend these actions to improve IT security throughout the Senate:

• Establish technical skills assessment, certification and continuing education requirements for system administrators
• Set minimum qualifications for administrators
• Create a best-practices manual for computer security
• Require ethics and computer security training for all new employees.
  
  

[hoosiermama]

If the GOP staff members had access, than others must have also. Maybe it WASN'T a GOP staff member who "leaked" the information.

I smell a RAT. First you leave the information accessible, then you "leak" it and blame your opponent.....Sounds like a set up to me.

[Diogenesis]

The Republicans should censure themselves
and then give the Democrats an award for stealing (and using ) the FBI files.

[4integrity]

Miranda, the Repub staffer who resigned(?), was on with Cal Thomas of Fox News, and stated that many of the Dem memos are not legally protected documents. So, why have these memos not been made public? Why isn't Sen. Frist talking about the content of the memos? This should have been the primary issue....but the Dems are good at manipulating the media. Frist should replace Hatch as Chair of Judicial Committee.

[Spruce]

I rescind my comment in post #2.

This is not about computer security. It's about the treason words spoken and recorded.

[sarasmom]

No, sounds like typical RINO rollover.
Shoot the messenger, and forget all about the message.
Judge the style, not the substance.
Nail a man for tax evasion, and forget all about actual murders and victims.
We must set priorities in investigating political crimes! /sarcasm//.

[angkor]

Always remember to leave those "Democrat" and "Republican" shares open to Everyone. It's too much of a headache to use group profiles. And never turn on auditing. Someone might yell at you if you question their activities on the network.

[angkor]

smell a RAT. First you leave the information accessible, then you "leak" it and blame your opponent

"No record was kept of changes in access controls, and it was not possible to tell who was accessing what files."

[harpo11]

Right on! Mrs. Clinton's stealing of over 900 FBI files vs. some stupid computer glitch merits far more investigation.

[Cultural Jihad]

miserable failure miserable failure miserable failure miserable failure war criminal
(worth repeating)

[expatpat]

That wasn't a computer glitch -- they were provided to her (via Livingstone, I believe) by the FBI.

[savedbygrace]

Miranda should get his job back. He has been vindicated by this report. He is one of the good guys and deserves our support.

[Loyal Buckeye]

Answer this one. If the RATs can't keep their own files secure, how would they ever keep our country secure?

[weegee]

What portion of this computer server does the DNC own? We know that the DNC illegally used government computers during the Clinton administration.

How are these memos "Democrat" or "Democratic" files? They are files. I do not read that any falsification of identity was needed to become "super user" and to have access to the files. There was no "theft" because there was no security.

Teddy Kennedy has compared this to Watergate but the DNC does not own this space. When I worked at Compaq we commonly shared files across the network. Secure drives containing confidential information required password access.

Miguel Miranda is a whistelblower into possibly illegal corruption between 501c3 charities (like the NAACP) and senators who were trying to manipulate court decisions by withholding judicial nominees.

The Rats are just upset that a paper trail remains.

[savedbygrace]

You're asking the wrong person. I mean, I know the right answer (they can't), but I'm not the one you need to ask.

[Waco]

Can't everyone wake up? The RATS set the system up. They "snooped" from the start. So what, if they were exposed on anything? They could count on the media to run cover, which it has. (Have the chicom $$$$$$$ arrived yet?) That's what set of the "CFR" farce,remember?

[CyberAnt]

And .. what I find very interesting is that 2 years ago when someone from the repub offices alerted the dems of the security lapse, they DID NOTHING .. why?? Maybe because the dems liked being able to have access to all the repub memos.

I'm thinking that way because of the way the dems reacted to the disclosure of the nasty dem memo, and accused the repubs of "hacking", "burglary", "stealing", etc. - as soon as I heard that, the first thing that came to mind was, "me thinks thou protesteth too much".

[CyberAnt]

See my #21

[CyberAnt]

I think it was Greg Jarrett the other day on Fox - he was hot and came very close to calling the guest a liar over the "stolen" memo issue. He was especially upset over the collusion between a senator and the NAACP. He also brought up the comment in the memo which says they can't have Estrada because he's Latino! Greg was livid!!

[leprechaun9]

There was no leak. The Democraps treat their political heavy handedness the same as they treat matters of National Security. Didn't Billy Clintoooooon arrange for the encryption coding of our satellite communications to go to the Chinese - LORAL or something like that?

[Political Junkie Too]

Let's not forget that we're talking about the same Democrat party that somehow failed to archive all the White House emails during the Clinton years because the server name was "mail" instead of "Mail", at least that was the excuse given by the crack IT staff when they found that all the email backup tapes were blank.

Of course, that was the same Democrat White House that had the West Wing phone banks reduced to less than state-of-the-art systems because they didn't want the ability to have phone calls traced to specific offices.

With the deviousness that they show everywhere else, one has to assume that everything they do has some kind of plausible deniability "out" in the plan.

-PJ

[onyx]

Thank you.

[Fishtalk]

You know, I kind of admire how the Dems handled this. It's amazing how they turned what could have been a PR nightmare around and made it into an attack on the Repubs. Of course it's unfair and of course it takes gall.

But consider first just who allowed this to happen. And please consider first one Orrin Hatch who is the biggest of the Repub apologists. He FIRED a guy for looking at a memo that was not protected or passworded or kept out of the public domain in any fashion. Ole Orrin would let a Dem pee on his shoe, tell him it's raining, and apologize for not having larger shoes.

Instead of standing up and fighting like men, the Repubs were once again weak. They had political dynamite in those memos and they stood by and let the Dems turn it against them.

My fellow Freepers, stop all yer complaining. If this were a board game the Dems would have won handily due to excellent strategizing.

Only it's not a board game and if the Repubs don't grow a pair or get a clue, they are going to lose the election.

Simple as that.

[concerned about politics]

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a “significant lack of security” on the committee’s network.

"Here. Make these files accessible to Republicans. We can say they stole them, and pull off another Water Gate. Ahhhh , just like the good old days."

[Libertina]

eeeewh! There was no warning on your link!

[CedarDave]

Checkout MoveOn.org's earlier take on this. They must have sent out lots of press releases to every nickel and dime paper in the country. This one bought their propaganda:

Hatch caught in embarrassing online tryst with publisher of stolen RAT documents (FR mentioned)

[backhoe]

http://www.freerepublic.com/focus/f-news/1015980/posts

MemoGate- sedition, slander-- or something worse?
Various FR links | 11-06-03 | The Heavy Equipment Guy

 

http://www.freerepublic.com/focus/f-news/1015980/posts

MemoGate- sedition, slander-- or something worse?
Various FR links | 11-06-03 | The Heavy Equipment Guy

[sam_paine]

Anybody wonder if the tenderfootedness of Frist Repubs etal about attacking the Dems on this (and other recent things) is because the Pubs are still nervous about their own strategic info security?

Suppose they suspected that their e-communications were potentially comprimised and that faxes were a non-starter uncontrolled hardcopy alternative.....

...how would Republicans get their talking points out?

I just offer this as a possible explanation as to partly why we see pitiful Pub reaction to the Dem lie machine, and why the only response we get is an old fashioned point-source response from the President, and nobody is prepared with talking points to back him up widely in the media.

[hoosiermama]

Maybe there is a "bigger fish" to catch on this one?....Another "follow the money" perhaps? OTOH it may just be stupidity.

[b4its2late]

Any user on the network could read, create, modify or delete any of the files or folders

Guess they all had administrative rights......

[b4its2late]

And since they all had administrative rights, what information did the demorat staffers get, hmmm?

[4integrity]

Sam, I, too, wonder if the Senate Repubs are keeping quiet on the Dem memos cause of their own "dirty laundry".

[CyberAnt]

Well .. I think the dems are in deep doo-doo on this issue. These open files means they had just as much access as the repubs did .. and I'll NEVER be convinced the dems didn't take advantage of it.

I agree there may be bigger fish to fry. I sure hope they refer this to the DOJ - no matter how loudly the dems howl. These memos are disgraceful and the dems need to be held accountable.

[jospehm20]

No doubt hired because the admin was somebody's buddy, not for their qualifications.

[atomicpossum]

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator’s inexperience and lack of training.

I'll say. Your average-level network user should understand the nature of protecting your file access....

[pieces of time]

In August 2001 weren't the Rats in charge and Leahy chairman?

[Fixit]