Lax security left Senate files wide open (Memogate)

www.gcn.com ^ | 3/5/2004 | William Jackson

[GodGunsandGuts]

hmmm....I figured as much but here is the official finding. I can tell you my keester would be in the soup line if I did this. Also interesting that the whole infrastructure was taken care of by one admin.

[Spruce]

I assume the firings are over.

[Fun Bob]

Hey democrats, we are sorry about filegate...we are sorry you found out and put a password on your publically acessible files. Sorry, you put the information out there, you don't take the proper security procedures so that they can be read without any security invasion (double click!) and it is your fault.

miserable failure miserable failure miserable failure miserable failure war criminal

[jocko12]

THE DIMS ARE GETTING DIMMER.

[deport]

03/05/04

Lax security left Senate files wide open

By William Jackson
GCN Staff

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a “significant lack of security” on the committee’s network.

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator’s inexperience and lack of training.

“Forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network,” said the report, released yesterday. “Any user on the network could read, create, modify or delete any of the files or folders.”

The report made recommendations for improving the committee’s computer security, including setting minimal technical skill standards for administrators.

The problems came to light in a three-month investigation by Sergeant at Arms William H. Pickle about leaks of Democratic memos to the press late last year. The apparent intent was to embarrass Democrats by revealing political strategies in opposing conservative judicial nominations. But the investigation exposed partisan spying by several GOP staff members.

In what was described as an unprecedented investigation, the sergeant at arms hired an outside computer forensics firm to help in the investigation.

Republican and Democratic committee staffs share a single LAN, which until recently had a single administrator. Investigators found that user accounts established before August 2001 were generally created with strict access controls. Those established after that date, when a new administrator was hired, were open.

According to Pickle’s report, a committee clerk discovered he could access Democratic files in the fall of 2001 while he watched the systems administrator working. Improper access apparently continued until last spring, when the network hardware and software were upgraded. Although many accounts remained open, the directories no longer were visible to most users. A new administrator was hired last July.

Most of the investigation’s results came from interviews with staff members. Security practices were so inadequate that forensics specialists said they could learn little.

“While there was extensive forensic analysis of servers and individual workstations, the results were limited due to the absence of proactive security auditing,” the report said.

No record was kept of changes in access controls, and it was not possible to tell who was accessing what files.

The sergeant at arms concluded that the lapses were not the result of malicious behavior by the administrator, who was hired just out of college, but rather of lack of experience, training and oversight.

The problems found in the investigation were not limited to that period, or to the Judiciary Committee.

“Like some other Senate offices, the Judiciary Committee has historically been staffed with systems administrators who preferred to perform most computer-related tasks themselves,” the report said. “This has been true even if they had only minimal technical experience.”

Since the leak was discovered, the committee’s Republican and Democratic staffs have been put on separate LANs with separate administrators. Chairman Orrin Hatch (R-Utah) and ranking Democrat Patrick Leahy of Vermont requested a network security audit by the General Services Administration in February.

Although the report identified several possible ethics and criminal violations, it made no recommendation for legal action. It did, however, recommend these actions to improve IT security throughout the Senate:

• Establish technical skills assessment, certification and continuing education requirements for system administrators
• Set minimum qualifications for administrators
• Create a best-practices manual for computer security
• Require ethics and computer security training for all new employees.
  
  

[hoosiermama]

If the GOP staff members had access, than others must have also. Maybe it WASN'T a GOP staff member who "leaked" the information.

I smell a RAT. First you leave the information accessible, then you "leak" it and blame your opponent.....Sounds like a set up to me.

[Diogenesis]

The Republicans should censure themselves
and then give the Democrats an award for stealing (and using ) the FBI files.

[4integrity]

Miranda, the Repub staffer who resigned(?), was on with Cal Thomas of Fox News, and stated that many of the Dem memos are not legally protected documents. So, why have these memos not been made public? Why isn't Sen. Frist talking about the content of the memos? This should have been the primary issue....but the Dems are good at manipulating the media. Frist should replace Hatch as Chair of Judicial Committee.

[Spruce]

I rescind my comment in post #2.

This is not about computer security. It's about the treason words spoken and recorded.

[sarasmom]

No, sounds like typical RINO rollover.
Shoot the messenger, and forget all about the message.
Judge the style, not the substance.
Nail a man for tax evasion, and forget all about actual murders and victims.
We must set priorities in investigating political crimes! /sarcasm//.

[angkor]

Always remember to leave those "Democrat" and "Republican" shares open to Everyone. It's too much of a headache to use group profiles. And never turn on auditing. Someone might yell at you if you question their activities on the network.

[angkor]

smell a RAT. First you leave the information accessible, then you "leak" it and blame your opponent

"No record was kept of changes in access controls, and it was not possible to tell who was accessing what files."

[harpo11]

Right on! Mrs. Clinton's stealing of over 900 FBI files vs. some stupid computer glitch merits far more investigation.

[Cultural Jihad]

miserable failure miserable failure miserable failure miserable failure war criminal
(worth repeating)

[expatpat]

That wasn't a computer glitch -- they were provided to her (via Livingstone, I believe) by the FBI.

[savedbygrace]

Miranda should get his job back. He has been vindicated by this report. He is one of the good guys and deserves our support.

[Loyal Buckeye]

Answer this one. If the RATs can't keep their own files secure, how would they ever keep our country secure?

[weegee]

What portion of this computer server does the DNC own? We know that the DNC illegally used government computers during the Clinton administration.

How are these memos "Democrat" or "Democratic" files? They are files. I do not read that any falsification of identity was needed to become "super user" and to have access to the files. There was no "theft" because there was no security.

Teddy Kennedy has compared this to Watergate but the DNC does not own this space. When I worked at Compaq we commonly shared files across the network. Secure drives containing confidential information required password access.

Miguel Miranda is a whistelblower into possibly illegal corruption between 501c3 charities (like the NAACP) and senators who were trying to manipulate court decisions by withholding judicial nominees.

The Rats are just upset that a paper trail remains.

[savedbygrace]

You're asking the wrong person. I mean, I know the right answer (they can't), but I'm not the one you need to ask.

[Waco]

Can't everyone wake up? The RATS set the system up. They "snooped" from the start. So what, if they were exposed on anything? They could count on the media to run cover, which it has. (Have the chicom $$$$$$$ arrived yet?) That's what set of the "CFR" farce,remember?