http://www.boston.com/news/local/new_hampshire/articles/2006/03/29/nh_computer_specialist_says_superiors_ignored_security_warnings/
March 29, 2006
CONCORD, N.H. -- A state computer specialist who was put on leave two days after a security breach was announced says bosses ignored his warnings about more serious weaknesses in New Hampshire's computer network.
Doug Oliver of Tilton, 44, was suspended with pay last month after the announcement of the security breach affecting motor vehicle offices, the state veterans home in Tilton, the Liquor Commission and state liquor stores.
Oliver spoke to the Concord Monitor and New Hampshire Public Radio, saying he wants to clear his name. He said officials underreported the extent of the hacking. And he said they knew as early as last summer that perhaps more than half the state's computer systems were at significant or severe risk of being attacked.
"I'm not looking to do any harm to anybody," Oliver told the Monitor. "I'm just looking to make sure that the debate and the right questions are getting asked, because I'm not convinced the right questions are getting asked."
Rick Bailey, New Hampshire's chief information officer and Oliver's boss, declined to comment on Oliver's allegations, citing personnel issues.
"It's a difficult situation," he said, declining to name the employee who was suspended. "An investigation was ongoing. The FBI and the Department of Justice recommended that this individual not be in the environment while the investigation ran its course, and we followed that direction. Administrative-leave scenarios are not intended to suggest guilt or innocence."
In February 2005, a hacker defaced the state's NH.gov Web site with internet graffiti. In response, Bailey compiled a three-person team, including Oliver, which was directed to act like hackers to test state computer security.
The testing, which concluded last summer, revealed that more than 60 percent of the sampled servers were at risk for "significant to severe" security breaches, Oliver said.
One of the biggest problems the team identified was a failure to upgrade databases to protect them from a worm that caused widespread damage on the internet a few years ago. Microsoft has provided patches to protect against that worm since 2003, Oliver said, but they had not been applied.
"There were events and incidences being reported by this (security tool) that I was seeing multiple network machines being touched by this worm," Oliver told NHPR. "In addition, there were other signatures, other flags or events that this tool was firing at the same time that were strongly indicative of an attack against the network."
Bailey said the security tool Oliver used is good, but not perfect, raising the possibility of false alerts.
No illegal activity was reported as a result of the security breach the state announced, but officials asked people who used credit cards in the previous six months to report any suspicious purchases to the state Consumer Protection Bureau.
State information technology experts became aware of the breach when they spotted software in the system that can allow a hacker to watch transactions, but not to recover earlier records, said Bailey.
Oliver said the program also can be used as a security test, and that he installed it last year during the security checking. It was supposed to have been removed.
Oliver, who has worked for the state since 2002, was a technical support specialist who had written software and performed security checks on computer servers that handle credit card transactions. He says he was scanning state servers for hacker vulnerability on Feb. 16 when his supervisors asked him to speak with the FBI. Shortly after that interview, he said he was locked out of his network account, and told he was placed on leave. He was not given a specific reason.
"I feel that I'm coming under fire inappropriately," he said. "Perhaps (I'm) being scapegoated or retaliated against because of what I know."
In his last days on the job, he said, his supervisor accused him of "being chicken little, or being disgruntled somehow, and of being overzealous because of a new toy" -- an expensive security device the state had been testing.