
A Long Fixed Security Hole   Posted: January 1, 2010
February 21, 1996

Governor Paul Patton
Office of the Governor
Frankfort, Ky

Sir,
This letter is to follow up on my report to you about a security flaw in the Commonwealth's Judicial Computer Network. As I said to you after your meeting with the Kentucky Appalachian Commission/Commonwealth Fellows yesterday, there is a massive security flaw that permitted me 'Supervisor' level privilege on the Frankfort file server that holds all the court records. I was in a position to view, alter or delete information. I happen to know enough about the particular network software that I expect I could have made such alterations without detection. Others may only be able to view and copy data without detection.

I discovered this flaw while employed in Letcher County to inventory the courthouse computer system on January 1, 1994. I inadvertently included the courtroom terminal in my survey. Since I was asked to test the security of the extant computers, I challenged the courtroom terminal with a simple break command and was dumbfounded to find myself logged in to the Frankfort system, on a Sunday, with maximum privilege. I was very grateful that I was in the presence of two witnesses who can attest to my actions. The only 'special' knowledge that I employed was to use the standard DOS Break command. That command is documented in every DOS manual since DOS was CPM, back in 1979.

I chose to try to signal that there had been an intrusion. I did that by creating a new user named "ZZ". That act alone should have brought down the house. There is no more visible or outrageous an act than to add user accounts to a secure system. Naming it ZZ assured that it was always the last user listed, and hence the one that remains on screen when any kind of user list is written. I tried hard to signal the intrusion.

At my next opportunity, I brought this to the attention of Jim Wood, the judge who operates in that courtroom. I demonstrated the ease of entry to the network. He gave me the name of Alden Fey, and I called Mr. Fey, early in January 1994. We discussed the nature of my technique, and my suggestions for improving security. I have not tried to test the system, nor follow up with Mr. Fey since that date. I have occasionally discussed this flaw with appropriate members of the state judiciary, and it's my understanding that no new procedures have been installed to respond to this flaw.

It is my hope that the Commonwealth will address this problem. I would suggest that this is a job for an experienced security professional. As one who has installed and maintained dozens of networks, I am painfully aware that security is not an intuitive or simple job. This security hole is a time bomb that could mortally wound the rule of law in the Commonwealth. Even the idea that the records are insecure will be a field day for lawyers and criminals. The ten million dollars recently embezzled from state government is a tiny problem by comparison. However expensive, it has to be cheaper to fix before wholesale invasion and adulteration of the data, and the resultant loss of public trust. It is also a tar-baby. Becoming associated with the problem without effecting a solution is bound to be bad for one's career.

I wish you the very best of luck with this problem. Please call if I can be of further assistance.

Copyright (C) 2002,2016 W.S. Herrick and/or Respective Copyright Holders