Computer Security: Hackers Penetrate DOD Computer Systems

GAO discussed the intrusions of Dutch hackers into Department of Defense (DOD) unclassified, sensitive computer systems during Operation Desert Storm/Shield. GAO noted that: (1) computer hackers from the Netherlands penetrated 34 DOD sites attached to Internet, an unclassified network composed of smaller networks nationwide and overseas, between April 1990 and May 1991; (2) the hackers had access to unclassified, sensitive information regarding military personnel, logistics, and weapons systems development data, which can be highly sensitive during times of international conflict; (3) the hackers generally gained access to the DOD computer systems by weaving their way on Internet through university, government, and commercial systems; (4) the most common weaknesses hackers exploited to gain access into military sites were accounts with easily guessed passwords, well-known security holes in computer operating systems, and vendor-supplied accounts; (5) the majority of the hackers' activities were aimed at modifying the system to obtain system administrator privileges and to create new privileged accounts and establish methods for later entry; and (6) in most cases a university, contractor, or DOD official notified system administrators of an intrusion which prompted them to either secure their system or temporarily leave the vulnerability open to determine the intruder's identity. GAO believes that: (1) security weaknesses that permitted the intrusions highlight inadequate DOD attention to computer security; and (2) poor password management, failure to maintain audit trails, and inadequate computer security training all contributed to the intrusions.