Experts Say Lax Security Allowed San Francisco Network Hijacking, Admin Offers Passwords

Experts Say Lax Security Allowed San Francisco Network Hijacking, Admin Offers Passwords - Via Threat Level:

SAN FRANCISCO -- San Francisco's "rogue" computer admin accused of commandeering the city's exclusive network passwords has offered to hand them over, his attorney said Thursday.

The jailed defendant, Terry Childs, 43, pleaded not guilty Thursday to four felony counts of denying access to the city's network and of producing an unauthorized access device to control the government's network remotely.

Childs is being held on $5 million bail, as the authorities fear he could unleash a wave of attacks on the FiberWAN system Childs built. It controls the city's e-mails, payroll, law enforcement records and other data.

Security officials said the hijacking could have been avoided had the city undertaken proper security measures.

Childs' attorney, Erin Crane, said that the ordeal is one "big misunderstanding."

"As the case unfolds, you'll see that," Crane said. "He's been willing to hand over the passwords since Tuesday."

Crane said "we have negotiations underway" with prosecutors, but she refused to provide details. She said Childs worked under a "hostile environment" at the city's Department of Technology Information Services, but declined to elaborate.

A spokesman for District Attorney Kamala Harris declined comment. San Francisco County Superior Court Judge Paul Alvarado set a bail hearing for Wednesday.

Computer security experts suggested the city committed a security foul by granting somebody a super-level pass to the entire system.

"You segment it into little pieces," said Lina Liberti, vice president for security management with CA, formerly Computer Associates, based in New York. "No one person should have access to everything. "

"This doesn't happen on the trading floors in Manhattan because access is segmented out," Liberti said in a telephone interview.

Jamz Yaneza, threat research manager for Trend Micro in Cupertino, California, said the security faux pas could have been avoided. "Nobody in their right mind today does that," he said in a telephone interview.

Ron Vinson, deputy director of the San Francisco Department of Telecommunications and Information Systems, said in an e-mail to Threat Level that "5-6 people" other than Childs have an all-access pass to the network.

"We're regaining control of the access that Mr. Childs has denied us access to," he said in a telephone interview. "We're not sure what we were locked out of."

He said it was unclear how long Childs, arrested Sunday, allegedly had exclusive access to the FiberWAN network, the major backbone of city government's computing infrastructure connecting hundreds of different departments and buildings to a central data center, and to each other.

"We're investigating that now," he said.

The FiberWAN system carries more than 60 percent of the network traffic of all city government.

Vinson said the city "realized last week" that Childs allegedly and effectively froze out all admins. "The police and the department of technology asked him, 'Hey, You need to give us access,' and he said 'No,'" Vinson said.

"He changed it so nobody could access it but him," Vinson said.

Dana Hom, the chief operations officer for the San Francisco Department of Telecommunications and Information Systems between 2000 and 2004, was suspicious that the city might have breached another central command of network management: system back up

"If they had adequate backup, they could effectively restore it with new passwords in days or so," Hom said in a telephone interview. "Unless the backups don't exist. The executive management should be held accountable for that."

Mayor Gavin Newsom, who described Childs as a "rogue employee that got a bit maniacal," said it could take up to eight weeks to restore control of the FiberWAN network.

"What raises my suspicions about the network component backups, either not existing or outdated, is the amount of time city officials are quoting to rebuild the network," Hom said.

Hom added that, "It doesn't take a rocket scientist to restore the configurations for all of it. It is all capable of being backed up and stored away safely, off site."

Vinson was not prepared to comment whether the city was also locked out of its backup.

"The network itself does have mirroring and backup built into it," Vinson said. "Obviously, it would help shorten our timeline if we had his (Child's) cooperation."