DOD IT projects come under fire
Computerworld -
For weeks, the agency responsible for the U.S. Department of Defense's global networks and classified command and control systems had a gaping security hole in its own front yard. Security cameras at its Arlington, Va., headquarters were connected to a nonsecure wireless LAN until this week.
Chris O'Ferrell, chief technology officer at NetSec Inc. in Herndon, Va., which provides intrusion-detection services to numerous federal agencies and commercial customers, detected the nonsecure wireless LAN at the Defense Information Systems Agency (DISA) on May 10.
While parked across the street from DISA's headquarters, O'Ferrell was able to view the Service Set Identifier (SSID) numbers of access points and numerous IP addresses. Using a standard 802.11b wireless LAN card attached to his laptop computer and AP detection software from San Diego-based NetStumbler.com, he was able to scan the network in less than half an hour.
Lackadaisical Safeguards
O'Ferrell, who didn't attempt to enter the network, also determined that DISA had failed to protect the system with the most basic form of 802.11b security, the Wired Equivalent Privacy (WEP) protocol.
The lack of encryption and other protections could make it possible for an intruder to enter the security camera system by launching a denial-of-service attack against a specific access point, allowing the intruder to "spoof" that access point. That would enable him to view what security personnel see with the closed-circuit TV camera.
The wireless LAN allows security personnel to remotely pan, tilt or zoom the cameras, according to Betsy Flood, a DISA spokeswoman.
That information could make it easier for intruders to conduct a physical penetration of the compound, which houses the Defense Department's Global Network Operations Center, Computer Emergency Response Team and Network Security Operations Center.
O'Ferrell expressed concern that DISA had taken what he considered to be a casual approach to wireless networks operating at its headquarters.
Flood confirmed that DISA had operated a closed-circuit TV security camera system for about 45 days without encryption while it was being tested. During that time, she said, anyone sniffing the nonencrypted system could indeed "see what we see on our video monitors, i.e., the parking lot, the front gate, the fence line, etc."
Flood, who said on May 16 that the agency planned to encrypt the network by the end of that day, also acknowledged that one of the cameras was broadcasting the "AP-BLDG 12" SSID, an access point SSID for one of the cameras in the compound. She said DISA is working with its vendors to change settings to make the system more secure.