BY MARIA ARMENTAL
Journal Staff Writer
September 15, 2006
HOPKINTON -- A forensics audit into the town's computer network,
focusing on the tax assessor's office, has revealed serious security
In a report dated Aug. 29, Matthew DeMatteo, director of the University
of Rhode Island's Digital Forensics Center, who conducted the audit,
reported he had found a way files could be tampered with and pointed out
network security and procedural irregularities.
DeMatteo was assisted by David Batestini, a network security expert,
David Te, an educational observer, and Steven McCandless, the town's
acting Geographic Information Systems director.
Town Manager William A. DiLibero said steps have been taken to correct
A forensics audit condcuted by director of the University of Rhode
Island's Digital Forensics Center finds a way files could be tampered
with and pointed out network security and procedural irregularities.
The report will be discussed at the council's regular meeting Monday
during executive session, DiLibero said. Public discussion may follow.
In his report, DeMatteo said computer security measures need to be
implemented, access to data restricted and a network and security audit
The audit, conducted this summer at the behest of the former tax
assessor who complained tax records had been altered, analyzed
work-station computers in the tax assessor's and tax collector's offices
for evidence of file tampering.
The server that contains the files used by the tax assessor, DeMatteo
said, is located in a room that is also used as the GIS director's
"While this office is locked," DeMatteo wrote, "it is unclear who has
access to the room and who can obtain access.
"Getting physical access to this room and the server inside would allow
a person to copy, edit, delete, change or otherwise molest and have
access to private town data, including the tax assessor's data,"
"While a proprietary program is generally used to access the tax
assessor's files, the files themselves could be [altered] via the
network connections in the Town Hall."
"It seemed that there was little, if any, permissions or user groups
being enforced on the server."
DeMatteo said examiners found that Microsoft's Remote Desktop protocol,
an option that is off by default and that allows external access to the
server, was turned on on the server and the tax assessor's computer.
"While an intruder would have to know the specific internal and external
[Internet Protocol] addresses for the town's computers, as well as user
names and passwords to the server and the tax assessor's computers, this
is a method of entry that would not be easily noticed, nor would access
information be logged in any system," DeMatteo wrote.
User names and passwords were typically handwritten on a legal pad and
stored in the town's safe. Under new guidelines, employees have been
asked to change their passwords regularly and provide the town manager
and acting GIS director with the updated passwords.
DeMatteo said this "backdoor" entry was used at least once for
maintenance and technical support on the town tax data. The company that
provides the software the tax assessor uses and the revaluation company
also have access permission.
"The current system of how the tax assessor works is unable to be
audited and does not use any logging, peer or management checks, or
primary documents or receipts to confirm the work," DeMatteo wrote.
"It seems to be the digital equivalent of writing out a ledger in pencil
instead of pen -- it is impossible to know who changed what, when it
happened or why."
Former Tax Assessor Margaret M. Hardiman has said the software provider
had disabled an audit function in the office software. Her requests to
have the audit function enabled and access to information restricted
were not addressed, she said.
DeMatteo said a system was installed to monitor computer traffic and
data access using the Remote Desktop protocol over a weekend in early
July. No activity was detected, DeMatteo said.
Hardiman had given DeMatteo a printout of changes in tax data going back
to before she was hired. Hardiman, who was fired in July, had been hired
on Oct. 17, 2005.
"Although there was no key to the data [like a map without a legend], it
did appear that data in the system was being changed in a haphazard
way," DeMatteo wrote in his report, adding data obtained through the
forensic audit could not prove or disprove the allegations. DeMatteo
advised Hardiman to seek legal counsel.
DeMatteo said by the time he was called in, it was too late to determine
who had access to the records and what had been done.
"It was so much after the fact," DeMatteo said.
The type of information he needed to review, he said, "is subject to
change just by normal use of the computer."
"I just tried to show what was possible," he said, "what they should do
about this and my recommendations on what should be done to avoid that
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/