AOH :: ISN-3014.HTM

Security lax on computer of tax assessor

Security lax on computer of tax assessor
Security lax on computer of tax assessor


http://www.projo.com/southcounty/content/projo_20060915_audit.329268e.html 

BY MARIA ARMENTAL
Journal Staff Writer
September 15, 2006

HOPKINTON -- A forensics audit into the town's computer network, 
focusing on the tax assessor's office, has revealed serious security 
flaws.

In a report dated Aug. 29, Matthew DeMatteo, director of the University 
of Rhode Island's Digital Forensics Center, who conducted the audit, 
reported he had found a way files could be tampered with and pointed out 
network security and procedural irregularities.

DeMatteo was assisted by David Batestini, a network security expert, 
David Te, an educational observer, and Steven McCandless, the town's 
acting Geographic Information Systems director.

Town Manager William A. DiLibero said steps have been taken to correct 
the situation.

A forensics audit condcuted by director of the University of Rhode 
Island's Digital Forensics Center finds a way files could be tampered 
with and pointed out network security and procedural irregularities.

The report will be discussed at the council's regular meeting Monday 
during executive session, DiLibero said. Public discussion may follow.

In his report, DeMatteo said computer security measures need to be 
implemented, access to data restricted and a network and security audit 
done.

The audit, conducted this summer at the behest of the former tax 
assessor who complained tax records had been altered, analyzed 
work-station computers in the tax assessor's and tax collector's offices 
for evidence of file tampering.

The server that contains the files used by the tax assessor, DeMatteo 
said, is located in a room that is also used as the GIS director's 
office.

"While this office is locked," DeMatteo wrote, "it is unclear who has 
access to the room and who can obtain access.

"Getting physical access to this room and the server inside would allow 
a person to copy, edit, delete, change or otherwise molest and have 
access to private town data, including the tax assessor's data,"  
DeMatteo continued.

"While a proprietary program is generally used to access the tax 
assessor's files, the files themselves could be [altered] via the 
network connections in the Town Hall."

"It seemed that there was little, if any, permissions or user groups 
being enforced on the server."

DeMatteo said examiners found that Microsoft's Remote Desktop protocol, 
an option that is off by default and that allows external access to the 
server, was turned on on the server and the tax assessor's computer.

"While an intruder would have to know the specific internal and external 
[Internet Protocol] addresses for the town's computers, as well as user 
names and passwords to the server and the tax assessor's computers, this 
is a method of entry that would not be easily noticed, nor would access 
information be logged in any system," DeMatteo wrote.

User names and passwords were typically handwritten on a legal pad and 
stored in the town's safe. Under new guidelines, employees have been 
asked to change their passwords regularly and provide the town manager 
and acting GIS director with the updated passwords.

DeMatteo said this "backdoor" entry was used at least once for 
maintenance and technical support on the town tax data. The company that 
provides the software the tax assessor uses and the revaluation company 
also have access permission.

"The current system of how the tax assessor works is unable to be 
audited and does not use any logging, peer or management checks, or 
primary documents or receipts to confirm the work," DeMatteo wrote.  
"It seems to be the digital equivalent of writing out a ledger in pencil 
instead of pen -- it is impossible to know who changed what, when it 
happened or why."

Former Tax Assessor Margaret M. Hardiman has said the software provider 
had disabled an audit function in the office software. Her requests to 
have the audit function enabled and access to information restricted 
were not addressed, she said.

DeMatteo said a system was installed to monitor computer traffic and 
data access using the Remote Desktop protocol over a weekend in early 
July. No activity was detected, DeMatteo said.

Hardiman had given DeMatteo a printout of changes in tax data going back 
to before she was hired. Hardiman, who was fired in July, had been hired 
on Oct. 17, 2005.

"Although there was no key to the data [like a map without a legend], it 
did appear that data in the system was being changed in a haphazard 
way," DeMatteo wrote in his report, adding data obtained through the 
forensic audit could not prove or disprove the allegations. DeMatteo 
advised Hardiman to seek legal counsel.

DeMatteo said by the time he was called in, it was too late to determine 
who had access to the records and what had been done.

"It was so much after the fact," DeMatteo said.

The type of information he needed to review, he said, "is subject to 
change just by normal use of the computer."

"I just tried to show what was possible," he said, "what they should do 
about this and my recommendations on what should be done to avoid that 
situation again."


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/

Site design & layout copyright © 1986- CodeGods