
COSEv19no4.qxd 26/05/00 12:21 Page 302

Security Views/Dr. Bill Hancock

new system, NSF's four-character PINs will become longer passwords with mixed characters and numbers as well as encryption.

Each university has an administrator who registers and certifies its users. In the new password system, the administrator will initialize users and change passwords if needed.

NSF tends to pursue its own path for information technology initiatives that have become part of government-wide contracts because they are not cost-effective on a small scale, said Linda Massaro, NSF chief information officer and director of information and resource management.

The Government Paperwork Elimination Act does not dictate what technology agencies should use for electronic signatures but encourages them to use the appropriate level of authentication for their applications, Guida said. "They're making a decision that the potential for fraud is such that one does not need the level of security PKI provides," Guida said. "One of the things we've encouraged agencies to think about, even if they decide they don't need PKI for an application, is the expectation of interoperability with PKI." Agencies should think about whether their digital certificates can be honoured by other agencies, he said. PINs and passwords don't have that capability because they tend to be managed locally. Based on the upcoming pilot, NSF plans to institutionalize its electronic signature approach by Oct. 1. If it's successful, the agency plans to use electronic signatures for other transactions, Stuck said.

Justice Department Conducting Criminal Probe in Former CIA Director Activities
The Justice Department is conducting a new criminal investigation of whether former CIA director John Deutch violated the law in mishandling secrets on his home computer, officials say. The inquiry represents the second time the department has looked into the matter, reflecting what top Justice officials say is their concern that Deutch be held to the same standards applied to Chinese nuclear scientist Wen Ho Lee, whom the government charged earlier this year with mishandling atomic weapons secrets on computers at the Los Alamos National Laboratory.
Lee's attorneys have publicly challenged his indictment, citing the department's decision in April 1999
not to prosecute Deutch for storing numerous classified CIA documents on an unsecured computer in his
home, which was used by his children to connect to
the Internet. In February, Attorney General Janet
Reno announced the Deutch case was under review
again. Initially, it appeared that Justice prosecutors were
simply going to examine a CIA inspector general
report on the matter to see if it disclosed any evidence
beyond what they had found.
But in late February and early March, FBI agents were
sent out to conduct a new round of interviews with
two or three individuals, which one department official, requesting anonymity, said amounted to opening
a preliminary inquiry in the case, one step short of a
full investigation. That round of FBI interviews was
also said to have focused on the question of whether
CIA officials improperly delayed reporting the Deutch
incident to the Justice Department.
After a review in early March, Justice officials requested that the FBI conduct more interviews, according to
a senior Justice official, who said in effect the criminal
investigation was reopened at that time. Meanwhile, a
special White House intelligence panel headed by former Sen. Warren B. Rudman has presented President
Clinton with a report critical of current and former
CIA officials for failing to follow through adequately
on the evidence against Deutch, The New York Times
Web site and The Washington Post reported Saturday.
The Deutch affair also is being investigated by
Republicans in Congress. And the renewed Justice
interest in the case after the department declined to
bring criminal charges in spring 1999 played a role
in the refusal in early March this year by former CIA
general counsel Michael J. O'Neil to testify before the
Senate Intelligence Committee unless given immunity from prosecution.


Computers & Security, Vol. 19, No. 4

In a yearlong probe that ended April 1999, the department's criminal division concluded Deutch's lapses were sloppy rather than criminal. It referred the case to the CIA inspector general for administrative discipline. Last August, the CIA stripped Deutch of his security clearance. After O'Neil refused to testify voluntarily, he was subpoenaed. On March 7, O'Neil invoked his right not to incriminate himself and refused to answer questions from Senate Intelligence Committee members about the Deutch case.

In a written statement, O'Neil's lawyer, Roger Spaeder, said he had advised his client not to testify while Reno reviews an earlier decision not to prosecute Deutch or others.

O'Neil, who left the agency in October 1997, at first declined to turn over computer storage cards from Deutch's computers and delayed notifying the Justice Department of the matter, according to an unclassified version of the CIA inspector general's report. The report concluded that the actions by O'Neil and another CIA executive had the effect of delaying a prompt investigation of this matter.

Although Deutch's security lapse was found in December 1996 as he was leaving the agency, the CIA did not submit a report to the Justice Department until March 1998 and did not notify congressional oversight panels until June 1998. CIA director from May 1995 to December 1996, Deutch processed thousands of highly classified documents on unprotected home computers that he and family members also used to connect to the Internet, making the information potentially vulnerable to hackers, according to the CIA inspector general's report. Deutch has apologized.

Apache Site Defaced

While the rest of the world battled the Love Bug worm, free Web-server software provider Apache had problems of its own. Due to system-level misconfigurations of ftpd and bugzilla, a hacker was able to obtain a shell account and replace Apache's logo of a feather and its "Powered by Apache" tagline with a Microsoft logo and credit.

"Yes, the www.apache.org site was penetrated," said Ken Coar, a director and vice president of the Apache Software Foundation. "The penetration was through some network services that were configured with an insufficient degree of paranoia. The penetration was not through the Apache Web server software nor any of the other Apache software, but through standard network utilities found on virtually all Internet servers."
The people who penetrated the Apache.org system likely were grey hats, Coar said. The hacker spectrum runs from black hats, who would break in, do damage, and attempt to avoid tracing, to white hats, who would note the configuration problems and let the site managers know about them without taking advantage of them. "These people fall into the grey area in between because they told us about the problems, but not until after they had utilized them to make some apparently innocuous changes," he said.
Cruciphux, publisher of the security and hacking electronic zine HWA.hax0r.news, said the site was defaced around 6:37 p.m. EDT on May 3 by hackers known as {} and Hardbeat. "{} belongs to Buffer Overflow Security, a fledgling security group consisting of ex-hackers and including people such as mixter, who wrote TFN, the DDOS distributed attack tool recently brought to light in the media by denial-of-service attacks on major websites," the ezine wrote. A mirror of the defaced site can be found on the Attrition.org mirror site and specific details of the break-in can be found on Apache's site.

"They came right out and admitted what had happened and said they were at fault," said OpMan, a New York-based computer systems enthusiast, who noted that you won't see Microsoft taking the blame for the ILOVEYOU debacle.
"This was a classy hack," Cruciphux said. It ended almost like a fairy tale. Although tracks were covered and logs cleared, it was decided to alert the apache.org