Wednesday, April 4, 2018

Congress And Wasserman Schultz Negligent For Allowing Hacking Suspects Continued Access, Expert Says.


Posted By Luke Rosiak On 12:27 AM 04/04/2018 
  • Congress didn’t take away IT aides’ network access until nearly a year after it learned of suspicious activity
  • A cybersecurity expert said the House was negligent and violated basic cybersecurity practices
  • He said  he has investigated many cases in which IT aides have stolen sensitive information
A publication for IT security professionals says House leaders of both parties were negligent and in violation of basic IT protocol by allowing Imran Awan and his family to continue in their roles as server administrators for four months despite knowing they were suspected of serious misconduct by the House Inspector General.
“The lack of concern and perspective on the potential risks posed by Imran Awan is alarming,” an article in SearchSecurity says. “This case is an example of negligence trumping security and, worse yet, common sense. Awan’s alleged activities and the way many handled themselves, from the hiring to the response in the wake of the investigation, should concern us all.”
Forty-four House Democrats employed the Pakistani-born Imran Awan and his family in a position where they could read all the emails and files of one in five Democratic congressmen.
The author, cybersecurity expert Kevin McDonald of Alvaka Networks, especially faults the judgement of Democratic Rep. Debbie Wasserman Schultz, who kept Imran on her payroll for an additional six months after House leadership banned him from the network. He also questions her claim the IT aide was somehow providing tech services without ever connecting to the House network.
“When challenged about why she allowed a person under criminal investigation to continue to access the building — where computers are stored and used — to assist with IT issues, Wasserman Schultz defended her actions by telling reporters that IT admins could assist with issues without having network access, and that IT support included other elements besides the network, such as phones, printers and software,” the article reads.
Imran did, in fact, use his continued access to the building to to leave a laptop apparently purchased by Wasserman Schultz’s office, which he left in a phone booth April 6, 2017, according to a Capitol Police report.
Committee on House Administration leaders Republican Gregg Harper and Democrat Bob Brady learned the Awan family was suspected of equipment-theft in April 2016 but did not suspend their network access, instead tasking the House Office of Inspector General (IG) with an investigation, according to an IG presentation.
The misconduct extended beyond potential theft of equipment to cybersecurity issues, according to the IG. It presented a briefing in September 2016 that alleged Imran and family members were logging into servers of offices they did not work for thousands of times and warned of indications a “server is being used for nefarious purposes and elevated the risk that individuals could be reading and/or removing information.” The briefing went to Speaker of the House Paul Ryan, House Minority Leader Nancy Pelosi, Harper and Brady.
“Despite an ongoing investigation into potential misconduct, these members of the House IT staff were allowed to continue working as administrators for nearly a year,” McDonald wrote.
The aides should have immediately been placed on a paid suspension, he continued. “If issues or questions arise about their conduct, they should have their access immediately revoked until an investigation can be completed. There is no room for leniency or error until the concerns are alleviated.”
McDonald pointed out the dangers rogue IT aides pose. “They can add programs designed to spy on users, damage systems or data, redirect data flows and communications, or fully reproduce every bit of data contained on the systems they control. They can pretend to be a user and take action as if they are that user.”
The Awans were allegedly logging in, using members of Congress’s personal usernames, according to the IG.
The security professional wrote: “I have been involved in investigations where data was deleted, information was exfiltrated, money was stolen and clients were locked out of their own systems, and even extorted by staffers with information they gained from systems access. This means that the utmost care must be taken in selecting these technology professionals, determining their access and monitoring their behaviors.”
“In particular, sensitive systems in government, defense and finance should be accessed and supported only by those with impeccable work history, experience, knowledge and character,” he continued.
The Administration Committee requires background checks for IT aides, but its policy includes a loophole that allows other members to vouch for them in lieu of the recommended practice of a Capitol Police background check. The Daily Caller News Foundation reported Monday the IG report says the aides “have not been vetted (e.g. background checks),” meaning every member waived background checks for the Awans.
House officials finally banned the Awans from the House network on Feb. 2, 2017. Wasserman Schultz still kept him on staff, claiming the IT aide was somehow providing tech assistance without touching the network.
“Imran Awan was allowed to continue working as an IT admin for several months with restricted network access despite obvious red flags,” McDonald lamented.
“Let’s break it down from an IT security perspective. First, Wasserman Schultz implies that allowing someone under criminal investigation to remain in proximity to sensitive computers and the network equipment connected to it is no big deal. Second, she goes on to say that, basically, phones, printers, the website and software are nothing to worry about, despite the fact that malware placed on any of the above can lead to systems’ access. Even without gaining system access, key loggers and other data capture malware can, in fact, steal copies of everything a House member or staffer is doing.”
Though the IG report says server logs show “unauthorized access,” the Awans have not been charged with hacking. Democrats, as the victims of the alleged wrongdoing, have been reticent to press charges against the Awans, a House source told TheDNCF. Democrats have, in turn, cited the lack of cybersecurity charges to dismiss the issue.
“Regardless of whether Awan is found guilty, the response from members of Congress should be concerning,” McDonald wrote. “Even if it does not rise to the level of espionage, it should be a massive wakeup call about who is being allowed to access congressional IT systems and other sensitive government computers.”
Imran and his wife were charged in July with felonies for allegedly cashing out their congressional retirement account under false pretenses before attempting to leave the country.
The Administration Committee hasn’t changed the policy surrounding House information security nor answered basic questions about the unauthorized access.
“There should be a top-down investigation into the hiring, monitoring and termination practices of Congressional members’ IT staff, and new protocols need to be instituted,” McDonald wrote.

No comments: