Sunday, June 08, 2008

The VA Computer Breach You Don't Know About (Jim)

Last week, the Veterans Administration announced a breach of their computer security system in May 2006 involving "1,000 patients at Walter Reed Army Medical Center". They stayed silent on a computer security breach that happened after. Though the number of records accessed and/or changed is smaller in the second breach, it's the more alarming one.

It's alarming because the investigation into the breach really revealed nothing. The investigation was rushed through, a key witness was never interviewed and the investigators didn't know what to make of the suspect and which parts of his statement were true or false.

What they did know was that he was a veteran. What they did know was that he was not accessing his own records. What they did know was he accessed at least one Vietnam veteran's records and the veteran was of no relation to him and he stated he had never met the man. (Ava and C.I., who know all the details of the story and chased it down last week, are not participating in the writing of this. Because it's a last-minute feature, they gave me ten questions that they would respond yes or no to. I asked, "Well did the man know the veteran?" Their response was, "No, he never met the man." For their coverage, see "Princess Tiny Meat's Big Day (Ava & C.I.)," "The federal government's got problems" and "Iraq snapshot" from last week; they broke the story.)

When the system was breached, the VA knew almost immediately. They dragged their feet in starting the investigation and, due to orders from above, they rushed the investigation to a close once it started.

The breach took place in the basement of a civilian, non-federal building. Present during the breach were the man and a woman. (Again, Ava and C.I. responding to my question.) During the hurried investigation, the woman was never questioned. (Ava and C.I. and an investigator.) The computer used to breach the system was her computer. Due to a family emergency, she was not at work during the one-day investigation. The investigators could have reached her but they were not given the time and were being ordered to wrap it up before they had even started the investigation.


The vet who breached the system (he admitted to that during the investigation) told two conflicting stories. Short on time and under pressure, the investigators reached no conclusion. An investigator not part of the investigation but aware of the steps taken and of the final report states that, after comparing notes with Ava and C.I. Friday morning, he thinks their view (which he stated was that the veteran was not attempting to alter any records) is correct and that they are correct in their belief that the veteran's stories conflicted because he was attempting to cover for the woman who was only observing his actions.

The woman could verify that but, though Ava and C.I. were able to speak to her, the government didn't bother to track her down.

The only witness to the breach as it took place was never questioned by the government.

Why the rush to wrap up?

The breach happened not by any great computer skills.

This wasn't a hacking piece of art.

Somehow the veteran who was deployed this decade was given passwords and he plugged those in until he found one that worked.

Ava and C.I. have repeatedly stressed in their reporting that the "who" (the veteran) wasn't really the big story. They have stressed that there are multiple human interest angles that could produce many feature stories. But they have time and again stated the "how" is the issue.

In 2006, OMB ordered the VA to increase their security systems.

Basic security includes regularly changing passwords. Had those orders been followed, the veteran would never have been able to breach the website.

Something as basic as regularly changing your password, a system any corporate outfit has set up to automatically prompt all users to do on a regular basis, is not being followed at the VA. As a result, people who gained passwords they should never have had access to can plug in a password that was good as far back as three years ago and stand a good chance of playing open sesame with the VA system. In this instance, the password utilized would have allowed the veteran to alter records and not just view them. (Again, the investigator I spoke to had spoken with Ava and C.I. Friday and he agrees with their judgment that no records were altered.)

The Vietnam veteran's records appear to be altered. Not through any tracking on the part of the VA that shows an alteration but due to a physical detail that does not add up. (Ava and C.I. say that detail was wrong when the Vietnam veteran was inducted into the service all those years ago. And that, had the investigating team been given time to do a real investigation, they would have been able to see that paper records now on microfiche backed up that the error occurred at induction.)

In admissions of breaches to the press, the VA regularly states that it just happened or no one knows how it happened or that new measures prevent it happening again. This breach is important because it resulted from basic security guidelines not being followed and from the OMB order being ignored. That is why the VA wanted the investigation rushed. That is why they have not spoken publicly about the breach.

Unless and until basic orders and guidelines are followed, the VA computer system is a sandbox anyone can enter at will and, if they're lucky, the VA may know someone breached the system and an after-the-fact investigation may be able to determine whether records were merely viewed or also altered. Along with the password issues, there is an issue of trap doors that needs to be addressed.

Since the stolen laptops incident, the VA has publicly maintained that they are doing everything to secure the records. That is not reality. Were it the reality, the breach from a civilian building in Texas would not have taken place.


Notes: In the rush of this edition, I forgot all about this article. Due to time constraints, Ava and C.I. (who wanted no part of this article) agreed to answer ten questions with "yes" or "no" but went a bit beyond that in each reply. I thank them for that. In addition, Friday, I spoke with three people familiar with the report and familiar with the investigation in the department that carried out the investigation. I also spoke with a friend of C.I.'s in upper management at the VA.

The consensus of those familiar with the investigation is that Ava and C.I. -- in one day -- nailed down what the investigation didn't. The VA source states that especially after Senator Patty Murray and others have called for resignations at the VA, this is a story the department would like buried. For those who don't have time to read Ava and C.I.'s previous reporting, a casual conversation on Tuesday with a government official about the breach AP was reporting led to an offhand remark by the official which Ava and C.I. caught and then followed up on. I would not have known about this if they hadn't written about it (so though my byline is on it, this is also their story and they certainly broke it and could write a whole series on it). Had they not handed me their cell phones and said, "Figure out who our sources are, Big Shot," I would not have been able to root out or confirm anything. The investigation was rushed and the system is not secure. Those are the reasons people other than Ava and C.I. spoke to me. I did not speak to the man who breached the system or the woman present. Ava and C.I. have spoken to all participants except the man who breached the system.
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.