Thursday, 16th October 2008

News from the Guernsey Press

Password gaffe let ‘hacker’ in

INADEQUATE security 15 years ago allowed one former civil servant access to the Greffe computer system.

Microgen analyst David Cranch, who worked for the States for 14 years, said that from his computer at the former post office headquarters, he very easily gained access to the Greffe’s file structure. Mr Cranch said the recent States internet breach was just another example of IT security not being up to scratch.

‘I was pretty staggered when I found a user called Bailiff and his files were wide open to me. I don’t know what was in it or whether it could have been his secretary’s folder – I didn’t look inside. I got on the phone straight away.’

Mr Cranch worked as a data processor at the post office and also helped pre-plan a network linking 26 States sites.

He did not install the network, which was on ICL DRS 6000 machines, but was eager to know how effective it was and how easy it would be to hack.

Knowing that the Greffe used a similar machine to his own, he decided to try to look at its system over the network.

‘It wasn’t exactly wide open – only users of the DRS 6000 machines on that network could get in – but these machines came with a password and it was the same default password for them all. I assumed that new ones would be chosen, but I decided to try it anyway and no one had thought to change it. It was shocking.’

At first Mr Cranch, who will retire from Microgen this week after 10 years, did not think he had got in because the system looked the same as his own, but then he saw unfamiliar users on the system, including the Bailiff.

He alerted superiors immediately and within minutes received a call back from the States Treasurer.

‘He made me feel really guilty and gave me the third degree. It was like I was being accused of hacking – not a thanks for alerting them.’

He repeated the exercise a few days later but the password had been changed.

He said that although it was 15 years ago, it was still unacceptable to be using a default password.

Treasury and Resources declined to comment.
