DA Admits Error In Exposing SF Passwords
Including a list of more than 100 sensitive IP subnet addresses and virtual private network (VPN) passwords in public court filings for the Terry Childs case was a mistake, the San Francisco District Attorney's Office said over the weekend.
Childs, described by prosecutors as "the only system administrator" for San Francisco's wide area network (WAN), which links interdepartmental computers, was arrested July 12 and charged with four felony counts of computer network tampering and a fifth count of causing associated damages over $200,000. Superior Court Judge Lucy McCabe last Wednesday denied the jailed Department of Technology (DOT) employee's motion to be released on his own recognizance or to have his $5 million bail reduced.
"Yes, there should have been better coordination between our department and the Department of Technology," DA spokeswoman Erica Derryck said, according to San Francisco Chronicle columnists Phillip Matier and Andrew Ross. "But at the end of the day, these pass codes are going to have to be changed as part of undoing a situation."
The list, entered as "Exhibit A" in prosecutor Conrad Del Rosario's opposition to Childs' bail motion, appears to map the specific City-maintained IP subnets associated with 137 VPN group usernames and passwords for various San Francisco departments, offices and commissions.
"Obviously it was not something we wanted in the public record," said Ron Vinson, deputy chief of the DOT, which manages the VPN.
The VPN codes are not the same as the network device passwords Childs is alleged to have withheld from DOT supervisors and police, the situation that led to his arrest. The device passwords, which Childs gave to San Francisco Mayor Gavin Newsom in a secretly arranged jailhouse meeting last Monday, were needed to access the configurations of five core Cisco-built devices at the heart of the City's FiberWAN network.
Prosecutors "rushed back to court Friday" to correct the mistake, according to Matier and Ross, though some media outlets, including ChannelWeb, possess the original opposition filing.
The "pages of usernames and passwords" came from "files forensically obtained from the Defendant's computers," Del Rosario writes in his opposition to reducing Childs' bail. "This poses an imminent threat because even if the network was under control of the city, the Defendant could impersonate any of the legitimate users in the City by using their passwords to gain access into the system."
Steps taken by the DOT to correct the potential security breach in the original court filing were unknown at publication time. But InfoWorld networking columnist Paul Venezia wrote Saturday that, "I've received several anonymous (yet highly detailed) emails from people claiming to work for the City of San Francisco informing me that suddenly, their VPN access does not work."
If so, it would mark the first reported instance of a disruption to services on the City's FiberWAN network since the arrest of Childs. According to Vinson, the DOT had "not seen any downtime" on the network during the period administrators were locked out. Del Rosario's reply states that the DOT was "able to regain control of the FiberWAN's core network devices" with the three usernames and one password Childs reportedly gave to Newsom July 21.
Del Rosario writes in his opposition motion that DOT managers and outside networking experts from Cisco were able to prevent a network failure during that timeframe. They determined that the core network devices had been configured in such a way as to fail to reboot if powered down, which would have resulted in "the failure of the entire FiberWAN network resulting in a loss of city services," Del Rosario contends. An electrical shutdown at the DOT's One Market Street facilities that would have powered down the core devices had been scheduled for July 19 but was postponed, according to the assistant district attorney.
Another previously unknown detail of the Childs case that emerged from the July 23 bail hearing is the presence of "over 1100 different devices, routers, switches, modems, etc, scattered throughout the city's offices that the Defendant may have configured and even locked with his own passwords," according to the prosecution's reply. These include three modems connected to the FiberWAN that Childs allegedly installed in his workplace and kept locked up, unbeknownst to supervisors.
"Cisco engineers have indicated that the types of modems the Defendant installed bypasses logging, auditing, and security measures of a secured network. Further, anyone can gain access to the network by dialing into these unsecured modems, risking the security of the network," the prosecution's filing in the bail hearing states.
The news has led to some interesting opinions, to say the least.
Venezia, in a Sunday column, wonders whether the prosecution has essentially admitted that any evidence gathered at its "crime scene" -- the FiberWAN network -- could have been tainted:
The Chronicle's Matier and Ross, meanwhile, seem worried that Childs may still be able to wreak havoc on the network from jail:
Hence, Childs needs to be kept behind bars so he won't be able to dial up and destroy the system. Or have a confederate do it. Funny thing is -- under jail rules, Childs gets an hour of phone privileges every day.
The columnists do not elaborate as to whether they fear Childs may possess a MacGyver-like ability to construct a phone phreaking kit from jail-issue materials, or has in fact developed a talent for replicating electronic beeps and buzzes with his own vocal cords -- perhaps wisely leaving such speculation to readers.