VICTORIA — B.C. Auditor General Wayne Strelioff found security vulnerabilities with the provincial government’s Corporate Accounting System that were so serious he withheld his report for fear of tipping off hackers.
Withholding the report gave the government time to fix the more dangerous security flaws before it was finally published on June 28.
The Corporate Accounting System (CAS) provides an online, real-time central accounting system, available through the Internet. Among the vulnerable databases were those containing usernames, passwords and bank account information.
“Some of the findings would have exposed the government to problems,” Strelioff said in an interview this week.
In his audit of CAS, Strelioff found a firewall that was inoperative for hours at a time and a default password still being used. A hacker could have entered the system, carried out transactions, and removed all traces of those transactions.
“When the firewall’s down, that can happen,” Strelioff said.
At one point during their audit, inspectors from Strelioff’s office discovered that the firewall had been out of action for 15 hours before support staff noticed that no entries were being made to a log. In the meantime, the server had been used to relay third-party e-mail, making it appear that the messages originated from the CAS server.
“The firewall was down, and people didn’t know about it,” he said.
Strelioff suggested that system access had been too broad: “Too many people had the ability to get into the system and make changes.”
Numerous schools, private businesses, wireless connections and “undefined addresses” were allowed through the firewall.
The report did find that overall, the control environment was well-managed. For instance, the government has created a position for a dedicated “enterprise security officer.”
But while many needed controls over the Oracle database were in place, Strelioff found some deficiencies that “could jeopardize the integrity and reliability” of the database’s information.
“At the time of our audit we found that, because of both the unmonitored access gained through the Unix operating system and the absence of auditing access logs, some data tables that would generally be evaluated as properly secured were in fact at risk of undetected access,” the report said. “That is, they could be changed or deleted without any trace of activity in the system.”
Vulnerable data tables included those with usernames, passwords and bank account information. Auditors also discovered that one of the default usernames was still set to the default password.
Default usernames and passwords are commonly supplied with commercial software packages for use by system administrators. Once the software is installed, the passwords are supposed to be changed before it is active.
In this case, the default password was still being used because six months earlier, a patch had restored the password to the default.
In responding to Strelioff’s findings, the finance ministry said it has either fixed or is “working on” all of the vulnerabilities.
For instance, the ministry has narrowed the IP subnets allowed through the CAS firewall down to specific IP ranges, according to a written response included in Strelioff’s report. It is also working on a process to notify support staff when the firewall is not running.
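The 15-hour outage described above was spotted only because someone eventually noticed the firewall log had gone quiet. The following added example (not from the report or the ministry, and not CAS code) shows the kind of log-silence check that would turn that observation into an automatic alert: it parses firewall log timestamps and flags any interval with no entries longer than a chosen threshold, including a trailing gap up to the current time so a device that has stopped logging altogether is caught. The log format and entries are constructed for illustration.

```python
from datetime import datetime

# Constructed sample firewall log lines: ISO timestamp, then the event.
# A gap of roughly 15 hours is embedded between the third and fourth entries,
# mirroring the outage the auditors found.
SAMPLE_LOG = """\
2004-06-01T08:00:12 ACCEPT 10.1.2.3 -> 10.9.0.5:443
2004-06-01T08:03:40 DROP 192.0.2.77 -> 10.9.0.5:22
2004-06-01T08:05:01 ACCEPT 10.1.2.9 -> 10.9.0.5:443
2004-06-01T23:10:55 ACCEPT 10.1.2.3 -> 10.9.0.5:443
2004-06-01T23:12:02 DROP 192.0.2.80 -> 10.9.0.5:25
"""


def parse_timestamps(log_text):
    """Extract the leading ISO-8601 timestamp of every non-empty log line."""
    stamps = []
    for line in log_text.splitlines():
        if line.strip():
            stamps.append(datetime.fromisoformat(line.split(" ", 1)[0]))
    return sorted(stamps)


def find_log_gaps(stamps, max_silence_seconds, now=None):
    """Return (start_iso, end_iso, seconds) for each silent interval longer
    than max_silence_seconds. If `now` (an ISO string) is given, a trailing
    gap from the last entry up to `now` is reported as well, so a firewall
    that has simply stopped logging is detected, not only past outages."""
    gaps = []
    prev = None
    for ts in stamps:
        if prev is not None:
            silent = (ts - prev).total_seconds()
            if silent > max_silence_seconds:
                gaps.append((prev.isoformat(), ts.isoformat(), int(silent)))
        prev = ts
    if now is not None and prev is not None:
        silent = (datetime.fromisoformat(now) - prev).total_seconds()
        if silent > max_silence_seconds:
            gaps.append((prev.isoformat(), now, int(silent)))
    return gaps


def format_alerts(gaps):
    """Render gaps as one-line alert strings suitable for paging support staff."""
    return [f"ALERT: no firewall log entries for {s // 3600}h{(s % 3600) // 60:02d}m "
            f"between {a} and {b}" for a, b, s in gaps]


if __name__ == "__main__":
    # 30 minutes of silence is treated as suspicious for a busy firewall.
    for msg in format_alerts(find_log_gaps(parse_timestamps(SAMPLE_LOG), 1800)):
        print(msg)
```

In production the threshold would be tuned to the firewall’s normal log rate, and the check would run on a schedule with `now` set to the current time rather than only over a static file.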
The current version of CAS, which uses the Oracle Financials accounting system and Oracle database on a Unix operating system, was implemented in 2001. Various features are being gradually added.
The system records all of the 4 million payments the government makes annually, as well as two million balance sheet transactions and 700,000 revenue transactions.
In the 2003-04 fiscal year, revenue totaled $25 billion and spending $23 billion.
The audit is the first in a series of examinations planned by Strelioff for the system.