Jul 28, 2008 6:07 pm US/Pacific
'Hijacked' SF City Computer Passwords Made Public
SAN FRANCISCO (CNET) ―
Only days after the city of San Francisco had regained control of its computer network after an alleged hijacking, a new vulnerability came to light -- this time brought on by the city itself.
The San Francisco District Attorney's Office made public nearly 150 usernames and passwords used by city officials to gain access to the city's network.
The list was submitted to the court as Exhibit A in the case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on felony charges of tampering with the city's computer network.
Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.
Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. In a secret meeting with Mayor Gavin Newsom last week, Childs handed them over directly to the mayor.
Later in the week, the DA's office filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite saying the passwords pose an "imminent threat" to the city's computer network, they are now public record.
A source told InfoWorld that a second password was needed to gain access to the system. Still, giving up these so-called phase one passwords is hardly recommended security policy.
(© MMVIII, CBS Broadcasting Inc. All Rights Reserved.)
