Published: April 11, 2009 10:56 pm
EVENING NEWS EDITORIAL: Computer security a serious matter
Stories about handling of situation don’t match up so far
EVENING NEWS EDITORIAL BOARD
newsroom@newsandtribune.com
Computer hackers and criminals work around the world, around the clock, trying to get information for their gain and others’ misery. It appears they might have an easy target in Clark County government.
A computer security issue nearly two weeks ago in the county auditor’s office could have allowed access to basically all information stored on county computers, including data that could put the county at risk of a lawsuit, such as protected medical records.
The person in charge of the office, Auditor Keith Groth, on Wednesday told The Evening News that password-recovery software — which can be used to access protected programs — was installed by an employee before the March 30 incident, with his knowledge. When The Evening News broke the story Sunday in an article, Groth did not mention he knew of the installation of the programs.
For the Wednesday article, Groth and Clark County Commissioner Ed Meyer said they were told, and believed, the two programs — known as “LCP” and “Cain & Abel” — were loaded onto three desk computers and one laptop computer so employees could work remotely from home.
The problem is those programs aren’t needed to network from different locations, and they can be used to steal information. The gravity of the matter was not lost on Matt Dyer, systems administrator for Clark County government.
“Due to the nature of these programs, this kind of activity cannot be tolerated and is illegal,” Dyer wrote in an e-mail to county commissioners upon learning of the issue.
Groth also said the employee who installed the software had access to the passwords of other auditor’s office employees. This goes against Indiana State Board of Accounts guidelines for computer use, a portion of which reads: “User identification codes and passwords may not be shared.”
Also, “Users other than system administrators and security administrators must be prevented from accessing sensitive operating system commands.” The employee in question is not an administrator.
That brings up a few possible scenarios to consider:
• Groth knew about the installation of the programs and their capabilities, and thus was negligent;
• Groth knew about the programs, but believed what the employee who installed them told him about the reasons for installation; or
• Groth did not know about the installation of the programs, but is saying he did to protect an employee.
For now, Groth says he’s investigating internally, and Meyer asked the Clark County Sheriff’s Department to investigate, which it is doing.
What’s quite apparent is that someone did something they shouldn’t have. It’s time to find out the reasons for those actions, who knew about them, and exactly when.
The Evening News editorial board is comprised of Publisher Jim Grahn, Editor Shea Van Hoy and Inside Sales Manager JoAnn Galligan. Responses can be e-mailed to shea.vanhoy@newsandtribune.com