Audit: State computer not secure

Friday, June 25, 2004 | 10:52 a.m.

CARSON CITY -- Security is so lax on the state's computer system that someone was able to hide pornographic and other movies on the system and then distribute them, a legislative audit says.

The staff of the state's Department of Information Technology discovered in November 2002 that a hacker had broken into the system and had copied 60 gigabytes of pornographic and regular movies and images onto the server.

"During this period the server was being used to distribute the movies and images," the audit says. The material was subsequently eliminated from the system. The hacker was not found.

The audit said the information technology department, which is the state's lead agency for electronic information and provides Internet access for the majority the state's departments, needs to improve its "first-line of defense" with changes on its on its firewall and the router that controls electronic traffic.

"Weaknesses in these areas can provide hackers with greater opportunity to gain unauthorized access to the state's network," Audit Supervisor S. Douglas Peterson said. In addition, he said, the auditors "found information maintained on various state Web sites that could provide a malicious user (hacker) with too much information."

This included detailed network diagrams, schematics of computer buildings and names of system administrators or security employees.

Assemblywoman Vonne Chowning, D-North Las Vegas, said she was "extremely troubled" by the audit that would "allow hackers to get into the system." She urged immediate improvements.

Terry Savage, director of information technology, said he would need four or five more employees to make all of the corrections. He said he asked for more personnel from the 2003 Legislature but received only half of what he requested.

Peterson said the legislative auditors believe the changes can be made with the present staff of 216 employees.

The audit also found the department doesn't have plans for data recovery and contingency activities in case of disaster.

There is a large backup generator to provide power in case of a power outage. But the department does not have a policy on how often the generator should be tested to make sure it is working.

The department must draft a plan within 60 days on the improvements it will make and then report back in six months on the steps taken to make these corrections.