Thursday, February 8, 2007

Hacker breaks into website of Canadian nuclear agency

Incident prompts security fears
The Ottawa Citizen February 08, 2007

A brazen hacker attacked the Canadian Nuclear Safety Commission website yesterday, littering it with dozens of photographs of a nuclear explosion and raising concerns about the security of information held by the nation's nuclear watchdog.

The incident was discovered about 3 p.m. by a Citizen reporter. All of the commission's current and archived news releases, dating back to 1998, were renamed as "security breaches" and, when opened, a colour photograph of a fiery mushroom cloud appeared under the heading "For Immediate Release."

An accompanying caption read: "Please dont (sic) put me in jail......oops, I divided by zero."

The pages were disabled minutes after the newspaper contacted the agency.

Commission spokesman Aurele Gervais said the attack was limited to the website's public media section and "there's been no internal information that's been compromised."

It is not known how the hacker was able to gain access.

A secure government login link from the public site to a separate and internal commission site that tracks the movement of high-risk radioactive sealed sources, used in industries such as construction, agriculture, and mining, was not compromised, he said.

"If somebody's really determined to drive a truck through a wall, they can find a way," said Katherine Fletcher, managing director of iStudio, the Ottawa company that hosts the website. "The important thing is that it was stopped very quickly and that data has been restored."

The incident, however, underscores concerns about information security at the commission, which regulates nuclear safety in Canada.

"The fact that it's a nuclear safety commission understandably raises eyebrows because it raises the question about the broader security of their computer systems," said Michael Geist, an Internet and e-commerce law expert at the University of Ottawa.

"The reality is that governments make a particularly juicy target because there's the prospect of broader (media) coverage and they're viewed by many within that (hacking) community as being more secure and therefore more of a challenge."

Because the hacker boldly announced himself on the site's media section, as opposed, for example, to attempting to quietly alter site information, "there's probably no reason to suspect that serious damage was done," said Brian O'Higgins, chief technology officer with Third Brigade, an Ottawa Internet security firm.

The incident is the first successful hacking incident to hit iStudio since it opened in 1998, said Ms. Fletcher. The company has hosted the nuclear commission's site for more than seven years.

The most serious reported hacking incident involving a federal government system occurred in 1999, when a group of teenage hackers penetrated a top-security Department of National Defence computer system.

A Texas youth was arrested on charges of breaching computers owned by a Wisconsin publishing company and five government agencies, including the U.S. Postal Service, the Texas State Auditor's Office and Canada's defence department.

Russell Sanford, who was 17 at the time, later told the Citizen how easy the Defence network was to penetrate and why he did it. "I still believe that in the end, when the public begins to realize how unsecure governments really are, that all my crimes will have been worthwhile," he said.