2002 April Report of the Auditor General of Canada
Insert 3.1—Our vulnerability assessments identified weaknesses
Outdated applications and unprotected systems
Several host systems used outdated applications known to contain vulnerabilities that could be exploited to gain unauthorized access. In one case a system administrator password was not set, thus allowing any Internet user to gain access to the system.
There are many potential abuses of unauthorized access:
- Sensitive data stored on a system can be viewed and used fraudulently.
- Data or programs can be modified or deleted.
- Access to one departmental system could allow access to another.
- Programs could be installed to attack other systems on the Internet. The attacks would appear to be initiated by the government.
- Systems could be used to share files; the government would be seen as endorsing the content of the files.
Information vulnerable to cyber attacks
Information on system set-up and user identity was vulnerable to attacks. This information could be used to plan a cyber attack or to gain unauthorized access to systems and data.
The following information was available on the systems:
- the type and version of operating system in use;
- the name of the host system;
- the configuration of the system for file sharing (did it allow "trust relationships" that would provide direct access to other systems?);
- a list of valid usernames; and
- the first and last names of users.
