I was told that my network was "hackable", and that in fact it was penetrated....

So, here are the details.  I manage a network that includes a Police Department.  A state IT official has told me that he were able to hack the network via my public access point,   Penetrate into the system and "see" all my devices.  This was part of an on-going dispute over a problem we were having maintaining a VPN Tunnel with his office.

Back to the "HACK"

They have not told me how they did it, nor have they described what they did.

This seems counter intuitive  to me,  

Should they be and / or are they required to tell me how they got in, so I can close and lock the door?

I do know what ports are open, and they are EMAIL (POP and IMAP), and MYSql.

There are NO default user names and passwords on any of those ports.

I am in the process of paying a professional group to "review" my public facing connection.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Presumably you are on the same side. You have a site-to-site IPsec VPN tunnel with proper phase security and a very stiff password (key) and they got in.  You should ask them how?
My two cents - there are two things I see going on here. One is ego. The other is criminal. This person hacked into your system - which is illegal and he is a State IT employee and won't tel you how, which he has an obligation to. Because of theses two things this makes this person a huge liability to the State he works for and your network.

Because you're responsible for a law enforcement network you should report this immediately to your boss and explain the situation. If you don't you become a culpable participant in the crime.

As for the public access point -because you used the term access point I'm assuming it is a WIFI access point. What WIFi protocol are you using? If you're using WEP then any one with a laptop running a linux distro can hack it. WPA2 they can not. If you are using WPA2 then most likely he has your passwords.

A crime has been committed by the State employee. You should be equally concerned about that and cover your ass or you could loose your job at best, worst case scenario you could end up in legal trouble and never working in the IT field again.
Shaun VermaakTechnical SpecialistCommented:
Should they be and / or are they required to tell me how they got in, so I can close and lock the door?
Yes, they should provide a detailed report otherwise this cannot be validated and/or risk mitigated. It is irresponsible for them not to provide it.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

JohnBusiness Consultant (Owner)Commented:
Yes as I noted above they need to be asked (and so then provide "how")
Eric_Where_am_IAuthor Commented:
Thanks for the feedback.  I know it isn't a "technical" question.  And so everyone following is aware, I left out a few facts (reflected in the comments above).

Everyone is aware of the event, from the TOP - down.  At both ends of the team (Town and State).

I guess my real question is ...It seems to me, that there should be if there isn't a law that states something like the following.  I am hoping its federal.

"In the event an individual or organisation becomes aware of a security issue with a network, in particular a government network, they are require under statute blah-blah.blah, to report the security issue and to provide details to the authorities in order that the issue can be corrected in a timely and effective manner, thereby preventing loss or theft of data.
JohnBusiness Consultant (Owner)Commented:
You probably need to engage your superiors so that any laws or regulations that pertain to this are properly interpreted.
I'm afraid that your wish for a statute, while well-intentioned, may well create more problems than it resolves.  For example, I'd bet that a clever lawyer could reasonably argue that "a security issue with a network" exists in nearly all cases.

When an open-source programmer finds a security flaw in code that is very popular, do we really want to put a legal obligation on them to notify everyone that they may know uses the code?  I would hope not.

Non-bluetooth wireless keyboards are a significant security issue.  I don't want to have legal liability if I notice one in use in a government network and I don't report it to them.

I absolutely agree that those who claim to have found a significant security issue with your network should give you details.  As mentioned above, you are "on the same side".  I just don't want it to become a legal requirement.

Lastly, beware of getting legal advice on EE!  That's generally not the expertise you'll find here.
Hacking is illegal and not disclosing the details of the hack is unethical at best. You don't have to be a legal expert to know this.

If you are unable to divulge the details your access points or don't know, then you should hire a third party to button up your network.

I would start by changing all your admin passwords, if you haven't already done so.
"hacking is illegal" is far too broad.  We don't know the precise details of what "hacking" actually means in this case nor do we know the strict legal authority that the "state IT authority" has with this owners of this network in question.  For example, is there some sort of legal agreement between the two entities that relates to the right to set up the VPN tunnel that may have allowed the State to confirm that the network is safe?  I'm not suggesting that there is, only that we are overreaching to make legal claims without knowing such details.

If I connect to a public access point at a local coffee shop and run an IP scanner, seeing the public information that the connected computers are providing, have I "hacked" the network?  Is my behavior illegal?  From the initial description, it COULD be no more than this.
@CompProbSolv Dude check your ego and just stick to trying to answer the question asked. I don't attack your answers and I would appreciate if you would not attack mine. It's not up to you to decide which answer is best. It's up to the person who asked the question.
A key assumption I am making here is that you're running a network for a county or local government, not a portion of the state government.

A state IT official has told me that he were able to hack the network via my public access point
This is a red flag right here. You might want to check your network architecture, and what portions of the network can access what. He might not have hacked per se, but was able to access resources that he should not have been able to through a publicly accessible AP.

Should they be and / or are they required to tell me how they got in, so I can close and lock the door?
This gets tricky. Should they? Yes. Do they have to? Given that the person is a state official but most likely not doing it as a part of their work duties, the answer is probably no to the requirement side. Had this person being doing this under some sort of authorized scenario, they would be required to disclose the vulnerability to whoever hired them, which wouldn't be you.

CompProbSolv also brought up great points.
@jmac - I wouldn't get so sensitive about CPS. The points are he raised are valid. The issue with a number of things posted on EE is that you have to read beyond the what is written, because of missing details or a lack of understanding. While you're thinking his points are irrelevant, they actually would heavily influence the response to this question. There are some obvious unknowns here that matter. Even if the background of the state official's actions are unknown to the author.
@jmac44: My comments were not intended to be an attack on you.  Rather, I was trying to guide the one who asked the initial question to reasonable answers.

I've learned over the years of troubleshooting that one has to be very careful about how accurately one assumes that a symptom is reported.  I don't question peoples motives generally, just their accuracy in use of the language.  "Hack" is a term that has evolved dramatically and doesn't mean the same to everyone.  The details of the "hack" may be no more than what I asked about the coffee shop scenario.  Of course, it could be that the network is far more exposed than that.  If the State IT person remains uncooperative, it's tough to know exactly what he found.

With all of that aside, I don't think that EE is the place for specific legal advice, for numerous reasons.  Without knowing some of the details I raised, I don't think one can make an informed decision.

On the other hand, I think that ethical comments are well in order here.  Those represent less precise standards than the law and we all have some expertise in that.
Eric_Where_am_IAuthor Commented:
ok, I think from the comments (and the metaphor -- everything is in a blender fits here) indicates that this is a touchy subject at best.

I get that there are security flaws in every network, starting with the people you have at the keyboards.  But this particular incident is very specific in that it was described as "I was able to enter your network through your internet access point remotely, and could see all of your devices."  So printers could be altered, copiers, etc...

As I said, I know what ports are open.  I have every other port closed.  The ports are EMAIL and 3306. Thats it.

3306 does not have a default user name and password and is managed by a vendor.

and the email ports all point directly at a system that isn't connected to the network internally, just to the internet.

I would love to have leverage with this gentleman, to force him to be more specific.  and my question really boiled down to...if you penetrate a government network  (regardless of its size or relative importance),  I do believe there should be a law that says you have to report it.  

I am not advocating big brother, just what I see as common sense.  Now if he didn't tell me he got in, how would I know to pursue the matter?  

I wouldn't.  I also think he is full of BS, and DID NOT in fact get "in" as he said he did.  I think this was a smoke screen to cover his own issues with the original problem (the tunnel not connecting)  He blamed the CISCO Router, the engineer programming it, our internal network, our external access (what we are talking about here), and insisted that we resolve all of it before we could possibly assume his programming was at fault.
Eric, I agree with your thought that he's full of BS. There's a lot that going around these days. The amount of hubris on display in the IT field is on the same level as government politics. While it was completely clear what you meant by the term "HACK"
able to hack the network via my public access point, Penetrate into the system and "see" all my devices
others choose to split hairs with the term, giving themselves a pat on the back for sounding good in hopes that you will grant them a reward. Personally I don't care if anyone agrees with my statements. One merely needs to google the definition of hacking. To get into the minutia of a term is not helpful or say don't give legal advice at the same giving legal advice is well pretty damn funny.  The two contributors to this post (you know who you are) can give yourselves big 'ole virtual high five for being so damn eloquent. Good for you! Peace out and have a Happy New Year.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
I would love to have leverage with this gentleman, to force him to be more specific.
You do have one piece of leverage: report it to a higher up on your end, which should cause it to get reported to someone at the agency of the state employee. That state employee would suddenly be left with few choices: a) disclose, b) deny everything, c) make up some crazy story. If the person is indeed blowing smoke, he is going to go with options b or c, but b being most likely because option c would cause far more embarrassment.

Really, the incident is a more sensitive topic to you and those who use the network you run. Those of us who have been trying to assist may not see eye to eye as we looked from different angles, even if someone decided to go the passive aggressive route.

A security review never hurts to have regardless. Better safe than sorry. Report it through the appropriate mechanism and see where it goes. Just be sure to document and have your bases covered. Good luck!
At the risk of being accused of splitting more hairs, I have just a couple more comments.  "able to hack the network via my public access point, Penetrate into the system and "see" all my devices" could mean nothing more than what I asked about the public network at a coffee shop.  I've had clients get VERY concerned (generally without merit) about the information that a simple IP scanner reveals.  I don't consider that a "hack", though others certainly might.

I've also learned that in the computer world (actually, life in general) people rarely use the official (dictionary or otherwise) definition of words.  If they did, our jobs (and lives) would be so much easier.  I looked up what dictionary.com has for "hack" and don't see anything that says that the State IT person circumvented any security nor anything about malicious intent.
Eric_Where_am_IAuthor Commented:
Thanks for you considered feed back.  The truth is that my real issue is getting the people who could assist me in putting legal pressure on the person making these statements are not falling into line, they are afraid of "rocking" the boat with a larger more powerful entity.  I do not think this is typical of government activity in general, but I do think it is typical of the government I work for (small town).

I have shared the dialog of this question with everyone on my side of the fence.  It is at this time highly unlikely that it will go beyond that.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.