Usernames and passwords to San Francisco network exposed in court docs
San Francisco again has control of its own FiberWAN network, but as it compiles evidence to keep distraught network administrator Terry Childs in jail, the city could have opened itself up to a slew of new security problems.
The San Francisco District Attorney's office entered up to 150 usernames and passwords into Exhibit A of the ongoing legal case against Childs. Each account is said to be sensitive and private, and the city has gone through a lot of work to get the accounts back, only to enter them into the public domain through the courtroom filings.
The passwords entered into Exhibit A are just one of at least two sets of passwords necessary to access the network, but security experts again were left shaking their heads. Access to the city's VPN would still be required to make use of the exposed login information.
All of the usernames are linked to the mayor's office and district attorney's office, multiple city agencies and departments, and the city's police department. Security experts have already pointed out that the city should change all of the passwords, especially since a number of them are identical to their usernames or would otherwise be easy to guess.
Specifically, Exhibit A was used against Childs when he requested his bail be lowered from an unusually high $5 million. Childs will have to remain in jail until Sept. 24, the date of his next hearing. The high bail was set because of fears that Childs would leave prison and use the passwords to permanently lock the city out of its own network.
Childs, a San Francisco Department of Technology (DOT) senior network administrator who had control of the city's FiberWAN network, changed passwords and effectively locked everyone out of the network. He stopped users from accessing parts of the network they were authorized to use, and also enabled his own access to sections of the network to which he should have been restricted while he worked for the city, San Francisco district attorney spokespeople said.
Childs finally disclosed passwords for city administrators only after meeting in person with San Francisco Mayor Gavin Newsom, who then delivered them to Cisco Systems engineers brought in to help unlock the network.
The FiberWAN network is responsible for controlling the city's e-mails, law enforcement records, payroll, and personal records. It controls 60 percent of the city's municipal data, which also includes lawyer information and the 311 information system.
After being arrested, Childs was charged with four felony counts of tampering with computer networks and has a fifth pending misdemeanor for criminal damages. He has pleaded not guilty to all five charges.