Slashdot Mirror
US Government Computer Security Evaluated
Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."
...people are wary of Carnivore, and don't believe the FBI's assurances of security and propriety. Any system that can be abused will be abused.
Perfect examples of why inefficiency/inadequacy are a definite risk.
Karma: Excellent, but still won't get you laid.
I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.
If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.
It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!
Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.
It's really like testing someone's program, only to have your feedback ignored.
What's the point?
Source code is a lot like a parachute; it needs to be open in order to function properly.
"typical of what you'd find in most Internet-linked systems"??
/.ers out there know that the Internet is very hard to secure. But they also know that it can be done with a good deal of practice and knowhow. So I'd say it's not that. I'd say it's more likely poor government performance that we're seeing there.
Sorry, doesn't wash.
Many
Ideally, the government should have the highest security and technological savvy of any entity in the country, in order to protect its citizens from threats from outside the country.
(Ideally, the government should also be protecting the rights of the citizens too rather than chipping away at them with an espresso spoon whereever any cartel like the MPAA or RIAA tells them to, but that's another rant entirely.)
So what's wrong? Either:
a) they don't have the knowhow to maintain system security, or
b) they have the knowhow, but aren't utilizing it correctly.
I'd like to see a correlation of government salaries in relation to similar positions in private industries. If they're dissimilar, and the government pays its workers less than the private sector, then I think it'll be safe to say where the talent's gone...
You cannot truly appreciate Dilbert until you read it in the original Klingon.
I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low-emissions). If not, they were used inside "the can" which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motions sensors - and when they went off we all shit a brick.
All machines had removable hard-drives that would be locked in safes. After use, the hard drive was removed and the machines power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.
When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.
When classified as to be destroyed (and that isn't easy to get approval) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....
We were apart of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple good grad students because of it.
Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.
All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...
-tim
Hey man, at least they passed :)
Haven't any of you watched War Games?
Any kid with a C-64 can hack the Pentagon and set off a nuclear war.
Uh, it was a historical recreation, wasn't it?
--------
For an A, the computer must be vaporized by a nuclear blast.
For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).
--------
That pretty much leaves the security in the hands of folks whith little or no experience. Based on that the report isn't surprising at all.
Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
--
Behold the Power of Cheese!
Walkin.
Find a corner with nobody around.
grab a cat-5, split wires off into a wireless transmitter.
hide cable away under a desk.
park a vehicle in parking lot of building with receiver inside, dumping to a laptop.
steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.
Enjoy. Guarenteed to work at your local DMV!
Ever need an online dictionary?
... or, more likely, it's a report done by a Republican Congress to discredit a Democratic administration. They've been doing this all year. For example, when Bill Richardson (a Hispanic and therefore politically valuable) was a front-runner for the Democratic VP slot, Congress brought as much media blame as possible on him for apparent security leaks in the Energy Department.
FYI, Congressional panels and committees are generally controlled by the majority party of that branch of Congress, even when they're called "non-partisan".
I'm not endorsing Democrats or slamming Republicans here, I'm just pointing out politics as I see them. The same thing might happen if the parties' roles were reversed. I am neither Democratic nor Republican.
Tragically, www.fbi.gov has huge security weaknesses. They left port 80 open, allowing us 31337 haxors to connect. Once connected, we can send specailly formed packets known as "|-|77P R3qu3575" to the remote host and retrieve files.
The government should just pack it in.
There's no way to protect a system from the likes of me.
--Shoeboy
I worked with a DoD contractor (software development) for a while. The people taking care of the company web site were former NSA and military. And not long out of the DoD, either.
In dealing with these people, I have found that while there are some smart people in the military, there aren't many. For example: I sent an e-mail to a software developer in Russia (he had some GPL'd stuff we were using). Two days later, I was called in to the IT department and threatened with termination for "letting the Russians know we have an IP address!". I wish I were kidding you.
Another example: we needed a new e-mail server for one of the offices-- maybe thirty accounts. I talked with one of the guys, mentioned perhaps using OpenBSD and Sendmail. I asked him about it a few weeks later, and the response was: "No, a lot of our guys attach Microsoft Office documents to their e-mails, we need to make sure the server is compatible." (and this server was NOT supposed to scan documents and attachments for viruses).
Why does the DoD have such shitty security? They have idiots in charge. Idiots that talk a big talk, but have no fucking clue. They sling buzzwords around, they take credit for the other guys' work, and they get promoted with maximum time and grade. The military doesn't know the difference between a competent soldier and an incompetent soldier. God, it's irritating.
Attributed to David A. Guidry:
network security:
1. Kill all your users.
2. Remove all accounts.
3. Detach network and dialups.
4. Turn off machine.
So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).
Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information including some military inventions and devices for our project and some of our trusted boxes (there was RSH used with .rhosts) were out of the box redhat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on it was broken into.. how's that for irony.
However, my experience with commercial networks have been a lot worse. One company had two seperate networks, connected by a machine with two NIC's and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
Ahh.. I love the smell of poor management in the morning.
nerdfarm.org
Dacels Jewelers can't be trusted.
I'll bet you dimes to doughnuts that the NSA, FBI, and CIA all have pretty tight security with nothing that even has a remote chance of being classified coming near the internet. DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.
As originally said though, and especially in light of the Western Union attack, this is probably the general state of all computer security.
This is not the way to build a lasting empire.
Yeah, those do, but it's the departments you don't care about that have the most "computers". The NSA and the Weather Service and stuff have a few huge machines, but the IRS and DOEdu and DoEnergy have more employees, each of whom has one or more machines.
But wait, it gets worse: When you study the computers at a location you have two areas: servers and clients. We have like 10 solaris boxes, all of which are counted together as "the server", then we have desktops for 150+ users, each of which is counted as "a computer." For security purposes, that's 151 "computers" that are counted, only one of which (the server stack) is under the direct day-to-day control of the IS group. Hell, our IS people aren't even in the same building as the majority of desktops. Those who were here before I started will tell you, security was much easier when everyone here ran xterms, but the users push for laptops and crap on their desk that couldn't be made secure if we rewrote it line-by-line. It's all we can do to keep them from saving their password in Eudora, or even getting them to use that instead of Outlook in the first place (that filipino iluvyou kid sure did me a big favor).
They have to do it that way because people use their machines in such a varied fashion, so rating security, for us, is really how secure your server is and how effective you are at enforcing network policy, which is much, much harder. Some of us are hoping the switch from 98 to 2k will help, as far as forcing people to save shit where it belongs, but the future doesn't look bright: I told the new accountant he had to cycle a dozen passwords for our grant requests, and he threatened my job!
At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
As far as this is concerned. I'd like to think that organizations can be secure enough in other ways to not have to have co-workers hiding information from co-workers that are possibly right next to them.
-Daniel
The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.
Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. Wouldn't also surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.
How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter?). And a few paid professionals? You're trusting these people with your data. Social security numbers, tax records, etc. and they have little security at best.
--
Computer turned off, cast into solid titanium,
dropped somewhere in the Pacific?
Je t'aime Stéphanie
the report said accounts often remained open even after employees or contractors wound up their employment
access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users
Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
"Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
"Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
-Suck
A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickys were to be found on the bottom of nearly every computer in the place.
Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.
Their entire idea of security seemed to be putting up a bunch of cold war era posters with eagles playing poker against vodka swilling bears and wolves dressed in arabian garb, warning "Don't tip our hand!"
Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.
As a term employee with the Forest Circus I was amazed at how little the employees understood about security. Any password that was not username1 or username2 was a pet/spouse/child's name. And root on the servers was just as simple.
When a temp asks you to restart a printer queue for the second time and you give him the server passwords and door combo, security isn't even a bad joke. Forget about DoD web pages getting "owned". The issue is a vast collection of financial, tax, and research data that's available to any techie who helps fix a federal employee's home computer and asks for a password to "test" the VPN. Until user security is adressed systematically, upgrading the firewalls is a waste of time and resources.
Wait... you mean you still haven't joined the ACLU?
The problems with articles like these is that you never know what is being reviewed.
For instance, does this include the many many DoD defense grant and contract holders who have sensitive information? I mean most of those are educational institutions and you know what their security is like. Lord knows anyone could break into my lab with little more than determination and a swift kick.
The other question is, while the system may be wide open, how important is the data that is available on it? The DoE and DoD like to keep all the nasty secrets behind air walls so there is no chance they are going to get out unless someone physically penetrates the building.
BTW I have seen people posting thinks saying that higher government security will produce to a smaller government. These people obviously don't understand how government works. More security means more government to provide this security (additional security personnel) and more government to make up for the inefficiency caused by more stringent security. If you want a drastically smaller government then I suggest you look elsewhere, like privatizing programs for added flexibility.
So far I've gotten all my Karma from telling people they are wrong... :)
Do you really want efficient government?
Only if you believe they are benevolent. If you believe they are self-absorbed [as I do] or malevolent [as some do], then you want to limit their effectiveness.
I believe that govt expands to the limits of it's incompetence. Since I really don't want more govt, I must limit it's effectiveness, and accept the resulting bureaucratic inefficiency.
It makes it so much easier to find out where those black helicopters are headed...
Seriously... instead of handing out life sentences the government should seriously consider handing out paychecks. Face it, they need someone with a clue on their side.
Windows2000: Where do you think you're going today?
And this isn't limited to just governments. Private business, which is supposedly smarter, harder working, etc than the government is FULL of convenience-minded people for whom security means nothing.
"Password restrictions? Filtering? Attachments? Get out! It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!"
Of course, these are the same people who want you fired when the system is down at 0-early-30 on a Sunday morning for patching.
You're right that its insane, its totally out of control.
The only thing going for us is that Win95, which all the workstations except mine run, is usually so badly mangled by the end users that I don't think it could do much harm prior to blue screening..
On an off topic note, I submited a stroy that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet slashdot hates my news stories so I post here so someone else can submit it. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
What would it cost to have a fingerprint scanner on each goverment computer.
I know when I co-oped for the Feds back in 1987, they took my fingerprints, so it's still probably policy to fingerprint each new employee.
Stick a little fingerprint reader on each workstation, and security gets a heck of a lot better (spare me the arguments about stealing or forging the fingerprint authentication file, I'm talking security against weak assualts).
Of course, when you have fingerprints of every person who worked for the Federal government, every criminal, and every welfare recipient, you have fingerprints on a big hunk of the country. All we need then is to fingerprint student loan borrrowers. Anyone know if the NSA has massive fingerprint recognition computers?
And once something has been proved to work for the Federal government, it's a much easier sell to get it into private industry. Who knows, we all may fingerprinted soon, in the name of better security. Bye bye rights. I think Voltaire said it best, those that would forgo a little freedom for security will soon have neither.
Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.
Worst of all, everything runs outlook, and the various iloveyou kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechloslavakia? But, guess what? We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."
It's insane.