Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Government Computer Security Evaluated

Posted by ryuzaki0 on from the bad-bad-leroy-brown dept.

Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."

14 of 205 comments (clear)

  1. Pride (In the Name of Love) by Grasshopper · · Score: 5


    I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.

    If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.

    It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!

    Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.

    It's really like testing someone's program, only to have your feedback ignored.

    What's the point?

    --
    Source code is a lot like a parachute; it needs to be open in order to function properly.
  2. our security by tdrury · · Score: 5

    I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low-emissions). If not, they were used inside "the can" which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motions sensors - and when they went off we all shit a brick.

    All machines had removable hard-drives that would be locked in safes. After use, the hard drive was removed and the machines power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.

    When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.

    When classified as to be destroyed (and that isn't easy to get approval) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....

    We were apart of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple good grad students because of it.

    Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.

    All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...

    -tim

  3. HEY MAN!! by AntiTuX · · Score: 4

    Hey man, at least they passed :)

  4. Is this a surprise? by TheDullBlade · · Score: 5

    Haven't any of you watched War Games?

    Any kid with a C-64 can hack the Pentagon and set off a nuclear war.

    Uh, it was a historical recreation, wasn't it?

    --------

    --
    /.
  5. That's just an A- by TheDullBlade · · Score: 4

    For an A, the computer must be vaporized by a nuclear blast.

    For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).

    --------

    --
    /.
  6. Gov't security comes from Gov't employees... by kabir · · Score: 4
    The main problem with government security is that it must be enacted by government employees. Now, I'm not saying that government employees are inherently stupid, or anything like that. But I have run into a lot of security guys who are ex-gov't or ex-military, and the general consensus from them seems to be this: most of the good, talented technology people (security, programming, etc.) bail of military/gov't service because of the lousey pay (as compared to the commercial world), poor working conditions, and mis-management. As near as I can tell from talking to these people, the gov't wants security and quality without spending the needed amounts of money and (perhaps more importantly) energy on it.

    That pretty much leaves the security in the hands of folks whith little or no experience. Based on that the report isn't surprising at all.

    Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
    --

    --
    Behold the Power of Cheese!
  7. Re:So how can you get an A+? (kill all users...) by namespan · · Score: 5

    Attributed to David A. Guidry:

    network security:

    1. Kill all your users.
    2. Remove all accounts.
    3. Detach network and dialups.
    4. Turn off machine.

    So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).

    Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  8. Not a surprise. by Xerithane · · Score: 4

    Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information including some military inventions and devices for our project and some of our trusted boxes (there was RSH used with .rhosts) were out of the box redhat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on it was broken into.. how's that for irony.
    However, my experience with commercial networks have been a lot worse. One company had two seperate networks, connected by a machine with two NIC's and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
    Ahh.. I love the smell of poor management in the morning.

    nerdfarm.org

    --
    Dacels Jewelers can't be trusted.
  9. No surprise... by kgasso · · Score: 5

    The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.

    Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. Wouldn't also surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.

    How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter?). And a few paid professionals? You're trusting these people with your data. Social security numbers, tax records, etc. and they have little security at best.
    --

  10. So how can you get an A+? by SpanishInquisition · · Score: 4

    Computer turned off, cast into solid titanium,
    dropped somewhere in the Pacific?

    --
    Je t'aime Stéphanie
  11. People are the problem by TJ6581 · · Score: 4

    the report said accounts often remained open even after employees or contractors wound up their employment
    access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users

    Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
    "Freedom of speech has always been the abstract red-headed stepchild of the Constitution"

    --
    "Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
    -Suck
  12. Mostly user ignorance. by brad.hill · · Score: 5
    I'm sure that this forum will be filled with flames about MS software, which is admittedly insecure, but a lot of it is just ignorance, and even the best Unix systems can be made very insecure this way.

    A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickys were to be found on the bottom of nearly every computer in the place.

    Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.

    Their entire idea of security seemed to be putting up a bunch of cold war era posters with eagles playing poker against vodka swilling bears and wolves dressed in arabian garb, warning "Don't tip our hand!"

    Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.

  13. I think it's both by josepha48 · · Score: 5
    Having worked in a goverment agency in the past, I'd have to say it is a little of both. Keeping a internet connected network secure is a difficult job, but goverment workers are usually not the most motivated. The US goverment also has a tendancy to contract out much of its IT work, so they do not have any internel experts. Sure they say they do but most of there experts are not people whom actually are experts. Think of it this way. In the USPTO it was not till 1997 that they actually outfitted all the patent examiners with computers. Many other agencies are the same way. Most of these people were reluctant at first to even answere there email let alone use the computer (yes this is true there was a big issue over this in the USPTO). They contracted out all the installation and had formal training. This is how you log in this is how you log out. When the goverment contracts out they do not always go for the best company. They have a unique system for determining who gets the contract and sometimes who gets it does not deserve it. With no experts and probably not the best company doing the work, how can they be secure. Also with people who generally don't care, this tends to be the norm. I bete if they polled more gov agencies they woudl find this to be a very common thing.

    On an off topic note, I submited a stroy that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet slashdot hates my news stories so I post here so someone else can submit it.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  14. This is for real by Anonymous Coward · · Score: 5
    I work for the DoD, in a sensitive but unclassified environment.

    Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.

    Worst of all, everything runs outlook, and the various iloveyou kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechloslavakia? But, guess what? We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."

    It's insane.