Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

I don't buy it...

[Mustang+Matt]

I wish they would have gone into more detail about what tests were ran and how they were failed. It's easy to criticize the government but where are the facts?

I can't believe that they could have scored at F on any security test. Am I naive?

Is it physical security or through the internet or what?

Does anyone have any links that show what tests were done and how they scored on each one?

Re:I don't buy it...

[BlueboyX]

At the school I volunteer at I talked to a woman who will be setting up a new lan. She was discussing how complicated setting up secure networks is with the librarian. She seemed pretty happy with herself that she knew how to prevent people from getting onto the computers by just clicking the 'X' button on the login menu. Her face looked pretty impressive when I told her that another trick lets people get in a system by loging in as 'Default'

Heh, I used that trick once to get in a hospital computer system where my father worked (he forgot his new password). The X trick didnt work, but Default sure did.

Let's just face it, we are dealing with normal people here. Not nerds. Most of us here could set up a more secure network than you will find on average. And I include alot of us who have never actually set up a network in that statement. Alot of things that are common sense to us are magical or totally unknown to normal people.

The only way the gov and various businesses are going to get more secure is if they train their people in computers (unlikely) or hire more nerds (also unlikely, for the gov at least. They cant/dont compete with businesses very well).

In other words, alot of basic things in the beurocratic and commercial worlds are going to have to change if they are going to seriously make their systems secure.

Whoa. I almost fell over.

[hool5400]

Federal computers fail security tests? That IS news. This IS sarcasm.

Is there still a person alive that doesn't realise that government computers are generally less secure than the mean? Complicated systems fused with apathy, ignorance and stupidity. It will nail you every time.

Are international hackers the greatest threat?

[Tim_F]

I'm not sure I agree that international hackers re the greatest threat here. If I were the US government, I'd be more concerned about the American script kiddies (for example when the CIA site was defaced).

It also doesn't tell WHICH computers.

[Ieshan]

Personally, I don't buy the article because it doesn't tell which computers failed the tests. Somehow, I doubt there's any sensitive, highly classified information stored on 95% of government computers - most government workers simply don't have access to that type of data or knowledge.

I'm scared at the fact that someone could report on this with so little attention to detail. It's an article simply designed to scare people into thinking that the US government isn't more prepared than they are.

What do the grades mean?

[recursiv]

Without a specification of what these letter grades mean, this is all fairly meaningless and subjective. A 'C' could mean anything.
An 'F' is the worst possible grade, so does this mean that there is no possible way for those agencies to have done worse?

I found the results from last year here. It's interesting that it was released on September 11 2000.

I work at a school

[BlueboyX]

I do volunteer work at a local elementary school. I have been helping them repair computers that got damaged due to renovations during the summer and weird things the teachers do.

Now, teachers are somewhat educated people. You can't just instantly become a teacher (as you could get some other bureaucratic positions) yet they are technophobic or just plain computer illiterate. Heck, I have to help them set up their vcrs! The extent of computer security that they can handle is putting a password on the Accelerated Reader program so that kids don't change their grades.

These people are not stupid or ignorant in general. They just know jack about computers. If these teachers, being more educated than your standard bureaucrat might be, can't deal with computer security then how could a standard bureaucrat be expected to?

Government systems administrators? School networks don't have system admins. They have librarians that know a little bit about computers. That is who will be maintaining the network at the school I volunteer at when I eventually leave. As far as I can tell, they never have had a dedicated computer person in the entire school district who maintains these systems. I know there is a woman in the district who is going to be working on installing more computer equipment, but fixing things doesn't seem to be a normal part of her job.

Just putting things in perspective.

What kind of counterattack?

[kindbud]

When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

I wish they had defined "illegal, electronic counterattack." What exactly did he do? I bet he did just what any one of you would have done, he performed portscan to see if there were any open ports suggesting a compromised system.

Re:What kind of counterattack?

[rockwood]

I would assume 'illegal' to mean "...against agency policy..." The employee most likely took personal responsibilty of counter-attacking a supposed hacker instead of reporting to the proper departmental channels. In which case (if it were a real hacker and not an internal test hack) the employee could have compromised more of the system or tipped off the hacker that they were noticed causing them to leave and the security department having to deal with the remains of a hack rather then monitoring and tracing a live/current hack. Or causing the hacker to freak and cover his found tracks radically by taking down entire systems.

I too would have been interested in knowing the guidlines for these grades. Prior to 9/11/01 it is possible that the systems were looked at in a much less crucial manner, whereas after 9/11/01 those reviewing the systems may have been much more critical. This causing the grades to drop when the systems actually remained at the same level of security. - Henry Smith

Be careful

[Kiro]

The FBI and CIA have been known to do turnabouts on hackers. Just ask Max Vision. The gov't fought long and hard to demonize and criminalize even the whitest hats of hacking, and Ashcroft's pushing to get them labeled as terrorist acts on top of that.
The DoD's had it's fair share of smudged histories. Be Alert. Keep your pistol handy.
Yes, you can be useful in combatting terrorism. Just make sure you know where the line is getting drawn and be on the correct side of it.
And realize that some of combatting terrorism may go against projects you've been supporting, like anonymous remailers, strong crypto for everyone, anti-censorship protections, and the elusive set of projects working to enable dissidents in countries such as China to safely communicate with the outside world. These and other tools can also be used by the bad guys, and will no doubt become targets

.

Re:Be careful

[BrookHarty]

Good example, the CIA armed, and gave billions to Afghanistan to fight Russia. Now some of those Afghanistan rebels/terrorists are armed and well funded by the USA.

Good intentions can turn around and bite you on the ass.

big deal

I contracted for an audit department for the DoD and they had nothing but accounting on their computers (novell and windows). Big deal, are people going to hack in and see what their are paying their various contractors. I'm sure that the stuff that should be really secure IS really secure.

The SSA

[RageMachine]

I did a small job working for Compaq installing NT4 boxen for the local SSAs (Social Security Agency)(s). They used a Centralized NT 4 server with SP3 (Yes, service pack 3) and the administrator password was... get this... "password1". The client machines loged in to the PDC on a TokenRing network which took minutes just to download a 50k profile. The man who was in charge of all of this was being overpaid, since I could tell that some of these older machines still had virii on them. :\ and the server crashed twice because of a tokenring bug in service pack 3, and they din't know what it was, nor did they know that SP6a was available. The assistant din't even know what Windows2000 was, much less BSD/Linux.

Yes, the governement does have very terrible security. I thought our taxdollars were paying for more than this? Im not bashing, or trying to be a troll, but wouln't some form of UNIX like BSD, or Linux reduce our tax rates, providing the admins know how to use it? I know they are paying thousands just for that ONE NT4 server running on a Pentium Pro 200, with 128mb ram.

Systemic Problems

[Marcus+Erroneous]

Having worked for the government for awhile, both in and out of the military, there are several insights for that part of the network. For awhile, the official architecture was Windows NT. Regardless of it's strengths or weaknesses. We were using Novell at the time and under constant pressure from on high to get with the official architecture. Fortunately, my boss was more concerned with costs and effectiveness than official position. However, security wasn't an issue. Even in '98 we didn't have a firewall and the director didn't see the need for one. And since he didn't see the need for one, there wasn't going to be one. Only secure networks were using firewalls, and they weren't using NT for that. You might say, "I thought you just said the official architecture was to use NT?" and you would be correct. But even MS couldn't overcome the obligation for classified networks to look at security and stability first and evangelism second. The firewalls were manned by *nix boxen or other platforms and people that knew how to configure them.
Another problem is the civil service. You can have someone rise from a computer background to head a major department responsible for all IT and Telecomm issues that can barely use an e-mail client and can't explain one difference between ISDN and POTS. Then, they hire based on longevity. If you show up with the qualifications for a gs-9/10/11 position but haven't been in civil service, don't even think about it. Come in as a 4 or 5 and work your way up. Those inside the system feel that the higher position should be their's by virtue of having "put in their time". Promotions should be based on how long you've been in the system, not whether or not you can do it. My wife, who was in the civil service was once warned not to even think about applying for a specific position. Despite have a degree in the field and current certifications (medical field where those things frequently mean something) she hadn't been there long enough to deserve to apply for it. The woman who warned her used to have current qualifications, but had stopped bothering to stay current over 10 years ago. Nor attend any sort of training or classes to at least stay up on developing techniques. Not smart in any field. This sort of personnel system doesn't encourage people to stay or even to try to hire on. At this particular installation, those of us that could move on, did. Oh, did I mention that the pay isn't one of the more enticing features? I started at a large corporation making more than the director of that organization. Not that I make that much, they make that little.
Let's see, forced system architectures from the top down. A system that rewards longevity at the expense of competence. No central policies to control and/or coordinate at the command level, let alone service level, let alone within the civilian side of the house. And an incredibly low pay scale. I can't imagine why there would there would be any deficiencies. The good news is that there still exist some competent, dedicated people within this structure. Which is why any of the networks and/or machines passed at all.

Waddaya mean password is a bad password?

[raumdass]

Anyone who has put in a few years doing IT or security at a big organization (University, large corporation, whatever) can attest to the fact that the people who are ultimately in charge of the Big Security Decisions (i.e. the ones that can write the checks or sign-off on policy) are often the ones that have the least clue about it. They don't see the "Bad Guys" parked outside with their tools and getaway cars, waiting to break in while your not looking, so they think worrying about security and user education is either a waste of time and that you're too paranoid for always talking about "security", or they've bought whatever line they were sold by whomever sold them the promise of "security" and delivers instead a world of Macro Viruses and Code Red worms.

While I have to believe the "really important super-secret stuff" is kept safely locked away by geeks wiser and smarter than us, it cannot come as a surprise that the state of government computer security is about the same as security on the internet at large... it mostly sucks. Why? We can blame the software companies that release easily exploited code, and maybe we should start making them more accountable, but as long as people keep picking dumb passwords, administrators keep letting them, and they in turn keep following poor practices (fricken clear-text password lists!?!), then this what happens.

Re:Typical useless gov't reports

[DahGhostfacedFiddlah]

Yep - no "glory" cracking into a D- system.