Slashdot Mirror


Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN, tells of the latest network security report cards earned by Federal agencies. The Department of Defense, along with several others, failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

11 of 125 comments

  1. Homemade Unix by Ashcrow · Score: 3, Interesting

    A boss of mine a few years back was an ex-administrator on a private mil network. I picked his brain about some of the stuff and he explained that they use NT on the public networks (i.e., for email to friends and family and other trivial things) and a homemade UNIX version for their private/secure networks. Of course this was just for his area of the military.

    As for the DOJ, I met a guy who was arrested for cracking into it when he was 19. He explained that it is a lot easier than people think and he cracked it about 11 times before he was caught. He now works for a large security consulting group.

  2. Typical useless gov't reports by baptiste · Score: 5, Interesting
    Note this from the article:
    The grades are based on information the departments gave to the Office of Management and Budget (OMB). Under a new federal law, agencies must report regularly to OMB on their efforts to keep computers safe.
    Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities? A monumental task no doubt, but still scary to contemplate.

    Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have spec'd out for them.

    1. Re:Typical useless gov't reports by kir · Score: 3, Interesting

      Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have spec'd out for them.

      I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)

      So many security problems exist at so many different levels, it's amazing no major infiltration has occurred (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatoes (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.

      I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email?

      Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guarantee it is not being followed at most DoD installations.

      I've said this in many previous posts on /. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a government CONTRACTOR not an EMPLOYEE); training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.

      It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!

      --
      3cx.org - A truly bad website.
  3. Re:I don't buy it... by Nick+Number · Score: 5, Interesting

    I can't believe that they could have scored an F on any security test. Am I naive?

    Well the following paragraph of the article gives some blatant examples of poor practices that were found:

    The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.

    --
    Promote proofreading. Don't mod up sloppy posts.
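The two practices the article and kir's post describe (blank or "password" passwords, and help-desk resets to a single well-known value) are both things a defender can check mechanically. Below is an added example, not code from the article or from any poster: a small password-policy audit that flags the conditions the GAO found, plus a reset helper that issues a random, per-request temporary password instead of a fixed one. The account list, the weak-password list and the `must_change_at_next_logon` field are constructed for illustration.

```python
import secrets
import string

# Constructed list of well-known default passwords (illustrative, not exhaustive).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "letmein", "welcome"}

# Constructed sample accounts in the spirit of the GAO's Commerce Department findings.
SAMPLE_ACCOUNTS = [
    ("jsmith", ""),                               # no password at all
    ("clerk", "password"),                        # "password" as the password
    ("sgt_such", "P@ssW0rd"),                     # the help-desk reset value from kir's post
    ("admin", "admin"),                           # password equals username
    ("analyst", "correct horse battery staple 42!"),
]


def password_findings(username, password):
    """Return the list of policy violations for one (username, password) pair."""
    findings = []
    if not password:
        findings.append("empty password")
        return findings
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("well-known default password")
    if username and lowered == username.lower():
        findings.append("password equals username")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    # Count character classes present: lower, upper, digit, other.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


def audit_accounts(accounts):
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    report = {}
    for username, password in accounts:
        findings = password_findings(username, password)
        if findings:
            report[username] = findings
    return report


def reset_password(username, length=16):
    """Issue a fresh random temporary password that itself passes the policy.

    Unlike a fixed reset value such as "P@ssW0rd", each reset yields a different
    secret, and the account is flagged to force a change at next logon.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_findings(username, candidate):
            # Hypothetical record shape; a real directory would store this differently.
            return {"username": username,
                    "temporary_password": candidate,
                    "must_change_at_next_logon": True}


if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
    print(reset_password("sgt_such"))
```

The audit is deliberately simple; the point is that every condition the GAO reported is detectable from the credential store alone, and that a reset procedure producing a different random value each time removes the "everyone's reset password is P@ssW0rd" failure regardless of who phones the help desk.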
  4. scoring system? by BigBir3d · Score: 2, Interesting

    Does 'F' imply no password protection?
    Does 'D' imply posted password?
    Does 'C' imply password?
    Does 'B' imply encryption?
    Does 'A' imply near perfection?

    I presume an 'A+' is un-obtainable. If it has a way in, then, can't it be cracked?

  5. It must be a mess by Quizme2000 · Score: 3, Interesting

    When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This makes it apparent that the IT department is extremely mismanaged. Standards and procedures for dealing with hacker attacks, critical loss, and computer abuse are the core requirements of any IT support. I'm guessing that a lot of gov't computers have access to the internet that do not require access for their job function. Every terminal that's connected is a security risk that must be addressed. Probably set up by a very underpaid gov't worker that was "trained" in a day.

    --
    "Get them before they get....
  6. Management style... by GISboy · Score: 2, Interesting

    Anyone old enough to remember various management styles would probably refer to this as the "Open Door Policy".

    In my brief stint at a Panasonic refurbishing depot, the management there also had the same policy.

    "My door is always open, as long as you never walk in, it will remain so."

    "First rule of management; EVERYTHING is your fault" --Hopper, A Bug's Life.

    (note: misfiring neurons due to my son startling me awake at 5am. sigh.)

    --
    If it is not on fire, it is a software problem.
  7. Shouldn't there be a filter against this? by Amiasian · Score: 1, Interesting

    OK, you know... if there were some sort of grammar-recognizing Perl or CGI script that could link to a dictionary. Something that gives the basic structure of an English sentence, and if something violates that structure it doesn't get posted. *shrugs* But I'm not sure if that would work.

  8. Doesn't surprise me but... by Mashiki · Score: 2, Interesting

    A few things come to mind: they need to be more worried about dumb ass script kiddies, since even an idiot can run a program and do something; crackers would be their next likely problem. If they want some help, I'm sure there are many hackers that would jump at the chance to work for them. It is a tough time in the technology field, right? Besides, who is more likely to know about all the exploits? Crackers for sure, but there's a very good chance that it is the hackers who were the people that originally found the exploit.

    We don't have our noses buried in books and reading the "latest and greatest" security information for no reason.

    --
    Om, nomnomnom...
  9. The reality check by Anonymous Coward · Score: 2, Interesting

    I am currently a sysad for a small military unit that has 3 WinNT servers (one PDC and 2 BDCs) using MS Exchange 5.5. I have done all I can to lock/patch these monsters down, but it seems like every damn day I am patching this, reinstalling SP-whatever on that. As long as they rely on MS software, it is always going to fail. I have been screaming about getting a firewall for months and months now, but they just look at me and tell me "We don't have the money yet." DON'T HAVE THE MONEY YET!?!?!?! THIS IS THE FRICKIN' DoD WE ARE TALKING ABOUT! I have seen them waste more money on building electro-conference rooms and overhead projectors for useless cheese slides! My nets get scanned by outsiders at least 3 or 4 times a day, and that is only because I HAVEN'T had them registered in the .mil DNS system. If I did, the number would go up.
    The Emperor has no clothes, gentlemen, and I have no sympathy for ANY Government network that gets hacked, when it could have been prevented.

  10. F is for ... by blang · Score: 2, Interesting

    Freedom of Information. For once, the feds have chosen the most efficient way to implement something.

    --
    Another senseless waste of fine bytes.