Slashdot Mirror

← Back to Stories (view on slashdot.org)

Federal Computers Fail Hacker Test

Posted by timothy on from the an-f-for-the-department-of-education dept.

Nintendork writes: "An article by the Associated Press, published on CNN tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

5 of 125 comments (clear)

  1. Homemade Unix by Ashcrow · · Score: 3, Interesting

    A boss of mine a few years back was an ex-administrator on a private mil network. I picked his brain about some of the stuff and he explained that they use NT on the public networks (IE: for email to friends and family and other trivial things) and a hommade UNIX version for their private/secure networks. Of course this was just for his area of the military.

    As for the DOJ, I met a guy who was arested for cracking into it when he was 19. He explained that it is a lot easier than people think and he cracked it about 11 times before he was caught. He now works for a large security consulting group.

  2. Typical useless gov't reports by baptiste · · Score: 5, Interesting
    Note this from teh article:
    The grades are based on information the departments gave to the Office of Management and Budget (OMB). Under a new federal law, agencies must report regularly to OMB on their efforts to keep computers safe.
    Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities? A monumental task no doubtm but still scary to contemplate.

    Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.

    --
    Top Most Bizarre/Disturbing Error Messages
    1. Re:Typical useless gov't reports by kir · · Score: 3, Interesting

      Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.

      I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)

      So many security problems exist at so many different levels, it's amazing no major infiltration has occured (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatos (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, and etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.

      I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email.

      Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guaruntee it is not being followed at most DoD installations.

      I've said this in many previous posts on /. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a governement CONTRACTOR not an EMPLOYEE); Training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.

      It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!

      --
      3cx.org - A truly bad website.
  3. Re:I don't buy it... by Nick+Number · · Score: 5, Interesting

    I can't believe that they could have scored at F on any security test. Am I naive?

    Well the following paragraph of the article gives some blatant examples of poor practices that were found:

    The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.

    --
    Promote proofreading. Don't mod up sloppy posts.
  4. It must be a mess by Quizme2000 · · Score: 3, Interesting

    When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This makes it apparent that the IT department is extremly mismanged. Standards and procedures for dealing with hacker attacks, critical loss, and computer abuse are the core requirements of ant IT support. I'm guessing that alot of gov't computers have access to the internet that do not require access for its job function. Every terminal thats connected is a security risk that must be addressed. Probably setup by very underpaid gov't worker that was "trained" in a day.

    --
    "Get them before they get....