Slashdot Mirror


Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN, tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

10 of 125 comments

  1. Typical useless gov't reports by baptiste · · Score: 5, Interesting
    Note this from the article:
    The grades are based on information the departments gave to the Office of Management and Budget (OMB). Under a new federal law, agencies must report regularly to OMB on their efforts to keep computers safe.
    Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities? A monumental task no doubt, but still scary to contemplate.

    Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have specced out for them.

  2. This is pointless by haruharaharu · · Score: 4, Funny

    I hope terrorists that pose physical threats don't have any script kiddies in their arsenal

    So, Al Qaeda is going to deface the DOD's webpage? Who cares? The article mentioned the ever-present password list taped to a computer, which would imply physical access. I doubt the average script kiddie has the social skills to get that.

    --
    Reboot macht Frei.
  3. Re:I don't buy it... by Nick+Number · · Score: 5, Interesting

    I can't believe that they could have scored an F on any security test. Am I naive?

    Well the following paragraph of the article gives some blatant examples of poor practices that were found:

    The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.

    --
    Promote proofreading. Don't mod up sloppy posts.
  4. Vulnerabilities by Rebulator · · Score: 4, Informative

    It's been known for quite some time that government agencies are quite an easy target. The fact is, most agencies are not centrally controlled as to what software they need to run, much less what service packs/security patches that need to be installed.

    I was on an independent team to go over several different agencies' policies and security models concerning the Internet, and this is what we found.

    1) Most of the time we could find a vulnerable host on a network to exploit from the Internet with an off-the-shelf exploit.

    2) The hosts and their networks usually tend to not have much information worth a terrorist's time. I'm not saying that this is an excuse, merely pointing out the fact that if they're running a default install of IIS4, most of the time there isn't much on the network worth the time invested.

    3) Most networks with something worth looking for have some levels of security in place.

    All of that said, I can assure you that most skript kiddies (the ones that posted to attrition.net, etc) don't have the knowledge to gain access to anything more than a default install on a jpl or nasa.gov host.

    Reb

  5. Let's just hope it doesn't go down like this by redhotchil · · Score: 5, Funny

    ::strong arabian accent::

    Hello, sir, um, secretary, sir, um, could you, um, read the words taped onto your screen?

    "k5jd930d03DfA"

    Praise Allah!

    *click*

    1. Re:Let's just hope it doesn't go down like this by srvivn21 · · Score: 4, Funny
      From reading the article, it looks like this might be more accurate:

      ::strong arabian accent::

      Hello, sir, um, secretary, sir, um, could you, um, read the words taped onto your screen?

      "P-A-S-S-W-O-R-D"

      Praise Allah!

      *click*
  6. What kind of counterattack? by kindbud · · Score: 4, Insightful

    When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    I wish they had defined "illegal, electronic counterattack." What exactly did he do? I bet he did just what any one of you would have done: he performed a portscan to see if there were any open ports suggesting a compromised system.

    --
    Edith Keeler Must Die
  7. The SSA by RageMachine · · Score: 5, Insightful

    I did a small job working for Compaq installing NT4 boxen for the local SSAs (Social Security Agency offices). They used a centralized NT 4 server with SP3 (yes, service pack 3) and the administrator password was... get this... "password1". The client machines logged in to the PDC on a Token Ring network which took minutes just to download a 50k profile. The man who was in charge of all of this was being overpaid, since I could tell that some of these older machines still had virii on them. :\ And the server crashed twice because of a Token Ring bug in service pack 3, and they didn't know what it was, nor did they know that SP6a was available. The assistant didn't even know what Windows 2000 was, much less BSD/Linux.

    Yes, the government does have very terrible security. I thought our tax dollars were paying for more than this? I'm not bashing, or trying to be a troll, but wouldn't some form of UNIX like BSD, or Linux reduce our tax rates, provided the admins know how to use it? I know they are paying thousands just for that ONE NT4 server running on a Pentium Pro 200, with 128MB RAM.

    --

    --------------------------
    Is this a sig?
    --------------------------
  8. Systemic Problems by Marcus+Erroneous · · Score: 5, Insightful

    Having worked for the government for a while, both in and out of the military, there are several insights for that part of the network. For a while, the official architecture was Windows NT, regardless of its strengths or weaknesses. We were using Novell at the time and under constant pressure from on high to get with the official architecture. Fortunately, my boss was more concerned with costs and effectiveness than official position. However, security wasn't an issue. Even in '98 we didn't have a firewall and the director didn't see the need for one. And since he didn't see the need for one, there wasn't going to be one. Only secure networks were using firewalls, and they weren't using NT for that. You might say, "I thought you just said the official architecture was to use NT?" and you would be correct. But even MS couldn't overcome the obligation for classified networks to look at security and stability first and evangelism second. The firewalls were manned by *nix boxen or other platforms and people that knew how to configure them.
    Another problem is the civil service. You can have someone rise from a computer background to head a major department responsible for all IT and telecom issues who can barely use an e-mail client and can't explain one difference between ISDN and POTS. Then, they hire based on longevity. If you show up with the qualifications for a GS-9/10/11 position but haven't been in civil service, don't even think about it. Come in as a 4 or 5 and work your way up. Those inside the system feel that the higher position should be theirs by virtue of having "put in their time". Promotions should be based on how long you've been in the system, not whether or not you can do it. My wife, who was in the civil service, was once warned not to even think about applying for a specific position. Despite having a degree in the field and current certifications (medical field, where those things frequently mean something), she hadn't been there long enough to deserve to apply for it. The woman who warned her used to have current qualifications, but had stopped bothering to stay current over 10 years ago, nor did she attend any sort of training or classes to at least stay up on developing techniques. Not smart in any field. This sort of personnel system doesn't encourage people to stay or even to try to hire on. At this particular installation, those of us that could move on, did. Oh, did I mention that the pay isn't one of the more enticing features? I started at a large corporation making more than the director of that organization. Not that I make that much; they make that little.
    Let's see: forced system architectures from the top down. A system that rewards longevity at the expense of competence. No central policies to control and/or coordinate at the command level, let alone service level, let alone within the civilian side of the house. And an incredibly low pay scale. I can't imagine why there would be any deficiencies. The good news is that there still exist some competent, dedicated people within this structure. Which is why any of the networks and/or machines passed at all.

    --
    You must be the change you wish to see in the world - Gandhi
  9. Waddaya mean password is a bad password? by raumdass · · Score: 4, Insightful

    Anyone who has put in a few years doing IT or security at a big organization (university, large corporation, whatever) can attest to the fact that the people who are ultimately in charge of the Big Security Decisions (i.e. the ones that can write the checks or sign off on policy) are often the ones that have the least clue about it. They don't see the "Bad Guys" parked outside with their tools and getaway cars, waiting to break in while you're not looking, so they think worrying about security and user education is either a waste of time and that you're too paranoid for always talking about "security", or they've bought whatever line they were sold by whomever sold them the promise of "security" and delivers instead a world of macro viruses and Code Red worms.

    While I have to believe the "really important super-secret stuff" is kept safely locked away by geeks wiser and smarter than us, it cannot come as a surprise that the state of government computer security is about the same as security on the internet at large... it mostly sucks. Why? We can blame the software companies that release easily exploited code, and maybe we should start making them more accountable, but as long as people keep picking dumb passwords, administrators keep letting them, and they in turn keep following poor practices (fricken clear-text password lists!?!), then this is what happens.
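The GAO findings quoted in comment 3 (accounts with no password, "password" as the password) and the closing point of comment 9 about administrators letting users pick dumb passwords boil down to checks an admin can automate. The Python below is an added example, not code from the article or any poster; the account list is constructed, and a real audit would run the same rules against hashes or at account-creation time rather than against a plaintext export.

```python
import re

# Constructed sample of what an auditor might export from a host (hypothetical data).
SAMPLE_ACCOUNTS = [
    {"user": "administrator", "password": "password1"},   # the SSA case from comment 7
    {"user": "jsmith", "password": ""},                   # no password at all
    {"user": "mjones", "password": "password"},           # the Commerce Dept case
    {"user": "clerk", "password": "clerk"},               # password equals username
    {"user": "root", "password": "Tr0ub4dor&3xyz"},       # passes these checks
]

# Words that show up as default or placeholder passwords; extend per local policy.
DEFAULT_WORDS = {"password", "admin", "administrator", "changeme", "welcome", "letmein"}

# Strips a trailing run of digits/symbols so "password1" is judged as "password".
_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")

def weak_password_findings(user, password):
    """Return a list of policy findings for one account (empty list = no finding)."""
    findings = []
    if not password:
        findings.append("no password set")
        return findings
    lowered = password.lower()
    base = _TRAILING_JUNK.sub("", lowered)
    if lowered in DEFAULT_WORDS or base in DEFAULT_WORDS:
        findings.append("default or dictionary word")
    if lowered == user.lower() or base == user.lower():
        findings.append("equals username")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    return findings

def audit(accounts):
    """Map each failing username to its findings; accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = weak_password_findings(acct["user"], acct["password"])
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```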