U.S. Department of Interior Ordered Offline
The whole of the U.S. Department of Interior has been forced off of the internet as a result of a court case, Cobell v. Babbitt. This was the result of compromises with the Microsoft Windows servers. A judge decided to take the whole of the organization down. Should this judge have this much power? Info here on the Indian Trust web site. This includes the BLM, USGS and the Park Service. Staggering, really. CD: Hold off on the blaming of MS, it's still not clear.
I know I ruined my slashdot credibility by actually READING THE ARTICLE, but this applies only to systems that provide access to the Indian Trust data, and it's an emergency order designed to protect the people whose data is stored there. This was a "computer infrastructure so easily penetrable that a court investigator and his team of security experts were able to break in and repeatedly access, modify and even create trust data -- all without raising a response from the government." This involves the finances of over 300,000 people; I don't think the judge was out of bounds in ordering it closed.
Good point; quoth Netcraft:
The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris
Other sub-domains are Netscape Enterprise on Solaris and Lotus Domino on NT4/98.
Laugh while you can, monkey boy!
This was the result of compromises with the Microsoft Windows servers.
However, I see no mention of the operating system/database that was compromised. Following one of the background links there is reference to an IBM mainframe.
Among the facts omitted was the name of the Denver firm that maintains the IBM computer mainframe for the trust system
Just thought that should be pointed out.
Now the webservers may be IIS but the database being hacked was IBM. Most likely just a poor implementation.
Entering via the Internet, the "hackers" found they could break many of the passwords protecting accounts, using a tool called a "cracker." Many of the passwords, according to the report, were easy to guess, particularly one -- "passwd" -- which was frequently used.
This had nothing to do with the fact that they were running IIS, Apache, Joe's Web Server, etc. The issue was weak database passwords.
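The point made above, that the breach came down to weak and blank database passwords rather than any particular web server, is the kind of thing a defender can audit for before an outsider does. The following is an added example, not code from the original thread, from Predictive or from the Special Master's report: it takes a small credential table (constructed here; the salted SHA-256 scheme, the usernames and the wordlist are all assumptions for illustration) and flags accounts whose stored hash matches a blank password, a common password such as "passwd", or the username itself, plus a minimal policy check for new passwords.

```python
import hashlib
import hmac

# Constructed wordlist for the audit; "passwd" is the one the report singles
# out. The empty string is handled by a dedicated "blank" check below.
COMMON_PASSWORDS = ("passwd", "password", "admin", "123456", "welcome")
MIN_LENGTH = 12


def _digest(salt: str, password: str) -> str:
    """Hypothetical storage scheme: sha256(salt + password), hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user: str, salt: str, password: str) -> tuple:
    """Build a (user, salt, stored_hash) record in the assumed scheme."""
    return (user, salt, _digest(salt, password))


# Constructed sample credential table; none of these are real accounts.
SAMPLE_RECORDS = [
    make_record("operator1", "a1", "passwd"),       # common password
    make_record("dbadmin", "b2", ""),               # blank password
    make_record("svc_irms", "c3", "svc_irms"),      # username as password
    make_record("analyst", "d4", "Tq7!v9#Lm2pZ"),   # acceptable
]


def audit_passwords(records, wordlist=COMMON_PASSWORDS) -> dict:
    """Return {user: reason} for every account whose stored hash equals the
    hash of a blank password, a wordlist entry, or the username itself.
    Checks run in that order, so a blank password is reported as 'blank'."""
    findings = {}
    for user, salt, stored in records:
        candidates = [("blank", "")]
        candidates += [("common", word) for word in wordlist]
        candidates += [("username", user)]
        for reason, guess in candidates:
            # compare_digest avoids leaking timing information on the hash.
            if hmac.compare_digest(_digest(salt, guess), stored):
                findings[user] = reason
                break
    return findings


def password_meets_policy(user: str, password: str,
                          wordlist=COMMON_PASSWORDS) -> bool:
    """Minimal policy a provisioning tool could enforce before storing a
    password: non-blank, not a wordlist entry, not the username, and at
    least MIN_LENGTH characters."""
    if not password or password.lower() in wordlist:
        return False
    if password.lower() == user.lower():
        return False
    return len(password) >= MIN_LENGTH


if __name__ == "__main__":
    for user, reason in sorted(audit_passwords(SAMPLE_RECORDS).items()):
        print(f"{user}: weak password ({reason})")
```

Run against a real credential store, the audit would read the site's own hash scheme instead of the constructed one here; the logic (blank, dictionary, username) is the same, and an account flagged under any of the three reasons is an account an outsider with a wordlist would reach in seconds.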
Netcraft shows lots of different OSes and servers are being used. The security breach could have been done through any one of them, or the bad security could've been on the database itself.
... then again, that's not the sort of information they want to make public if the DOI wasn't addressing the problem.
For example:
The site doi.gov is running Lotus-Domino/5.0.8 on NT4/Windows 98.
The site www.den.doi.gov is running Netscape-Enterprise/4.0 on Solaris 8.
The site www.ios.doi.gov is running Apache/1.3.12 (Unix) on unknown.
The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris
I couldn't spot a document on indiantrust.org which went into technical details either.
I work without a contract every day! I prefer to let my work's value set my salary rather than rely on my ability to obstruct business.
You have to see some truth in the statement that unions only afford more protection to the mediocre worker than they do to the above average worker.
..at least when I checked a few minutes ago. And SamSpade is reporting the front-end NPS server is Netscape Enterprise v4.1.
:)
.. why let the facts hamper you?
-'fester
Insurance companies do this. I know, because I helped enable one. When you have low-volume, high importance data (like the personal records of Native Americans!!) this approach is justified. I'm not surprised in the least, however, that our underfunded park service wasn't able to hire a government contractor that would take security seriously. We can be as condescending as we like (and we usually are) but if you've ever tried to work through federal procurement procedures, you understand you're dealing with a very limited talent pool.
From Netcraft's Survey:
The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris.
Of course, we don't know whether this was the system which the government investigators broke into, or whether it's something else in this domain.
This is bad. There have been many, many reports and firestorms about these computer systems according to the Special Master's Report released as a court document.
.gov agency has the report detailing their security holes, they left many of them wide open. So much so that Predictive could add bogus accounts and transfer real monies from real accounts into the bogus accounts, get sensitive documents and lots of other mischief. Really bad.
Predictive (the security company) broke in and documented abysmal security -- no firewalls, blank administrator passwords, other stuff that would make any script kiddie drool. The response of the B. of Indian Affairs was "naw, it's not that bad; you cheated".
So Predictive did it again. Got basically the same results. So after the
In classic Dilbertesque style, the Gov blames the messenger, says it's not really that bad (again) and promises to do a whole lot of nothing -- just like it has been doing for 10 years according to the special master's report you can click on here:
http://www.indiantrust.org/documents.cfm
This is bad. Real bad. Sad to say this judicial action was necessary. Sad.
it was not the front end web server that got broken into...
With permission from U.S. District Judge Royce Lamberth, the special master's team logged onto computer servers, accessed databases, broke into Interior and Bureau of Indian Affairs networks, discovered they could modify and erase sensitive data and even created an Individual Indian Money (IIM) trust account in Balaran's name. All of these breaches occurred repeatedly and with ease -- and all without being noticed, or even tracked, by the Interior's own computer officials.
Here's a rundown of how it happened.
Predictive originally planned a two-phase test of the Interior's computer infrastructure. First, it would try to access the system from the public Internet; and second, it would test the network from within.
However, the company soon found it could scrap the second phase because protections were non-existent.
"Early on in the testing it became apparent that it was possible to access the sensitive internal data from the Internet and that the internal on-site testing phase was not needed due to the lack of overall perimeter security," Predictive wrote in August after a first round of hacking.
Using widely available, and free, tools employed by hackers all over the world, Predictive tapped into a number of systems the Interior deemed "critical" to bringing its trust duties into the 21st century. These systems included:
Predictive was able to break into a TAAMS server because it had "no password." As a result, the firm could perform administrative, high-level functions typically not available to low-level users.
Also, Predictive could access TAAMS because the BIANET, a BIA network accessible via the Internet, had "blank" passwords. Through this vulnerability, the firm gained administrative powers that allowed it to access data stored in a TAAMS database.
TAAMS is housed on two AS/400 servers, made by IBM, in Addison, Texas. The servers, the database and all its associated logic (coded in dBase) are fully owned by a third party, Applied Terravision Systems, because the Interior failed to consider long-term ownership and development issues.
Predictive was able to gain "complete access" to IRMS, a so-called "legacy" system in use since 1982 which tracks leases and distributes payments to account holders. Weaknesses on the BIANET allowed the firm to see every IRMS account that has ever existed.
Predictive could modify and delete user accounts, meaning it could prevent authorized Interior users from entering the system and give access to non-authorized outsiders.
Further, Predictive gained "complete control" of an IRMS server because it had a "blank" password. The firm was able to copy files and create links to sensitive data to outside networks via standard and highly vulnerable Microsoft Windows capabilities.
IRMS is coded in Cobol 74, an outmoded but pervasive language, and is composed of six databases -- including individual and tribal ownership and leasing data -- that reside on a Unisys Clearpath NX server in Reston, Virginia. Reston is the location of the BIA's Office of Information Resources Management, whose controversial move from Albuquerque, New Mexico, was temporarily halted by Lamberth.
Additionally, Predictive found numerous problems on a number of systems, most of which are not specifically named because information in the report is redacted. The firm was able to access "sensitive" information including "gigabytes" of BIA e-mail, configuration files, log reports, and all usernames and passwords on an unnamed system. Many of these systems had weak password or no password protections.
Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders. Other systems were prone to well-known hacking techniques, including denial of service, buffer overflows, "Trojan Horse" programs and Microsoft Windows "scripting" attacks -- all of which are typically preventable by applying readily available "patches" to fix security holes.
All of this hacking -- which took place between June 24 and July 8 -- led Predictive to conclude in an August report that the BIA lacks "basic security" measures. "Even if every security vulnerability in this report was corrected, BIA's overall lack of a secure network perimeter would still leave BIA exposed to additional risk," the firm wrote.
Predictive recommended the BIA implement such standard protections as a firewall and intrusion devices. Along with Balaran, the firm informed BIA of the numerous problems at a meeting with Brian Bowker, then-director of OIRM.
Despite Predictive's damaging report, Bowker indicated the company was successful only because he had "turned over the keys to the store." Balaran said he felt Bowker was trying to "discount" the findings, so he again instructed Predictive to break into the system on August 30.
It was during this time that Predictive created a trust account for Balaran, whose report is not specific as to which system was accessed to perform this incredible breach. Predictive was able to create its own trust data and modify existing data on an unnamed system, leading the firm yet again to warn BIA of problems and make a number of specific recommendations to correct the deficiencies.
They have a bunch of IBM mainframes, Unisys NX, AS/400 etc. They had troubles with security in 1989 - from the report by Andersen's auditors. They had troubles with security, backups, procedures in 1994.
They are plain lazy fucks.
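The report excerpt above stresses that every breach, including the creation of a trust account in Balaran's name, went unnoticed and untracked, and that Predictive's recommendation was the standard perimeter and intrusion-detection controls. As an added example, not from the thread, the report or Predictive, here is the shape of detection logic that would have surfaced those events from an application audit log. The log format, the hosts, the internal address ranges, the list of operators allowed to create accounts and the failure threshold are all assumptions, and the log lines are constructed to mirror the three behaviours described: administrative access from the public Internet, account creation by an unauthorised user, and a burst of failed logins of the kind a password-guessing tool produces.

```python
import ipaddress
import re
from collections import Counter

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed allow-list of users permitted to create trust accounts.
PROVISIONING_OPERATORS = {"trustops1", "trustops2"}
# Assumed threshold for reporting a failed-login burst per (user, source).
FAILED_LOGIN_THRESHOLD = 5

# Hypothetical audit-log format: "<timestamp> <host> <EVENT> user=<u> src=<ip> [k=v ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: (?P<rest>.*))?$"
)

# Constructed sample log. The first block is an external actor logging in as
# an administrator, creating an account and then running password guesses; the
# second block is a legitimate operator doing the same tasks from inside.
SAMPLE_LOG = "\n".join(
    ["2001-06-24T02:11:05 irms-db LOGIN_OK user=admin src=203.0.113.7 role=admin",
     "2001-06-24T02:11:09 irms-db ACCOUNT_CREATE user=admin src=203.0.113.7 account=IIM-000001"]
    + [f"2001-06-24T02:12:{sec:02d} taams-1 LOGIN_FAIL user=operator1 src=203.0.113.7"
       for sec in range(6)]
    + ["2001-06-24T09:00:00 irms-db LOGIN_OK user=trustops1 src=10.1.2.3 role=admin",
       "2001-06-24T09:01:00 irms-db ACCOUNT_CREATE user=trustops1 src=10.1.2.3 account=IIM-000002"]
)


def parse_line(line: str):
    """Parse one audit line into a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    extra = {}
    for pair in (record.pop("rest") or "").split():
        key, _, value = pair.partition("=")
        extra[key] = value
    record.update(extra)
    return record


def is_internal(addr: str) -> bool:
    """True if addr falls inside INTERNAL_NETS; unparseable addresses count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_text: str) -> list:
    """Return sorted (rule, user, src) findings for the three rules:
    admin login from outside the internal nets, account creation by a user
    not on the provisioning allow-list, and a failed-login burst."""
    findings = set()
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event, user, src = rec["event"], rec["user"], rec["src"]
        if event == "LOGIN_OK" and rec.get("role") == "admin" and not is_internal(src):
            findings.add(("admin_login_external", user, src))
        elif event == "ACCOUNT_CREATE" and user not in PROVISIONING_OPERATORS:
            findings.add(("account_create_unauthorized", user, src))
        elif event == "LOGIN_FAIL":
            failures[(user, src)] += 1
    for (user, src), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.add(("login_failure_burst", user, src))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, src in detect(SAMPLE_LOG):
        print(f"{rule}: user={user} src={src}")
```

The rules are deliberately simple; the point is that each of the report's findings leaves a footprint in an audit trail that was evidently never reviewed, and that an allow-list of provisioning operators plus a notion of "inside" versus "outside" is enough to raise all three.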
The District Court's web site has the (redacted) Special Master's Report (PDF) which gives the technical details.
Whoever did the redacting didn't know much about the technology; it's frequently possible to infer what's been removed from context.
After reading the report, I understand why the judge ordered the networks disconnected from the Internet. If I were in his place, I'd have ordered the systems shut down completely.
The report is a case study in gross mismanagement of information systems; this isn't about holes in any vendor's software, but about people who, it seems, simply didn't care about data security or integrity.
This District Court page has copies of the other recent orders in the case, too.
You are conveniently ignoring the finding of fact from the McDonald's case.
McDonald's *knew* their coffee was much hotter than it should be. Dangerously too hot! McD's had funded research that showed them that their customers like their coffee a comfortable *warm* temperature, just like the coffee they get at other restaurants, or from their coffee makers at home. So why did McD's have a *corporate-level policy* directing stores to set the temperature on the coffee makers so extraordinarily high?
To cut down on free refills. The same research showed that customers given coffee that was too hot were MUCH more likely to depart the store without seeking a refill. The research finding also showed that there would be an increased risk of customer injuries.
The McDonald's corporation had been in possession of, and demonstrated an understanding of the facts of the situation, and chose to increase the risks to their customers for the sake of saving money.
If the DOI decided to shut down their entire network instead of taking those machines offline, that was their stupid decision.
On the other hand, if security is as lax as it seems, we all have (illegitimate, potential) access to said data. Maybe we'd better disconnect... ;)
Today, before the Senate, John Ashcroft, the Attorney General of the United States, stated in plain terms that any criticism of Ashcroft's policies of extrajudicial military tribunals and other suspensions of civil and human rights will help terrorism.
Folks, this is not rocket science. The easiest way to determine if the DOI is on the net or not is to try to connect to the DOI homepage itself. As of this moment (1:00 AM Central time), the entire DOI is off the net. It's not just the BIA or the agencies and sites directly related to it. It's the entire DOI. I am a DOI contractor and I can assure you that our facility (which has nothing to do with the Bureau of Indian Affairs) was most certainly yanked off the net this afternoon, and it remains off the net.
This is really causing pandemonium at our workplace. We cannot access our electronic timesheets because the server is external to our network, and as a result, I've just finished filling out my timesheet from home (because otherwise, it's not going to get done.) The silly part of it is that the facility that I work at has quite robust security, and yet we were still forced offline. This is not an "intelligent decision." This is a knee-jerk reaction that is going to end up inconveniencing a lot of people that have paid a lot of money for Earth science data. It's going to cost the government (and, as a result, you, the taxpayer) a lot of money.
By the time you read this comment, the whole issue may have been rendered moot; there was some hope that the court order might be rescinded overnight. If the order was rescinded and you are able to connect to the above links, then I'm glad (because I'll be able to do my job tomorrow.) But rest assured that the entire DOI lost network connectivity this afternoon. This is judicial idiocy, plain and simple; there is no more diplomatic way to put it.
OTOH, when I want money I ask for it, and if I don't get it I go elsewhere if the market lets me.
"If the market lets me" is a key part of why teachers need good union representation. Ever try to look for a decent teaching job mid-school year? I can tell you it ain't no fun. There is far less fluidity in the education market than in engineering. What if you only had one window of opportunity to change jobs in any calendar year? That cube would start to feel even more confining than it already does.
Also, you may not be able to move as easily as people in other professions. The market is limited by government regulation. Certification rules vary. Do you need a different license to be a geek in a different state? I didn't think so.
Sig?
Sigue Sigue Sputnik!!!
Well, don't implicitly trust Netcraft.
The entry for my employer's site is just plain wrong. The IP address shown is one from over 9 months ago, and the OS fingerprint is from that era as well.
I've followed the "tell us if we're wrong" mailto links on the site to no avail. Since I'm the friggin' sysadmin I know the info's wrong and there's no load balancer or proxy crap involved.
Just don't take it as gospel.
Folks, the problem with this ruling is that it affects every single DoI entity. That means thousands of people who depend on real time data such as stream flow measurements, information about volcanoes, earthquakes, and landslides, data on endangered species/migratory birds, and even folks looking for information about National Park status, are left completely out in the cold. The Bureau of Indian Affairs is a very small part of the DoI's operations.
I've seen the faulty accounting system of the BIA up close and personal, and I agree it is completely bogus and needs to be torn down and redone from scratch. But taking the entire DoI off the Internet hurts thousands of people, including many Native Americans, who depend upon data supplied by DoI agencies for making critical decisions. Remember that the DoI includes not only the BIA, but the National Park Service, the U.S. Fish & Wildlife Service, the US Geological Survey, the Bureau of Land Management, the Minerals Management Service, and several others. Taking all of them offline because of the actions of any one component, even the Secretary of the Interior, is downright irresponsible, and could even endanger the public safety.
Neither (most of) the DoI nor the American public deserve to be treated this way.