U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
...as reported by internet.com. Interestingly it seems that even the previous time was not really the first?
"For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.
U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems, prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
Much of the money that is handled 'for' the Native Americans is not federal money from taxes. It is money that is due Native Americans through things like mineral rights. Security should not even be at the top of the list though- plain mismanagement and incompetence that is criminal. But as is often the case- none of the big players are being held responsible to the extent they should. You can read about it all over the place - like this article
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Looks like the Interior Department has been having computer problems for a long time (December 2001!):
"Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.
U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
Uh, do you know what a "treaty" is? It is a legally binding contract. Despite having repeatedly violated the treaties, the Interior Department is legally bound to try to honor them. These "payments" are usually part of ongoing compensation for having deprived people of land that they were legally entitled to. The principle of Eminent Domain does allow the government to kick people off their land, but stipulates that they must be compensated.
"Freedom means freedom for everybody" -- Dick Cheney
It's frustrating to be out of work and not getting offers, while knowing I'm considerably more competent than these fools who still seem to have jobs after b0rking it time and time again.
ehintz
then how exactly do they update your bank account?
Online banking allows you to play with your accounts. If it's hacked it's your data they screw with. The entire bank doesn't become a victim.
Your[sic] one of those bozo's that says "I'll never use my credit card online"
I use my card online all the time.
Not to mention a number of "private" networks use the internet as a backbone.
They're called "VPNs". Good luck hacking a properly maintained one anytime soon.
I know exactly what I'm speaking about. Go back to sleep.
Trolling is a art,
You don't really understand what happened do you?
Firstly, there is no Indian "race" or "nation" that was in conflict with the United States.
There were many conflicts with many tribes and there are many settlements which differ in scope and letter of the agreement.
Since the closing of the Frontier in 1890 and the end of major military action with the American Indians around the same time the rights of the American Indians have changed and the role of the government in their lives has changed.
The crux of this argument between the DOI/BIA and the folks suing them isn't about monetarily reimbursing for "or practically annihilating their race" it's about mismanagement of natural resources on lands which are on Reservations or were on Reservations which are held in trust by the United States Government who act as stewards of the resources, both discovered and undiscovered.
Basically the DOI/BIA has lost billions of dollars of money that should have been paid out to various tribes and various private citizens. Not only that, but they can't figure out a webserver that holds confidential information on the monies going out to private citizens that can't be exploited.
And just so everyone knows, the Dept of Interior is 100% standardized on Microsoft Windows. They do not use any Unix/Linux/BSD anywhere. Everything is Windows. That's part of the problem of why they are so insecure.
Does the name Pavlov ring a bell?
My understanding of the history of this is that DOI has had the least secure computer systems of any U.S. government agency, and have been virtually overrun with cracker activity. It's pretty obvious that someone who knows little about information security, or knowing the government, a LOT of someones, led to this occurring, as I pointed out, for the third time.
As you said, there's no excuse for sensitive systems such as that to be exposed to the Internet, but it's not the first time and probably won't be the last. In the book At Large, author David Freeman points out that at one point, the controls for the Hoover Dam were accessible from the Internet. That's asking for people to DIE, and that's not cool...
Excuse me, someone's at the door. He says he's from Homeland Security...
How am I supposed to fit a pithy, relevant quote into 120 characters?
Interior Dept unplugged from the Net
Judge orders agency to shut Internet system after concluding security holes are still a problem.
March 16, 2004: 2:46 PM EST
WASHINGTON (Reuters) - Wide swaths of the Interior Department were taken off the Internet again Tuesday after a federal judge concluded that the agency still has not fixed security holes that threaten payments owed to American Indians.
It was the third such shutdown for the Interior Department since 2001, when an investigator found that hackers could easily steal money from a system that allocates energy and mineral royalties to 300,000 Indians for use of their land.
U.S. District Court Judge Royce Lamberth said the system still remained vulnerable despite the department's assurances to the contrary, and the agency could not be trusted to fix the problem by itself.
"The feigned indignance of Interior aside, there is simply no other alternative. Interior brought this on themselves," Lamberth wrote in an opinion signed Monday.
The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
Lamberth, who serves in Washington, ordered Interior to pull all its computer systems offline except for those involved in vital police and fire services.
Bureaus that oversee national parks and provide geological information can also remain online as they have no relation to the trust data, he said.
Divisions that oversee wildlife management, oil and gas royalty payments and Indian affairs were offline Tuesday. Employees are unable to access the Web or send e-mail to those outside the agency, spokesman Dan DuBray said.
The order also shuts down a program that provides Internet access to schools on Indian reservations, the agency said.
Interior could bring its systems back online if an independent reviewer certified them as secure and monitored them on a monthly basis, Lamberth said.
The Interior Department consistently attracts failing computer-security grades from congressional reviewers.
The blackout stems from a class-action lawsuit between the agency and Indians who allege that it has mismanaged trust accounts set up in the late 19th century to handle proceeds from oil, gas and minerals extracted from Indian lands.
Lead plaintiff Elouise Cobell, a member of Montana's Blackfeet tribe, charges that the government has lost track of billions of dollars and wants the judge to transfer control of the accounts to a court-ordered receiver.
Working with a court-appointed overseer, the agency had been able to bring nearly all of its systems back online within a year after Lamberth ordered them unplugged in 2001. But Lamberth ordered some systems offline again in July 2003 after a dispute between the agency and the overseer.
That has nothing to do with your original statement. You said they are not connected. Explain properly.
Well, you asked nicely. When a customer connects to an online bank they aren't directly connected to the banking core. They're on a webserver that's isolated well enough to prevent compromising the main banking systems. The passwords and login credentials aren't usually stored on the web machines, rather the info is passed through to other secured machines. This way if the web server is compromised the passwords are safe. There are usually firewalls or other security between all these systems.
The key is to isolate the systems and only allow the bare minimum amount of talk to get the job done.
It looks like the Park Service, USGS, and Office of Aircraft Services are still online. Yet there are some seemingly unrelated divisions offline that probably shouldn't be. I don't see why the National Interagency Fire Center is offline. It seems somewhat important!
As someone close to this. You could not be more right.
I like things that are sweet and not things that are lame. --
Not quite. They _DON'T_ PGP encrypt it, it's sent plain text. EVERY BANK I'VE WORKED WITH in USA uses plain text to transfer the file. I have seen the PGP encrypted file, but that's only for Canadian banks.
Yes, FTP using Plaintext is risky. That's why Vital (Visanet) would force the LINK/LINE between the companies to be a. encrypted, or b. a VPN.
No retailer wants to spend the $10,000USD on a business class version of PGP (I've investigated it before). Canadian retailers generally get the retail version and make it some guy's duty to manually encrypt the files.
Mod +5 Drunk
1 entry found for UNSECURE.
UNSECURE
\Un`se*cure"\, a. Insecure. [R.] --Milton.
5 entries found for INSECURE.
insecure adj.
1. Not sure or certain; doubtful: unemployed and facing an insecure future.
2. Inadequately guarded or protected; unsafe: A shortage of military police made the air base insecure.
3. Not firm or fixed; unsteady: an insecure foothold.
4.
1. Lacking stability; troubled: an insecure relationship.
2. Lacking self-confidence; plagued by anxiety: had always felt insecure at parties.
holy crap indeed
just ask Kevin
Seeing as how Kevin was caught multiple times and eventually spent years rotting away in the lock up, I don't think that I'll be taking any advice from him. Usually you take advice from successful people not from failures. And yeah, I read his book, it was all common sense stuff, if he wasn't well known as a famous hacker (and I use that term loosely) he never would have been able to get that thing published.
I write software for many many many banks in Minnesota.
Almost all of them use PGP for anything remotely confidential, and many use md5 checksums to make sure nothing got changed in-transit.
I don't know the prices myself but I'm pretty sure it's not $10k. Even if it is, that's peanuts for most banks, especially for something as critical as that.
Plus, I have software out there that many companies dealing with credit cards use. If you apply for a Target credit card, your application (after it has been scanned) goes through my application. Guess what, coming into and going out of, it's encrypted.
Maybe you haven't worked with banks lately, I'll agree it was pretty bad maybe 6 years ago, but they have got up to speed quickly and most are more secure than your average large company.
The computer security can be laughable sometimes. Those of us who develop software, use Linux whenever possible. I NEVER boot my pc into windows except to allow the IT people to update my antivirus defs. You wouldn't believe the grief I get if I don't boot into windows at least once a week.
So I'm posting anonymously.
We use mostly VAX here at the DOI for the financial servers; I'm in charge of maintaining the FORTRAN code that is run for the transfers (key point here: don't touch it! It's worked fine for over 15 years).
On the desktops, it's straight up Windows 98, and Office 97, and -- get this -- Netscape 4.7 (yeah, it was the standard for a while, and still is, unfortunately). We're supposed to get upgrades to Windows 2000 (and Office 2000, and Netscape 7.0) one of those days, but they've been saying that for a while now. We don't even run virus scanners on the desktop yet -- you should see some of the spyware installed on some clueless people's desktops. And firewall? Ha! I wish.
Apparently you've not read about the millions of dollars stolen from the American Indians by past operators of the BLM->Office of Indian Affairs... an office can only be as secure as the crooks, er, I mean bureaucrats that operate it...
Genda
Here's the breakdown of the judge's decree I read at work (at one of the DOI departments) earlier today (and yes, internal email still works!)
:)
A couple years ago Cobell wanted to know how much money was in the trust fund. DOI stutters, says "uhhhh" and a lawsuit is filed. DOJ (Department of Justice) says to DOI "Your computers are not secure, you're cut off from the internet until they are secure." Internet is out for a few months. An appeal is filed, DOI says "We've fixed the problem!" DOJ says OK. Internet is restored, but as it happens nothing has really been secured. IBM is hired to hack at the servers, and for a month and a half of hacking NO ONE NOTICED or even attempted to take countermeasures.
Here's a kicker: when a security audit was planned for one of the machines, DOI pulled the plug when they knew it would be getting scanned! Needless to say, the judge is rightfully upset with DOI, and we probably deserve to have our internet shut off.
In the meantime, it really sucks to have to order stuff over phone and fax. I just hope this outage doesn't last for months. Today was long enough....
Cheers.