Slashdot Mirror


U.S. Interior Dept. Unplugged... Again

IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."


  1. No OS mentioned in the article by $calar · · Score: 2, Interesting

    I wonder who the culprit is.

    1. Re:No OS mentioned in the article by Anonymous Coward · · Score: 2, Interesting

      Here's an article from a recent incident. No Trust: Hacking the Department of Interior

  2. Since the article doesn't mention, I'll ask: by burgburgburg · · Score: 4, Interesting

    Does anyone know what system(s) they are running? What (if anything) are they using as firewall(s)? What types of servers are they using? What database(s)?

    Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?

    1. Re:Since the article doesn't mention, I'll ask: by Chester+K · · Score: 3, Interesting

      Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest. Trying to work for people who essentially can't be fired is a nightmare.

      The above is absolutely true, and during some contracting work with the military, I was even told pretty much exactly what's said above.

      When it comes to Government IT, the only thing that can really get you fired is if you opened a new security vulnerability. The way the admins deal with that is by not allowing any changes to occur under their watch. It's extremely infuriating.

      --

      NO CARRIER
  3. The Internet eh? by goosebane · · Score: 2, Interesting

    I think part of the problem with a lot of the corporations/departments having many security flaws, or systems open to the net that shouldn't be, is the fact that many people still see the internet as an idealistic place for the exchange of ideas and commerce. People are still slow to realize the danger that lies in the internet, and the fact that it can be dangerous. If people knew more about the dangers of technology they might be more apt to work on protecting themselves.

  4. It's a political thing by Anonymous Coward · · Score: 5, Interesting

    "The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."

    "We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement. //

    It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.

    If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.

    Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.

    It was lovely.

  5. Re:"Larry, Moe & Curly Consulting" by bmwm3nut · · Score: 4, Interesting

    ...a good 40% of retailers use the INTERNET to connect to the bank...

    it's even worse than that. i know a guy who works at a credit union. his job is to do end-of-day, end-of-month, etc processing. one of his jobs is to ftp the transactions to/from visa every night. it's not sftp or any other encrypted connection. just plain text ftp right over the internet. no one at the place will listen to him about how insecure that is! and just think, if visa is doing that for this credit union, i imagine that they're doing it for all the banks/retailers they deal with.

  6. Re:"Larry, Moe & Curly Consulting" by DR+SoB · · Score: 2, Interesting

    Not quite.. There is a translation that takes place, I'm not talking about X.25 over TCP, I'm talking about banks that have NO TCP connection available for their mainframes, so they had to buy a server that sits in front of the mainframe that listens on TCP, takes the credit packet and translates it into the bank's X.25 format. The reason is many retailers want to use TCP type POS's but the banks (well, SOME in Canada) don't support a front end TCP. Does that make sense now? And yes, I've also worked on networks that run X.25 over TCP.

    X.25 is definitely more complicated than setting up a software VPN, and I'm not talking about simply typing in a DNA and connecting with pre-configured software. As for a hardware VPN there is no setup there, it's transparent to the end application, could it get simpler than that?

    Now, back to my inane ranting and trolling..

    --
    Mod +5 Drunk
  7. Funky People by Anonymous Coward · · Score: 3, Interesting

    I'm posting this AC for obvious reasons.

    A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.

    My colleague wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this will be cleared up. As if.

    A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.

    Now if you believe that story (and that's how they told it) is another matter. We did not - and ever since, at regular intervals, they're back again.

    Funky group. Very funky!

  8. Shred them, m'boy, shred them! by Evil+Schmoo · · Score: 5, Interesting

    Which is why secured government facilities are required to shred all classified documents. And as for Mr. Feynman's legendary escapades, Los Alamos was recently severely upbraided by the DOE for its lax security.

    Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.

    And as for the guy who found a 10-Base T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.

    Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.

    God Bless America.

    1. Re:Shred them, m'boy, shred them! by mr_sfstk8d · · Score: 2, Interesting

      Correction:
      The lowest level of secure materials is FOUO, For Official Use Only. It only has to be torn into quarters (printed doc. that is). Secret must be shredded, and TS or higher (wink, wink) must be pulverized, incinerated or both.
      Which is why in certain work places, they keep hatchets, sledgehammers and white phosphorus grenades handy. Spring cleaning, don't you know.

  9. Re:I wonder about the old paper systems by theodicey · · Score: 3, Interesting

    Everything about their facility was insecure.

    They were infiltrated by the judge's appointed special master, a lawyer named Alan Balaran, with only minimal social engineering.

  10. Re:Here's the original occurrence by skrysakj · · Score: 3, Interesting

    If critical backups get messed up because of security testing, that would be a security hole.

    Amen. My point in a nutshell.

    This is a critical system, this is the real world. No holds barred. Now, a bomb threat to clear the building as a "test" is severe, yes. It's costly, causes a panic, and may not be appropriate. But, it needs to be tested for as well (maybe in conversation, such as "What are your procedures for a bomb threat? Do you lock the doors behind you and log out?") or do it on a Saturday. Hell, even announced it is a TEST bomb scare, people will go through their routines and procedures and security holes will come to light. But make sure it is done at an unknown time, and with unknown factors to make it as real as possible.

  11. Re:Here's the original occurrence by Bozdune · · Score: 2, Interesting

    No, I've seen this kind of sissy fight before. Believe me, the "rules of engagement" were purely electronic. They were probably arguing that they didn't want any "disruptions" of their service. Now they have a big disruption shoved right up their asses, well-deservedly so IMO.

  12. Department of Interior? by mh101 · · Score: 2, Interesting

    And what exactly is a "Department of Interior"? Please enlighten this curious non-American. This is the first time I've ever seen the name Department of Interior...

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  13. Re:I wonder about the old paper systems by ScrewMaster · · Score: 2, Interesting

    Well, I don't know. There was a story on the news this morning that I heard before I left for work. Some dude (or dudette) broke into a major IRS facility, easily bypassing all the "security systems" that were in place. Interestingly, the reports indicate that no confidential tax information or anything else of consequence was stolen, however (and this is remarkable) the pop machines were ripped off. In any event, I'm not sure that your belief that physically secure is all that secure is true. This person or persons unknown could presumably have rifled all the file cabinets in the place if they had wanted to.

    --
    The higher the technology, the sharper that two-edged sword.
  14. The issue isn't copying information. by Ungrounded+Lightning · · Score: 2, Interesting

    First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.

    At least in the case of the Indian stuff it wasn't an issue of getting copies of the information.

    They "lost" essentially all of the Indians' money - and the records were corrupted enough that it was no longer possible to trace who took it.

    The bureaucrats in charge (the likely suspects) then took advantage of the insecure network to finger-point away from themselves. And the systems were taken offline when it was shown that they were STILL wide open.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  15. Tribal Colleges (bia.edu) by mccoma · · Score: 2, Interesting

    All of the Tribal Colleges that were hooked to the BIA now have no internet access. Most of the colleges are in rural areas that have no other avenue for internet access (well, barring spending a lot of $$$ which most of these tribes don't have - casinos only work if you have a large city next door).

    Any distance learning classes are going to have some problems. So the court ruling affects the education of the next generation. It looks like US Geological Survey (the group that administers the bia.edu part) will be going to court to get the order lifted for the colleges so they can go on without interference.

    PS
    Also, it is believed that the amount of lost money for mineral / grazing rights on the trust land totals around $10 billion.