U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?
"The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."
//
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.
If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since, they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.
Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.
It was lovely.
...a good 40% of retailers use the INTERNET to connect to the bank...
it's even worse than that. i know a guy who works at a credit union. his job is to do end-of-day, end-of-month, etc processing. one of his jobs, is to ftp the transactions to/from visa everynight. it's not sftp or any other encrypted connection. just plan text ftp right over the internet. no one at the place will listen to him about how insecure that is! and just think, if visa is doing that for this credit union, i imagine that they're doing it for all the banks/retailers they deal with.
I'm posting this AC for obvious reasons.
A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.
My colleage wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this wil be cleared up. As if.
A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.
Now if you believe that story (and that's how they told it) is another matter. We did not - and ever since, at regular intervals, they're back again.
Funky group. Very funky!
Which is why secured government facilities are required to shred all classified documents. And as for Mr. Feynman's legendary escapades, Los Alamos was recently severely upbraided by the DOE for its lax security.
Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.
And as for the guy who found a 10-Base T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.
Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.
God Bless America.
they were infiltrated by the judge's appointed special master, a lawyer named Alan Balaran, with only minimal social engineering.
If critical backups get messed up because of security testing, that would be a security hole.
Amen. My point in a nutshell.
This a critical system, this is the real world. No holds barred. Now, abomb threat to clear the building as a "test" is severe, yes. It's costly, causes a panic, and may not be appropriate. But, it needs to be tested for as well (maybe in conversation, such as "What are your procedures for a bomb threat? Do you lock the doors behind you and log out?) or do it on a Saturday. Hell, even announced it is a TEST bomb scare, people will go through their routines and procedures and security holes will come to light. But make sure it is done at an unknown time, and with unknown factors to make it as real as possible.