Slashdot Mirror
Border Security System Left Open
7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article:"
A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News." It looks like Zotob made it in to the supposedly protected network."
The great wall of China was also ineffective at keeping out intruders.In military terms, these walls are more frontier demarcations than defensive fortifications of worth.
>If there wasn't a Freedom of Information Act, would the public ever really know what had happened?
Even with the FOIA it took a lawsuit to get hold of these records, and they still have some unjustifiable omissions: "A public Microsoft security bulletin is included, but with the bulletin number (MS05-039) blacked out"
The failure here was not that the Windows boxes weren't patched. It's stupid to be patching thousands of systems that are in use w/o serious testing first. Full testing of patches in a world where new viruses/security holes appear every day is effectively impossible. Untested patches may cause new problems for the systems that could actually be worse than a problem caused by a virus.
No, the problem here is that these systems are even on the Internet to begin with. Shouldn't such a network exist in an airspace as a totally private net, with no outside access? Of course, at the core of the private network must be some sort of control mechanism/database with some connectivity to an outside network. But that should be a chokepoint, the only source of ingress/egress to the private network, with no other access than what's needed to serve the system from the local DHS network. That limited access should not include web/email/instant messaging, etc. Just whatever custom/specialized protocol is needed to serve the system.
I'm constantly amazed at the high profile companies/government offices that get nailed by viruses. It's inexcusable.
I spent ten years as a government contractor and this shouldn't surprise anyone. First Homeland Security runs Windows which in itself isn't bad if it's properly patched and maintained.
The danger comes from the the people in government who control the money who have no technical knowledge. This is positively RAMPANT in government. Many times agencies just go with the cheapest bid and contractors give cheaper bids by hiring fairly inexperienced and not so knowledgable techs.
Many government agencies can get by with using Windows but really important agencies whose security cannot be left to chance should not be using Windows....period. Sadly Homeland Security and NSA are both starting to deploy more Windows units and that's only going to be bad for everyone.
Biggest reason why? Strong security requires techs that actually have technical knowledge and can do more than just set up insecure boxes by pointing and clicking. Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Windows does not
The person attacking you, or entity, or rogue state will not be using script kiddies. This only gets worse from here. "Homeland Security" is fast becoming an oxymoron.
That port doesn't even need to be open between different locations on the same network. It's used for SMB over TCP and they ought to be using firewalls in between departments, as most major corporations do, and blocking it. If people need access to files then they can either make them available via secure intranet or they can rsync (or similar) the files between file servers in different departments. If they're using Win2k they're likely using AD and they should have different servers for different subdomains anyway - that is, if they're using AD properly, and have different subdomains for an organization with multiple locations and departments. Also, some types of military networks are often protected by a combination of physical protection and routine. You're not even allowed to bring a machine into a room where it could be plugged into such a network. In fact, you're not even allowed to bring an iPod in. Actually, let me take it one step further; they don't even permit having a phone - and I'm talking cellular, land line, whatever - in the same room as one of these systems. And by "room" I mean the phone and any computers on the network have to be separated by a door that closes itself and locks. When I worked for Tivoli Systems (part of IBM, though they weren't on the IBM campus when I worked there) I once worked on a support call where I was talking to a guy on a phone who was shouting what I said to a guy holding the door open, who in turn was shouting to the guy sitting at the TME10 console. To their credit, they got everything I said correct, and a good time was had by all except, probably, the poor bastard holding the door open.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What a total waste of money.
No kidding. Using Windows garbage for any Homeland Security tasks means that every Windows vulnerability (and there are many, many, many of them) becomes a National Security vulnerability. That's a fact, PERIOD. That the clowns responsible for the safety of the citizens of the US think that Windows is suitable for Homeland Security applications shows they are more concerned with protecting Microsoft's profits than protecting our families.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
If it's border security we're talking about, I'd sure as hell rather have a *broken* system than an *insecure* and *vulnerable* system.
These people don't know what they're doing.