State Department Hit With Many More Break-Ins
adjust28 writes to tell us CNN is reporting that the US State Department has been dealing with a number of computer break-ins with regard to their headquarters and offices dealing with China and Korea over the past couple of weeks. From the article: "Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."
The government seems to have never placed much importance on computer security. I recently read Cliff Stoll's 1989 chronicle of a hacking, The Cuckoo's Egg. Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian punishment that ruins his life; just look at Mitnick. The government can't seem to decide its priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure its own systems and heed experts.
Ask Slashdot: Why do gov't 'puters have net access?
Of course, that's what the bayonet is for!
Why do they even have puters?
(pen and papers)
This could put the State Department ahead of MySpace as the #1 destination site.
It's not offtopic, dumbass. It's orthogonal.
I spent a few months not so long ago tracking down a cracker who had compromised a mail server for an ISP. He'd gotten root, and installed rootkit style stuff that hid directories, etc.
It was a long process to penetrate all his defenses. Finally, I ended up chatting with the cracker a la Yahoo Chat, including video. He was from Romania, and liked diet 7-up.
So, I get all the sources together with which he compromised the server. I had everything, down to IP addresses. I called the FBI and they referred me to some web page that didn't even allow enough upload to report everything I had found.
I submitted what I could. I didn't even get a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.
My opinion of the Dept. of Homeland Security as well as the FBI sank immeasurably as a result.
Maybe they shouldn't have been outsourcing. (that's a joke people)
Philosophy.
Great now they'll get buried in viagra ads. Guys they aren't trying to steal secrets they just wanted your security down so they can sell you dick pills and cheap pirate software. Oh and by the way that nice guy in Nigeria wants to take money out of your account not put it in.
I don't want to trigger a Windows/Linux debate, but relevant is this quote from a recently slashdotted interview with McKinnon:
Source here
Even if it is considered right to treat such breakins so seriously: how many times must the horse bolt before the barn door?
Joke answer: because they invented it!
Because they're on the green.
For a bunker shot, they'd use a sand wedge.
(1) The classified servers are physically disconnected from the Internet. They have to be.
(2) Every time I read a headline like this, I remember playing Uplink, and chuckling over the poor bastards when what I did hit the headlines. Somewhere in Korea, someone is chuckling hard.
people to government: Ha, ha... if we can't have any privacy, neither can you! So there!
So they can continue to wage the War on Child Pr0n, of course.
How are sites slashdotted when nobody reads TFAs?
I think not. Just remember the whole fuss about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?
If total security is achieved, say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like child's play. Not because they will abuse it but because if they want to they can, without ever being found out. All that would need to happen is for someone to come along who wishes to abuse it. Do you trust any party so much you want to give them complete secrecy?
Democracy and free press are nasty things. They conflict immediately with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable government. How the hell can we judge our government if they can keep what they are doing hidden from us?
The only alternative is to accept a certain level of insecurity and just go after the people that go too far. A very strange state of affairs but better than living in a police state.
Mitnick ain't a victim. He is a stupid criminal and deserves everything he is going to get. He was not a journalist seeking the truth, he was just a cracker messing around with computers that were not his.
If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the government is behind closed doors.
After the State Department break-ins, many employees were instructed to change their passwords.
The root password is now "god" instead of "sex"
The password for the defense department computers in question was 'Joshua'.
If you don't get this you're not geek enough; hang your head in shame.
Keep it off the network!!!
I submitted what I could. I didn't even get a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.
My opinion of the Dept. of Homeland Security as well as the FBI sank immeasurably as a result.
Your error was that you failed to realize what the priorities of these agencies are. Report the incident again only this time put the words 'terrorist' and 'activity' in the subject line. Wait an hour and then turn on the TV, switch to a news channel and you should hear reports of massive USAF airstrikes somewhere in Romania. For shorter response times try adding the word 'Osama' to the subject line. Just be careful when using the words 'bin' and 'Laden' since combining those with the other three in one subject line might lead to a tactical nuclear strike.
One has to wonder if this is for real or if this is just another stab at fear-mongering so more propositions to cripple net neutrality / online privacy / ... can be passed.
If they really experienced that many security breaches I doubt CNN would be allowed to publicize this.
OTOH, TFA mentions a lot of scary evil things like North-Korean missiles and Chinese Hackers.
I'm not sure whether I prefer this article to be for real or propaganda, both possibilities imply information warfare on the US people.
Nothing new about this; this is a dupe; there was already an article before of the US being the #1 destination for Internet traffic.
Since most state computer security seems to be so laughably weak. UK 'hacker' Gary McKinnon, currently being extradited to the US, got into US Navy logistics computers by just typing in admin and password to login screens for Windows NT, for goodness' sake. If the most advanced military force on the planet is using an unsupported operating system I dread to think what the State Department's systems must be like.
Ask Slashdot: Why do gov't 'puters have net access?
Why shouldn't they? They need to do work and send email to people outside the government like the rest of us. How do you think, for example, all the tax forms show up on IRS.gov? Magic?
Classified computers do not have access to the normal internet, so when you see these break-in stories, no classified information was compromised, unless some dope went out of his way to get info from a class system to an unclass one.
"said U.S. officials familiar with the hacking"
When did they hire anyone like that? I call their bluff!
Perhaps they hired some first-rate plumbers - they know how to "hack" into tubes.
After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet.
Wait a minute, they actually disabled their security after they got hit with an attack??!? Someone tell me if I'm wrong about secure sockets layer being a security measure of sorts.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Without direct access to microsoft servers the OS can't automatically update itself. Does this mean that airgapped systems are less secure?
Any company or government department that has any internet-exposed servers that hold critical or sensitive information must be so stupid they deserve to be broken into. Whatever happened to having separated internet from internal servers etc.?
This is a clear case of cracking, not hacking. Please tag this article as such; if IT experts use the correct terms for activities, maybe the word "hacking" can be saved?
RMS or such other famous nerd: I'm a hacker
Justice, influenced by Fox: Off to Gitmo for you then, hacker means computer terrorist.
Uh, software update server? It's easy to automatically update Windows systems without access to the Internet.
1.) Announce problem...place blame on shoulders of nearest competitor in need of demonizing
2.) Request new budget to deal with problem
3.) Call architect about new weekend home in the mountains...
I don't care if it is the local Highway Patrol or Congress, you can bet the only 'problem' these wonks always have is figuring a way to line their pockets.
Actually, yes we do. As long as we have to trust it with our things, we want it to be able to hold onto those things and not let just anybody see them or use them against us. If the government expects to claim that it's protecting us and our personal information, it has to deliver on that protection.
However, you're conflating security with transparency , when in fact they're both important. Security is the ability to keep the secret things secret against prying eyes. Transparency is the ability to unlock and inspect certain documents on demand to make sure that the government is functioning as it should. And ideally, the minimum amount of information should be classified secret: the smaller the pile of sensitive information is and the less it moves around, the less likely it'll get violated.
The role of the free press is to report. It could be said that the role of the free press in a healthy democracy is to act as watchdog, to report when the system's security breaks so people can be warned and take measures for their own security, or to use the transparency to report problems. And it could be further argued that when transparency breaks down and secrets are kept unnecessarily, the best thing a reporter can do is intentionally break that bad kind of security. When the Pentagon Papers were exposed and the illegal acts of the Nixon administration were revealed, that was the free press's finest hour.
Nowadays, government security and government transparency are both oxymorons, and the "free press" provides spin, runs interference, and distracts people with the missing-blond-girl-du-jour (I'm looking at you, Fox "News"). Oh, and a significant portion of the people are okay with that.
My question is, where do we start the triage? Any one we start to fix will give us trouble from the other three.
That actually isn't 100% true. The requirement of physical separation does not apply to all classified networks.
...there are certainly dire consequences -if- the government wants there to be. Just look at the money tracing operations and their exposure: President Bush openly and fiercely attacked those newspapers who have reported on it, stating that they have hurt the U.S.'s cause in tracking down terrorists -and- have done damage to the security of the United States and its citizens. He has done this repeatedly, with the full support of other government officials and branches, and guess what? Recent polls showed that the nation is divided roughly in half on the issue at this time, while when the story was published most people really just didn't care too much -or- were outraged that the U.S. government once again pried in their personal affairs. That is now 50% of people agreeing that they feel less secure now that papers, specifically The New York Times, reported on this secret program, and that they shouldn't have done it and -should- be prohibited from doing so in the future. The U.S. government is doing a great job of making the papers out to be 'the bad guys', and one can only imagine that it's certainly not helping their subscribership.
So yes, they can report whatever they want, but the government can very much make them feel sorry for doing so in financial terms. Thankfully the majority of the papers who have reported it -don't- feel sorry in terms of 'doing the right thing'; as one of the editors said - if they can't report on this, then what's next? Not reporting on Abu Ghraib? Not reporting on 'accidental' bombings of civilians? All in the name of supposed national security.
I can understand - and papers should certainly be wise enough to make this decision for themselves - that papers should -not- publish information regarding specific individuals or programs that would severely compromise those individuals or programs; e.g. operatives abroad who have infiltrated: you don't go publishing their names and photos. Investigations into a terrorist sleeper cell in Hicksville: you don't go publishing that they are under investigation. But for something as broad as "The U.S. government is tracking your international money transfers", there is -no- compromise of the program. If nothing else, sad as it is, most people probably expect that the U.S. government was doing that already, and the U.S. government can happily continue doing so; they can't honestly believe that terrorists will suddenly go "oh dear, I say... they are tracing our money wires.. perhaps we should stop using that.".
Elections must be coming up again soon...
I had to ask because I am not a Windows person myself. The Windows admins where I work have a fairly kludgy tool which they run to remotely install stuff on the Windows boxen. It occasionally raises dialogs on our screens asking questions like "do you want to continue?", etc. I wondered if the update mechanism could be used to cleanly feed config and binary changes to the workstations, and based on your reply this seems to be the case. It's a pity it doesn't get used.
I can sympathise with a desire to see the correct terminology used, but in this instance, I'm not sure I can see the harm.
The trouble is that hacking is, in terms of human society, comparatively new. Everyone understands the times when it is right or wrong to enter someone else's house. The same is not clear for remote computer access.
So, it makes sense to look for a situation analogous to unauthorised access and reason from that starting point. A lot of people, myself included, find the housebreaking metaphor apt.
Of course, it remains an analogy, and necessarily inexact, but it does provide a useful frame of reference. I'm not sure it's possible to consider the issue without one. Is there anything intrinsically good or bad in accessing a computer system? Why should permission alter the scenario? At least if we talk about houses and bolts we make our presumptions clear from the start.
Do you think the analogy is unhelpful? Do you have a better starting point? I can't see how else to approach the problem.
From the article:
...snip...
"Tracing the origin of such break-ins is difficult. But employees told AP the hackers appeared to hit computers especially hard at headquarters and inside the Bureau of East Asian and Pacific Affairs, which coordinates diplomacy in countries including China, the Koreas and Japan.
But China also is home to a large number of insecure computers and networks that hackers in other countries could use to disguise their locations and launch attacks."
It would seem that China now has a vested interest in windows insecurity - due to botnets of rooted winboxes, their own efforts at computer warfare can easily be explained away in this manner...
But, but... it wasn't *us*!!!
Can we at least have a 2-sided discussion here? I mean, for example:
Must we assume that whatever was compromised was an unpatched machine that was unusually vulnerable? Call me crazy, but 0-day exploits?
Must we, by the same reasoning, assume that it wasn't some fool-headed diplomat's lackey that opened "worldpeace.exe" hoping to save US/China relations?
Must we assume that the shutdown of SSL afterwards was a stupid move? What if the exploit involved services running SSL, or if the worm/virus/trojan/badthing used SSL to communicate?
Must we just go and flatly state that because a government entity can be hacked, we should never give them our information? If you want to use that logic, then I suggest you go ahead and move off the Internet entirely and go be an off-the-grid tinfoil hat wearer. You're assuming the government is *always* purposefully irresponsible with your data, and you're also assuming things listed above. Hey, keep reading, there will be time after this for people to post about the V.A. data exposure, so we can lump every gov. agency together with that mistake and be +X insightful.
And holy crap people...you gave "why do gov. computers have internet access" a +4 insightful? GET A GRIP. You know what? A better idea. Let us take away Internet access from every agency and company, and just watch that productivity skyrocket because they aren't getting hacked from the outside anymore. I'm sure the modern world can safely go back to doing business over the phone and through snail-mail.
Sometimes these discussions end up being rumor-driven, speculation-rewarded, techno-mob mentality flame fests. Way to be logical about it all folks and to think this through.
I'm not trying to go out of my way to defend the government here, but when it's such a one-sided argument, a rational Devil's Advocate has little choice.
Thanks for the answer even though I don't remember Joshua used in the movie, but then it has been years (only saw it once) since I saw it. :)
At least as of five years ago, most State Department computers had a single monitor, keyboard and mouse plugged into a switch that in turn ran to two different CPUs. One CPU, with big red stickers on it, was the classified ("class") machine; the other, with big green stickers on it, was the unclassified ("unclass") machine. The class machine had an ethernet hookup to the State Department intranet, to handle Lotus Notes and access to Cable Express, the computerized version of State's old Telex cable system. That intranet was completely disconnected from the internet. The unclass machine had a connection to the internet.
The hard disk in the class machine had a barrel lock on it. At the end of the working day, you powered down your machine, unlocked and removed the hard drive, and locked the drive in your safe. (The safe is less fancy than it sounds: a standard four-drawer file cabinet with two u-flanges welded onto it; you slid a long steel bar through both flanges and padlocked it into place. Cheap, but pretty effective.) The unclass machine's hard disk remained in place, and those machines were rarely turned off.
As the story mentioned, most of the hacks target unclass machines, for the simple reason that they can't reach class machines. Give State some credit; on the hardware side at least, they did the right thing by building two networks.
The problem with this setup is this: say you're writing a report that will include some classified information but that will also have background research perhaps from the internet. In theory, you should write the report on the class machine. You should do the internet research on the unclass machine, write up whatever you want to add to the report, copy it to a floppy or flash drive, and copy it onto the class machine. The document from the class machine should never appear on the floppy or the flash drive, much less the unclass machine. In practice, as you can imagine, people often put the file on the portable medium so that they can avoid wrangling with version control (most foreign-service officers don't know what version control is, but they know they don't like to wrangle with it). Once you start doing that, it's only a matter of time before classified information ends up on an unclassified machine.
Just for the record, a lot of classified information is, frankly, uninteresting. If an embassy staffer covers a rally in the foreign capital and writes a cable that has six paragraphs of description of the rally and one paragraph of commentary on the rally, he'll often mark his comments confidential; this in turn makes the cable classified. This tendency to classify TOO MANY THINGS only adds to the report-writing problem I mentioned above, since often the necessary reference material is unclassified description within a classified cable.
Frankly, if you can come up with a way to sort out this state of affairs, I think the State Department would be pretty willing to listen to it. At least, based on watching diplomatic security officers tear their hair out at the potential security breaches that their own employees commit, I think they would be.
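The failure mode described above (a classified cable ends up on the flash drive that is about to be plugged into the unclass machine) is something a staging-directory check can catch before the copy happens. The following is an added example, not State Department code or policy; the marking regexes approximate U.S. banner and paragraph ("portion") markings and the sample files are constructed for the demonstration. It also shows the point made about over-classification: one (C) paragraph in an otherwise (U) document makes the whole file CONFIDENTIAL, so the scanner blocks it rather than the paragraph.

```python
"""Scan a removable-media staging directory for classification markings
before anything on it is carried from the 'class' to the 'unclass' machine.
Added example; the marking patterns are an assumption, not State's own rules."""
import os
import re
import tempfile

# Banner lines carry the overall classification; paragraph ("portion")
# markings such as (U), (C), (S), (TS) start each paragraph. Both regexes are
# approximations; a real deployment would use the agency's marking guide.
BANNER_RE = re.compile(r"^\s*(TOP SECRET|SECRET|CONFIDENTIAL)\b",
                       re.IGNORECASE | re.MULTILINE)
PORTION_RE = re.compile(r"^\s*\((TS|S|C)\)", re.MULTILINE)

LEVELS = {"C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def classify_text(text):
    """Return the highest classification marking found, or 'UNCLASSIFIED'.
    A single (C) paragraph makes the whole document CONFIDENTIAL, which is
    the 'six paragraphs of description, one of comment' cable above."""
    highest = "UNCLASSIFIED"
    for m in BANNER_RE.finditer(text):
        level = m.group(1).upper()
        if RANK[level] > RANK[highest]:
            highest = level
    for m in PORTION_RE.finditer(text):
        level = LEVELS[m.group(1)]
        if RANK[level] > RANK[highest]:
            highest = level
    return highest


def scan_media(root):
    """Walk root and return {relative_path: level} for every file that must
    NOT go to the unclass machine. Files containing NUL bytes are treated as
    binary and flagged for manual inspection rather than silently passed."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                raw = f.read()
            if b"\x00" in raw:
                flagged[rel] = "UNREADABLE (binary; inspect by hand)"
                continue
            level = classify_text(raw.decode("utf-8", errors="replace"))
            if level != "UNCLASSIFIED":
                flagged[rel] = level
    return flagged


def build_sample_media():
    """Constructed sample 'flash drive' contents for the demonstration."""
    root = tempfile.mkdtemp(prefix="unclass_transfer_")
    samples = {
        "rally_notes.txt": b"(U) Background on the rally from press reports.\n"
                           b"(U) Crowd estimate 5,000.\n",
        "rally_cable.txt": b"(U) Six paragraphs of description...\n"
                           b"(C) Comment: organisers are in contact with ...\n",
        "weekly_report.txt": b"SECRET\n(S) Summary of the meeting.\n",
        "photo.bin": b"\x89PNG\x00\x00binary payload",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    media = build_sample_media()
    for path, level in sorted(scan_media(media).items()):
        print(f"BLOCK  {path}: {level}")
```

Run as-is it builds the sample directory and prints one BLOCK line per file that may not cross to the unclass side; only rally_notes.txt passes. The banner regex is case-insensitive, so a line beginning "Confidential sources say ..." is a false positive; for a transfer gate that is the right way to err.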
They changed it to a much stronger password: superman
Right....Classified systems are on a separate network...until, that is, some network eng. patches them together to make his/her job easier. Have you ever done an audit of a military/government network? I personally have, and found over 60 paths to so-called "secured" networks from a machine which was Internet accessible...Let's stop cherry picking, and call it like it is...totally kludged up, non-functional, messy security at best.
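The "over 60 paths" finding in the post above is what you get when you treat every multi-homed box as a bridge between the segments it sits on and enumerate routes from the Internet-facing segment to the one that is supposed to be isolated. The following is an added example of that audit step, not the poster's tooling; the inventory, host and segment names are constructed, and the two bridging hosts stand in for the "patched together" shortcuts the post describes.

```python
"""Enumerate every path from an Internet-reachable segment to a segment that
is supposed to be isolated, given an interface inventory. Added example with a
constructed inventory; all host and segment names are made up."""
from collections import defaultdict

# Constructed inventory: host -> segments it has an interface on. A host on
# two segments bridges them; a host on one segment is a dead end.
INVENTORY = {
    "dmz-web01":   ["internet", "dmz"],
    "fw-core":     ["dmz", "corp-lan"],
    "admin-ws07":  ["corp-lan", "mgmt"],
    "eng-jumpbox": ["corp-lan", "secured"],   # the shortcut an engineer added
    "print-srv":   ["corp-lan"],
    "sec-file01":  ["secured"],
    "ops-laptop":  ["mgmt", "secured"],       # a second, less obvious bridge
}


def build_graph(inventory):
    """Undirected bipartite graph segment <-> host, so any path alternates
    between a segment and a host that has a foot in it."""
    adj = defaultdict(set)
    for host, segments in inventory.items():
        for seg in segments:
            adj[("seg", seg)].add(("host", host))
            adj[("host", host)].add(("seg", seg))
    return adj


def find_paths(inventory, source_segment, target_segment, max_hosts=6):
    """Return every simple path from source to target segment as the ordered
    list of hosts traversed. max_hosts bounds the search on big inventories."""
    adj = build_graph(inventory)
    start, goal = ("seg", source_segment), ("seg", target_segment)
    paths = []

    def dfs(node, visited, hosts):
        if node == goal:
            paths.append(list(hosts))
            return
        if len(hosts) >= max_hosts:
            return
        for nxt in sorted(adj[node]):
            if nxt in visited:
                continue
            if nxt[0] == "host":
                hosts.append(nxt[1])
            dfs(nxt, visited | {nxt}, hosts)
            if nxt[0] == "host":
                hosts.pop()

    dfs(start, {start}, [])
    return paths


def bridging_hosts(inventory, source_segment, target_segment):
    """Hosts that sit on at least one path (each is a bridge to remove) and
    hosts that sit on every path (choke points a single fix would close)."""
    paths = find_paths(inventory, source_segment, target_segment)
    on_any = set().union(*paths) if paths else set()
    on_all = set.intersection(*map(set, paths)) if paths else set()
    return on_any, on_all


if __name__ == "__main__":
    for p in find_paths(INVENTORY, "internet", "secured"):
        print(" -> ".join(p))
    any_h, all_h = bridging_hosts(INVENTORY, "internet", "secured")
    print("hosts on some path to the isolated segment:", sorted(any_h))
    print("choke points on every path:", sorted(all_h))
```

On the constructed inventory this finds two paths, one through eng-jumpbox and one through admin-ws07 and ops-laptop; the choke points are dmz-web01 and fw-core, which is the useful output of such an audit: pulling the second interface from either host closes every route at once, whereas fixing eng-jumpbox alone leaves the laptop path open. Feed it the real inventory (interface tables from switch configs or an asset database) and the path count is the number the poster was quoting.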
No, they use JDAM munitions for bunker shots. Or maybe those clever new mini-nukes that are somehow less offensive than the regular genocidal ones... :-)
And what relationship to the public internet does a desire to decrease paperwork have?
This is exactly why I am against allowing the government to implement an OS-level backdoor. They will simply lose the information on the backdoor to hackers and then no computer will be safe!
Since 9-11, we pay lip service to security and democracy. At the same time, Bush has been paying back support and pushing loads of Windows boxes. For example, DHS (the group who is into fatherland, rather than motherland) has pushed Windows. Yet, the stats clearly show that it is the worst. We are now paying the price for allowing our country to become a fascist nation in spite of warnings from such as Eisenhower and even Warren Buffett.
It can do; your admins aren't doing a good job :) Even without SUS there are many third-party tools to do this (Zenworks comes to mind).
I blame their hiring practices.
http://careers.state.gov/specialist/opportunities
Check out the inordinate amount of weight they place on such meaningless shit as A+/Network+ certification. Those are the most absurdly easy, and yet off-topic/useless metrics ever written by man. Also, it's a Windows shop. This was bound to happen.
That's awesome! Support for Plug and Play Missile Launchers. I think that should be the number one reason to "Make the switch" to Linux. If that doesn't make your machine secure I can't imagine what would (except maybe plug and play nuclear ICBMs).
I'm wondering whether these are real break-ins, or just the common crap that I am removing from Windoze machines every day?
Oh well, what the hell...
The sad thing about Cliff Stoll (and several other experts) is that he's succumbed to the same poo-poo behavior as the people he complained about in his book.
I was having a problem with very unique break-ins last year and contacted several experts including Cliff.
Having read his book many years ago and after doing "my homework" (months) I approached some of these folks. Mr. Stoll is a teacher now and I'm sure very busy, but managed to return my call. His voice is as you would imagine, bright and cheerful, a very engaging fellow. I (began to) explain my situation and he stopped me several times to question me on some basic tenets of deduction; I continued, where he then just stopped me and (basically) started to quote from his book: "when hearing hoofbeats..." where I then finished his quote "...don't think zebras". He then, for whatever reason, without hearing (what little more) I had to say, began to surmise (very) simplistic scenarios for this obvious break-in.
My point here is not to malign Mr. Stoll, but to illustrate an overall complacency in the arena of security.
This complacency is our Achilles' heel, and I'm not talking passwords.
People don't understand what the growing numbers of hardware Gurus have always known:
Hardware trumps root.
I finally found my expert, and we're working on it now.
Fire the moron who decided that it was okay to put sensitive information in a machine that was online.
Read the law...
"With respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to--
apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated; and
promote public access to public information and fulfill the purposes of this chapter, including through the effective use of information technology."
At least as of five years ago, most State Department computers had a single monitor, keyboard and mouse plugged into a switch that in turn ran to two different CPUs.
Thanks for the 411. One keyboard firmware worm coming right up! :-P Seriously though, we all know most hacks are an inside job. So, the China/Korea angle is just plausible BS in all likelihood.
I'm sure this is no more than a red herring to get people to swallow more draconian, fascist, Constitution trashing 'laws' to allow them to "protect us" from these cyber-terrorists.
Happened to notice that they're charging everyone with 'terrorism' these days? Even guys that hold up convenience stores.
The only people that have benefited from this report are the hacker spies who will now know not to use their back doors and get caught.