Slashdot Mirror


Extent of Government Computers Infected By Bots Uncertain

Krishna Dagli writes to mention findings by the company Trend Micro on the extent of bot infection in U.S. Government computers. The article by Information Week indicates that, while the 'original' findings were much harsher, the security vendor has since backed down from some of its claims. Still, the extent to which information-stealing software has penetrated our national infrastructure is enough to take note. From the article: "While it may be tempting to discount the warnings of security vendors as self serving--bot fever means more business for Trend Micro--there's unanimity about the growing risk of cybercrime. In its list of the top 10 computer security developments to watch for in 2007, released last week, the SANS Institute warns that targeted attacks will become more prevalent, particularly against government agencies. 'Targeted cyber attacks by nation states against U.S. government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities,' SANS director of research Alan Paller says in an e-mail. 'Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks.'"

20 of 96 comments

  1. Why, that means by Geminii · · Score: 4, Insightful

    - we have a new excuse for legalising illegal wiretapping and making it mandatory for Americans' PCs to spy on their owners! Because if we don't, those strangely elusive terrorists will have won. Again.

    1. Re:Why, that means by thrillseeker · · Score: 2, Insightful

      That would mean holding government people to the same laws as civilians. When do we do that?

      Daily.

  2. Granny != Uncle Sam by Rob+T+Firefly · · Score: 2, Interesting

    Insert the standard grumbling about government mismanagement and IT provided by the lowest bidder, but this is really extra sad. If people like me can keep bots off our grandmothers' computers for the low, low price of a smile, a hug, and some melted sweets which date back to the Carter administration, why can't the people who built the damn Internet manage?

    1. Re:Granny != Uncle Sam by rwhamann · · Score: 2, Insightful

      Because many of Uncle Sam's employees have the tech skills of granny. Just like home users, convenience often trumps security - "don't break the mission!"

      --
      seg fault
    2. Re:Granny != Uncle Sam by mad_minstrel · · Score: 3, Funny

      Because nobody wants to be hugged by 50 year old suits?

      --
      May the source be with you.
    3. Re:Granny != Uncle Sam by rahrens · · Score: 2, Interesting

      "No generalization is worth a damn, including this one." - Oliver Wendell Holmes.

      Neither is yours.

      I work for a Federal agency (see my post below) and we have a large number of skilled IT workers (some as contractors, some as Feds) that diligently keep our network up, running, and as safe as several million dollars a year can manage.

      For your (and the parent poster's) information, it is not as easy to manage millions of computers spread over the entire globe and keep them as safe as your granny's PC. If you think it is, then you need to find another profession.

      Every Department is separately managed and funded. They all have different tasks, goals and operational requirements. Funding is and has been for years, getting slimmer and harder to come by. Virtually every government agency is underfunded just for core operations, never mind little things like computer operations.

      If you think this is easy, then try working with us for a while; you'll not be so glib in just a month.

      --
      "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
    4. Re:Granny != Uncle Sam by rahrens · · Score: 2, Interesting

      I think you need a reality check.

      The US government is a large, diverse entity with over a million people working for it in places all over the world. It takes a lot of money to make it work, and as with any government, that money has to be coerced out of the population by law; you don't pay for services, mostly, as you would from, say, your local air conditioning service company.

      In a lot of ways, I agree that many of the people, especially in Congress, fit your characterization, as do a few government managers. But by and large, most do not.

      Sure, there are managers that don't always focus on the right ways to do things, often because they're looking in the wrong direction at the wrong time. But under the current fiscal constraints the government is working under, almost all agencies are working under very tight monetary conditions. It isn't easy for many agencies to just do their core mission, much less things Congress considers fripperies.

      As always, it isn't easy to get the management to understand what we in IT need in order to do the job that they ask of us. They are not, after all, technically oriented. We, on the other hand, are technically oriented, but not always able to properly communicate to them in language they understand just what we need. So the wheel turns, and things some time go to shit.

      But guess what? Things do that in private corporations, too! Or don't you read the news?

      If you want to gripe, gripe about managers everywhere, not just in government.

      If you'd read my posts, you would see that in my agency, the management is actually paying some attention to us, with good, predictable results.

      --
      "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
  3. Bots accounting for questionable browser habits by Neil+Watson · · Score: 2, Insightful

    How many of these bots are there to generate hits for porn sites thus making the employees look bad?

  4. It's the bureaucracy that's the biggest problem by elrous0 · · Score: 5, Insightful
    As someone who has worked in government IT, I can tell you that the biggest problem that we faced security-wise was the bureaucracy of the government. Want to hire a consultant, buy a piece of security software? Then you have to go through the long and arduous procurement process (forget any nimbleness or adaptability). Want to fire someone who is incompetent? Forget it (firing anyone is a HUGE pain in the ass, especially in the federal system). What you end up with in government IT (and, hence cyber-security) is often a bunch of guys used to doing the same thing every day; never learning anything new; who have grown burned-out, disenchanted, and cynical with the whole process.

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  5. And Yet Still Windows by blueZhift · · Score: 5, Insightful

    I know it's always fashionable to bash Windows here on /., but stories like this really do beg the question of why the government is not seriously looking at a more secure operating platform. In particular, while Linux is not perfect, it would be much less likely to fall prey to the ills that are epidemic on Windows without much, if any, added cost post transition. I suppose someone will have to die before getting off of Windows is seriously considered, if even then.

    1. Re:And Yet Still Windows by enharmonix · · Score: 2, Interesting
      In particular, while Linux is not perfect, it would be much less likely to fall prey to the ills that are epidemic on Windows without much, if any, added cost post transition.

      I am not convinced that OSS is really all that more secure than closed-source software. Not saying Windows is not vulnerable (otherwise we wouldn't be having this discussion), but let's be realistic here. The chief advantage to OSS is the peer-review process, but in a large company like MS, peer review is probably mandatory as well. If you actually look at some of the technology coming out of Redmond, it's not a thousand monkeys banging on keyboards.

      I think the real reason that you see so many security vulnerabilities is because you have experts (not just script kiddies, but blackhat experts) trying to break into Windows on a daily basis. Now ask yourself, how many people really concentrate on infiltrating Linux? Yeah. Not that many. The main (but certainly not only) reason Linux is so secure is that people just don't bother exploiting it. The same argument people use about Mac security applies here as well. If Linux took over 90% of the world's desktops and was used in the majority of US government infrastructure, I bet you'd see a disproportionate number of vulnerabilities and exploits of Linux. Brain teaser: Would Windows be more or less secure if malware authors had access to the Windows source code?

      Anyway, I'm not trying to start a flame war by saying Linux's security <= Windows' security. Another of Linux's strengths (and a weakness as well) is its diversity. An exploit will probably only work on a fraction of the boxes exposed. But with One Distro To Rule Them All (i.e., Windows XP, with Automatic Updates), you've got near zero diversity in the genepool. To ensure maximum application compatibility, MS has also ensured maximum malware compatibility. So I think the answer to the Fed's (and public's) problem with malware is to diversify the computing environment.

    2. Re:And Yet Still Windows by Lumpy · · Score: 2, Interesting

      Because they typically will not pay enough for competent IT staff and admins.

      Government IT jobs are some of the lowest paying and have the absolutely lowest job satisfaction. Government does not want idea people, they want people that will do what they are told without question.

      I know, I was there. Started my career as a Government IT employee. Hated it badly, and could not stand the supervisor that knew nothing about IT yet constantly micromanaged us, even telling us to do things that are insane-wrong, then yelled when doing exactly what we were told screwed up something. I got my kicks out of listening to the council meetings where he tried to sound like he knew what was going on and knew his job while he threw around random acronyms. Many a public audience member snickered at things he said that were way off or nuts.

      Funny part was I almost had him approve naming a new file server "PHUCK".... that last week there was the most fun I ever had :-)

      Gawd working for Govt sucked, working Govt IT sucked even more.

      --
      Do not look at laser with remaining good eye.
    3. Re:And Yet Still Windows by Sloppy · · Score: 2, Insightful
      I think the real reason that you see so many security vulnerabilities is because you have experts (not just script kiddies, but blackhat experts) trying to break into Windows on a daily basis.

      That may be an aggravating factor, but it's definitely not the main problem. Windows' biggest problem isn't just that it's proprietary software -- it's that it just plain sucks even within the realm of proprietary software. It's the one platform where

      • Web browser was designed to download and execute binary code from web pages. I'm not talking about accidents and bugs like buffer overflows -- I'm talking about an intended feature. It's horrifically dangerous on purpose.
      • Mailreader executes attached scripts (supposedly this is mostly fixed nowadays?)
      • Word processor and spreadsheet execute macros when loading document -- and those macros can do just about anything.

      These aren't merely bugs that Microsoft failed to catch before the product shipped. Free vs proprietary software issues aside, Windows is dangerous by design. It's not just about lack of peer review or poor code quality. It's about trying to serve interests other than the users'. Switching to anything, even other proprietary systems, would almost certainly be better, because the above "features" are things that nobody else would dare to implement.

      If another platform were as dominant as Windows and there was still a lack of diversity, the situation wouldn't be as bad. Whether it were free software such as Linux, or a proprietary system such as MacOS, you'd still have a different situation. Bugs would still exist, and vulnerabilities would still be found. But the software wouldn't be designed to treat external (and therefore potentially hostile) content as executable code. You just can't do worse than Windows.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  6. It's just the Patriot Act by Yfrwlf · · Score: 2, Interesting

    Spying/eavesdropping/wiretapping? That's just the Patriot Act, come on. You guys made it legal yourselves, and now you're complaining when others do it back to you? Maybe I'm concerned about terrorists running this country, so I should be able to eavesdrop on all government communications. That's the same fantastic excuse you guys use, fair is fair.

    --
    Promote true freedom - support standards and interoperability.
  7. Re:Wouldn't it be fitting... by Hijacked+Public · · Score: 2, Insightful

    But they would never 'discover' that, because they can't sell themselves or their peers security software. A more newsworthy headline, even aside from the fact that 'Extent of Government Computers Infected by Bots Uncertain' really has no relevant meaning at all and anyone who paid to get a report with that title should demand a refund, would be if a security software company audited someone's machines and reached the conclusion that no, you do not need to buy anything from us.

    --
    "Sacrifice for the good of The State" - The State
  8. Budget cutbacks and incompetence by RingDev · · Score: 4, Insightful

    I used to work both as a consultant, and an LTE for a department of a state government. I did software development, all of our Network resources were managed by the Department of Administration (DOA, appropriately enough). DOA may have started out as a good idea, one centralized agency that maintained licensing, contracts, support, purchasing, etc... But cutbacks led to them continuously cutting pay and positions. By the time I left, the only representatives from the DOA that I knew of were two LTE college students, and one former manager who took a demotion to a tech position to stay employed (which just happened to bump one of the last skilled technicians out of the department).

    Anyways, under their watch we had numerous security breaches. One of our servers was hosting a child porn collection and IRC channel. Another server had been crippled by viruses, and we had seen other signs of intrusion time after time. The child porn server was confiscated by the FBI when they tracked it down. They returned the server to the DOA when they had finished so that the DOA could learn from the breach and correct the security issue, but there was no one employed with the DOA who could identify the failure or what to do about it.

    Anyways, my rough guess is that given what I've seen of state networks, I would think they are heavily botnetted. The other side of the public sector though, at least the Marine Corps network, is a pretty impressive setup. I've seen those guys in action and I would be extremely surprised if there is a lick of traffic that escapes their pipes without their express knowledge.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Budget cutbacks and incompetence by Fr05t · · Score: 2, Funny

      "I've seen those guys in action and I would be extremely surprised if there is a lick of traffic that escapes their pipes without their express knowledge."

      I'm terrible with conversions, but isn't 1 lick approximately equal to 142 bytes?

  9. this takes $$$ time and energy by rahrens · · Score: 3, Informative

    If an Agency is willing to spend the money, time and energy to put in place the protections that the typical Government information system deserves, this wouldn't be a problem.

    My agency uses a multi-layered defense to protect us against these issues. There are network level protections, PC level protections and desk-side support level protections. We also regularly send out warnings about current threats as well as require personnel to undergo annual IT security awareness training.

    Individual PCs that are found to be broadcasting unknown signals to unknown or unverifiable outside destinations are removed from the network and reimaged immediately.

    If, from a complaint to the help line, we find that a PC is infected with spyware, we don't even try to remove it; it is immediately reimaged.

    We have instituted a locked down desktop policy; users are NOT allowed admin access except through application to a special committee for good business cases, based upon the use of special software that requires such access to run. We bend over backwards to alter those situations to avoid that access whenever possible.

    Laptops are imaged using an image that is encrypted using a good encryption program that encrypts the entire hard drive using a 512 bit key, and NO laptops are allowed to be bought without going through our receiving process where that image is installed.

    We have spent millions of dollars of your tax money in the last five years bringing this system online, but now that we have, we believe that we have as safe a system that we can get without just unplugging it or spending twice as much.

    We don't have classified material, but we do have information that is confidential by law and must be protected from public release. (proprietary information belonging to firms we regulate.) This limits the measures we need to use, since classified material requires a completely different level of protection.

    If the VA had used a system like ours, they would never have been embarrassed by the recent theft. The theft may still have occurred, but the information would never have been at risk.

    It is not a perfect system, and it takes constant diligence to maintain and periodically upgrade, but I think we do a pretty good job.

    --
    "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
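The quarantine rule described in the post above ("PCs found to be broadcasting unknown signals to unknown or unverifiable outside destinations are removed from the network and reimaged") is, in detection terms, a triage over outbound flow records: internal source, destination that is neither internal nor on a verified allowlist, and optionally a check for the steady check-in timing that bot command-and-control traffic tends to show. The following Python is an added example written for this page, not the poster's agency's tooling; the flow log, the allowlist (`KNOWN_DESTINATIONS`) and the beacon threshold (`max_cov`) are all constructed assumptions.

```python
"""Pick out internal PCs talking to unverified outside hosts, from outbound flow records."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log (not real data): timestamp, source, destination, dest port.
# 10.1.4.22 checks in every 30 s to an unknown host; 10.1.4.23 talks only to an
# allowlisted server; 10.1.4.24 stays internal; 10.1.4.25 has two IRC-port contacts.
SAMPLE_LOG = """\
2007-01-15T09:00:00 10.1.4.22 192.0.2.10 80
2007-01-15T09:00:30 10.1.4.22 192.0.2.10 80
2007-01-15T09:01:00 10.1.4.22 192.0.2.10 80
2007-01-15T09:01:30 10.1.4.22 192.0.2.10 80
2007-01-15T09:02:00 10.1.4.22 192.0.2.10 80
2007-01-15T09:00:12 10.1.4.23 198.51.100.5 443
2007-01-15T09:07:41 10.1.4.23 198.51.100.5 443
2007-01-15T09:00:05 10.1.4.24 10.1.1.1 445
2007-01-15T09:00:50 10.1.4.24 10.1.1.1 445
2007-01-15T09:03:00 10.1.4.25 203.0.113.7 6667
2007-01-15T09:03:02 10.1.4.25 203.0.113.7 6667
"""

# Hypothetical allowlist of verified outside destinations (e.g. the vendor's update server).
KNOWN_DESTINATIONS = frozenset({ipaddress.ip_address("198.51.100.5")})

# RFC 1918 ranges; anything else counts as "outside".
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(log):
    """Yield (timestamp, src, dst, port) tuples; skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(port))


def unknown_outbound(log, known=KNOWN_DESTINATIONS):
    """Group flows from internal hosts to destinations that are neither internal nor allowlisted."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_flows(log):
        if is_internal(src) and not is_internal(dst) and dst not in known:
            flows[(str(src), str(dst), port)].append(ts)
    return flows


def beacon_score(timestamps):
    """Mean gap and coefficient of variation of the gaps; a low CoV means a regular beacon.
    Returns None when there are too few connections to judge."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return (m, pstdev(gaps) / m if m else 0.0)


def quarantine_candidates(log, known=KNOWN_DESTINATIONS, max_cov=0.2):
    """Map each internal host with unknown outside contacts to its suspicious flows.
    'regular' marks flows whose timing is steady enough to look like a bot check-in."""
    report = {}
    for (src, dst, port), times in unknown_outbound(log, known).items():
        score = beacon_score(times)
        regular = score is not None and score[1] <= max_cov
        report.setdefault(src, []).append(
            {"dst": dst, "port": port, "count": len(times), "regular": regular}
        )
    return report


if __name__ == "__main__":
    for host, flows in quarantine_candidates(SAMPLE_LOG).items():
        print(host, "->", flows)
```

Any host in the returned map is a reimage candidate under the post's policy; the `regular` flag only prioritises which ones to pull first, since a single unknown contact is enough to act on, and a bot that jitters its check-in interval will not trip the timing check at all.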
  10. Speaking of which by wiredog · · Score: 2, Interesting
    Commerce Department Targeted; Hackers Traced to China

    Hackers operating through Chinese Internet servers have launched a debilitating attack on the computer system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month, Commerce officials said yesterday.

    The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market.

  11. Re:Don't bet on it by RingDev · · Score: 3, Interesting

    There were a few notables I saw while I was active duty in the Marine Corps as a 4067 (Computer Programmer). My first experience with the MITNOC was in Okinawa, Japan. One of the network/pc techs had put up a geocities page that had references to UNC paths inside the network. It worked great for him because he could go to any PC on any of the bases and get to all of the tools/software/installs he needed for most of his work. The links were only worth a damn if you could get into the network though. Unfortunately someone else (I believe it may have been 'Hackers for Girls') also discovered the links. The same weekend in 1998 that CNN was disrupted, the MITNOC (located in Quantico, VA) noticed a huge flood of attacks on the Oki network. Within a few hours, the MITNOC had the website taken down, a mirror image of the PC tech's hard drive, his browsing history for the last 3 months (printed and digital), and 3 Marines on a plane to Japan.

    Another notable environment I saw was one of the Office buildings in Quantico, VA. Each new building for the most part had its own network design team that would configure the building prior to people moving in, and they would design and configure everything. Once the regular staff showed up, the design team would hand off control of the network to the local IT department. The guys at the Marsh Center had this down to a science. When I left Quantico, the only thing those network guys would get out of their chairs for was to clear a printer jam or replace failed hardware. Everything else was locked down, automated, network pushed, and otherwise controlled remotely. A truly beautiful environment for both the IT support team, and us developers.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
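The Okinawa incident in the post above turned on a public web page that quoted internal UNC paths: harmless on their own, but a ready-made map of file servers and share names for anyone who later got a foothold. A cheap control is to scan anything published outward (personal pages, wikis, ticket exports) for `\\host\share` references and `file://` links before it goes live. The Python below is an added example for this page, not the MITNOC's or the poster's code; the sample page, the hostnames in it and the administrative-share list are constructed.

```python
"""Scan published text for internal UNC paths and file:// links that expose share names."""
import re

# Constructed sample page (not the post's actual page); hostnames are made up.
SAMPLE_PAGE = r"""
<html><body>
<p>Installs: <a href="file://///fileserver01/tools/installs/">tools</a></p>
<p>Imaging: \\img-okinawa\ghost$\win2k\base.gho</p>
<p>Also \\IMG-OKINAWA\ghost$\winnt and \\dc01\netlogon\login.bat</p>
<p>Admin: \\dc01\c$\winnt\system32</p>
<p>Not shares: C:\local\path, http://www.example.com/x, and a lone \ backslash</p>
</body></html>
"""

# \\host\share[\...]  -- host and share stop at whitespace, slashes or HTML delimiters.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\([^\s\\/<>\"']+)")
# file://host/share or file://///host/share, as browsers write mapped drives.
FILE_URL_RE = re.compile(r"file:/+([A-Za-z0-9_.-]+)/([^\s\\/<>\"']+)", re.IGNORECASE)

# Built-in administrative shares beyond the per-drive C$, D$, ... pattern.
ADMIN_SHARES = {"admin$", "ipc$", "print$"}


def is_admin_share(share):
    """True for administrative shares (C$, D$, ADMIN$, IPC$, ...), which name a
    host where an attacker with credentials gets the whole volume."""
    s = share.lower()
    return s in ADMIN_SHARES or (len(s) == 2 and s[0].isalpha() and s[1] == "$")


def find_shares(text):
    """Return the set of (host, share) pairs referenced in the text, lower-cased
    so that \\HOST\Share and \\host\share count once."""
    found = set()
    for rx in (UNC_RE, FILE_URL_RE):
        for host, share in rx.findall(text):
            found.add((host.lower(), share.lower()))
    return found


def leak_report(text):
    """Per host: sorted share names and whether any of them is an administrative share."""
    report = {}
    for host, share in find_shares(text):
        entry = report.setdefault(host, {"shares": [], "admin_share": False})
        entry["shares"].append(share)
        entry["admin_share"] = entry["admin_share"] or is_admin_share(share)
    for entry in report.values():
        entry["shares"].sort()
    return report


if __name__ == "__main__":
    for host, entry in sorted(leak_report(SAMPLE_PAGE).items()):
        print(host, entry)
```

The two regexes deliberately stop at the share name rather than capturing the full path: the report is meant to be handed to whoever owns the host, and a share name is enough to know what was exposed without reproducing the directory layout in yet another document.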