Govt. Report Slams FBI's Internal Network Security
An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."
I've worked in another agency in a related line of work. FBI security is a joke. Everyone knows it. An FBI agent's idea of "information security" is carrying a gun when he brings home Top Secret documents in his glove compartment. Their security flaws are a reason intelligence organizations are reluctant to cooperate.
They run that Sh!tH*le like it's some cruddy Government institution, ferchrissake!
"Flyin' in just a sweet place,
Never been known to fail..."
Goooood, means it's possible to get to those x-files after all....
"we've got trenchcoats and bad attitudes" - John Constantine, HellBlazer
I think they use Windows OS on their servers...
Unpatched they may be, but when they come bursting through your door, you'd sure-as-hell better welcome them as your new digital overlords...
Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?
oh snap, they got SLAMMED. Good thing they didn't get chastised or scolded.
From TFA: "The bureau, which had the opportunity to review the GAO's findings before publication" ...
I wonder what "review" means in this context? Read through? Edit? Sanitize?
Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
After all, crime fighting stats don't rise for not catching those who didn't manage to break the law, because it was too difficult.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
This could not be possible because the FBI is one of the government's largest agencies; if it is true, the situation should be reversed and the funding for security should be studied further. This should be the case for the government to provide better security for the homeland, but how can it be if even the agencies are lacking it...
Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
Well, it might be nice if you want to ACTUALLY CATCH THEM! How are you supposed to do that when they overwrite your files?
Oh, I see, you don't care if the arrested is actually guilty. I'll be quiet now. Forget I said anything. You guys are doing great, keep up the good work and help yourself to some real Wow software or something. Bye.
Friends don't help friends install M$ junk.
Try:
In Soviet FBI, bad guy is YOU!
Friends don't help friends install M$ junk.
[blah bla] writes to inform us that the Government Accountability Office was attacked earlier today.
Nobody knows who done the attack, but the FBI said it was a swift and tactical raid, everyone dead, and one bin on fire with what appears to be a report from the remains; the title read FB... nal.. ty, that's all that could be read at the time.
'I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)'
Carefully, though. You might end up penetrating Guantanamo.
I am sure that there are many other solipsists out there.
All you have to do is turn a Yagi toward the local police station from a block or more away hook into their wireless then into their FBI connection and have a look around.
IT-Security is not handled by the technical department when it comes to the feds. It's handled by the legal department.
Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.
The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.
And those people should be trusted with my information?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The FBI has blamed its blatant long-term abuse of the Bush privacy-invasion toy "National Security Letters" on its broken database.
Since, as usual, no one at Bush's FBI has suffered after disclosure of this destructive abuse, the excuse will of course multiply in popularity.
Funny how Bush Gang "mistakes" always seem to benefit Bush, though his gang claims it's all just accident and happenstance. Random distributions that always favor Bush must be "miracles".
--
make install -not war
Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...
This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?
The GAO has always been the "General Accounting Office" and works for Congress. Similar in function to the "Inspector General" in the military, investigate problems and report to superiors with evidence.
Professional Politicians are not the solution, they ARE the problem.
We need more gov't transparency. Appointing stooges to the DOJ to fire the noncompliant, limiting free speech, obfuscating information to the journalists, and distrusting the American public to the point of borderline treason, I would hope that somewhere, somehow, eventually true, honest, and open people get hold of information that will shed light on the gov't actions in the last 6 years. /Woops... *removes tin foil hat, jumps in the ocean, swims, far*.
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
To be gratuitously paranoid for the moment, do announcements like this make anyone suspicious? As in, purposely leaking "our security is teh s uck" reports to lure in a few daring souls who don't know any better, and who are then easily busted trying to crack a system that isn't all that teh s uck after all. They then get to lock up another round of curious script kiddies, which looks great on paper and shows the higher-ups how clever they are and why they need more funding to be even more clever in future. Like traffic cops setting up extra hidden speed traps at quota time.
... in 2004
If you mod me down, I shall become more powerful than you could possibly imagine.
If you are aware, I believe to continue your claim, they spent a BIG WASTEFUL sum of money developing this supposed NEW tcp/ip filtering technology called CARNIVORE; hence it to say, after all the spending, they ended up scrapping the idea, and started all over with a new app, which, guess what, also needed the same amount of funding......
Then you wonder where all our money goes to when they say we have to increase our taxes due to lack of money for our federal budget.
This is incorrect.
The FBI, like all other government agencies, has a CIO with an office of security under him responsible for securing their IT systems.
http://www.fbi.gov/hq/ocio/ocio_home.htm
I heard that they cut funding to a couple of their security programs earlier this year. This is just another example of misplaced priorities. If you're in the industry this shouldn't come as a surprise.
(1) configure network devices and services securely to prevent unauthorized insider access;
(2) identify and authenticate users to prevent unauthorized access;
(3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
(4) apply strong encryption techniques to protect sensitive data on its networks;
(5) log, audit, or monitor security-related events;
(6) protect the physical security of its network; and
(7) patch key servers and workstations in a timely manner.
Insider attack is always a risk; full solutions against it are 1) Impossible 2) Infinitely costly (see 1)
I work in Financial Services a lot - these solutions aren't necessarily all implemented that strongly, the limitation is cost. Without seeing a costing plan for the above utopian remediation I'm not so sure it is needed. I'm not saying the FBI are necessarily good - just that the report language is too general/pipe dreamish to know.
Yes, of course such a thing exists. But generally, my experience is that IT security is handled through legal rather than technical means.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The fact that the FBI is computer-challenged has been known for years. It goes well beyond information security.
When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.
Some years ago the chief of FBI information security turned out to be a spy for the Soviet Union. There wasn't anyone at the FBI who knew enough about computers or information security to realize that he was compromising them.
A major FBI system development was one of the huge systems canceled in the 1990's because it wasn't properly managed and became impossible to complete.
I suppose geeks don't fit the image the FBI wants for its people. Computer-illiterates do. That's the way things go there.
GAO had to know what 'right'
Keep in mind the audit and disclosure is probably politically motivated. Maybe the FBI wants a bigger IT budget? Maybe the head of another agency wants to discredit the FBI? I can tell you from experience, this is more likely rather than plain old incompetence.
The GAO looks like they are doing their job, but that's about it. Having set up NIST-compliant LANs and desktops, I promise you they are not _that_ secure. It's better than a default Windows desktop, but not remarkable. It's Windows after all.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
And these guys are getting full access to our credit card data, credit histories, purchase histories and flight data. -- I don't think the EU realizes what kind of security risks they are subjecting their own (more affluent) citizens to by giving the USA full access to all this data when clearly they don't give proper consideration to its security. There is ample opportunity for spying and illicit uses, and where there is opportunity, there is also traditionally abuse.
Americans need to give EU data on their own citizens in return. This one sided "pulling of our pants down" is not OK.
GAO and IG reports to/on U.S. federal agencies are shared with the agency first. Typically, the agency writes a short response (Generally along the lines of "A, B, and C were cited as problems. At the time of the review: A was being revised and is now fixed; the methodology used to find problems in B were faulty and we refute the finding; C was a valid problem and we've formed a committee to find solutions.") that's normally added to the report as an addendum before it goes to final publishing. Only in rare cases is the agency not allowed to have a couple of pages at the back of the report to defend itself; that's a good sign of political shenanigans. In even rarer cases, if the agency points out grievous errors in the report, the GAO or IG authoring the report will go back and re-write. The authors of the report don't want to look stupid, so if the agency manages to catch them in a dumb mistake, they'll either fix it in the main body of the report or (I've seen this a couple of times) tack on an extra, typically single-paragraph appendix that replies to the agency reply.
No stock price to piss off shareholders, who beat up on a board of directors. No CEO for them to beat on, so he can then beat up on his CIO, who then beats up on directors who beat up on team leads, who work hard to create tight solutions. Money is generally a better motivator than standards compliance.
Some years ago, the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house was answered with threats from industry lobbyists to get their funding cut so severely, they would barely have the money for normal operations.
The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.
Have gnu, will travel.
I'm typing this post from a hacked FBI computer.
See ya.
I work for a federal agency as a contractor doing web application development. I worked for the Navy as a federal employee for 21 years before that, 13 in IT, eight at my last job as an IT officer. In my current environment, I see a dramatic difference in security, mostly because of the higher level of classification we have here. Some differences to what you state:
CAC cards are used, but terminal servers and websites for teleworking still allow username/password.
We use CAC cards for the unclass systems (on the NIPRNET). 95% of the work people do on computers here is on the SIPRNET, which requires no CAC card, but may in the future. No telework here. Hell, we can't even access our unclassified e-mail accounts using Outlook Web access anymore. For me, this is mostly a good thing.
Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.
Blackberries? Hell, I know of exactly three people in this organization that have them, and they're at the highest levels. They require them for very specific operational purposes. Here's what the rest of us have in regard to Blackberries, phones, flash drives and thumbdrives: NADA. No one is even permitted to bring any of the aforementioned items into the building. Ever. Doing so is a major security violation and could get a contractor like me canned in about an hour. This list also includes mp3 players, walkman-type devices, laptops, PDAs, radios, televisions, CDs/DVDs (audio, video and data), diskettes of any type, basically any item or device that can record, save, store or transmit any kind of electronic signal. A few months ago, someone in hardware support installed a new PC in the building where I work, and the PC had an active wireless adapter installed and transmitting. Security went nuts for an afternoon trying to track down the source of the signal, which was detected during a routine sweep. No one thought to look at this new PC stowed under someone's desk. This place is anal.
Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.
If our folks don't install it, it doesn't get used. This includes anything remote.
EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next. Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."
I've seen far less of this here, and they don't kid around with passwords. With the CAC, all you have to remember is a PIN which you put on the card, and it never expires (unless the card is updated). On the high side, we have to use long passwords (12-char minimum) with at least one upper case letter and one number and a change every 90 days. No reuse of a password until you've changed it 25 times. Although I'm sure some people do it, writing a password down is severely frowned upon. The support folks never ask for passwords...they don't have to. The sysadmins and customer service folks have good control and implementation of passwords and permissions, so any tech using a system will either have you log in (if an issue is with your account) or will log in with their own higher-access account.
Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.
Heh, I wish. We can do NOTHING on any workstation. App installations have to be requested through customer service and are frequently pushed from servers. The lockdown of these machines is more anal than anything I ever did at my last job, even on the NIPR/unclass side. The only way to get around some of these restrictions is to make friends with one of the guys in the Windows branch, and even then, he or she
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
They don't have time to secure their own networks, much less crack encryption on seized evidence.
http://shorterlink.org/2405
Me thinks that it's time to download TrueCrypt.
I work on a daily basis on various FBI networks. I've read the GAO report from cover to cover and find it really vague. Within the FBI there are several network infrastructures that support different programs at different levels of security. The higher the level of security and the more widespread the network is, the more levels of authentication are required for physical and electronic access to the space. Don't get me wrong, the FBI is way behind the curve, but the days of running Win98 and using 56k leased lines for backbone network connections are a thing of the past.
I'm half kidding, with the way we're restructuring our government to resemble 19th century Russia, but there is knowledge of how to do secure networks in other TLA agencies. Think XML bridges instead of routers.
It seems a shame to re-invent the wheel for the FBI. I thought Jamie Gorelick's wall was properly and completely smashed post 9/11?
You'd think they could have one of the boys from Virginia over for lunch for a proper "you frikkin' idiots"-ing. Note: I expect that there are plenty of line techs who get this - the conversation would need to take place on the top floor, not in Mulder's office.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)