Slashdot Mirror


Govt. Report Slams FBI's Internal Network Security

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately 'identify and authenticate users to prevent unauthorized access.' The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."

22 of 70 comments

  1. Common Knowledge by Anonymous Coward · · Score: 5, Informative

    I've worked in another agency in a related line of work. FBI security is a joke. Everyone knows it. An FBI agent's idea of "information security" is carrying a gun when he brings home Top Secret documents in his glove compartment. Their security flaws are a reason intelligence organizations are reluctant to cooperate.

  2. Holy Crap! by Jeremiah+Cornelius · · Score: 4, Funny

    They run that Sh!tH*le like it's some cruddy Government institution, ferchrissake!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Holy Crap! by Aoreias · · Score: 3, Insightful
      Obviously not all the government is bad at computer security. Clearly the GAO had to know what 'right' is to be able to criticize the FBI for not having adequate security measures.

      It's not that the government is filled with people that don't have a clue, but rather that the technically able people usually get frustrated by bureaucracy, politics, and poor management.

      --
      We've upped our standards. Up yours.
  3. Good... by Mystery00 · · Score: 5, Funny

    Goooood, means it's possible to get to those x-files after all....

    --
    "we've got trenchcoats and bad attitudes" - John Constantine, HellBlazer
  4. Re:Windows ? by Architect_sasyr · · Score: 4, Interesting

    All Windows bashing aside, does it matter? Internal Network Security could be lacking because rather than installing and configuring sudo half the team is given the root passwords to su with.

    That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  5. Obligatory... by Anonymous Coward · · Score: 4, Funny

    Unpatched they may be, but when they come bursting through your door, you'd sure-as-hell better welcome them as your new digital overlords...

    Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?

  6. Re:Windows ? by Anonymous Coward · · Score: 4, Insightful

    In most cases, yes.

    However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.

    At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.

    They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.

    Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!
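The OTP generator this comment calls for, as an added example that is not from the post or from any FBI or DISA system: an RFC 4226 HOTP generator with a server-side verifier that uses a small look-ahead window, so a token pressed a few times without a login still works while an already-used code is never accepted again. DEMO_SECRET is the RFC's reference secret, used only so the codes can be checked against its published test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226 reference secret (ASCII "12345678901234567890"),
# used here only so the codes can be checked against the RFC's published test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                look_ahead: int = 3) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the counter value to store next on success, None on failure.
    The look-ahead window tolerates a token that was pressed a few times
    without a login (the usability problem the comment raises), but a code
    at or below the last accepted counter is never accepted again, so a
    code captured in transit cannot be replayed.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None
```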

  7. Reviewed? by palemantle · · Score: 3, Insightful

    From TFA: "The bureau, which had the opportunity to review the GAO's findings before publication" ...

    I wonder what "review" means in this context? Read through? Edit? Sanitize?

  8. Who needs good prevention... by SharpFang · · Score: 4, Interesting

    Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
    After all, crime fighting stats don't rise for not catching those who didn't manage to break the law, because it was too difficult.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  9. Good thinking, Sherlock. by twitter · · Score: 2, Funny

    Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?

    Well, it might be nice if you want to ACTUALLY CATCH THEM! How are you supposed to do that when they overwrite your files?

    Oh, I see, you don't care if the arrested is actually guilty. I'll be quiet now. Forget I said anything. You guys are doing great, keep up the good work and help yourself to some real Wow software or something. Bye.

    --

    Friends don't help friends install M$ junk.

  10. I can already see the next /. on this story by Nappa48 · · Score: 2, Funny

    [blah bla] writes to inform us that the Government Accountability Office was attacked earlier today.
    Nobody knows who did the attack, but the FBI said it was a swift and tactical raid, everyone dead, and one bin on fire with what appears to be a report from the remains, the title read FB... nal.. ty, that's all that could be read at the time.

  11. A kopek to get in, a rouble to get out by Archtech · · Score: 2, Insightful

    'I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)'

    Carefully, though. You might end up penetrating Guantanamo.

    --
    I am sure that there are many other solipsists out there.
  12. Re:Windows ? by Lord_Frederick · · Score: 5, Interesting

    I've worked for private companies, local government and federal government. IT in some federal agencies is very scary.

    CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

    Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

    Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

    EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.

    Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

    Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

    Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

  13. Fallacy when dealing with government IT security by Opportunist · · Score: 2, Insightful

    IT-Security is not handled by the technical department when it comes to the feds. It's handled by the legal department.

    Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.

    The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.

    And those people should be trusted with my information?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. FBI Blames Broken DB for FBI Breaking Laws by Doc+Ruby · · Score: 2, Informative

    The FBI has blamed its blatant long-term abuse of the Bush privacy-invasion toy "National Security Letters" on its broken database.

    Since, as usual, no one at Bush's FBI has suffered after disclosure of this destructive abuse, the excuse will of course multiply in popularity.

    Funny how Bush Gang "mistakes" always seem to benefit Bush, though his gang claims it's all just accident and happenstance. Random distributions that always favor Bush must be "miracles".

    --
    make install -not war

  15. Good old FBI by MikeRT · · Score: 4, Insightful

    Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...

    This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?

  16. Good. Government transparency is great. by dj42 · · Score: 2, Insightful

    We need more gov't transparency. Appointing stooges to the DOJ to fire the noncompliant, limiting free-speech, obfuscating information to the journalists, and distrusting the American public to the point of borderline treason, I would hope that somewhere, somehow, eventually true, honest, and open people get hold of information that will shed light on the gov't actions in the last 6 years. /Woops... *removes tin foil hat, jumps in the ocean, swims, far*.

    --
    We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
  17. Re:Fallacy when dealing with government IT securit by brennz · · Score: 2, Insightful

    This is incorrect.

    The FBI, like all other government agencies, has a CIO with an office of security under him responsible for securing their IT systems.

    http://www.fbi.gov/hq/ocio/ocio_home.htm

  18. Pipe Dream: what's the cost? by cyberianpan · · Score: 2, Informative

    TFR:

    Specifically, FBI did not consistently
    (1) configure network devices and services securely to prevent unauthorized insider access;
    (2) identify and authenticate users to prevent unauthorized access;
    (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
    (4) apply strong encryption techniques to protect sensitive data on its networks;
    (5) log, audit, or monitor security-related events;
    (6) protect the physical security of its network; and
    (7) patch key servers and workstations in a timely manner.

    Insider attack is always a risk; full solutions against it are 1) impossible 2) infinitely costly (see 1).

    I work in Financial Services a lot - these solutions aren't necessarily all implemented that strongly; the limitation is cost. Without seeing a costing plan for the above utopian remediation I'm not so sure it is needed. I'm not saying the FBI are necessarily good - just that the report language is too general/pipe-dreamish to know.
  19. The FBI is computer-challenged by grandpa-geek · · Score: 2, Insightful

    The fact that the FBI is computer-challenged has been known for years. It goes well beyond information security.

    When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.

    Some years ago the chief of FBI information security turned out to be a spy for the Soviet Union. There wasn't anyone at the FBI who knew enough about computers or information security to realize that he was compromising them.

    A major FBI system development was one of the huge systems canceled in the 1990's because it wasn't properly managed and became impossible to complete.

    I suppose geeks don't fit the image the FBI wants for its people. Computer-illiterates do. That's the way things go there.

  20. Yeah well, you know how it goes, theory X mgmt by br0d · · Score: 2, Insightful

    No stock price to piss off shareholders, who beat up on a board of directors. No CEO for them to beat on, so he can then beat up on his CIO, who then beats up on directors who beat up on team leads, who work hard to create tight solutions. Money is generally a better motivator than standards compliance.

  21. FBI IT Restructuring Problems by PPH · · Score: 2, Interesting

    The stories about the FBI's ongoing IT restructuring troubles have been covered extensively in the industry news over the past few years. Having been involved in similar work for another (in)famous gov't agency, the problems look all too familiar.

    Some years ago the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades-old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house were answered with threats from industry lobbyists to get their funding cut so severely they would barely have the money for normal operations.

    The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.

    --
    Have gnu, will travel.