Govt. Report Slams FBI's Internal Network Security
An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately 'identify and authenticate users to prevent unauthorized access.' The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."
I've worked in another agency in a related line of work. FBI security is a joke. Everyone knows it. An FBI agent's idea of "information security" is carrying a gun when he brings home Top Secret documents in his glove compartment. Their security flaws are a reason intelligence organizations are reluctant to cooperate.
They run that Sh!tH*le like it's some cruddy Government institution, ferchrissake!
"Flyin' in just a sweet place,
Never been known to fail..."
Goooood, means it's possible to get to those x-files after all....
"we've got trenchcoats and bad attitudes" - John Constantine, HellBlazer
All Windows bashing aside, does it matter? Internal Network Security could be lacking because, rather than installing and configuring sudo, half the team is given the root passwords to su with.
;)
That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"?
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Unpatched they may be, but when they come bursting through your door, you'd sure-as-hell better welcome them as your new digital overlords...
Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?
In most cases, yes.
However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.
At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.
They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.
Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!
Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
After all, crime fighting stats don't rise for not catching those who didn't manage to break the law, because it was too difficult.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I've worked for private companies, local government and federal government. IT in some federal agencies is very scary.
CAC cards are used, but terminal servers and websites for teleworking still allow username/password.
Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.
Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.
EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.
Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."
Everyone is a local administrator, so Google toolbars and instant messaging programs pop up here and there. The creative users block group policy.
Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.
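A local audit for three of the weaknesses listed in the comment above (stored LM hashes, extra local administrators, documents saved under System32), as an added example that is not part of the original thread. The function names are hypothetical, the document extensions are a constructed sample list, and the script assumes an elevated Windows PowerShell 5.1+ session on the host being checked.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Run in an elevated Windows PowerShell 5.1+ session on the host being checked.

function Test-LmHashStorage {
    # NoLMHash = 1 tells Windows not to store an LM hash at the next password
    # change; hashes already stored remain until each password is changed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $key -Name 'NoLMHash' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'LM hash storage disabled'
        Pass   = ($null -ne $lsa) -and ($lsa.NoLMHash -eq 1)
        Detail = if ($null -eq $lsa) { 'NoLMHash not set' } else { "NoLMHash=$($lsa.NoLMHash)" }
    }
}

function Get-ExtraLocalAdmin {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # Every member other than the built-in account (RID 500) is listed for review.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -notmatch '-500$' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Find-DocsInSystem32 {
    # User documents have no business in the system directory; finding them there
    # means ordinary accounts can write to it. Extension list is a sample.
    $patterns = '*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx'
    $path = Join-Path $env:windir 'System32\*'
    Get-ChildItem -Path $path -Include $patterns -File -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }
}

# Report: one object for the registry check, then one row per finding.
Test-LmHashStorage  | Format-List
Get-ExtraLocalAdmin | Format-Table -AutoSize
Find-DocsInSystem32 | Format-Table -AutoSize
```

Any row from the second or third function is a finding to review, not an automatic failure: a domain admin group in the local Administrators group is normally expected, while individual user accounts are not.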
Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...
This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?