Slashdot Mirror


800 Break-ins at Dept. of Homeland Security

WrongSizeGlass writes "Yahoo is reporting about the computer security nightmare going on at the Department of Homeland Security. Senior DHS officials admitted to Congress that over a two year period there were 800 hacker break-ins, virus outbreaks and in one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. I guess it's true what they say ... a mechanic's car is always the last to get fixed."

69 of 276 comments

  1. I'll only say... by damn_registrars · · Score: 5, Insightful
    That ending line is far too kind.

    "a mechanic's car is always the last to get fixed" Assumes that the DHS is somehow competent to fix anything at all.
    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:I'll only say... by Intron · · Score: 5, Insightful

      Never mind competent. What exactly do they do? I can understand the purpose of the FBI, CIA, NSA, Treasury, FDA, FAA and SEC in law enforcement. What does DHS do that isn't covered already? The only thing I can find is publishing the threat level (currently Yellow = Run and Hide, except the airline industry is at Orange = Don't Bring Juice). Does anyone pay attention to that?

      Do we really need a whole bureaucracy to make the various departments share information and cooperate with each other? Aren't they run by grownups?

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:I'll only say... by statusbar · · Score: 4, Insightful

      Homeland Security = Homeland Insecurity

      What they DO is they bring insecurity to every sector of government and society that they touch, in the name of "Security"

      It is all about optics... It doesn't matter that their computers are insecure... obviously the problem is that the fact that their computers are insecure should be a top-secret fact. It is not something that they feel needs to be fixed. They are only there for the illusion.

      --jeffk++

      --
      ipv6 is my vpn
    3. Re:I'll only say... by hachete · · Score: 4, Insightful

      At times of great political crisis for the Republican Party, the threat level goes up.

      Troll or humour, I don't know meself.

      --
      Patriotism is a virtue of the vicious
    4. Re:I'll only say... by bberens · · Score: 5, Funny

      You see, the Department of Homeland Security is the 'People Person' of the national security industry. They take the top secret files from the FBI to the CIA. Usually their secretaries do it, but sometimes they do it personally. This is an important task so that the FBI doesn't have to deal with the CIA.

      --
      Check out my lame java blog at www.javachopshop.com
    5. Re:I'll only say... by Anonymous Coward · · Score: 2, Funny

      We're putting new coversheets on all the secret files before they go out now. So if you could go ahead and try to remember to do that from now on, that'd be great.

    6. Re:I'll only say... by bdjacobson · · Score: 2, Insightful

      It is all about optics... It doesn't matter that their computers are insecure... obviously the problem is that the fact that their computers are insecure should be a top-secret fact. It is not something that they feel needs to be fixed. They are only there for the illusion.

      --jeffk++

      Further, they have a vested interest in allowing these sorts of things to happen. That way they can go "See? We told you to give up those rights..."
    7. Re:I'll only say... by rtb61 · · Score: 2, Insightful
      No, all of that is about establishing fear in the public for political purposes. Also as a measure of training, so that the poor without influence get used to the idea of being randomly searched and the property being subject to random inspection, i.e. any possible threat to the rich with influence should be curbed, controlled and constrained.

      They are establishing a system of three distinct classes, one that is subject to physical degradation, dehumanisation and control, and another that escapes it and enforces it upon others, and the overseers that look down upon the animals in their pens.

      Are the wealthy in their private planes and charter flights subject to those inspections, are politicians subject to those inspections, are the authorities' agents of control subject to those inspections? Freedom is always hard to gain and a struggle to achieve, whereas simple indifference will see it disappear, to be taken away piece by piece.

      --
      Chaos - everything, everywhere, everywhen
  2. Big assumption by Tony · · Score: 5, Insightful

    I guess it's true what they say ... a mechanic's car is always the last to get fixed.

    That's very true.

    Especially when the mechanic is incompetent, and more interested in throwing around political weight than actually trying to accomplish anything useful.

    --
    Microsoft is to software what Budweiser is to beer.
    1. Re:Big assumption by TubeSteak · · Score: 3, Informative

      Especially when the mechanic is incompetent, more interested in throwing around political weight than actually trying to accomplish anything useful.
      You show me a mechanic who has to deal with multiple bureaucracies to get things done & I'll show you a mechanic who has to build up and throw around 'political' influence in order to get results.

      If the Dept of Homeland Security was a car, it'd have incompatible parts from every car manufactured over the last hundred years.

      What's with the car analogies anyways?
      They usually suck.
      --
      [Fuck Beta]
      o0t!
    2. Re:Big assumption by misanthrope101 · · Score: 3, Insightful

      Not only that, but the car would be made of incompatible parts that the auto makers coughed up when they were directed to hand over parts to a competing agency--i.e. the parts that the company found least useful and valuable. There aren't many bosses who, when told to give up people, wouldn't use it as an excuse to jettison all the incompetents, whiners, bullies, and troublemakers they couldn't manage to fire earlier. So the DHS is comprised of rejects, and has no discernable mission, and has to deal with bureaucratic infighting.

    3. Re:Big assumption by An+ominous+Cow+art · · Score: 4, Funny

      What's with the car analogies anyways?
      They usually suck.

      A good car analogy is like a car that lasts many years, without excessive maintenance bills, gets good mileage, is safe, roomy, and stylish.

      A bad car analogy is like a lemon.
    4. Re:Big assumption by dgatwood · · Score: 3, Funny

      I can see it now.

      DHS Mechanic: Umm... why does this car have five steering wheels and no brakes?

      FBI Engineer: Oh, it's okay. We determined that you didn't need brakes. All you have to do is put your feet down through the missing section of floor there and drag them until you stop.

      DHS Mechanic: Won't that break your legs?

      FBI Engineer: Oh, you wanted a safe car? You should have specified that on requisition form 27B-6.

      Yeah.... Our government at its finest.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Homeland Security != Information Security by EveryNickIsTaken · · Score: 2, Insightful

    I guess it's true what they say ... a mechanic's car is always the last to get fixed.

    Since this analogy isn't applicable in this case, maybe you're confused (?)... DHS was created in response to the 9/11 attacks, and responds to potential terrorist threats and attacks on US soil. They're not a group of IT guys or white hats.
    1. Re:Homeland Security != Information Security by damn_registrars · · Score: 3, Funny

      Apparently cyber-terrorism isn't important then?

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    2. Re:Homeland Security != Information Security by EveryNickIsTaken · · Score: 3, Funny

      No, it's not. Cyber-terrorism is a buzzword made up by idiots.

    3. Re:Homeland Security != Information Security by Johnny+Mnemonic · · Score: 4, Informative

      Part of their mandate and jurisdiction is Information Security; they are charged with protecting the computing infrastructure of the country.

      --
      $tar -xvf .sig.tar
    4. Re:Homeland Security != Information Security by mcpkaaos · · Score: 5, Funny

      Kinda like "War on Terror"?

      --
      It goes from God, to Jerry, to me.
    5. Re:Homeland Security != Information Security by The+Angry+Mick · · Score: 3, Funny

      They're not a group of IT guys or white hats.

      Thank you for that clarification. I feel so much better now knowing that the department in charge of protecting the U.S. from terrorists has no technical skills.

      --

      I'm not tense. I'm just terribly, terribly, alert.

    6. Re:Homeland Security != Information Security by Anonymous Coward · · Score: 2, Funny

      I believe you are trying to say it is a cyber-buzzword.

    7. Re:Homeland Security != Information Security by Farmer+Tim · · Score: 5, Funny

      they are charged with protecting the computing infrastructure of the country.

      What's Chinese for "pwned"?

      --
      Blank until /. makes another boneheaded UI decision.
    8. Re:Homeland Security != Information Security by morgan_greywolf · · Score: 2, Funny

      Part of their mandate and jurisdiction is Information Security; they are charged with protecting the computing infrastructure of the country.


      I heard they were farming that out to Microsoft India... ;)

    9. Re:Homeland Security != Information Security by EveryNickIsTaken · · Score: 2, Funny

      Would you support another bureaucracy to take care of electronic threats? Perhaps the EPA - I'd imagine even those tree-huggers could do a better job of securing networks than the clowns in the DHS.
    10. Re:Homeland Security != Information Security by eln · · Score: 5, Insightful

      DHS was created in response to the 9/11 attacks as a purely political move to make it look like we were serious about fighting terrorism. It created a huge bureaucracy, gave it an impossibly broad mandate, and made it more difficult for existing agencies (that were moved under DHS because they were at least tangentially related to protecting the country against various things) to do their jobs. As a result, the government is far less capable of intelligently defending against attack than it was before. It is only capable of wildly overreacting to perceived threats (like someone slipping through airport security with 4 ounces of hand soap rather than the mandated maximum of 3), again so it can appear as if it is on top of things.

      DHS was a bad idea that was implemented poorly out of a panicked need to do *something* following the attacks.

    11. Re:Homeland Security != Information Security by TheRaven64 · · Score: 2, Insightful

      Cyber-terrorism has the potential to be a much more effective method of terrorism than violence. Just before Christmas, the airports in London were closed. A lot of people had to sleep in (cold) airports, and many didn't make it home to spend Christmas with their families.

      In absolute terms, this didn't have the same impact as killing a load of people; no one actually died to my knowledge. For the people involved, however, it was far more personal than some people they'd never met being blown up, and a lot more people were affected than in most terrorist actions.

      A similar effect could be had by infecting the air traffic control computers, for example, or even the airlines' booking computers (imagine if they were hacked to allow every seat to be booked twice...).

      There's a great bit in Good Omens where a group of demons are recounting their day's work, and none of the old crowd can understand why tying up the London mobile phone networks for a couple of hours over lunch is evil. Just because no one dies, doesn't mean that there isn't real damage. It's also much easier for people who aren't directly affected to sympathise with terrorists who don't kill anyone than with ones that do.

      --
      I am TheRaven on Soylent News
    12. Re:Homeland Security != Information Security by _Sprocket_ · · Score: 4, Funny

      What's Chinese for "pwned"?


      Outsourced.
    13. Re:Homeland Security != Information Security by eln · · Score: 2, Insightful

      It was attacked twice 8 years apart. By that metric, we aren't due for another attack until 2009. In the meantime, there have been several attacks on US interests abroad. Terrorist attacks on US soil were extremely rare before DHS, and are extremely rare now.

    14. Re:Homeland Security != Information Security by encino · · Score: 3, Interesting

      I work for DHS in the Science & Technology Directorate (S&T), and while DHS has a long way to go, there are very smart people here that have sacrificed lucrative careers to dedicate themselves to service to the nation. With a Ph.D. in computational biology from Stanford (i.e., I consider myself to have technical skills), I decided the morning of 9/11 that I would not seek a job at a Biotech or Pharma company in the Bay Area upon graduation, but would rather try to get involved and help the nation with whatever talent and education I have been given. There are many others like myself in S&T - thankfully S&T has not (yet!) turned into the typical government clock-punching organization. People here are top-tier, driven, bright, and creative. I am proud of where DHS has come (at least in my corner of it), while acknowledging that we have a long long way to go. Oh, and for the record, DHS employees are not required to be members of the Republican party.

    15. Re:Homeland Security != Information Security by encino · · Score: 4, Informative

      I am assuming you mean S&T, not DHS overall. Science & Technology is the primary research and development arm of the Department - we're different from other science-related organizations like NIH, NSF, etc., in that our work must have clear line-of-sight to security applications. Not to say we don't have some focus in the basic sciences, but rather to say that it's only about a 20% focus. We also have a portion of our research budget that goes to high-risk things that will probably fail. Thankfully our leadership here in S&T understands that in science, you need to have at least some fraction of your research portfolio 'on the edge' - that's where you find the home-runs, and not always in the 'safe' stuff. This is hard to defend though, since Congress doesn't like hearing that you're spending research dollars on 'risky' projects expected to fail. In addition to research, the 'T' in S&T means that we develop technologies for the first responders and other users (i.e., interoperable radios and communication, Chemical and Biological detectors, other miscellaneous cool widgets, etc.) You may also (correctly) guess that any significant effort to prevent terrorist use of WMD requires top-notch scientific and technical expertise as well, so we do a lot of WMD-related work. Hope that helps.

    16. Re:Homeland Security != Information Security by ArsenneLupin · · Score: 2, Funny

      I am assuming you mean S&T,

      And I assume that GP was just being sarcastic...
  4. One thing is for sure. by AltGrendel · · Score: 5, Insightful

    The people that are smart enough to really do this IT stuff properly for the DHS are smart enough to earn more money elsewhere.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:One thing is for sure. by Guppy06 · · Score: 4, Insightful

      "The people that are smart enough to really do this IT stuff properly for the DHS are smart enough to earn more money elsewhere."

      And even if the pay was the same, there's still the many months and ungodly amount of paperwork involved in trying to get a government job. Are you going to go for the offering that's available next month or next year?

    2. Re:One thing is for sure. by jimicus · · Score: 3, Interesting

      Further, the people who are likely to be seriously interested in infiltrating the DHS are quite able to find and finance someone with the capability to do so.

    3. Re:One thing is for sure. by jofny · · Score: 4, Insightful

      And lo! Slashdot accidentally discovers the reason for the lucrative concept of "government contracting". Of course the government can't compete with pay - they also can't hire or fire in any reasonable manner, so most of the staff consists of long term contractors...which partially negates the "blame X on government employee salaries" habit in a lot of these conversations.

  5. Thank god we fixed a 40 billion dollar bureaucracy by Anonymous Coward · · Score: 5, Funny

    ...that failed to deliver when it came to 9/11 warnings by layering on a new bureaucracy on top of the failed bureaucracy.

    Clearly what we need is a new Dept. of Homeland Security Security.

  6. 800 is a lot compared to who? by jofny · · Score: 5, Insightful

    Point 1: Considering the complete inability of standard technical solutions to security problems to prevent a significant number of attacks/infections from being successful, this is not like the mechanic's car getting fixed last. It's called "the security industry and standard methodologies continue their long history of consistent failure at organizations, both public and private".

    Point 2: Those numbers are a completely meaningless abstraction without tying them back to type of attack, actual damage, importance of the data on those systems or their roles in launching further attacks, what kind of infections occurred and their damage potential, and finally what those numbers look like compared to other orgs of the same size.

    Point 3: Homeland Security is comprised of multiple mostly-independent sub orgs (like Coast Guard, TSA, etc)... so saying DHS had so many attacks is misleading without clarification.

    Point 4: Not saying they're not making mistakes, just that those "facts" don't tell you either way what the actual state of things is.

  7. When you are a primary target by Ngarrang · · Score: 3, Interesting

    When you are a primary target like the DHS, I would imagine that the attacks they face are probably harder and longer than most possible victims. I would be interested to know how many hack attempts failed to see what kind of success rate such a high profile agency has. No security is perfect.

    ""What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said."

    Meh, whatever. This seems to me to dismiss the high profile nature of the DHS. Most other businesses might not even survive the onslaught faced by the DHS and other government sites.

    Could they do more? Sure. There is ALWAYS more that can be done from the user level up to systems and network admin.

    "All the problems involved the department's unclassified computer networks..."

    That is good to know.

    --
    Bearded Dragon
    1. Re:When you are a primary target by Critical+Facilities · · Score: 3, Insightful

      Most other businesses might not even survive the onslaught faced by the DHS and other government sites.
      I agree with you that DHS is a "juicier" target than some businesses, I'm willing to bet that the attacks (and the frequency of them) against Bank of America, Citibank, Equifax, etc, are just as bad if not worse.
    2. Re:When you are a primary target by darthnoodles · · Score: 4, Funny

      harder and longer

      This post failed to pass my spam checker.
    3. Re:When you are a primary target by jimicus · · Score: 2, Interesting

      I think you've made a very good point there.

      The DHS could guarantee that all computer-based attacks would be fruitless overnight. They'd just have to get rid of all their computers and resort to pocket calculators, slide rules and abacuses.

      Unfortunately, that's about the only way to provide a 100% cast-iron guarantee that there's no way in hell the computer systems will be hacked.

      Even if you did take such an extreme measure, the result would be that anyone that interested in getting information about what the DHS is doing would plant a few individuals in there.

  8. This was predicted by Johnny+Mnemonic · · Score: 3, Interesting


    even by Slashdot pundits, when we learned of the huge Dell and Microsoft contracts that were being awarded by the DHS.

    Those who wanted the DHS to be a braintrust of security were sorely disappointed, and indeed we can see that it is nothing more than another bureaucracy more interested in distributing taxpayer funds to corporate friends than really doing anything for the health and welfare of the nation.

    This is how Rome fell.

    --
    $tar -xvf .sig.tar
    1. Re:This was predicted by Timesprout · · Score: 3, Insightful

      Never mind predicted, this is desirable for the DHS, it's further 'proof' there are bazillions of terrorists out there hell bent on destroying the US.

      --
      Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
  9. Well, it makes sense by WindBourne · · Score: 5, Informative

    DHS was started by a number of folks from the marines (I worked for one). They were ALL windows believers (but the ones that I knew were very so-so in the tech work). They were adamant about not being like NSA in spite of the fact that NSA has 2 missions: 1) obtain any info that they can on others 2) secure our boxes. NSA has a LARGE number of mathematicians as well as computer geeks. And windows is only allowed in non-secured arenas or has its network capability severed at a hardware level (i.e. no nic or usb). If DHS had been run by professionals and not politicians from the military (ALL of the top ones were W.'s, Cheney's and esp. Rumsfeld's friends), then they would not have had the break-ins.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  10. 1-800-Break-Ins by OzPeter · · Score: 3, Funny

    That was how I read the summary and it made me think - Dang the Dept of Homeland Security is so (dis)organised that you can phone in break in requests to their systems

    --
    I am Slashdot. Are you Slashdot as well?
  11. Out of Context by WarpSnotTheDark · · Score: 3, Insightful

    Look at any government agency or corporate IT infrastructure - 800 break-ins is not a big number. I have been conducting information security analyses for many years for corporate networks and government entities and 800 is not a high figure. What you have to find out before considering this a valid story is: was integrity, confidentiality or availability of their infrastructure affected by these break-ins or was it just dorks poking their nose through the DMZ to see what they could find.

    1. Re:Out of Context by scatters · · Score: 2, Insightful

      The problem is that 800 is the number they know about. What's the real number?

      --
      A One that isn't cold, is scarcely a One at all.
    2. Re:Out of Context by jofny · · Score: 2, Insightful

      Considering the fact that there IS monitoring going on, I'd say the 800 figure is probably much closer to the "truth" than a lot of other organizations' numbers who DON'T monitor. Exchange often attributed to an anonymous officer at DoD: "My systems have never been broken into!" "How do you know, have you looked?" -Silence-

    3. Re:Out of Context by WarpSnotTheDark · · Score: 2, Insightful

      You're right; 800 is the number they know about and a large part of that number comes from reports generated by Signature-Based Intrusion Detection Systems. Do a little research on Intrusion Detection Systems and you will find that they inherently have an extremely high false-positive rate: A poorly written program or improperly configured access permissions will trigger a high number of false positives - this is by design because it is generally safer to assume an action was malicious so that you have to track it down and find out what really happened, then update your signatures (who ever does that?) rather than assume it was a new printer with UPNP making a nuisance of itself. 800 is the number they know about and I can guarantee you that this number is pretty darn close to being dead-on. Additionally, unauthorized hits on their boundary defenses are counted - also counted are inexperienced hackers who get sucked into the honeypot. I know you want to believe that DHS is a bunch of incompetent fools running around with no idea what they should be doing, but I know, first hand, that they are a seriously organized (though overly bureaucratized) group of organizations (you do realize the scope of DHS don't you? It's absolutely ENORMOUS!).
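
The gap described in the comment above, between raw signature hits and what survives once an analyst has tracked each one down, shown as an added example that is not part of the original thread. The signature names, hosts and log lines are constructed for illustration and come from no real IDS ruleset.

```python
import re
from collections import Counter

# Hypothetical signatures, constructed for this example. Each is deliberately
# broad: it fires on anything matching the pattern, malicious or not.
SIGNATURES = [
    ("UPNP-DISCOVERY", re.compile(r"^M-SEARCH \* HTTP/1\.1")),
    ("AUTH-FAILURE", re.compile(r"authentication failure", re.I)),
    ("ADMIN-GROUP-CHANGE", re.compile(r"added to group Administrators", re.I)),
]

# Constructed sample events: (source host, payload or log text).
EVENTS = [
    ("10.0.0.50", "M-SEARCH * HTTP/1.1 ST: ssdp:all"),         # new printer, UPnP on
    ("10.0.0.50", "M-SEARCH * HTTP/1.1 ST: upnp:rootdevice"),
    ("10.0.0.50", "M-SEARCH * HTTP/1.1 ST: ssdp:all"),
    ("10.0.0.17", "sshd: authentication failure for backup"),  # job with stale credentials
    ("10.0.0.17", "sshd: authentication failure for backup"),
    ("10.0.0.23", "account svc_tmp added to group Administrators"),  # not yet explained
    ("10.0.0.99", "GET /index.html HTTP/1.1"),                 # matches no signature
]

# Analyst-maintained tuning list: (source, signature) pairs that were
# investigated and found benign, with the reason recorded.
TUNING = {
    ("10.0.0.50", "UPNP-DISCOVERY"): "printer with UPnP enabled",
    ("10.0.0.17", "AUTH-FAILURE"): "backup job with stale credentials",
}


def match_signatures(events):
    """Return one (source, signature) alert per event/signature match."""
    alerts = []
    for src, text in events:
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                alerts.append((src, name))
    return alerts


def triage(alerts, tuning):
    """Collapse repeats per (source, signature), then split the result into
    explained false positives and findings that still need investigation."""
    explained, open_findings = {}, {}
    for key, hits in Counter(alerts).items():
        if key in tuning:
            explained[key] = (hits, tuning[key])
        else:
            open_findings[key] = hits
    return explained, open_findings


def summarize(events, tuning):
    """Compare the raw alert count with what remains after triage."""
    alerts = match_signatures(events)
    explained, open_findings = triage(alerts, tuning)
    return {
        "raw_alerts": len(alerts),
        "distinct": len(explained) + len(open_findings),
        "explained": len(explained),
        "open": sorted(open_findings),
    }


if __name__ == "__main__":
    print("untuned:", summarize(EVENTS, {}))
    print("tuned:  ", summarize(EVENTS, TUNING))
```
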

  12. Ha! by Anonymous Coward · · Score: 4, Interesting

    That's nothing. A password cracker is included in the OS load of every server here. Our security auditing program uses it! Better yet, it would normally be detected by our antivirus program, but a guy here is paid to remove its pattern from the vscan updates before they're sent out. When an unedited vscan pattern file manages to make its way on to the machine somehow, it nukes the audit program. How's that for "administratively broken"?

  13. Usual illiteracy... by Otter · · Score: 2, Informative
    800 Break-ins at Dept. of Homeland Security

    No, there were over 800 incidents ranging from a single (if I'm understanding correctly) break-in to other problems from malware and less.

    By the way, seven comments already and not one anguished wail from a 14-year-old pretending to be a grizzled veteran upset about the changing meaning of "hacker"? Get a move on, guys!

  14. Break-ins at Homeland Security by Rik+Sweeney · · Score: 2, Funny

    Article needs the following tag:

    Irony

  15. Re:On the good side... by Reverend528 · · Score: 2, Informative

    In other cases, computer workstations in the Coast Guard and the Transportation Security Administration were infected with malicious software detected trying to communicate with outsiders; laptops were discovered missing; and agency Web sites suffered break-ins.
    I'll admit that "discovered missing" was probably a poor choice of words, but the article pretty clearly states that there were lost laptops.
  16. Re:On the good side... by gethoht · · Score: 2, Informative

    They haven't lost a laptop that we know about, but how about a hard drive with thousands of SSN#'s on it?

    http://www.toptechnews.com/story.xhtml?story_id=033003P6Z4B6

    "The agency said it did not know whether the device is still within headquarters or was stolen."

    --
    All things are subject to interpretation, whichever interpretation prevails at a given time is a function of power and n
  17. My brief experience in DHS by erroneus · · Score: 3, Insightful

    This is no exaggeration. As with virtually any other government employment, the DHS is filled with people who just want titles and a paycheck. Most morons know how to install windows and office and a few of those can even install a server and exchange email. Whether they know anything useful or not, they don't really care about doing more than the bare minimum to keep their paychecks flowing. I blame the way government pays and oversees people for this. There is not much in the way of pay or advancement by merit in government employ. Everyone's too afraid of discrimination suits and the like. So the only measured basis one can use safely is time in service really. Other than that, the culture is to keep your head down and do the bare minimum.

    And if you think the creation of DHS was a carefully planned and well-thought-out move, I think the historical evidence speaks to the contrary.

    The only solution is for detailed requirements for security and data handling. It would be more effective than not having any... they really don't have much in place now. How secure can they be with Microsoft everything running their offices?

  18. 800 is that really high? by Seventh+Magpie · · Score: 2, Insightful

    800 includes virus infections as well. Let's see, there are about 150,000 employees of DHS, so assuming there is at least 1 computer per employee, there must be somewhere in the range of 150,000 computers? Let's be conservative and say 100,000 computers. 800 incidents, that is less than 1%. Now take any other enterprise with that many computers, you IT guys tell me, is under 1% rate for computers without virus infections or intrusions a failure? Hell it isn't perfect, but it should be expected.

    The bottom line is I don't care what kind of agency, business, enterprise, securing that many computers is impossible no matter what. You always have the human factor involved. Once you get 150,000 people thinking security (impossible to do) then you can be close to perfect.

  19. It is to be expected ... by arthurpaliden · · Score: 2, Informative

    When the first question out of the DHS purchasing agent after the demo is 'And the name of your Congressman is?'

    Yes, this really happened, it is recorded in my lab book.

  20. They have holes in their security... by athloi · · Score: 5, Funny

    ...that you could fly a 747 through!

    Oops, that was in bad taste.

  21. Re:Thank god we fixed a 40 billion dollar bureaucr by jimicus · · Score: 2, Interesting

    Let's be honest, that's about all governments ever do. When was the last time you heard of a government organisation made more effective by simplifying things?

  22. you people don't get it by Lord+Ender · · Score: 2, Insightful

    Most companies' security strategies primarily rely on two things: patching and virus scanning.

    Maybe break-ins are rare for you, and you think you are doing security really well. In reality, your success is based primarily on the fact that nobody good is targeting you. The people who discover flaws, write the exploits, and create the effective viruses do NOT target your pissant little company. They target governments and financial institutions.

    Once the flaws and viruses are discovered by the primary targets, you get the luxury of updating your software and signature files before anyone gets around to target you.

    DHS may have security a million times better than yours, but they are a primary target, so they get hit a billion times harder.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:you people don't get it by _Sharp'r_ · · Score: 2, Interesting

      A few years ago I was the technical manager for a company that developed and hosted major ecommerce sites. Sites for the largest retail brands in the world. They were very, very, high profile. Any downtime was usually measured in millions of dollars of revenue lost. We went months at a time without any downtime at all, not even scheduled downtime.

      We never once had a break-in. We never once had a tripwire report that a single file had been changed by someone without authorization.

      We also ran primarily Solaris, Tru64 unix, FreeBSD and Linux (for internal IT stuff like the office mail servers), with windows essentially confined to some desktops on an isolated network.

      We also had layered, physically divided networks, with stateful firewalls between layers, switches with ACLs on ports controlling traffic, and all server and workstation OS's hardened before deployment as if they were going to be exposed directly to the internet. Oh yeah, and commercial IDS devices on each network. Users weren't root/administrator on anything, except for the lead developers tracked using sudo on their solaris sandbox and the Sys Admins using sudo elsewhere.

      We also did a randomly scheduled once-a-month walkthrough of the work spaces to ensure that no passwords were written down anyplace someone with physical access could get them. We also didn't use stupid change-every-month password policies, but instead instructed staff to create phrases and combinations that mentally translated into their secure personal passwords and also further used ssh keys and keygen dongles where appropriate.

      Root passwords were randomly generated and stuck in an envelope in a safe, just in case we ever needed them. If ever used (for example, for console access on a box booting in single user mode due to a hardware problem) they were immediately changed once the use was complete.

      We also had multiple QA and staging environments for configuration, content management, security, functional, and performance code testing before deployment. We also had full redundancy and load balancing for every essential server and device.

      Oh yeah, we also had a major annual security audit by a good third-party IT security specialist firm. They never once found anything exploitable, despite their best efforts and even given internal network access.

      Of course, the previous developer/hoster of the largest brand we supported, when it came time for the transition to our platform, went ahead and decided to physically mail us a DVD with all of their customers' personal and credit card information on it in plain text to use for testing the customer import process. So the above standards aren't exactly universally true of private companies.

      But while I've heard lots of bad security stories about government agencies (I knew a network guy contracted to the Department of Agriculture who found out one day that the firewalls for the entire department of agriculture had been set to pass all traffic for 6 months since they were too much trouble to keep configured properly) and about government IT project fiascos (they all take 2-3X as long as expected, cost 2-3X, then never get finished, but instead get rolled into a new project to do the same thing), I've never heard of an actual government IT success story.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  23. My computer is always the FIRST to get fixed. by khasim · · Score: 5, Insightful

    Gotta agree with that. If they were competent, they'd have their own house in order.

    Just as anyone here who's competent with a computer has their systems up-to-date and tuned.

  24. The department of "homeland security" by danpsmith · · Score: 4, Interesting

    I think the reason that people see any irony at all in these types of stories is the fact that they actually expect that the government is as good as its hyperreal image. Of course government agencies aren't infallible, but to suggest this is to deny this hyperreal, overemphasized "we're efficient, intelligent and we know things about you you don't even know" public persona. Without a sufficient belief in the agencies like the CIA and the FBI, and the belief that they are actually more informed than the masses and that the government is more in the know than anyone is aware (unless they are in the government), people would want to know where all this security spending is going (which is a problem for anyone). The government is an inept, massive body of people that is unable to act upon information quickly due to its many layers of bureaucratic bullshit and the legality of everything. The only solution to this problem is to eliminate some of the bureaucracy (firing people, which, of course, can't be done), or to eliminate the red tape (legislation, which, if you eliminate too much becomes a Bush-like grab for power), neither of which will ever be done due to the nature of the politicians in charge. So the federal government, no matter what the politicians say, will continue to grow as a monolithic, insecure and ineffective beast while feeding you the image of a secure, fast, intelligent and best of class organization, and terrorists with their small but efficient plans will continue to find gaping holes in the system. And that's why irony in this case can be saved for the naive and the uninformed; the rest of us see things like this coming a mile away.

    --
    Judges and senates have been bought for gold; Esteem and love were never to be sold.
  25. FUD Article by Evil+W1zard · · Score: 4, Insightful

    Ok so here is the deal. DHS' network is a mesh of multiple other networks that were already in existence. This is problematic in itself as it involves a heavy amount of integration and also borders upon borders of perimeter security (each disparate agency is part of the whole but may have its own controlled interfaces for some level of separation)...

    Now let's go to the article. To the layman you say 800 compromises and they go into "WOW THAT IS SO BAD" mode, but seriously come on. The compromises are mostly workstations. Now that doesn't mean they get a free pass, but it's not like they have had their core servers owned by foreign states... What they should be doing is not only scanning apps, DBs, and servers and patching/hardening them appropriately, but also client-side firewalling, config control of workstations, baseline security mechanisms for remote users, centralized virus/vulnerability patching... This article does not surprise me whatsoever and it really is not an indication that DHS security is horrible. It's not the best, but 800 is not that bad.

    --
    News Reporters Make Tasty Polar Bear Treats!
  26. Salient FACTS by N8F8 · · Score: 3, Informative
    The DHS has around 200,000 employees.

    The article actually says "800 hacker break-ins, virus outbreaks and other computer security problems over two years".

    These numbers are remarkably low, if true. I once cleaned over 1000 viruses, rootkits and spyware apps off the computer of a busy, filesharing teenager. 800 from 200,000 employees is pretty low. Not to mention that these are on public terminals since the real important data passes across private DoD networks (SIPRNET and JWICS). Another clueless article written by another clueless reporter spreading FUD to the clueless liberal masses.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  27. Mechanics are IT for cars by bussdriver · · Score: 2, Informative

    Anybody notice how similar mechanics can be to IT support? The jobs are similar even if the skill set is not.

  28. congressional hearings by pprboy · · Score: 2, Informative

    Today's hearing is expected to examine specific incidents that took place on the DHS servers, including "rootkits, classified leaks, compromised websites, bot infections, unauthorized use of networks by contractors, and viruses." The subcommittee has also identified a specific DHS network that is "riddled with ... weaknesses" and could result in data leakage.

    so it includes servers

  29. Homeland Security means: by droopycom · · Score: 4, Informative

    TSA (Not covered by CIA, FBI or other Law Enforcement)
    FEMA
    Customs and Border Protection
    Immigration (Former INS)
    Secret Service (Not covered by CIA, FBI or any other Law Enforcement)
    Coast Guards (Not covered by CIA, FBI or other Law Enforcement)

    I'm no fan of them, but how about you take a look at their website if you want to know what they are supposed to do:

    http://www.dhs.gov/xabout/structure/editorial_0644.shtm

    1. Re:Homeland Security means: by cayenne8 · · Score: 3, Interesting
      "TSA (Not covered by CIA, FBI or other Law Enforcement)

      FEMA

      Customs and Border Protection

      Immigration (Former INS)

      Secret Service (Not covered by CIA, FBI or any other Law Enforcement)

      Coast Guards (Not covered by CIA, FBI or other Law Enforcement)

      I'm no fan of them, but how about you take a look at their website if you want to know what they are supposed to do"

      Well, they don't seem to be doing very well at many of their tasks....

      • TSA - Mostly act as a PITA, and don't seem to know or want to show the applicable laws (like not having to show ID)
      • FEMA - First hand observation of them and their continued incompetence in New Orleans. Fortunately I've not had to deal that much with them myself, but, I feel for the people that have. I worry for the next community that gets hit by a disaster, if NOLA is any indication how they act, you're in for a lot of trouble and heartache.
      • Customs and Border Protection - Well, I think we ALL know how bad a failure this is....the people flooding in from down south hasn't slowed a bit, even though the majority of the US wants the borders secured.
      • Immigration (Former INS) - Well, this obviously doesn't work at all. People wanting to get in legally can't seem to hardly work the system, and we're certainly NOT deporting people here illegally we find and catch. I think the last reference to this working was in the original Cheech and Chong movie, Up in Smoke. The INS gave them a free ride to Mexico, last time I heard of INS ever sending someone home that wasn't here legally.
      • Secret Service (Not covered by CIA, FBI or any other Law Enforcement) - Ok...they seem to do ok, but, then again, they were great before DHS oversight.
      • Coast Guards (Not covered by CIA, FBI or other Law Enforcement) - Good before DHS, and so far, no signs of bastardization...keep up the good work boys.

      Yeah...lots of progress with DHS. Lots of nothing....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  30. Already covered.... by Actually,+I+do+RTFA · · Score: 3, Informative

    Secret Service (Not covered by CIA, FBI or any other Law Enforcement) Treasury Department, which is why they go after counterfeiters

    Coast Guards (Not covered by CIA, FBI or other Law Enforcement) Commerce Department, except during times of war, when they become part of the DOD.

    And FEMA used to be independent and have an almost cabinet level leader.

    --
    Your ad here. Ask me how!