Slashdot Mirror
800 Break-ins at Dept. of Homeland Security
WrongSizeGlass writes "Yahoo is reporting about the computer security nightmare going on at the Department of Homeland Security. Senior DHS officials admitted to Congress that over a two year period there were 800 hacker break-ins, virus outbreaks and in one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. I guess it's true what they say ... a mechanic's car is always the last to get fixed."
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I guess it's true what they say ... a mechanic's car is always the last to get fixed.
That's very true.
Especially when the mechanic is incompetent, and more interested in throwing around political weight than actually trying to accomplish anything useful.
Microsoft is to software what Budweiser is to beer.
The people that are smart enough to really do this IT stuff properly for the DHS are smart enough to earn more money elsewhere.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Apparently cyber-terrorism isn't important then?
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
...that failed to deliver when it came to 9/11 warnings by layering on a new bureaucracy on top of the failed bureaucracy.
Clearly what we need is a new Dept. of Homeland Security Security.
Point 1: Considering the complete inability of standard technical solutions to security problems to prevent a significant number of attacks/infections from being successful, this is not like the mechanics car getting fixed last. It's called "the security industry and standard methodologies continue their long history of consistent failure at organizations, both public and private"
Point 2: Those numbers are a completely meaningless abstraction without tying them back to type of attack, actual damage, importance of the data on those systems or their roles in launching further attacks, what kind of infections occurred and their damage potential, and finally what those numbers look like compared to other orgs of the same size.
Point 3: Homeland Security is comprised of multiple mostly-independant sub orgs (like Coast Guard, TSA, etc)....so..saying DHS had so many attacks is misleading without clarification
Point 4: Not saying theyre not making mistakes, just that those "facts" dont tell you either way what the actual state of things is.
When you are a primary target like the DHS, I would imagine that the attacks they face are probably harder and longer than most possible victims. I would be interested to know how many hack attempts failed to see what kind of success rate such a high profile agency has. No security is perfect.
""What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said."
Meh, whatever. This seems to me to dismiss the high profile nature of the DHS. Most other businesses might not even survive the onslaught faced by the DHS and other government sites.
Could they do more? Sure. There is ALWAYS more that can be done from the user level up to systems and network admin.
"All the problems involved the department's unclassified computer networks..."
That is good to know.
Bearded Dragon
No, it's not. Cyber-terrorism is a buzzword made up by idiots.
even by Slashdot pundits, when we learned of the huge Dell and Microsoft contracts that were being awarded by the DHS.
Those who wanted the DHS to be a braintrust of security were sorely disappointed, and indeed we can see that it is nothing more than another bureaucracy more interested in distributing taxpayer funds to corporate friends than really doing anything for the health and welfare of the nation.
This is how Rome fell.
--
$tar -xvf
DHS was started by a number of folks from the marines (I worked for one). They were ALL windows believers ( but the ones that I knew were very so-so in the tech work). They were adamant about not being like NSA in spite of the fact that NSA has 2 missions; 1) obtain any info that they can on others 2) secure our boxes. NSA has a LARGE number of mathematicians as well as computer geeks. And windows is only allowed in none secured arenas or have their network capability severed at a hardware level (i.e. no nic or usb). If DHS had been ran by professionals and not politicians from the military (ALL of the tops one were W.s, Cheney's and esp. Rumsfeld's friend), then they would not have had the break-ins.
I prefer the "u" in honour as it seems to be missing these days.
That was how I read the summary and it made me think - Dang the Dept of Homeland Security is so (dis)organised that you can phone in break in requests to their systems
I am Slashdot. Are you Slashdot as well?
Look at any government agency or corporate IT infrastructure - 800 break-ins is not a big number. I have been conducting information security analyses for many years for corporate networks and government entities and 800 is not a high figure. What you have to find out before considering this a valid story is; was integrity, confidentiality or availability of their infrastructure effected by these break-ins or was it just dorks poking their nose through the DMZ to see what they could find.
That's nothing. A password cracker is included in the OS load of every server here. Our security auditing program uses it! Better yet, it would normally be detected by our antivirus program, but a guy here is paid to remove it's pattern from the vscan updates before they're sent out. When an unedited vscan pattern file manages to make it's way on to the machine somehow, it nukes the audit program. How's that for "administratively broken"?
Part of their mandate and jurisdiction is Information Security; they are charged with protecting the computing infrastructure of the country.
--
$tar -xvf
Kinda like "War on Terror"?
It goes from God, to Jerry, to me.
Thank you for that clarification. I feel so much better now knowing that the department in charge of protecting the U.S. from terrorists has no technical skills.
I'm not tense. I'm just terribly, terribly, alert.
This is no exaggeration. As with virtually any other government employment, the DHS is filled with people who just want titles and a paycheck. Most morons know how to install windows and office and a few of those can even install a server and exchange email. Whether they know anything useful or not, they don't really care about doing more than the bare minimum to keep their paychecks flowing. I blame the way government pays and oversees people for this. There is not much in the way of pay or advancement by merit in government employ. Everyone's too afraid of descrimination suits and the like. So the only measured basis one can use safely is time in service really. Other than that, the culture is to keep your head down and do the bare minimum.
And if you think the creation of DHS was a carefully planned and well-thought-out move, I think the historical evidence speaks to the contrary.
The only solution is for detailed requirements for security and data handling. It would be more effective than not having any... they really don't have much in place now. How secure can they be with Microsoft everything running their offices?
they are charged with protecting the computing infrastructure of the country.
What's Chinese for "pwned"?
Blank until
...that you could fly a 747 through!
Oops, that was in bad taste.
technical writing / development
DHS was created in response to the 9/11 attacks as a purely political move to make it look like we were serious about fighting terrorism. It created a huge bureaucracy, gave it an impossibly broad mandate, and made it more difficult for existing agencies (that were moved under DHS because they were at least tangentially related to protecting the country against various things) to do their jobs. As a result, the government is far less capable of intelligently defending against attack than it was before. It is only capable of wildly overreacting to perceived threats (like someone slipping through airport security with 4 ounces of hand soap rather than the mandated maximum of 3), again so it can appear as if it is on top of things.
DHS was a bad idea that was implemented poorly out of a panicked need to do *something* following the attacks.
Gotta agree with that. If they were competent, they'd have their own house in order.
Just as anyone here who's competent with a computer has their systems up-to-date and tuned.
I think the reason that people see any irony at all in these type of stories is the fact that they actually expect that the government is as good as its hyperreal image. Of course government agencies aren't infallible, but to suggest this is to deny this hyperreal, overemphasized "we're efficient, intelligent and we know things about you you don't even know" public persona. Without a sufficient belief in the agencies like the CIA and the FBI, and the belief that they are actually more informed than the masses and that the government is more in the know than anyone is aware (unless they are in the government), people would want to know where all this security spending is going (which is a problem for anyone). The government is an inept, massive body of people that is unable to act upon information quickly due to its many layers of bureaucratic bullshit and the legality of everything. The only solution to this problem is to eliminate some of the bureaucracy (firing people, which, of course, can't be done), or to eliminate the red tape (legislation, which, if you eliminate too much becomes a Bush-like grab for power), neither of which will ever be done due to the nature of the politicians in charge. So the federal government, no matter what the politicians say will continue to grow as a monolithic, insecure and ineffective beast while feeding you the image of a secure, fast, intelligent and best of class organization and terrorists with their small but efficient plans will continue to find gaping holes in the system. And that's why irony in this case can be saved for the naive and the uninformed, the rest of us see things like this coming a mile away.
Judges and senates have been bought for gold; Esteem and love were never to be sold.
Ok so here is the deal. DHS' network is a mesh of multiple other networks that were already in existence. This is problematic in itself as it involves a heavy amount of integration and also borders upon borders of perimeter security (each disparate agency is part of the whole but may have its own controlled interfaces for some level of separation...
Now lets go to the article. To the laymen you say 800 compromises and they go into "WOW THAT IS SO BAD" mode, but seriously come on. The compromises are mostly workstations. Now that doesn't mean they get a free pass, but its not like they have had their core servers owned by foreign states... What they should be doing is not only scanning apps, DBs, and servers and patching/hardening them appropriately, but also client-side firewalling, config control of workstations, baseline security mechanisms for remote users, centralized virus/vulnerability patching... This article does not surprise me what-so-ever and it really is not an indication that DHS security is horrible. Its not the best, but 800 is not that bad.
News Reporters Make Tasty Polar Bear Treats!
Outsourced.
The article actually says "800 hacker break-ins, virus outbreaks and other computer security problems over two years".
These numbers are remarkably low, if true. I once cleaned over 1000 virii, rootkits and spyware apps off the computer of a busy, filesharing teenager. 800 from 200,000 employees is pretty low. Not to mention that these are on public terminals since the real important data passes across private DoD networks (SIPRNET and JWICS. another clueless article written by another clueless reporter spreading FUD to the clueless liberal masses.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
I work for DHS in the Science & Technology Directorate (S&T), and while DHS has a long way to go, there are very smart people here that have sacrificed lucrative careers to dedicate themselves to service to the nation. With a Ph.D. in computational biology from Stanford (i.e., I consider myself to have technical skills), I decided the morning of 9/11 that I would not seek a job at a Biotech or Pharma company in the Bay Area upon graduation, but would rather try to get involved and help the nation with whatever talent and education I have been given. There are many others like myself in S&T - thankfully S&T has not (yet!) turned into the typical government clock-punching organization. People here are top-tier, driven, bright, and creative. I am proud of where DHS has come (at least in my corner of it), while acknowledging that we have a long long way to go. Oh, and for the record, DHS employees are not required to be members of the Republican party.
TSA (Not covered by CIA, FBI or other Law Enforcement)
4 .shtm
FEMA
Customs and Border Protection
Immigration (Former INS)
Secret Service (Not covered by CIA, FBI or any other Law Enforcement)
Coast Guards (Not covered by CIA, FBI or other Law Enforcement)
I'm no fan of them, but how about you take a look at their website if you want to know what they are supposed to do:
http://www.dhs.gov/xabout/structure/editorial_064
I am assuming you mean S&T, not DHS overall. Science & Technology is the primary research and development arm of the Department - we're different from other science-related organizations like NIH, NSF, etc., in that our work must have clear line-of-sight to security applications. Not to say we don't have some focus in the basic sciences, but rather to say that it's only about a 20% focus. We also have a portion of our research budget that goes to high-risk things that will probably fail. Thankfully our leadership hear in S&T understands that in science, you need to have at least some fraction of your research portfolio 'on the edge' - that's where you find the home-runs, and not always in the 'safe' stuff. This is hard to defend though, since Congress doesn't hearing that you're spending research dollars on 'risky' projects expected to fail. In addition to research, the 'T' in S&T means that we develop technologies for the first responders and other users (i.e., interoperable radios and communication, Chemical and Biological detectors, other miscellaneous cool widgets, etc.) You may also (correctly) guess that any significant effort to prevent terrorist use of WMD requires top-notch scientific and technical expertise as well, so we do a lot of WMD-related work. Hope that helps.
Secret Service (Not covered by CIA, FBI or any other Law Enforcement) Treasury Department, which is why they go after counterfiters
Coast Guards (Not covered by CIA, FBI or other Law Enforcement) Commerce Department, except during times of way, when hey become part of the DOD.
And FEMA used to be independent and have an almost cabinet level leader.
Your ad here. Ask me how!