Unisys Investigated For Covering Up Cyber-Attacks
Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.
Unisys probably outsourced their techs to India. Unisys are just another tech dinosaur that never made it out of the seventies.
"You can't fight in here, this is the war room!"
Dr. Evil: Here's the plan. We get the warhead, and we hold the Department of Homeland Security ransomed for.....One MILLION DOLLARS!!
No.2: Ahem...well, don't you think we should maybe ask for *more* than a million dollars? I mean, a million dollars isn't exactly a lot of money these days. Unisys alone makes over one million dollars a year!
Dr. Evil: Really?
No.2: Mm-hmm.
Dr. Evil: That's a number. Okay then. We hold the Department of Homeland Security ransom for.....One Point Seven BILLION DOLLARS!!
If you mod me down, I shall become more powerful than you could possibly imagine.
...those nice and jolly GIF-Patent folks? I really do love 'em!
Yes, Unisys may have screwed up, but then again, it's all about the better mousetrap and all...
Fighting over religion is like seeing whose imaginary friend is best.
I guess if nobody reads the article, they figure it's not that important where they (don't) start reading from? Or else Stony Stevenson likes to read articles from back to front? I wonder how many /. readers will even notice.
Here is page 1 anyway: http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471.html?nav=rss_business
Negative moral value of force outweighs the positive value of good intentions.
Can people please stop abusing the term "cyber". I mean, it once had a useful meaning (electronic control of physical processes) that is now on the verge of being lost.
Shouldn't the government be hiding their own ineptitude? Lou Dobbs should be rolling in his..oh..he's alive ain't he.
Security of critical gov't systems SHOULDN'T be left to some missionary IT support. It should be done in house. period.
missionary = mercenary
... is this the same Unisys that held the GIF LZW patent and tried to sue everyone for it, even though it was developed by CompuServe?
Excuse me while I don't shed a tear.
XML is like violence. If it doesn't solve the problem, use more.
DHS has been associated with some serious clusterfucks. The fact that they can't secure their own servers while they are supposed to be in charge of "security" is politically .... difficult.... for the current administration.
This is nothing new. Think of Blackwater, Halliburton, Boeing, ..., ...
Big contractors like these simply get slapped on the wrist and keep going on with business as usual. The same thing will happen with UNISYS.
Translation: some wonk at DHS caught an MSN IM virus from a chick on a dating site.
Hey DHS, look for servicer.exe in the registry. Put a semicolon in front of the key. I'll send you a bill. With lots of zeros.
Need Mercedes parts ?
And here I thought the free market would protect me from that stuff.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Among my various other gigs, I've often worked as a contractor doing certification and accreditation (C&A) paperwork for half a dozen fed. govt. agencies. "C&A" is the required paperwork that is supposed to certify that an agency's systems have been secured in accordance with applicable NIST, DoD, etc. standards. Understand that many, if not most, agencies devote far more time, money, and effort to making the paperwork look good than they do to actually securing the systems. Some agencies, and some of their contractors, think the NIST SP 800-37 C&A process, DIACAP, FISMA reporting, etc. is just a worthless paper shuffle. Some are even still using SP 800-26 risk assessment questionnaires in lieu of a full C&A. I can't tell you how many job interviews I've gone on where the contractor company's hiring manager would actually brag about how they are going to falsify the C&A and snow the agency's inspector general, OMB, or whomever. My standard response to that has been, "Can I visit you in prison?" (Usually this spells the end of that particular interview process.) Since, up to now, nobody has actually gone to federal prison for submitting bogus C&A documentation, some people thought they could get away with this kind of bogosity forever. A strange and unlikely confluence of events caused the Unisys situation: they (allegedly) cheated on the C&A process, AND the intruders pwned the DHS network, including the main admin password. The successful intrusions caused an audit which exposed the C&A fraud (which otherwise would have slid on by). Too bad, so sad.
"Security Unleashed - At Unisys, we're looking at security in an entirely new way. Security is no longer a defensive measure. It's an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential." Taken from the Unisys website. It says they can make everything possible, with their motto "we help you adapt quickly to meet ever-changing market demands and be resilient, agile and open", which is trash after all, hoping for a big fish to come after... but the quote that they used doesn't fit them much with this news. Again, I think they're not too good for this job.
How do we stop websites from doing cyber attacks on their own?
Any hacker worth his salt covers his tracks and leaves no traces, what did they expect?
The press office must be having a great day... http://www.tradingmarkets.com/.site/news/Stock%20News/637040/
"Unisys probably outsourced..."
Did you take some time before speculating? Because it's obvious you don't even know the basics:
"just another tech dinosaur that never made it out of the seventies"
Unisys was formed in 86. As always, the least one can do before posting on Slashdot is to glance at http://en.wikipedia.org/wiki/Unisys
"Unisys denies it all."
They Have the Way Out!(TM)
As I recall (can't find a copy of the actual strip, it's in the collection "What is it, Tink, is Pan in trouble?") the real punchline for the whole series went something like this:
Rick Redfern: "That's it! That's the story! The coverup!"
Source: "That's what I thought. Should I just toss the file?"
If there's a story here at all (after all, 'someone got trolled through IE' isn't a story at all... or if it is it's Microsoft who should be investigated), it's the coverup.
Anyone that has worked inside government IT whether directly or as a contractor will know that this is government politics at play. There are exceptions, but most highly skilled and trained system administrators are going where the money is, and it's not working as a gov't employee. I know. A gov't IT department may have policies and procedures up the wazoo, but at the same time no budget or authority to ensure compliance. Exception is the rule in gov't. Here's an example:
"Sir, there appears to be attacks against our systems from China"
"Are you telling me that China is attacking us? Can you provide proof beyond a doubt that it is China attacking our systems? How did you detect this attack?"
"Sir, it shows up in the firewall and IDS logs"
"What are firewalls or IDS? Did you get that report done...blahblahblah that I asked for? Why are you looking at the logs when I need real work done. What is the status of project A, B, C? Go help fix a computer somewhere."
"Sir, should I not be looking at the logs?"
"What, are you stupid, did I TELL you to look at the logs? Go fix a computer or something"
So, you train a govt IT person in computer security and they get a CISSP and maybe a SANS cert or two. But, they have to continue working with people who won't allow them to use the knowledge. They're leaving.
Generally speaking, my experience is that many departments in gov't don't follow their own process or rules and they breed an air of idiotic compliance. Then fire the blame gun when a problem erupts.
I was told by a long term employee when I asked how to survive in gov't so long..."for every situation, always have a putz lined up." Smart sysadmins in gov't learn that they will be the putz and leave.
Unisys are just another tech dinosaur that never made it out of the seventies.
FWIW, Unisys didn't exist in the seventies. I was there. I worked on both types of kit (in those days you either went with the herd and learned to use IBM, or you learned to be versatile).
IIRC it came about via the merging of Burroughs and Sperry/UNIVAC in about 1986 (in fact, to be specific, I think Burroughs swallowed Sperry).
From the Wash Post article: "...under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway." The follow-up contract started in '05. DHS wasn't PAYING for security monitoring, but Unisys did it anyway (which is illegal, I believe). Therefore during the breach in 2006, DHS basically got what they paid for. This is DHS's management utterly failing and Unisys getting the blame for it.
Someone should mod this up.
I worked for Unisys some time ago as helpdesk support for their DHS account, and this is no surprise to me at all. They are absolutely inept and have no concern for security. Among the things that just amazed me:
1. When a user asked for a password change, we were not supposed to challenge them in any way. This included people as high up as the Secretary (or more accurately, the Secretary's assistant), but we didn't even have a list of who his assistants were.
2. Each desk had two systems, one Unisys and one DHS. The building had no physical security and the systems were not locked down. Also, nobody ever locked their desktops.
3. The head of cybersecurity resigned at one point, stating that nobody took network security seriously. Two weeks later, his account was still active.
4. I worked there for about 8 months before I decided to get out. In that time, I never received any sort of security clearance.
Those are just the big ones. That was my first and last job for a government contractor.
Didn't you guys read the memo? Paying for resources to detect/prevent cyber-attacks is way more expensive than simply covering up the tracks after a cyber-attack. They're just watching out for their bottom line like every other corporation in America. Can't blame them for that.
;)
If you were offended by anything I said... No, I'm not sorry. Please lighten up.
I assume by in house you mean the govt/military. Believe me, you don't want this. If the military guys are doing it, the more proficient guys are usually put in charge of the less proficient and therefore spend less time doing actual hands-on work. A second problem is the lack of corporate knowledge: since they are pretty much guaranteed to change jobs/locations every 2-3 years, you never get that guy that has been there since most of the systems were installed. This causes the same mistakes to be made every couple of years or every time the system is upgraded/replaced. As for the govt guys, they are the epitome of not hiring the most qualified person for a job (yes, that is a generalization, but in the hands-on tech field it is very true). Go out to usajobs.com and search for jobs in an area; at the bottom of the page there is a spot that talks about Applicant Eligibility. Take a look at the difference in the number of jobs available by just changing that from no to yes. There are a lot of jobs out there held for only former govt/military people. Just clicking on AK - Ft. Richardson in location and changing it from no to yes changes the number of jobs found from 13 to 31.
I think we can find a government contractor that will put Mr. Dobbs in a position to roll, however due to this month's annual red tape increase, we might have to form a committee to discuss the appointment of those that will oversee the bidding procedure of the Swiss banks that will reroute the deferred compensation from the winning contractor to the appropriately untraceable accounts. The whole process might realistically be completed in 50 years or so, which may seem like a long time, but rest assured the contract accrual process will continue regardless of any death of Mr. Dobbs. We know that's what he would have wanted.
Well.. maybe. Or Maybe not. But Definitely not sort of.
They can just do what every IT department at every job I've ever had does, blame it on the users! Currently our server difficulties are being explained to me as "Employees are using too many wildcard searches of the database" and somehow that explanation has so far appeased the managers... luckily for the IT department, management is baffled by complex techie speak such as "wildcard searches" and will likely put out a memo declaring "Wildcard searches are bad for the computers, please refrain from using wildcard searches on company computers" *sigh*
What I want to know is what the hell could cost 1.7 billion dollars? Are they putting HA systems with redundant fiber channel SANs on every desktop? How big is the DHS? If we're talking even 100,000 people that's over $17,000 per person in IT costs. For that kind of money they should have had big time segmentation with all kinds of traffic monitoring and IDSes along with honeypots and tarpits. Hell, for that kinda money I would even include fart detectors.
Who is John Galt?
Not bloody likely.
-a.d.-
I'm Erwin Schrodinger and I approve of this message, and I do not approve of this message!
damnit Unisys! I TOLD you to turn off telnet in your inetd.conf!! but you just didn't listen..
*plays the Apogee theme song music*
Why are you surprised by this? This is Katrina inside the DHS. It's Blackwater, Halliburton, and the Coalition Provisional Authority pissing away BILLIONS OF TAX DOLLARS. You want a specific example?
http://www.iht.com/articles/2007/02/07/america/web.0207money.php
The Unisys screw-up is small change. All they did was compromise national security, not anything important like Janet Jackson showing her tit at the Superbowl and netting CBS a $550,000 fine. Nothing to see here, move along.
The military should not be blaming Unisys for the break-in. Ultimately it's the government's responsibility to secure these systems. In the military there is an old rule that you can delegate authority, but not responsibility. They should not be hiring a corporate lackey to do the job they should be doing themselves.
I think it is about time that we roll over and admit that we are inferior to the Chinese and Mexicans. We have no hope. Leave the country, start studying a foreign language. We have not the will nor intelligence to be anything but someone's bitch in today's geopolitical arena. Look at the guys that you work with, and the people you commute to work with. Chances are that 3/4 of them are idiots. There is no reason to believe that a country of idiots should do anything but collapse in upon itself.
Thanks
That was an old ad campaign. Unisys actually supports running Linux on its biggest servers, as well as Windows, the Clearpath MCP Operating system, and the OS2200 operating system.