Unisys Investigated For Covering Up Cyber-Attacks
Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.
Dr. Evil: Here's the plan. We get the warhead, and we hold the Department of Homeland Security ransomed for.....One MILLION DOLLARS!!
No.2: Ahem...well, don't you think we should maybe ask for *more* than a million dollars? I mean, a million dollars isn't exactly a lot of money these days. Unisys alone makes over one million dollars a year!
Dr. Evil: Really?
No.2: Mm-hmm.
Dr. Evil: That's a number. Okay then. We hold the Department of Homeland Security ransom for.....One Point Seven BILLION DOLLARS!!
If you mod me down, I shall become more powerful than you could possibly imagine.
...those nice and jolly GIF-patent folks? I really do love 'em!
Yes, Unisys may have screwed up, but then again, it's all about the better mousetrap and all...
Fighting over religion is like seeing whose imaginary friend is best.
I guess if nobody reads the article, they figure it's not that important where they (don't) start reading from? Or else Stony Stevenson likes to read articles from back to front? I wonder how many /. readers will even notice.
Here is page 1 anyway: http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471.html?nav=rss_business
Negative moral value of force outweighs the positive value of good intentions.
Can people please stop abusing the term "cyber". I mean, it once had a useful meaning (electronic control of physical processes) that is now on the verge of being lost.
Shouldn't the government be hiding their own ineptitude? Lou Dobbs should be rolling in his... oh, he's alive, ain't he.
Security of critical gov't systems SHOULDN'T be left to some missionary IT support. It should be done in house. period.
I highly doubt that. As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. Citizens much less someone from a country that we really don't trust all that much. So I'm fairly certain that most of the people involved with the program are U.S. Citizens born and bred or at least naturalized from another trusted nation i.e. Great Britain, Canada, Australia.
"Some books contain the machinery required to create and sustain universes."-Tycho
And that means what, exactly? That they adhere to some law which was passed with the intention to generate security and is circumvented with the intention to generate revenue.
For reference, see SOX.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is nothing new. Think of Blackwater, Halliburton, Boeing, ..., ...
Big contractors like these simply get slapped on the wrist and keep going on with business as usual. The same thing will happen with UNISYS
And here I thought the free market would protect me from that stuff.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Among my various other gigs, I've often worked as a contractor doing certification and accreditation (C&A) paperwork for half a dozen fed. govt. agencies. "C&A" is the required paperwork that is supposed to certify that an agency's systems have been secured in accordance with applicable NIST, DoD, etc. standards. Understand that many, if not most, agencies devote far more time, money, and effort to making the paperwork look good than they do to actually securing the systems. Some agencies, and some of their contractors, think the NIST SP 800-37 C&A process, DIACAP, FISMA reporting, etc. is just a worthless paper shuffle. Some are even still using SP 800-26 risk assessment questionnaires in lieu of a full C&A. I can't tell you how many job interviews I've gone on where the contractor company's hiring manager would actually brag about how they are going to falsify the C&A and snow the agency's inspector general, OMB, or whomever. My standard response to that has been, "Can I visit you in prison?" (Usually this spells the end of that particular interview process.) Since, up to now, nobody has actually gone to federal prison for submitting bogus C&A documentation, some people thought they could get away with this kind of bogosity forever. A strange and unlikely confluence of events caused the Unisys situation: they (allegedly) cheated on the C&A process, AND the intruders pwned the DHS network, including the main admin password. The successful intrusions caused an audit which exposed the C&A fraud (which otherwise would have slid on by). Too bad, so sad.
"Security Unleashed - At Unisys, we're looking at security in an entirely new way. Security is no longer a defensive measure. It's an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential." Taken from the Unisys web site. It says they can make everything possible, with their motto "we help you adapt quickly to meet ever-changing market demands and be resilient, agile and open". It is trash after all, hoping for a big fish to come after... but the quote they used doesn't fit them much in light of this news. Again, I think they're not too good for this job.
This is a big part of the problem. The vast majority of Government Contractors are only marginally qualified and got their jobs by having the clearance, not by being technically proficient. This is known as "warm bodies" syndrome since many contracts pay per position filled. Getting a clearance can take years, depending on the level, and usually takes months, so this is a high barrier to entry and keeps a lot of smart people out.
There are many very capable and well-qualified people in Government Contracting, but they are a minority. Of course, Management, being what it is, doesn't want to give bad news to a customer, so sometimes they "muddy the waters".
In the land of the blind, the one-eyed man is usually crucified.
Any hacker worth his salt covers his tracks and leaves no traces, what did they expect?
Uh... Unisys had a patent on LZW, which CompuServe subsequently used w/o permission in their GIF format specification.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
You'll notice that I didn't make any mention of the qualifications of those people. I agree with you through and through. I was just stating that the people involved in that contract were most likely not offshore.
Let's just say I have insight into the subject and it would be extremely difficult to do. Heavy auditing, random inspections, random pen testing, and many, many myriad things would get in the way of that. Also, most networks in govt. are totally segregated (reference: air gap) from the rest of the world, so with anything actually sensitive it would be completely impossible. I know that you're going to scoff at that statement, but trust me when I say that the cost of offshoring anything like that would be extremely expensive, not to mention illegal, and when dealing with govt. contracts you play by their rules. They are very lucrative contracts and one violation can lose the entire thing, so it really isn't in a company's best interest to even try it with govt. contracts; the risk vs. reward is much too great.
Actually, Unisys hires through temp agencies and the temps only have to pass an FBI background check.
I know this, because I worked for IBM in a government data center at the time. We handled the big iron (oddly enough, including some machines from Sun and some ancient AS/400s) and the Unisys flunkies did operations and tape library stuff (cartridge and reel to reel). DOT, IRS, etc stuff. Believe it or not, they had PCs in there running Win95 and NT4 with no egress filtering to the internet... There were quite a few Ukrainians, Chinese, Russian and Estonian employees working there for Unisys. Over in the other room Lockheed Martin had their stuff running. No one but U.S. citizens allowed in there, and no outside internet access. I pitied the network admins (not really).
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Heh, I love my job. =P Just sayin.
Shame I'm out of mod points. (Hint: Overrated)
How did "never made it out of the seventies" and "probably outsourced... to india" make it into the same post? Might I recommend you read and/or watch The Commanding Heights by Daniel Yergin?
http://en.wikipedia.org/wiki/Commanding_Heights:_The_Battle_for_the_World_Economy
The press office must be having a great day... http://www.tradingmarkets.com/.site/news/Stock%20News/637040/
or at least naturalized from another trusted nation i.e. Great Britain, Canada, Australia.
I fart in your general direction !
"Unisys probably outsourced..."
Did you take some time before speculating? Because it's obvious you don't even know the basics:
"just another tech dinosaur that never made it out of the seventies"
Unisys was formed in '86. As always, the least one can do before posting on Slashdot is to glance at http://en.wikipedia.org/wiki/Unisys
"Unisys denies it all."
They Have the Way Out!(TM)
No, my 13-year-old fixed my 15-year-old's computer. I just watched.
If I could get her to lie about her age I swear I'd rent her out as a consultant. She can even make the VCR stop flashing 12.
Come to think of it, I'll PayPal anybody $5 who can show me a picture of a VCR flashing 12 inside Unisys.
Need Mercedes parts ?
As I recall (can't find a copy of the actual strip, it's in the collection "What is it, Tink, is Pan in trouble?") the real punchline for the whole series went something like this:
Rick Redfern: "That's it! That's the story! The coverup!"
Source: "That's what I thought. Should I just toss the file?"
If there's a story here at all (after all, 'someone got trolled through IE' isn't a story at all... or if it is it's Microsoft who should be investigated), it's the coverup.
Anyone that has worked inside government IT whether directly or as a contractor will know that this is government politics at play. There are exceptions, but most highly skilled and trained system administrators are going where the money is, and it's not working as a gov't employee. I know. A gov't IT department may have policies and procedures up the wazoo, but at the same time no budget or authority to ensure compliance. Exception is the rule in gov't. Here's an example:
"Sir, there appears to be attacks against our systems from China"
"Are you telling me that China is attacking us? Can you provide proof beyond a doubt that it is China attacking our systems? How did you detect this attack?"
"Sir, it shows up in the firewall and IDS logs"
"What are firewalls or IDS? Did you get that report done...blahblahblah that I asked for? Why are you looking at the logs when I need real work done. What is the status of project A, B, C? Go help fix a computer somewhere."
"Sir, should I not be looking at the logs?"
"What, are you stupid, did I TELL you to look at the logs? Go fix a computer or something"
So, you train a govt IT person in computer security and they get a CISSP and maybe a SANS cert or two. But, they have to continue working with people who won't allow them to use the knowledge. They're leaving.
Generally speaking, my experience is that many departments in gov't don't follow their own process or rules and they breed an air of idiotic compliance. Then fire the blame gun when a problem erupts.
I was told by a long term employee when I asked how to survive in gov't so long..."for every situation, always have a putz lined up." Smart sysadmins in gov't learn that they will be the putz and leave.
Unisys are just another tech dinosaur that never made it out of the seventies.
FWIW, Unisys didn't exist in the seventies. I was there. I worked on both types of kit (in those days you either went with the herd and learned to use IBM, or you learned to be versatile).
IIRC it came about via the merging of Burroughs and Sperry/UNIVAC in about 1986 (in fact, to be specific, I think Burroughs swallowed Sperry).
That's bogus generalization. I've worked for several contractors including Unisys and I can tell you that while it is true that obtaining a clearance is a hurdle, the increase in pay you get with a clearance makes it worth the effort. Also, how do you think people get a clearance to begin with? Someone like Unisys sponsors them. Of course, if you're already cleared you're a more attractive candidate, but it is totally false to say that contractors only hire people on the basis of their clearance rather than their technical proficiency. If anything, people who are technically proficient are attracted to government contracting because the work is really interesting and the pay is better than you can expect to make as a government employee or in the commercial world. The problem with Unisys is that they treat their people like garbage, so anyone who is smart goes to work for another contractor. You're right to say they adhere to the "warm bodies" syndrome, but wrong to assert that all contractors do that. True IT services firms like Booz Allen, KPMG, CACI, do not.
Contracts dictate what level of clearance contracting staff must possess. So if you worked on a contract with foreign nationals who only possessed FBI background checks, it's because the government specified that's all that was necessary. So Unisys hiring practices (along with all other contracting companies) vary from contract to contract.
From the Wash Post article: "...under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway." The follow-up contract started in '05. DHS wasn't PAYING for security monitoring, but Unisys did it anyway (which is illegal, I believe). Therefore during the breach in 2006, DHS basically got what they paid for. This is DHS's management utterly failing and Unisys getting the blame for it.
My boss always said, "If you have a clearance and can spell C plus plus, you can get a job in the government IT industry..."
-Tom
No, you're wrong. And these days, Unisys' business is far more service oriented, rather than providing 1970's dinosaur technology. And the services are in line with (competitive with) the services other contractors provide.
Out-of-country non-nationals are not about to be supporting contracts to DoD or DHS that require security clearances.
Someone should mod this up.
I worked for Unisys some time ago as helpdesk support for their DHS account, and this is no surprise to me at all. They are absolutely inept and have no concern for security. Among the things that just amazed me:
1. When a user asked for a password change, we were not supposed to challenge them in any way. This included people as high up as the Secretary (or, more accurately, the Secretary's assistant), but we didn't even have a list of who his assistants were.
2. Each desk had two systems, one Unisys and one DHS. The building had no physical security and the systems were not locked down. Also, nobody ever locked their desktops.
3. The head of cybersecurity resigned at one point, stating that nobody took network security seriously. Two weeks later, his account was still active.
4. I worked there for about 8 months before I decided to get out. In that time, I never received any sort of security clearance.
Those are just the big ones. That was my first and last job for a government contractor.
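Item 3 above (a departed security head whose account was still active two weeks later) is the kind of thing a routine leaver audit catches. The following is an added example, not code from the original post, from Unisys or from DHS: it joins a constructed HR leavers list against a constructed account export and flags accounts still enabled past the owner's last day, ranking privileged accounts and post-departure logons first. The user ids, dates, field layout and grace period are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not real DHS or Unisys records).
# user id -> last working day, as an HR system would export it
LEAVERS = {
    "jdoe": date(2006, 6, 30),
    "rsmith": date(2006, 8, 1),
    "mlee": date(2006, 8, 15),
}

# (user id, enabled flag, last logon date or None, privileged flag)
ACCOUNTS = [
    ("jdoe",   True,  date(2006, 7, 14), True),   # left 6/30, still enabled, logged on after
    ("rsmith", False, date(2006, 7, 30), False),  # disabled on time
    ("mlee",   True,  None,              False),  # left 8/15, enabled, never used since
    ("akhan",  True,  date(2006, 8, 20), False),  # current employee, not in LEAVERS
]

# Assumed audit date for the stand-alone run.
AS_OF = date(2006, 8, 29)


@dataclass(frozen=True)
class Finding:
    user: str
    last_day: date
    days_open: int            # days the account stayed enabled after last_day
    logon_after_leaving: bool  # a logon occurred after the owner's last day
    privileged: bool


def audit_orphaned_accounts(leavers, accounts, as_of, grace_days=1):
    """Return Findings for accounts still enabled more than grace_days past the owner's last day."""
    findings = []
    for user, enabled, last_logon, privileged in accounts:
        last_day = leavers.get(user)
        if last_day is None or not enabled:
            continue  # not a leaver, or already disabled
        days_open = (as_of - last_day).days
        if days_open <= grace_days:
            continue  # within the allowed offboarding window
        findings.append(Finding(
            user=user,
            last_day=last_day,
            days_open=days_open,
            logon_after_leaving=bool(last_logon and last_logon > last_day),
            privileged=privileged,
        ))
    # Triage order: privileged first, then accounts used after departure, then oldest.
    findings.sort(key=lambda f: (not f.privileged, not f.logon_after_leaving, -f.days_open))
    return findings


def run_audit():
    """Run the audit over the constructed sample data as of AS_OF."""
    return audit_orphaned_accounts(LEAVERS, ACCOUNTS, as_of=AS_OF)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In practice the two inputs come from the HR system and the directory (for example an LDAP or Active Directory export), and the check runs daily; the point is that the join is trivial, so an account that survives two weeks after a resignation reflects a missing process, not a hard problem.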
Didn't you guys read the memo? Paying for resources to detect/prevent cyber-attacks is way more expensive than simply covering up the tracks after a cyber-attack. They're just watching out for their bottom line like every other corporation in America. Can't blame them for that.
;)
If you were offended by anything I said... No, I'm not sorry. Please lighten up.
Sometimes yes, sometimes no. I'm a former full-time employee of Unisys, and used to do pre-sales architecture and systems engineering for them. On one particular contract we worked on, there were a couple of us full-timers to do architecture, another to handle the PM angle, several short-timers to do write code and DBA work, and a couple of outsourced coders.
Also, a PM outsourced from our Indian contractor. That was weird.
I think we can find a government contractor that will put Mr. Dobbs in a position to roll; however, due to this month's annual red tape increase, we might have to form a committee to discuss the appointment of those that will oversee the bidding procedure of the Swiss banks that will reroute the deferred compensation from the winning contractor to the appropriately untraceable accounts. The whole process might realistically be completed in 50 years or so, which may seem like a long time, but rest assured the contract accrual process will continue regardless of any death of Mr. Dobbs. We know that's what he would have wanted.
Well.. maybe. Or Maybe not. But Definitely not sort of.
More to the point, when companies lose contracts they lose them to a small circle of competitors, and those competitors rehire most of the people who were on the contract. In fact, that is so common you usually take your tenure / seniority with you to the next company. When a contract changes hands, it really means the management layer and the interface between management and the government is being changed. Workers by and large keep their jobs.
"Unisys probably outsourced their techs to India. "
I know this was meant as a joke, but just like all blonde jokes annoy blondes, this annoys me. Why? Because I'm an Indian. Further, I have been competing quite well against the best and the brightest the US of A has to offer. There are a significant number of Indians in Silicon Valley. Further, that crappy tech support is crappy not because it is in India, but because the Corporate American Enterprises owning it want it that way, simply because it's cheap. They hire Bachelor of History graduates to do tech support after a couple of weeks' crash course in English accent, support and tech. Hence you get what you get when you call them.
Here is a humorous incident that took place some time back.
Traveling to the US two years back, this petrol station clerk asked me where I was from. I said Canada. He said, "That's somewhere in New York, right?" Now let's say this guy is sitting at tech support in the US and a European calls him!
What I want to know is what the hell could cost 1.7 billion dollars? Are they putting HA systems with redundant Fibre Channel SANs on every desktop? How big is the DHS? If we're talking even 100,000 people, that's over $17,000 per person in IT costs. For that kind of money they should have had big-time segmentation with all kinds of traffic monitoring and IDSes along with honeypots and tarpits. Hell, for that kind of money I would even include fart detectors.
Who is John Galt?
Not bloody likely.
-a.d.-
I'm Erwin Schrodinger and I approve of this message, and I do not approve of this message!
Can anyone just go out and apply for a clearance? Or do you have to be sponsored by a company? Sounds like it would be a nice feature on a resume.
Dammit, Unisys! I TOLD you to turn off telnet in your inetd.conf!! But you just didn't listen...
*plays the Apogee theme song music*
Further, that crappy tech support is crappy not because it is in India, but because the Corporate American Enterprises owning it want it that way, simply because it's cheap. They hire Bachelor of History graduates to do tech support after a couple of weeks' crash course in English accent, support and tech. Hence you get what you get when you call them.
Quite. Any non-techy performing technical support off a script, whether they have annoying New Yorker accents or arguably more understandable South Asian ones, are going to suck.
You have to be sponsored. One's clearance is usually tied to a specific contract or clearance granting organization. Department of Defense has a different set of rules than Department of Energy for example. They're transferable, but that's not an easy process. A lot of people in DoD get clearances in the military.
That was an old ad campaign. Unisys actually supports running Linux on its biggest servers, as well as Windows, the ClearPath MCP operating system, and the OS 2200 operating system.
Yes. That patent has now expired in the U.S., and I think was soon to expire elsewhere. Unisys actually made hundreds of millions by licensing LZW (Lempel-Ziv-Welch) compression.