Slashdot Mirror


DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure

Death Metal sends this excerpt from an AP report: "General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."

1 of 133 comments (clear)

  1. Re:airline flight systems, and nuclear launch code by JWSmythe · · Score: 4, Interesting

        Your question is your answer.

        You'll find, even in the happiest secure network, there can be a security hole.

        Think of this. It shouldn't happen, but I know it has. You have two networks jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines an be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.

        Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.

        Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.

        What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.

        I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."

        I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother hack the casino network from a room in the hotel in Las Vegas. Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)

        Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.

    --
    Serious? Seriousness is well above my pay grade.