DHS CyberSecurity Misses 1085 Holes On Own Network
Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."
This is why the government always ends up hiring contractors to do the jobs they already pay their own staff to do.
It's shit like this that needs to make it to mainstream media, to show how messed up the fear-mongering side of the Government really is.
... not as I do.
It's possible that even IT drones that work in bureaucracy have to deal with the red tape. A good number of these holes might have been fixed by installing the "latest" version of software. At most of the companies I have worked with, software installs have to be vetted by corporate suits that would rather play golf.
I'm not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.
No, this is what you get with outsourced IT. The state of VA went with Northrop Grumman; that did not work that well.
Well, obviously they need to run some instances of Windows for research and testing purposes to protect the public, but you'd think the organization devoted to cybersecurity would run something with fewer targeted attacks designed especially for it.
This is blown out of proportion. Vulnerability scanners will report lots of things as "MAC I vulnerabilities", and since they are automated, a lot of the time they report non-risks. Things like file permissions when the OS is fully patched, ports locked down, and so on.
You can scan a single fresh, updated copy of Red Hat and get 50+ high-risk items, for instance.
On a whole network, this result isn't bad because it is basically impossible to meet the moving target of a perfect score on a vulnerability scanner in a constantly evolving large network.
Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.
this is just a placeholder till i send back my real sig from the future.
This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18 year old girl being hired as a supervisor and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.
We need to create a Department of Department of Homeland Security Security immediately.
Let's all hack the motherfuckers before they fix the holes!
This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.
What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.
While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.
Dare to Hope. Prepare to be Disappointed.
Managing configuration for one box is easy. Sometimes managing configuration for multiples of the same box is doable. But managing configuration for a large scale multi-vendor deployment is a headache that nobody solves particularly well, and the tools for checking the various things (patch level, logs, configuration scanning, etc) typically all come from different security vendors and those don't work together either.
The article says most of the flaws were unpatched installations of Java, Acrobat, and Windows. When new patches for those come out every week it is easy to let that slip without some sort of patch management tool. I wonder what they used other than WSUS.
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
The lack of details in the paper makes it so that it is impossible to know exactly what they found. Scanners such as Nessus, Foundstone, LANguard are really noisy and can report normal system operation as a high vulnerability regardless of system configuration.
Something like telnet will be a high, but put in the proper mitigation, such as an access list and two-factor authentication, and you can show it as a medium or low.
It's all subjective.
You find the most grotesque Microsoft PowerPoint-like data crap: a half-page picture that is a pie chart with two sections (figure 4, page 9 in the PDF).
Anyone who would put together such a BS piece of eye candy isn't competent to pound sand down a rathole, even if they do use their spellchecker.
This looks like a job for Kevin Mitnick...naaah.
The mind conceives, the body achieves, the spirit manifests.
So the Department of Homeland Security's network security measures are approximately equivalent to the security measures on the border between Mexico and the United States.
I am Jack's Complete Lack of Surprise.
The Department of Homeland Security's primary mission is not "security." Its mission is "training the public to be properly responsive to idiotic demands from the Federal Government."
Specialization is for insects. - R.A.H.
I have done work with the government and had to participate in this scanning before bringing new hardware aboard a military facility.
Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings are often security theatre regimen or disastrously harmful to performance. But someone convinced congressman Y,Y,Z that this setting was imperative to have enabled or disabled.
Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Gary McKinnon? He got into .mil/.gov systems with superuser access with extreme ease/simplicity...
BLANK passwords.
And these are the same people that think pot is bad for you, alcohol is good for you and all the red on their budgets look fine. Pshhh.
Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it was based on version-to-database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.
I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
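As an added example (not code from the OIG report or from the commenter above) of the version-to-database problem just described: a scanner that only reads a service banner will keep flagging a package forever once the distribution backports the fix without bumping the upstream version string, while a credentialed check against the installed package's changelog (the text `rpm -q --changelog openssl` prints on RPM systems) sees the fix. The CVE and its upstream fixed release (Heartbleed, fixed in OpenSSL 1.0.1g) are real; the changelog text, maintainer address and package release numbers below are constructed for illustration.

```python
"""Banner-version matching versus checking for a backported fix.

Added example, not part of the original thread.  The changelog text is
constructed in the style of `rpm -q --changelog`; the version/CVE facts
(Heartbleed, fixed upstream in OpenSSL 1.0.1g) are real.
"""
import re
from typing import Optional

CVE = "CVE-2014-0160"          # Heartbleed
UPSTREAM_FIXED = "1.0.1g"      # first upstream OpenSSL release with the fix

# Constructed changelog: the distro kept the 1.0.1e version string and
# shipped the fix as a new package release (illustrative numbers only).
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Mon Jan 06 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16
- rebase to 1.0.1e
"""


def parse_openssl_version(v: str) -> tuple:
    """'1.0.1e' -> (1, 0, 1, 'e'); the letter suffix orders patch releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def banner_version(banner: str) -> Optional[str]:
    """Pull the OpenSSL version from an HTTP Server header such as
    'Apache/2.2.15 (CentOS) OpenSSL/1.0.1e'; None if it is not advertised."""
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)", banner)
    return m[1] if m else None


def naive_check(banner: str) -> bool:
    """Scanner-style check: vulnerable if the advertised version is older than
    the upstream fix.  Wrong on backports: the version string never changes."""
    ver = banner_version(banner)
    return ver is not None and parse_openssl_version(ver) < parse_openssl_version(UPSTREAM_FIXED)


def changelog_fixes(changelog: str, cve: str) -> bool:
    """Credentialed check: does the installed package's changelog record the CVE?
    This is the vendor's claim of a fix, which is what a backport leaves behind."""
    return re.search(r"\b" + re.escape(cve) + r"\b", changelog) is not None


def assess(banner: str, changelog: str) -> dict:
    """Combine both signals into a verdict a reviewer can act on."""
    naive = naive_check(banner)
    backported = changelog_fixes(changelog, CVE)
    if naive and backported:
        verdict = "false positive (backported)"
    elif naive:
        verdict = "vulnerable"
    else:
        verdict = "not affected"
    return {
        "banner_version": banner_version(banner),
        "naive_flags_vulnerable": naive,
        "changelog_claims_fix": backported,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess("Apache/2.2.15 (CentOS) OpenSSL/1.0.1e", SAMPLE_CHANGELOG))
    print(assess("Apache/2.2.15 (CentOS) OpenSSL/1.0.1e", ""))
```

The changelog test only upgrades a banner match from "certainly wrong" to "vendor says fixed"; where the stakes justify it, the definitive answer is a behavioural test of the service or the vendor's signed advisory, not a string in a changelog.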
Imam Rauf is building mosques on 900 of these holes. Rev Bigot is burning the Qur'an in 984 of these holes and Osama Bin Laden is hiding in the last one.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
... there is nobody in the 'visible' Three-Letter-Acronym agencies that can do computer security, and very few people in the 'invisible' TLA contractors/agencies that are allowed to speak about how they prolong that problem in order to stay employed.
I'd be so bold as to say that the baby's candy protection perimeter was a bit more secure, based on the reports we're seeing.
What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.
?!? Where are you getting this analogy from? ?!?
Can't you think of an appropriate car-themed analogy?
Several years ago I was working at a company hired to do a similar outside audit, who ... was in turn of course hired to fix the situation.
I was handed a Nessus by the fellow who did the audit that pointed out several servers were missing critical Windows patches in the audit the week before ... and to please go out and patch them. Small problem when I arrived on site ... servers were running Debian. So Nessus might be a great auditing tool, but any report is only as good as the people that ran the tool.
Code softly but carry a big magnet.
With Nessus, the "high" severity results are the only ones that really matter. And even then they sometimes don't. For example: "you are using a version of PHP with a security hole in one of the API calls your programs might use" is high, but it isn't a real vulnerability unless you actually use that specific call.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
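Several posts above make the same point from different angles: the headline number counts instances rather than unique findings (202 unique vulnerabilities in 1,085 instances on 174 machines), a scanner will happily report Windows patches missing on a Debian box, only the "high" findings deserve attention, and a documented mitigation such as an ACL plus two-factor auth on telnet should lower a finding's severity in a way that is recorded rather than "subjective". As an added example (not code from the report, from Nessus, or from any commenter), here is a triage script over a Nessus v2 XML export that does those things. Only the element and attribute names (`NessusClientData_v2`, `ReportHost`, `HostProperties`, `ReportItem`, `pluginID`, `pluginFamily`, `severity`) follow the real `.nessus` layout; the hosts, plugin IDs, plugin names and the mitigation register are constructed.

```python
"""Triage a Nessus v2 (.nessus) export: instances vs unique findings, host-OS vs
plugin-family mismatches, and severity adjusted by documented mitigations.

Added example, not code from the OIG report or any commenter.  The XML is
constructed to follow the .nessus v2 element/attribute names; the hosts,
plugin IDs and plugin names are made up for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical.
HIGH = 3

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="constructed">
 <ReportHost name="10.0.0.11">
  <HostProperties><tag name="operating-system">Microsoft Windows Server 2003</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001"
   pluginName="Missing Windows security update (constructed)" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="0" protocol="tcp" severity="3" pluginID="900002"
   pluginName="Java Runtime out of date (constructed)" pluginFamily="Windows"/>
  <ReportItem port="23" protocol="tcp" severity="3" pluginID="900003"
   pluginName="Telnet service enabled (constructed)" pluginFamily="Service detection"/>
 </ReportHost>
 <ReportHost name="10.0.0.12">
  <HostProperties><tag name="operating-system">Microsoft Windows XP</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001"
   pluginName="Missing Windows security update (constructed)" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="0" protocol="tcp" severity="3" pluginID="900002"
   pluginName="Java Runtime out of date (constructed)" pluginFamily="Windows"/>
 </ReportHost>
 <ReportHost name="10.0.0.20">
  <HostProperties><tag name="operating-system">Linux Kernel 2.6 on Debian</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001"
   pluginName="Missing Windows security update (constructed)" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="23" protocol="tcp" severity="3" pluginID="900003"
   pluginName="Telnet service enabled (constructed)" pluginFamily="Service detection"/>
 </ReportHost>
</Report></NessusClientData_v2>
"""


def parse_nessus(xml_text: str) -> List[Dict]:
    """Flatten every ReportItem into a dict that also carries its host's fingerprinted OS."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        os_name = os_tag.text if os_tag is not None else ""
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": os_name,
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "severity": int(item.get("severity")),
            })
    return findings


def summarize(findings: List[Dict], min_severity: int = HIGH) -> Dict[str, int]:
    """The three numbers a headline conflates: instances, unique plugins, hosts."""
    sel = [f for f in findings if f["severity"] >= min_severity]
    return {
        "instances": len(sel),
        "unique_plugins": len({f["plugin_id"] for f in sel}),
        "hosts": len({f["host"] for f in sel}),
    }


def os_mismatches(findings: List[Dict]) -> List[Dict]:
    """Windows-family plugins firing on hosts Nessus itself fingerprinted as
    non-Windows: either the fingerprint or the finding is wrong, so a human looks."""
    return [f for f in findings
            if f["family"].startswith("Windows") and "Windows" not in f["os"]]


def apply_mitigations(findings: List[Dict],
                      register: Dict[Tuple[str, str], Tuple[int, str]]) -> List[Dict]:
    """Lower severity only where (host, plugin_id) has a recorded compensating
    control; the reason travels with the finding so the adjustment is auditable."""
    adjusted = []
    for f in findings:
        g = dict(f)
        key = (f["host"], f["plugin_id"])
        if key in register:
            new_sev, reason = register[key]
            g["severity"], g["mitigation"] = min(f["severity"], new_sev), reason
        adjusted.append(g)
    return adjusted


# Constructed register: telnet on 10.0.0.11 sits behind an ACL and two-factor auth.
MITIGATIONS = {("10.0.0.11", "900003"): (1, "ACL limits source to mgmt VLAN; 2FA on login")}

if __name__ == "__main__":
    raw = parse_nessus(SAMPLE_NESSUS)
    print("raw:", summarize(raw))
    for f in os_mismatches(raw):
        print("verify:", f["host"], f["os"], "->", f["plugin_name"])
    print("after mitigations:", summarize(apply_mitigations(raw, MITIGATIONS)))
```

On the constructed data the raw summary is 7 high instances of 3 unique plugins on 3 hosts, the Debian host's "missing Windows update" is the one mismatch queued for manual verification, and the telnet mitigation drops the high count to 6 while leaving the reason attached to the finding. Against a real export the same three functions give you the "202 unique / 1,085 instances / 174 hosts" breakdown for your own network before anyone argues about the headline figure.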
Something about the carpenter's house or the cobbler's kids having no shoes. I work for a computer support company, and this happens to us and everyone else. Backups/patches/etc. don't get tended to unless someone up the chain knows how important they are and makes it get done. Even then it's hard to keep on top of _everything_ unless you really have people dedicated to it. It's no surprise, and I don't think it's any reason to be angry. It just shows that they need to get better organized about it, like everyone does.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.
I would have liked to have seen a comparison of our Government's security run against some of the banks and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.
Life takes interesting turns, but the most interest is when you're off the beaten path.
across 174 MOE computers scanned of 202 unique vulnerabilities... which comes out to be about 6.2356 vulnerabilities per computer.
"18 year old girl being hired as a supervisor and this was her VERY FIRST JOB"
I guess if I was getting my pole waxed by an 18 year old girl, I'd give her any job she wanted too!
I killed da wabbit -Elmer Fudd
LOL. You had me right there, I mean, what could possibly go wrong? :)
Several things explain an 18 yr old in leadership position quite adequately.
1. "Broken oath of office." (FIOS splitters, failure to regulate the monetary system, torture, spying, data hacking, fucking BS, hell-on-earth pain weapons, and abuse of electronics and physics, or training young minds with unconstitutional bullshit)
2. "Brainwashed Propaganda Replacing the United States Constitution and Bill of Rights" (MIAC REPORT, UN, UNEP, IMF, IPCC, TC, PNAC, AIPAC, CFR, CARBON TAX/POPULATION CONTROL (un/unep/ipcc/imf), FLUORIDE (local), VACCINES (cdc/who/local), AND A ZILLION OTHER THINGS YOU FUCKING CORPORATIONS YOU'D BEST MAKE SURE YOUR FUCKIN CANDIDATE ISN'T AFFILIATED WITH, ALONG WITH THE CORPORATE MEDIA OWNING 90% OF THE FUCKING PUBLIC SPECTRUM, SHITTING ON YOUR INTELLIGENCE)
3. "Corruption protected by State Secrets" Catch-22, and "No Expedited, Clearly Written Procedures for taking out an Oath Breaker" (not to be confused with this never-ending, unconstitutional, undeclared, fucking invisible war on terror)
Step one, outsource everything
Several things explain an 18 yr old in leadership position quite adequately.
1. "Broken oath of office." (FIOS splitters, failure to regulate the monetary system, torture, spying, data hacking, fucking BS, hell-on-earth pain weapons, and abuse of electronics and physics, or training young minds with unconstitutional bullshit)
2. "Brainwashed Propaganda Replacing the United States Constitution and Bill of Rights" (MIAC REPORT, UN, UNEP, IMF, IPCC, TC, PNAC, AIPAC, CFR, CARBON TAX/POPULATION CONTROL (un/unep/ipcc/imf), FLUORIDE (local), VACCINES (cdc/who/local), AND A ZILLION OTHER CORPORATIONS YOU'D BEST MAKE SURE YOUR FUCKIN CANDIDATE ISN'T AFFILIATED WITH, ALONG WITH THE DANGEROUS CORPORATE MEDIA CULT OWNING 90% OF THE FUCKING PUBLIC SPECTRUM, SHITTING ON YOUR INTELLIGENCE)
3. "Corruption protected by State Secrets" Catch-22, and "No Expedited, Clearly Written Procedures for taking out an Oath Breaker" (not to be confused with this never-ending, unconstitutional, undeclared, fucking invisible war on terror)
Check InZerosystems.com... TOTAL security! btw, The name is posted with a smile)))
Yup, I too was hired by DHS via a contractor. My UA was hot for benzos (I was in the middle of a messy divorce, but had no script); I told the Dr. at the physical and they passed me through. I left for the same reason you mention. No rhyme or reason for specialty hires. Myself and another highly qualified co-worker applied for an IED detection instructor position and it was awarded to a 55+ year old woman who had probably never seen an explosive in her life. I left a few weeks later. My co-worker lasted a few more months until he threw in the towel and moved into private security.
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
The government always ends up hiring contractors, this is why the jobs are already contractors, because .Gov/.Mil/.Com C*O/management get to blame-storm the contractors, the contractors can blame-storm each other, and the public thinks civil servants can't do the job. I know a few .Gov IT/Services folks and they know security basics very well, but they cannot interfere with the contractors doing a questionable job, until post-audit or post-incident.
Go discover how many contractors are on the .gov/.mil payroll. Are contractors more competent? Well from this incident and many others, I suspect, the answer is NO!
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
The folks who are actually collecting big paychecks are well certified, qualified, legitimized... and they got BM (business management) degrees.
Also, DHS provides many more big paychecks for the DC, Virginia, and Maryland .gov+.mil+.com money pit.
If you are unemployable, move to the DC, Virginia, and Maryland area where more .gov+.mil+.com easy-jobs move every year. They need janitors and maids. The other jobs are for family and friends of family; Hence, an 18yo woman can be a fully certified, qualified, legitimized... boss (eventually with a business management).
Gooooooood is either god or good with too many "o".
Haliburton can really help with obscurity security, I'm sure.
C*O/Business management is about the same in .com as in .gov/.mil? Limit to 0.6666... average for both suffering the technology peter-principle, then I agree.
Excuses are a major security problem.
In fact, excuses cause major security problems.
No, I am not saying fire the person, because shit happens. Unless the person is the problem looking for excuses for all the shit happening.
It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.
DHS CyberSecurity Misses 1085 Holes On Own Network
In other news, bears found to shit in woods. News at eleven!
"This is all about blame shifting and the appearance of easy 'correction.'"
Congratulations! You just gave the best definition of what a bureaucracy is!
Not to be cynical here... well yes I am... what do you expect from COFEE http://www.microsoft.com/industry/government/solutions/cofee/default.aspx drinking and donut-eating https://www.dunkindonuts.com/ lazy system admins? Some people who work for the DHS cannot be bothered and are still trying to figure out the FBI's Carnivore, swiftly changed to the code name Magic Lantern.... "You rub it and a Genie pops out with 3 wishes".
All cows eat grass!
I don't know that what you experienced is quite what the article's talking about.
I'm not at DHS-OIG, but in reading their report, it looks to me like it's a pen test or internal vulnerability scan, not an inventory of what patches they have installed. Nessus exists to find actual holes, not just see what patches you had installed compared to FDCC. The report said a Nessus scan found 202 high-risk security holes (as well as 338 medium- and low-risk) in 1085 instances on 174 computers, not just missing patches for systems that aren't actual vulnerabilities.
I'd like to be able to see the report that says exactly what the holes are, but I suspect that that level of detail is probably classified. Given the other findings and recommendations in the report, I'd be inclined to believe that there are real problems and not just a few missing patches.
I hate security theater as much as anybody, but I think this vulnerability scan might be serving a worthwhile purpose.