Slashdot Mirror

← Back to Stories (view on slashdot.org)

State Department Joins NOAA, USPS In Club of Hacked Federal Agencies

Posted by timothy on from the more-funding-next-year dept.

Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame. “This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system,” said one senior State Department official, adding that the department expected its systems to be up soon. ....The breach at the White House was believed to be the work of hackers in Russia, while the breaches at NOAA and the Postal Service were believed to the work of hackers inside China. Attributing attacks to a group or nation is difficult because hackers typically tend to route their attack through compromised web servers all over the world. A senior State Department official said the breach was discovered after “activity of concern” was detected on portions of its unclassified computer system. Officials did not say how long hackers may have been lurking in those systems, but security improvements were being added to them on Sunday.

54 comments

  1. FISMA Security huh by Eosi · · Score: 2, Interesting

    All of these agencies had to follow FISMA (among others regs). Perhaps its time to stop letting politicians tell us how to do security?

    1. Re:FISMA Security huh by Lumpy · · Score: 3, Insightful

      I always found it entertaining that In govt you have zero education people dictating IT and IS policies.

      But it's the same way in corporate america, I have yet to meet a CIO or CTO that has a clue.

      --
      Do not look at laser with remaining good eye.
    2. Re:FISMA Security huh by i+kan+reed · · Score: 2

      They have lots of education, more than the average citizen of our country, by a hefty margin. It's just the average type of their degrees are located firmly in law schools. They know how to be completely unambiguous in how they describe their wrong beliefs.

    3. Re:FISMA Security huh by tomhath · · Score: 1

      Same could be said about many other things, e.g. healthcare, education, broadband...

    4. Re:FISMA Security huh by Eosi · · Score: 1

      Education does not make you smart. It just means you can memorize a lot of things. Using that knowledge is where WISDOM comes in. We need Wise people in congress to make the laws. Ones who have experienced things from the beginning. Getting a CISSP when you have only done account management does not make you an expert on physical security, compliance or legal issues around security.... Experience does. How many new managers have you met, that can barely manage themselves???

    5. Re:FISMA Security huh by swb · · Score: 1

      They know how to be completely unambiguous in how they describe their wrong beliefs.

      I would describe it as knowing how to be completely ambiguous when they believe they are wrong.

    6. Re:FISMA Security huh by ArcadeMan · · Score: 1

      They have lots of education...

      "The true sign of intelligence is not knowledge but imagination." - Albert Einstein

      --
      Get free satoshi (Bitcoin) and Dogecoins
    7. Re:FISMA Security huh by i+kan+reed · · Score: 1

      No one said they are smart. And your "wisdom" is nonsense. Overextending the human propensity for pattern recognition with no formal tools to reduce the effects confirmation bias. Every serious system of formal study works on a body of knowledge that is constantly reworked for new information by some kind of critical process: the scientific method, the historical method, critical frameworks, with the occasionally argued exception for arts.

      Education isn't sufficient to be smart about something, but it's often necessary.

    8. Re:FISMA Security huh by i+kan+reed · · Score: 1

      Look, congress sucks, and they aren't our country's absolute best and brightest by any stretch. But the depressing fact of the matter is that they probably are, on average, at least a little smarter than the average American for almost any metric you come up with. That's more of an indictment of Americans than it is praise of congress.

      It takes a little bit of skill to "fool most of the people most of the time".

    9. Re:FISMA Security huh by Eosi · · Score: 0

      I'm sorry, but are you saying that you do not want people to have Wisdom, when running this country? Experience makes you wiser. Reading a book only gives you the writer's opinion. Reading a wood working magazine may show you the 10 steps to build a cabinet, but that does not mean you can tell a master cabinet maker that they are doing it wrong because you read a book.... That's what we have by Congress telling Security personnel how to secure the network and data with all the regs like FISMA and such. Thanks for the input, but allow the people with the Wisdom to do their job....

    10. Re:FISMA Security huh by gstoddart · · Score: 1

      It's just the average type of their degrees are located firmly in law schools. They know how to be completely unambiguous in how they describe their wrong beliefs.

      Oh no ... they know how to be completely ambigious and open ended in their wrong beliefs, just like a lawyer.

      Give yourself lots of wiggle room, and some extra play for the people who paid you, and take no ownership and responsibility for what you do.

      Lawyers know how to turn ambiguity to their benefit.

      --
      Lost at C:>. Found at C.
    11. Re:FISMA Security huh by DigiShaman · · Score: 1

      Depending on the size of the organization: CxO's view is abstracted to only focus on the business side of things. Core concepts and paradigms that match expected work-flow and ROI. It's truly the the layers below that actually choose the tools (technology) and implement them. In some cases the CIO will choose the tool (being clueless and going on buzzwords features alone), but really it's the IT Director that does the implementation to make all that magic work.

      CIO: I want product X because it does ZY. Make it happen #1 (IT Dir)!
      IT Dir: Ok, but here are the prerequisites and expected time to completion. I have the OK? Good *cracks whip*. IT staff, start working on this new project. That include Network, Workstation, and Server group.

      --
      Life is not for the lazy.
    12. Re:FISMA Security huh by Anonymous Coward · · Score: 0

      MBA doesn't count.

    13. Re:FISMA Security huh by Anonymous Coward · · Score: 1

      The ironic thing is that when I was applying for jobs a few years ago, I'd get asked if I either had a CISSP or a clearance, and regardless of qualifications, if I had neither, I'd be shown the door in minutes.

      People bash certificates, but lets be real... the alphabet soup of characters does get you in the door and up the ladder. Management doesn't see how good/bad people perform. They see the certs though, and guess who makes the HR decisions?

    14. Re:FISMA Security huh by mlts · · Score: 1

      FISMA regs are pretty sane as this stuff goes (especially for government work). I'm pretty sure had they been followed, this most likely would not have happened.

      FISMA, NIST guidelines, and PIV cards cover a lot of issues. The only real one that remains is creating a government network like NIPRNet or SIPRNet, but for all entities, and have that completely separate from the Internet, using dedicated lines, virtual circuits, and end to end encryption. That way, if two machines are not expressly allowed to communicate with each other, they can't.

    15. Re:FISMA Security huh by Anonymous Coward · · Score: 0

      Sociopathy isn't a skill.

    16. Re:FISMA Security huh by Lumpy · · Score: 1

      Then they need to be BANNED From making any policy decisions in regards to Security or operation.

      In fact not only banned, but must wear a collar that allows any IT employee to TAZE them when they say something stupid.

      --
      Do not look at laser with remaining good eye.
    17. Re:FISMA Security huh by sumdumass · · Score: 1

      Its largely a coya situation. Whether you are a complete imbecile or the grand daddy of all neck beards who shared part of creating computers, the cert is the only way a mid level manager is going to be able to pass the blame on you not doing it corectly rather than himself for hiring you if something goes wrong. It likely allows them to escape punitive damages if sued over it too- of course qe hired a qualified person, ignore the fact he's the owners neighbor's kid, he has all these certs.

    18. Re:FISMA Security huh by mlts · · Score: 1

      Regardless of the method, education is needed. There are few worst things than being clueless.

      Cluelessness of the law can get one arrested. There are people who don't realize that one stupid thing like saying "no" when asked to leave can mean six months to a year in the county can for trespass, or that driving a car when a passenger is carrying dope can mean the car becomes property of the county and the driver becomes property of the local correction system for 2-10. Cluelessness is doing anything other than hanging up with some phishing bill collector demands you pay some debt (which you never incurred) from a company you never heard of. Say anything, they will sue and said the debt was acknowledged. Cluelessness is someone shrugging and being apologetic because some shitbag rear-ended them... and said shitbag then uses that apology in court as admission of guilt.

      In the wild, cluelessness is someone going on a camping trip, then wondering what to do when hiking and gets surrounded by feral dogs looking for an easy meal.

      Look at the US. The education system is what makes a country great or hamstrings it.

    19. Re:FISMA Security huh by Anonymous Coward · · Score: 0

      the county jail has better and much cheaper health care then the GOP plan even more so if you have a pre existing conditions

    20. Re:FISMA Security huh by orgelspieler · · Score: 1

      It's not really right to compare CIO and CTO in this regard. The CTO at my company is a PE and damn smart. But he doesn't know squat about IT security. That's not his job. The T in CTO stands for technology, but it refers to the technology that the company makes, not information technology.

    21. Re:FISMA Security huh by spamking · · Score: 1

      I always found it entertaining that In govt you have zero education people dictating IT and IS policies.

      But it's the same way in corporate america, I have yet to meet a CIO or CTO that has a clue.

      This is so true. They often ask us to interpret a policy for them and ignore it when it's an answer they don't want to hear. We (the Federal government) do a great job of setting ourselves up for failure.

    22. Re:FISMA Security huh by ldconfig · · Score: 1

      All these "hacks" are nothing more than fancy Wall Street rich pukes trying to scare our elected leaders into giving them billions and billions of tax dollars.

      --
      The spelling and grammar police can kiss my ass
    23. Re:FISMA Security huh by Anonymous Coward · · Score: 0

      They have lots of education, more than the average citizen of our country, by a hefty margin. It's just the average type of their degrees are located firmly in law schools. They know how to be completely ambiguous in how they describe their wrong beliefs.

      Fixed that for you. Since having non-ambigious laws would be too limiting for them.

  2. "our main unclassified system" by Gravis+Zero · · Score: 1

    do they ever say when their classified system gets breached? no, of course not, it would let people know how laughable their security really is.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:"our main unclassified system" by Anonymous Coward · · Score: 0

      Considering that information itself is likely classified... it's not very surprising. You could take a piss in a SCIF and it'd be labeled as classified

    2. Re:"our main unclassified system" by The+MAZZTer · · Score: 1

      Any sane classified network should have an air gap. You would have to physically move data off the network to get it.

    3. Re:"our main unclassified system" by Anonymous Coward · · Score: 0

      > do they ever say when their classified system gets breached? no, of course not,

      Yes they do.

      > it would let people know how laughable their security really is.

      They don't generally talk about what happens on a classified network because, it is a classified network.

    4. Re:"our main unclassified system" by Anonymous Coward · · Score: 0

      > You could take a piss in a SCIF and it'd be labeled as classified.

      I have literally taken a piss in a SCIF because the procedure to close it up and then re-open it was about 20 minutes which was too much hassle for a 2 minute pee-break. I pissed in an empty 2-litre soda bottle and did not mark it classified, walked out with it when my shift was done.

    5. Re:"our main unclassified system" by Tablizer · · Score: 1

      Wouldn't a breach turn it into an "unclassified" system? Is "classified" based on intent, or on who actually knows? (Where's that Security Terminology Lawyer when you need him/her?)

      --
      Table-ized A.I.
    6. Re:"our main unclassified system" by Anonymous Coward · · Score: 0

      Classification does not change because it has been breached. If you will recall, people who hold security clearances are not permitted to read classified documents published by wikileaks because those documents remain classified.

  3. supposed to. Compliance orthogonal to security by raymorris · · Score: 1

    Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though compliance and security are not only not the same thing, but they are only very loosely coupled, of it all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security " standards.

    PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.

    1. Re:supposed to. Compliance orthogonal to security by spamking · · Score: 1

      Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though compliance and security are not only not the same thing, but they are only very loosely coupled, of it all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security " standards.

      PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.

      There are many influences on these regulations that are intended to offer some illusion of security, but all they seem to do is increase the cost to meet them and decrease the quality of services Federal Agencies are charged with providing to the American public. The Agency I'm in is fully expected to meet these requirements as laid out by HITECH and Meaningful Use. However, the ROI is not remotely worth the effort. Let's spend millions meeting some requirement so we can increase our collections by some very small percentage. Spend millions attempting to meet some requirement that will never be met . . .

      Drives me crazy.

  4. Now it gets real by Anonymous Coward · · Score: 0

    NOAA, USPS? Yawn. But State Depaetment is a big deal.

    1. Re:Now it gets real by TheCastro1689 · · Score: 3, Insightful

      NOAA was taken down and it almost effected everyone that uses the weather/sea info. And that's a lot of companies and organizations.

  5. USPS is not a Federal Agency by Anonymous Coward · · Score: 0

    USPS is a Government Sponsored Enterprise, not a Federal Agency.

    1. Re:USPS is not a Federal Agency by Eosi · · Score: 0

      Sorta correct. They have to abide by many federal standards though, including Federal Holidays and things such as FISMA. I believe that they are also classified as government workers, or at least there were back in the 90's when my family worked for them. (They used to hire Marines and Army people as they left service and they got their government pension.)

  6. Unclassified e-mail by Anonymous Coward · · Score: 0

    I wonder if, in the middle of a huge pile of unclassified e-mail, there might be some little bit of classified material that got sent over the wrong channel, due to an honest mistake or because of a misplaced "damn the regulations I'm getting this done now no matter what" moment.

  7. It's easy these days by Anonymous Coward · · Score: 0

    It's easy these days to just throw your hands in the air, say you were hacked, and point fingers at the rivaling world powers. Yes, we are speaking of Americans, but to think that the U.S. government wouldn't be able to secure its networks, and that only the Chinese and Russians would be trying to "get in", is ridiculous. This is nothing but baseless propaganda.

  8. Damn pesky Russians! by Severus+Snape · · Score: 3, Insightful

    Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times Reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame.

    For a moment there I thought TFA was not going to blindly name drop China or Russia. Don't worry folks, they did not forget!

  9. Bleah by RogueWarrior65 · · Score: 1

    Dealing with the State Department is already a byzantine process. It'll only get worse now.

  10. Re:Gay Wigger Association of DICE by Anonymous Coward · · Score: 1

    [ ] I am gay
    [ ] I am a wigger
    [X] I have used SLASHDOT BETA to find a sex partner

  11. they can't. people build it, people break it by raymorris · · Score: 3, Informative

    > but to think that the U.S. government wouldn't be able to secure its networks, and that only the Chinese and Russians would be trying to "get in", is ridiculous.

    For $5000, you can buy a heavy safe made of concrete and steel. For $32, I can rent a concrete saw made to cut concrete and steel. You can't secure ANYTHING and have it still be useful. The question is "how hard should it be to breqk in?" The state department network should be pretty hard to breqk into. It'll never, ever be impossible.

    The government of China isn't stupid. They know that if you are going to have a military and be a world power, it makes sense to also have significant cyber resources - so they do. They use them regularly, especially since the US allows it. The US doesn't respond to cyber attacks the same way they'd respond to physical attacks.

    1. Re:they can't. people build it, people break it by Anonymous Coward · · Score: 0

      Your analogy with the safe and saw is lacking of understanding of the topic. You also seem to think that the U.S. is the prime embodiment of justice, innocence and conduct, while nothing could be further from the truth. The fact that the U.S. itself violates and conducts greater and more wide-spread spying than any other country makes these outcries even more pathetic and laughable.

    2. Re:they can't. people build it, people break it by trawg · · Score: 1

      And now is probably the BEST time to be doing it. Threat of physical retaliation is extremely low for most major powers, but the intelligence that can be gained - both in terms of identifying potential weak points in infrastructure and systems, and ways to improve defence against attacks - must be priceless.

  12. Story is a hoax by Anonymous Coward · · Score: 1

    With the huge surveillance state we have, such hackings are impossible. It has to be a hoax. There is no other explanation.

  13. Security in any organization is an afterthought by ErichTheRed · · Score: 3, Interesting

    I can see 2 things as the main root cause of this:
    - Layers and layers of outsourced IT. Especially when dealing with a federal agency, almost every IT service in any agency has been outsourced. Those outsourcers hire other outsourcers and it becomes a big mess when you try to do anything that affects multiple parts of a system. I see this in the private sector as well working for an outsourcer...our team does their best to help but it's really maddening to see how much things slow down when the control gets dispersed. The network team has to talk to the storage team, who has to talk to the server team, who needs to open a ticket with the field services team to implement change #C9348673634. I do systems architecture work, so it's really painful to have to design around a garbage system like this rather than having a few smart people who know the system end-to-end.
    - Security is tough and no one wants to be bothered. It wouldn't be impossible to enable 802.1x on a network, implement proper PKI to enable its effective use, and encrypt hard drives. But often, it either becomes too difficult to support or no one has the will to say things must be done in a certain way. Plus, user education is impossible. No matter how stringent the password policy is, they just write them down. People leave unencrypted laptops on trains with company data on them. It's just not possible to get them to care, full stop. They could be working with top secret nuclear weapons designs and it would mean nothing to them.

    Of these two, I think the first is the hardest to overcome. Once a company or government agency has given up control of its IT environment to a company that needs to squeeze every nickel out of a contract, nothing difficult will get done. If an organization retains some sort of control and mandates change, it can be done at least to some degree. Look at how the attack on Target was carried out -- the group responsible figured out that the outsourced HVAC repair company had a connection to the store network, which (idiotically,) the POS systems were also directly attached to. So by the time the outsourced IT services team figured out they had a problem, it was too late. This is what leads companies to delay things like patching and updates to equipment, because the process is too painful when dealing with the 25 third parties you have to line up for such a change.

  14. All Agencies Have Been Hacked by SwashbucklingCowboy · · Score: 1

    Some just don't know it...

  15. Where do you see any of that? How many CVEs? by raymorris · · Score: 1

    > You also seem to think that the U.S. is the prime embodiment of justice, innocence and conduct,

    Where do you see any of that? You might note that the only thing I said about the US is that they don't respond to cyberattacks the same way they respond to physical attacks. You seem to be smoking something pretty strong that gives you textual hallucinations any time an expert disagrees with your guess.

    > Your analogy with the safe and saw is lacking of understanding of the topic.

    Let's look at your CVEs and mine and see who is lacking understanding of the topic. Oh, your name isn't on any CVEs? Okay, we'll compare kernel contributions. Whoever is mentioned most in the kernel changelog probably knows a little something about what they're talking about. Oh, not a contributor, are you? Maybe a different metric - the security system I wrote only protects about 34,000 ecommerce sites. If yours protects more, you win.

    1. Re:Where do you see any of that? How many CVEs? by Anonymous Coward · · Score: 0

      You're very quick throw your "CVEs" around, and your work on "the kernel", as if everyone would then instantly know who you are. It seems like a desperate way of asserting yourself, but that kind of dick-fencing isn't going to make this any less bullshit.

      There has never been any definitive proof that Russia and China has ever broken into U.S. gov systems. There are only accusations, flowing out of the mouth of a government that itself engages in more spying and propaganda than any other. It is bullshit, period.

  16. Internet 3 by ThatsNotPudding · · Score: 1

    Maybe it's time for FedGov to build their own Internet that is intentionally incompatible with the foundational building blocks of the Internet (except at well-controlled, secure interface conversion gateways).

  17. Being on the USAs current shitlist? by lippydude · · Score: 1

    What's the correlation between being on the current State Department shitlist and getting accused of 'hacking'?