Slashdot Mirror


US State Department Can't Get Rid of Email Hackers

An anonymous reader sends this quote from a Wall Street Journal report: Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn't been able to evict them from the network, say three people familiar with the investigation. Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter said. Each time investigators find a hacker tool and block it, these people said, the intruders tweak it slightly to attempt to sneak past defenses. It isn't clear how much data the hackers have taken, the people said. They reaffirmed what the State Department said in November: that the hackers appear to have access only to unclassified email. Still, unclassified material can contain sensitive intelligence.

2 of 86 comments

  1. Okaaaaay.... Lemme take a couple guesses here... by Narcocide · · Score: 3, Interesting

    Assuming it's not actually one of their own employees/consultants helping re-infect the systems, maybe one or more of these fairly common situations applies:

    * Using Cisco routers with default configurations and firmware that hasn't been updated in years...
    * Using unencrypted, plain text authentication for systems instead of public key auth...
    * No password strength standards (some employees predictably using "911" or "123456" for their passwords)
    * Employees allowed to re-use the same passwords after the supposed "clean sweep"
    * Windows filesharing services
    * Wireless networking at all, or possibly using WEP or even completely open
    * Microsoft Office documents from outside sources
    * HP printers, or really any network/wifi enabled printers
    * That one old Windows XP box nobody is allowed to reformat clean because it's "mission critical"
    * Employees are allowed to bring in their own laptops/cellphones and other usb/bluetooth/wifi enabled devices

    Did I miss anything? Anyone else seen this crap enough times to know the intrusion vector is probably nothing highly advanced or original?

  2. Re:Blacklist by Em+Adespoton · · Score: 4, Interesting

    The security hole is likely end users. The software being "tweaked" is probably Word documents pushing Dyreza malware. The issue they face is that if they want to allow Office documents with embedded VBA macros (this is probably heavily embedded in their office workflows), it doesn't matter that they've identified the security hole, they can't close it without making massive changes to how they do business (or significantly change their IT security policies for desktop endpoint use).

    Based on the mincemeat the Office macro payloads have been making of everyone's security lately, this is probably all it is. There's probably no targeted hacking going on at all; just a failure to keep up with the latest generic malware attacks, like with almost everyone else. Of course, since the attackers probably realize by this point where they've gotten into, they're going to ensure they stay there by using the same methods.

    That said, it could be just about anyone else employing APT methods too -- wouldn't be all that difficult; just more difficult than deploying the already common crimeware packages you can get on the darknet at a discount.
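As an added example (not from the comment, the article or any State Department tooling), a small Python check of the kind a mail gateway or file scanner could apply to flag OOXML documents that carry a VBA project, which is the macro vector the comment describes. The sample documents are constructed in memory; the content-type string is the one OOXML declares for the VBA project part.

```python
import io
import zipfile

# Content type that OOXML declares for a document's embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML (docx/docm/xlsm/pptm) blob and report macro indicators.

    is_ooxml     - True if the bytes are a zip containing [Content_Types].xml
    vba_parts    - zip entries named vbaProject.bin (the macro code itself)
    declared_vba - True if [Content_Types].xml declares the VBA content type
    has_macros   - True if either indicator fires
    """
    result = {"is_ooxml": False, "vba_parts": [], "declared_vba": False, "has_macros": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            # Indicator 1: the binary VBA project part, wherever it is stored.
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Indicator 2: the declared content type; a renamed .docm still declares it.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            result["declared_vba"] = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return result  # not a zip at all, so not an OOXML document
    result["has_macros"] = bool(result["vba_parts"]) or result["declared_vba"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped zip, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ctypes += '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
        if with_macro:
            ctypes += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        zf.writestr("[Content_Types].xml", ctypes + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample(False)), ("invoice.docm", build_sample(True))):
        print(label, office_macro_indicators(blob))
```

Flagging on either indicator catches a document whose macro part was renamed as well as one whose content-type manifest was stripped; a policy that blocks flagged attachments from outside sources is the mitigation the comment says such an organisation struggles to adopt.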