Slashdot Mirror


DHS Offering Free Vulnerability Scans, Penetration Tests (krebsonsecurity.com)

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

79 comments

  1. The TSA does this every day by mveloso · · Score: 3, Funny

    Most people don't enjoy the TSA scans and penetration tests, but I guess different strokes for different folks.

    1. Re:The TSA does this every day by Anonymous Coward · · Score: 0

      And just like the TSA's tests, I expect the DHS to be just as competent at cyber security as they are with physical security.

      Note that this isn't the NSA or CIA doing it, it's the DHS, of which the TSA is part of it. They're known mostly for being utterly useless at everything they try and do.

    2. Re:The TSA does this every day by davester666 · · Score: 1

      Bankers are big on BDSM

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:The TSA does this every day by thoughtlover · · Score: 1

      With a headline like that, I expected to be laughing at the comments.

      --
      No sig for you! Come back one year!
    4. Re:The TSA does this every day by rtb61 · · Score: 2

      Nothing funny, legally it is a very bad idea as under law the DHS is allowed to lie to you, so the penetration tests have, under law, zero value. They are far more likely to not declare any holes they have found in case they can use them for investigatory purposes or put holes in place they can use for investigatory purposes. Basically under law you can not trust US investigatory agencies unless any of those claims and declarations are made in a court of law, the only place they are legally required to tell the truth. Stupid people routinely write stupid laws and routinely allowing them to lie is as stupid as it gets.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:The TSA does this every day by Type44Q · · Score: 1

      penetration tests

      I'm still waiting for the "National Sheep Association" jokes...

  2. Heh... by MobSwatter · · Score: 1

    Like penetrating pretty much anything these days would be a challenge after the NSA rooted everything.

    1. Re:Heh... by wyHunter · · Score: 1

      The only solution any longer is not to use electronics for anything significant.

    2. Re:Heh... by dank101 · · Score: 1

      But that's only for national security and stopping terrorism! And in no way whatsoever in any universe could the NSA be lying, right? Right?

    3. Re:Heh... by MobSwatter · · Score: 1

      But that's only for national security and stopping terrorism! And in no way whatsoever in any universe could the NSA be lying, right?

      Right?

      Which is actually about NSA and revolving political 'theater' following orders of banksters, preservation of a fiat currency propped up on the petro dollar since '71 because the banksters swindled their own bank, department of energy prospects, corporate espionage and enslaving and sticking us with the check. If the place is going to continue to be run by foreign thieving superstitious closet case Nazi pedophiles, perhaps they should just push the button by picking a fight directly with Putin instead of the cat and mouse proxy war BS.

  3. It's a trap! by Nidi62 · · Score: 5, Funny

    The newest scam call: (cue heavy Russian accent) "Hello, my name is Steven. I am calling from the Department of your Homeland Security and am definitely not former KGB agent. For limited time only we are offering free computer vulnerability scans and identity theft testing. Please give us your computer login credentials and bank information that we may begin our testing." (end heavy Russian accent)

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:It's a trap! by DoofusOfDeath · · Score: 5, Funny

      (end heavy Russian accent)

      Glad you remembered closing tag. Otherwise rest of comments would also have Russian accent.

    2. Re:It's a trap! by TheCarp · · Score: 1

      Hmmm the text doesn't read like a very convincing Russian accent, as it has a somewhat distinct grammar that goes with it. Particularly, skipping use of the definite article, and less superfluous preposition usage:

      I would expect it to be more like "Hello, my name is Steven. I am calling from Homeland Security Department and definitely not former KGB agent." That seems more like the flow I have come to expect from a person with a heavy Russian accent.

      I know there are likely a lot of Russians who have learned more normalized English grammar, but remember, scammers actually have very little reason to try too hard. They want the kind of person who isn't going to question a person in a bad accent asking for their personal details.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:It's a trap! by Nidi62 · · Score: 1

      Hmmm the text doesn't read like a very convincing Russian accent, as it has a somewhat distinct grammar that goes with it. Particularly, skipping use of the definite article, and less superfluous preposition usage:

      Which is exactly why a "smart" scammer would make sure to use definite articles and prepositions, probably to the point of overcompensating and using them too much.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    4. Re:It's a trap! by RealGene · · Score: 1

      More like "Hello, I am Steven of Homeland Security Directorate, ahh Department".

      --
      Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
    5. Re:It's a trap! by Anonymous Coward · · Score: 0

      Doris would agree...

      CAP === 'vacuous'

    6. Re:It's a trap! by Anonymous Coward · · Score: 0

      Your post reads like it was written by a Russian.

    7. Re:It's a trap! by TheCarp · · Score: 1

      Yes but even that is more work and more expensive. Pretty sure it's cheaper to just hire the people with the bad accents to get on the phone for you.

      My assumption is they are so bad because there is no value in being better, not because there is so much value in being bad that they go out of their way.

      --
      "I opened my eyes, and everything went dark again"
    8. Re:It's a trap! by alexhs · · Score: 2

      Now you closed it a second time! Let's match opening and closing tags!

      (cue heavy Russian accent)

      Voilà! Much better now.

      A physicist, a biologist and a mathematician are sitting in a street café watching people entering and leaving the house on the other side of the street. First they see two people entering the house. Time passes. After a while they notice three people leaving the house. The physicist says, "The measurement wasn't accurate." The biologist says, "They must have reproduced." The mathematician says, "If one more person enters the house then it will be empty."

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  4. Sounds easy enough. by NMBob · · Score: 2

    ...and all you have to do is install this one little piece of code. It will delete itself when the test is over. Really! Honest! ...What are you looking like that for!?

  5. Obligatory Sneakers Reference by Anonymous Coward · · Score: 0

    "So, people pay you to break into their places....to make sure no one can break into their places?"

    "It's a living."

    "Not a very good one."

    1. Re:Obligatory Sneakers Reference by Anonymous Coward · · Score: 0

      "Great. Now we got to look for a cocktail party... ...on the other side of the railroad track."

      Gotta love Sneakers.

  6. taxpayer by Anonymous Coward · · Score: 0

    And it's all free of charge (well, on the U.S. taxpayer's dime)

    What??? Those lazy bastards are sucking the government's tits? Oh, it's corporations you say... ok, go on, have these billions for fossil fuel as well.

  7. Must have extend to all levels of DHS by XxtraLarGe · · Score: 1

    The TSA has been scanning for vulnerabilities & performing free penetration tests for over a decade now.

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:Must have extend to all levels of DHS by Anonymous Coward · · Score: 0

      TSA patdowns and naked body scanners started in 2010.

  8. OPM only had to do it once... by Defenestrar · · Score: 2

    I'm sure they're very thorough. You can have your system vetted and as secure as OPM.

    1. Re:OPM only had to do it once... by Fire_Wraith · · Score: 5, Interesting

      One of the problems that the US-CERT/ICS-CERT/etc folks at DHS had (aside from the fact that they were/are forced to be part of DHS) was that while they could tell various Federal agencies that their systems had more holes than swiss cheese, what they didn't have was the authority to tell other federal agencies that they had to fix it, or else. I believe there's been a push to try and fix that problem, though I'm not aware of how far it's come, and it certainly wasn't in time for OPM.

      I used to work there, in fact (at least until I found something in the private sector that was better for my sanity/soul/salary*). While I'm not familiar with anything to do with OPM in specific, that sort of scenario popped up all the time. It works much the same in the private sector, in that you can be the best pentester in the world, but if the customer you ran it for doesn't intend to spend the money fixing the holes you pointed out, or drags their feet in doing so, they're still going to get owned despite your best efforts.

      As to whether DHS is competent - I knew a lot of really good people (and some less so) when I was there. I know many that went on to work at better jobs doing more interesting things in the private sector, for better pay, so the best of the best aren't going to stick around, but that doesn't mean there aren't competent people there. ICS-CERT (the group focused on critical infrastructure/control systems/etc) in particular always seemed pretty competent to me, and are probably about as different from the usual impression of DHS as you'd expect. To give an example, they showed up at Defcon this past year with an awesome hands-on setup, including an entire mock plant setup with all the controllers that people were free to plug in to and go nuts. (Granted, they never mentioned the fact that they were DHS, but then, would you?)

      So certainly I wouldn't expect DHS to be outdoing the best of the best when it comes to penetration testing, but for that municipal water plant in West Nowhere, Texas, that doesn't have the money to hire the best, it's a much better solution than just not doing anything.

    2. Re:OPM only had to do it once... by KGIII · · Score: 1

      As this is done with our tax dollars, do we get the results? How about via the FOIA?

      --
      "So long and thanks for all the fish."
    3. Re: OPM only had to do it once... by Anonymous Coward · · Score: 0

      I would hope they would do a redacted version that is vague but gives you a sense of how good or bad security is. If they hand out the actual report before a fix is in then they are causing an issue, however, post fix they should release a list like health code inspections are handled in restaurants.

    4. Re:OPM only had to do it once... by Fire_Wraith · · Score: 1

      My guess is no - much as you'd expect to sign an NDA covering anything you found in a commercial penetration test/vulnerability scan etc, the Government would likely mark the results as Protected Critical Infrastructure Information, which is not subject to FOIA, though it's not considered "classified" in the traditional sense. I believe the idea is that without that protection, and reassurance that their competitors won't be FOIA'ing it, never mind regulatory agencies, the companies would never let DHS look at their stuff in the first place, and that it's better to be able to try and improve the security than not.

    5. Re: OPM only had to do it once... by KGIII · · Score: 1

      Yeah, I'd also think it would have research value like, "most common issues found in x scenario." It'd give the private sector something to look for as well as provide just general research data that might be of value to someone. Definitely redacted. I mean, yeah - I paid for it, can't I see the results and use those results? Well, not me personally but me the citizen. I'm retired and happy for it.

      --
      "So long and thanks for all the fish."
    6. Re:OPM only had to do it once... by KGIII · · Score: 1

      Maybe they could/should munge the data so it's not identifiable or release it to a university research facility with strict release criteria? Even the aggregate results might be of value to some. Presumably, these companies have hardened their systems due to the results and would no longer be subject to the exploits found but you're probably right about both the critical infrastructure and their unwillingness to undergo the tests without such protections.

      I see this as a potentially beneficial service though I'd suspect the companies can pay or pay a sliding fee. Erf... I'd almost agree to the idea of this being mandatory, or something similar, if a company wants to retain PPI. I'd take some convincing because I'm pretty much against the idea of additional regulations as a general rule. I'm not a crazy zealot so I don't see it as a black and white thing and would make exceptions for good laws that actually had a tangible benefit. (I'm not an anarchist or even a minarchist, really.)

      --
      "So long and thanks for all the fish."
  9. Get out of jail free. by xxxJonBoyxxx · · Score: 3, Insightful

    >> The problem is that it measures only a very limited subset of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’

    This.

    >> They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.

    Simple solution: put in a regulation that says if you get breached, you agree to take down your online services for two weeks to get your house in order. Something like that would free up money for preventative solutions in a hurry. Furthermore, we KNOW the inspected organizations have some security personnel (which aren't cheap) because the permission form asks for specific contacts who might be smart enough to interpret any results.

    1. Re:Get out of jail free. by Anonymous Coward · · Score: 0

      The cynic in me says they're just indexing every company's systems, maybe even harvesting data, and using this as a cover if caught.

    2. Re:Get out of jail free. by schwit1 · · Score: 2

      What is the punishment for government agencies? OPM knew they had been hacked for a long time but CHOSE to remain online so OPM business was not interrupted.

  10. In Soviet America by TheCarp · · Score: 0

    Security Penetrates YOU!

    Seriously though, who would want their systems compromised by a group of motivated liars who have a demonstrated track record of covering up their own wrongdoing and misusing any access they do get?

    Anyone who wants that deserves every inch of penetration they are going to get.

    --
    "I opened my eyes, and everything went dark again"
  11. Scope creep by Anonymous Coward · · Score: 0

    DHS once again proving it can't figure out what its mission is.

    1. Re:Scope creep by TheCarp · · Score: 1

      "Job Creation" covers the entire spectrum. Pretty sure they know EXACTLY what their "mission" is.....expand their employment opportunities.

      --
      "I opened my eyes, and everything went dark again"
  12. Whaddya know by Tablizer · · Score: 1

    ...the fox will test your hen-house for free.

  13. Why is this free of charge? by rsborg · · Score: 5, Insightful

    Another example of corporate welfare... pen-testing costs time and money, why should I as a taxpayer be out this money?

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Why is this free of charge? by Anonymous Coward · · Score: 1

      Because every vuln left open means your odds of financial fuckage skyrocket.

    2. Re:Why is this free of charge? by Anonymous Coward · · Score: 0

      You think corporate welfare is the angle the DHS is using? I guess you think we need to give up more rights to be safe also?

    3. Re:Why is this free of charge? by micahraleigh · · Score: 1

      So the people writing commercial (good) security software can lose their jobs when the market goes to the free option.

    4. Re:Why is this free of charge? by Anonymous Coward · · Score: 0

      Because every vuln left open means your odds of financial fuckage skyrocket.

      That's because there's no liability in the computer world for fucking things up.

      Build a bridge that fails and you go to jail.

      Build a crappy computer system that fails and you get paid more money to fix it.

    5. Re:Why is this free of charge? by MobyDisk · · Score: 1

      Corporations pay taxes too. In theory.

    6. Re:Why is this free of charge? by rsborg · · Score: 1

      You think corporate welfare is the angle the DHS is using? I guess you think we need to give up more rights to be safe also?

      No, I want valuable services rendered to be paid for. I also don't want to have to pay for banks (who are insanely profitable), which should be paying for themselves. Government should mandate compliance for online security, and let the private sector handle the audits. The DHS testers can be the "meta-mod". I'd be willing to part with taxes for that.

      --
      Make sure everyone's vote counts: Verified Voting
    7. Re:Why is this free of charge? by Anonymous Coward · · Score: 0

      I think you missed the part where this is for critical infrastructure. Banks, power plants, water companies. I'll agree that banks can sure as hell afford to pay for this type of testing but they have no monetary incentive to get ahead of identity theft or the myriad of other problems their policies cause.

    8. Re:Why is this free of charge? by Anonymous Coward · · Score: 0

      HAHAHAHAHHAHAHAHAAH

  14. Government by Anonymous Coward · · Score: 0

    "I'm from the government -- I'm here to help *cough* you *cough* get *cough* rooted *cough*."

  15. Weird use of Government resources by avandesande · · Score: 4, Insightful

    How about publishing a set of standards and tests that critical infrastructure companies must utilize?

    --
    love is just extroverted narcissism
    1. Re:Weird use of Government resources by Anonymous Coward · · Score: 1

      it's really just a way for them to legitimize their own hacking and data collection habits.

    2. Re:Weird use of Government resources by Culture20 · · Score: 2

      it's really just a way for them to legitimize their own hacking and data collection habits.

      It's like the local fire department asking if there are any fields farmers would like to burn or houses they can burn for practice stopping fires.

    3. Re:Weird use of Government resources by Anonymous Coward · · Score: 0

      Because those standards and tests are either so abstract as to be open to wide interpretation or they are obsolete by the time they are published.

    4. Re:Weird use of Government resources by Anonymous Coward · · Score: 0

      Standards and best practices are there - they are called STIG. But I don't know a (l)user that will put them on their system because... UX and features... You apply all STIGs and you have a computer from the late 90s, which is just enough to do all you need to, just not shiny to the social media (l)user.

    5. Re:Weird use of Government resources by AHuxley · · Score: 1

      The free offer is just a talking point to make new contacts in the private sector.
      The "free" testing has a few different ideas behind it:
      An offer to upper level private sector stakeholders to talk about security threat assessments and protective measures. Basically upper management get a fancy digital version of see something, say something and an offer of a special card just for them.
      Long term a free offer to host a new server might be made to split and compare all real time data flows to shared police and international databases (fast per file checksum in near real time reporting).
      It is the enterprise server version of an older idea going back a few years:
      "FBI asks computer shops to help fight cybercrime" (February 5, 2004)
      http://the.honoluluadvertiser....
      ".. any overtly criminal activity they find in customers' computers.

      --
      Domestic spying is now "Benign Information Gathering"
  16. Hopefully more thorough by The-Ixian · · Score: 1

    than the stupid port scan tests that some credit card companies require you to do before they let you have a credit card processing machine.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Hopefully more thorough by Anonymous Coward · · Score: 0

      You mean the port scan testing on an old IP address no longer assigned to my place of business, and it keeps passing their automated scans and they are not even scanning my actual business? Yeah, those are fucking stupid. PCI compliance means absolutely NOTHING. It's doing nothing other than lining some company's pockets. Just like the TSA.

  17. Place your bets by ThatsNotPudding · · Score: 1

    These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries.

    What are the odds DHS didn't even bother to make sure the rest of FedGov's house is in order before moving onto the private sector? Though it does nicely prove DHS et al. are all lapdogs to almighty corporate profits.

  18. Your tax dollars at work...for a change by Bearhouse · · Score: 1

    Well good; I'm guessing that a lot of organisations (outside of Federal) that use this "free" service are ones too cheap to go private.
    Just as long as they don't think that they'll get the same breadth and depth of experience as you would with some other options - you don't attack a bank the way you attack a power station so better to go to the specialists for your situation.
    Still, if it leads to the DHS overall getting more of a clue then I'm all for it.
    But somehow I doubt it...

    Now, getting a "tested clear" certificate from the NSA on the other hand would be cool...if you could believe that during the audit they'd not raped your data and installed another 50 backdoors.

  19. DHS: Let us test (Hack) your PC... by Anonymous Coward · · Score: 0

    And if they can't they'll know where to allocate hacking skills. If you run Linux you can run the hardening tool "Lynis", Windows users should just unplug their PC, nothing is going to secure that pos.

  20. Penetration? by redshirt · · Score: 0

    I get penetrated by the government with every goddamn paycheck.

    1. Re:Penetration? by Anonymous Coward · · Score: 0

      Yeah having roads, schools, water, power, internet, military, police, emergency response is terrible. No one should have to pay for that! Why can't a private industry take that stuff over?

    2. Re:Penetration? by Anonymous Coward · · Score: 0

      He's complaining about income tax? That's piddle poo compared to my property tax. I've rented houses for less than I have to save every month for property tax.

  21. free with a price by Anonymous Coward · · Score: 0

    they also offer free facebook profiling at no cost to everyone!

  22. Free vulnerability scans and penetration tests by Chris+Mattern · · Score: 1

    Even if you didn't ask for them!

  23. 'DHS' and 'penetrate' . . . by mmell · · Score: 2

    Are these even words we ever want used in the same sentence?

  24. The Government is better because why? by s.petry · · Score: 1

    Yeah, vulnerabilities cost money. If you get hacked you could be put out of business. That means that if you care about your customers and want to stay in business you pay for the right tools and people to ensure you are secure.

    How does a Government who can't handle basic things like medical care for Veterans have a better chance of protecting you than a private company who will be out of a job if they are not effective? What is your repercussion against the DHS when they fail and you go under? What penalties will the Government face when it's found that they simply take tax money and claim to scan, but never ran a scanner? Do you really believe that you will get your day in court and have recovery within your lifetime when your business fails? (Ask an American Indian about their experiences with timely recovery of damages).

    People demanding "more" government are simply lunatics, often demanding more because they get "free" stuff for now. I can not comprehend the level of delusion required for people to believe that contrary to everything the Government does or has done, we are better off with the Government monopolizing services.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:The Government is better because why? by Anonymous Coward · · Score: 0

      Yeah, vulnerabilities cost money. If you get hacked you could be put out of business. That means that if you care about your customers and want to stay in business you pay for the right tools and people to ensure you are secure.

      How does a Government who can't handle basic things like medical care for Veterans have a better chance of protecting you than a private company who will be out of a job if they are not effective? What is your repercussion against the DHS when they fail and you go under? What penalties will the Government face when it's found that they simply take tax money and claim to scan, but never ran a scanner? Do you really believe that you will get your day in court and have recovery within your lifetime when your business fails? (Ask an American Indian about their experiences with timely recovery of damages).

      People demanding "more" government are simply lunatics, often demanding more because they get "free" stuff for now. I can not comprehend the level of delusion required for people to believe that contrary to everything the Government does or has done, we are better off with the Government monopolizing services.

      Yeah, vote Republican, so the fine folks at Comcast can expand their fine customer service to health care, domestic law enforcement and military procurement. Because a company I don't own at all is so much better than 1/60,000,000th of a vote.

      Just kidding, the Republicans want bigger government spending than the Dems do, they just want it funneled through different hands via different private companies.

    2. Re:The Government is better because why? by Anonymous Coward · · Score: 0

      How does a Government who can't handle basic things like medical care for Veterans have a better chance of protecting you than a private company who will be out of a job if they are not effective?

      s.petry, usually your posts make sense, but ... to suggest that private companies would do a better job for veterans than the government?
      I suspect you've never worked in the medical care industry on either the insurance or hospital side (I have, most of my life). Turning over veterans' medical care to those people would be the biggest ass-raping of soldiers in history. Medical insurance companies don't go out of business when they are ineffective, they have a larger stock dividend.

      Trust me, 99% of what you hear of V.A. scandals is an attempt by asshole congressmen to defund veterans' care (I prefer soldiers who weren't captured kind of attitude) and the medical insurance companies wanting to get their hands on whatever dollars are left over.

    3. Re:The Government is better because why? by s.petry · · Score: 2

      As a veteran and a person who has worked in IT for Government, Medical, Insurance, Automotive, DOD, and Telecom, I say you are simply wrong. Medical care in the US is not a private market, it's a government controlled monopoly. Having the direct authority for care, like the VA, is simply putting the biggest turd on the top of the pile.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  25. Mr. Fox guarding the henhouse? by ugen · · Score: 1

    And if they discover vulnerabilities, those will be passed on to NSA first?

  26. DHS Security Plan: Prison by Anonymous Coward · · Score: 0

    No thanks D suckers.

    Ha ha

  27. Oh, the hypocrisy by sdinfoserv · · Score: 1

    "You hypocrite, first take the plank out of your own eye, and then you will see clearly to remove the speck from your brother's eye." - Matthew 7:5

    OPM ?!? Anyone?!? OPM?!?
    DHS might want to PERFECT their methods on GOVT agencies first...

  28. Wait, why do you run from me? by Anonymous Coward · · Score: 0

    "I'm here from the government and we're here to help."

    "Wait! Stop running.
    No, we don't have any means to create IT jobs for you, but we have plenty of H1B visas to go around."

    "STOP!"

  29. Leading Problem is Unsupported Unix by Etherwalk · · Score: 1

    According to the report that reads more like a summary with hardly a data point, the most common vulnerability was an "Unsupported Unix Operating System."

  30. At Least This One Is Free by Anonymous Coward · · Score: 0

    I saw this as well. According to their obviously flawed testing requirements, use of non-current or "unsupported" operating systems is a critical vulnerability. This is a lazy and absurd assertion. Every single firewall out there will fail this test as an unsupported Linux version.

    That the vendor or distribution has chosen to increment the OS version does not obsolete the previous version. The previous and likely mature version could have no vulnerabilities whatsoever. Furthermore, many vulnerabilities in unsupported OSes can be easily mitigated with a standard firewall.

    Their other "big risk" is old/weak ciphers still in use for SSL/TLS. This report reads like the BS of PCI DSS consultants.

    At least this one is free.

  31. Mandatory Security Compliance by rsborg · · Score: 1

    I think you missed the part where this is for critical infrastructure. Banks, power plants, water companies. I'll agree that banks can sure as hell afford to pay for this type of testing but they have no monetary incentive to get ahead of identity theft or the myriad of other problems their policies cause.

    Make these industrial giants get audited. Make sure their software, hardware, and processes are certified. The compliance framework and confirmation of mandates (i.e., the meta-mod function) is what government does best. The actual pen-testing should be left to industry, and hell, make them craft and adhere to a certification as well.

    --
    Make sure everyone's vote counts: Verified Voting
  32. DHS/TSA Taste My Cum by Anonymous Coward · · Score: 0

    How better to stay awake during a 26hr or longer travel.

    I welcome the TSA GLBTQ groper to suck my dick and taste my cum. Wheaties, the fucker breakfast of GLBTQ Champions.

    Ha ha Fuckers

  33. DHS Offering Free Vulnerability Scans, Penetration by rge270 · · Score: 1

    so this is how elites bugger J&J Sixpack! :(

    they ask for volunteers, and then just sit back and wait for free prostitution

    (of ALL kinds; no homo sapiens phobia of any kind whatsoever with these folks)