Slashdot Mirror


US Homeland Security Employees Locked Out of Computer Networks (reuters.com)

Dustin Volz, reporting for Reuters: Some U.S. Department of Homeland Security employees in the Washington area and Philadelphia were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter. It was not clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense. In a statement, a DHS official confirmed a network outage that temporarily affected four U.S. Citizenship and Immigration Services (USCIS) facilities in the Washington area due to an "expired DHS certificate." Reuters first reported the incident earlier Tuesday, which a source familiar with the matter said also affected a USCIS facility in Philadelphia. Employees began experiencing problems logging into networks Tuesday morning due to a problem related to domain controllers, or servers that process authentication requests, which could not validate personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, according to the source.

7 of 133 comments

  1. Security focused by Fire_Wraith · · Score: 5, Insightful

    DHS is the primary government agency responsible for protecting the country's civilian infrastructure, including the internet and computer networks. I feel so much better knowing that they're so good at keeping their own systems secure, that even their own workers can't access them.

    1. Re:Security focused by Anonymous Coward · · Score: 5, Insightful

      What's so insecure about denying access due to an expired certificate? Isn't that an example of security measures working as expected?

    2. Re:Security focused by Notabadguy · · Score: 4, Insightful

      Plot twist, the government doesn't manage their own networks anymore, for a while now they've been getting rid of military trained personnel and replacing them with civilian contractors.

      Keep in mind that Department of Homeland Security != Military; the Department of Defense (military) is a separate department. And many DHS personnel are unskilled, uneducated workers. TSA and all the security theater is part of DHS. This news article is as special as "Exxon gas station cashiers locked out of computer network."

      Baggage handlers, X-Ray viewers, clerks, and even janitorial staff proudly introduce themselves in public as "I'm with Homeland Security." It sounds a lot better than "I'm a baggage handler at the airport."

  2. Doing more with less.. by lionchild · · Score: 5, Insightful

    I think I'd like to take this opportunity to point out that this is what happens as we do more and more with IT on less and less staff. While I understand sometimes we think of IT as a cost-center and not a revenue generator, it probably needs to be thought of as more like a utility; because without the lights, water, phones...and internet, you can't do business very effectively these days.

    That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them. Then when the certificate issuer sends out a notification to that IT staffer who used to do that, but was 'right sized' a year and a half ago...no one gets the email. So, the certificate expires and this happens. Same song, different, louder verse, apparently when it happens to DHS, and likely more embarrassing.

    Bottom line: Doing more with less, isn't always in everyone's best interest.

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]

    1. Re:Doing more with less.. by TechyImmigrant · · Score: 4, Insightful

      That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them.

      An alternative viewpoint is that this is one of the ludicrously bad failings of PKI. Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future, or the whole system collapses when they forget or leave or get booted. We could fix (I.E. delete and replace) PKI and this specific failure would not happen, so the overworked IT staff can go back to deploying Windows NT patches.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    2. Re:Doing more with less.. by EndlessNameless · · Score: 4, Informative

      Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future

      Bullshit.

      I could write a PowerShell script in maybe 10 minutes that will list all of the computers in the domain, connect to them, and check for expiring certificates. I can get a reminder in advance---90 days, 30 days, a week, whatever I want. All I have to do is one thing: understand my job.

      Alternatively, some tools (like Nessus, which is FOSS) have audits which automatically check for expiring certificates. They can be configured to email a report, and you can be notified every day/week/month if you have expiring certs.

      This is a stupid, incompetent failure. You can build or buy a tool to avoid this problem very easily. Compared to using passwords, the only reasonable complaint is that you require decent sys admins.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
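
The domain-wide expiry check described in the comment above, sketched in PowerShell as an added example that is not part of the original thread or any poster's code. It assumes the RSAT ActiveDirectory module and PowerShell remoting (WinRM) to each host; the function name `Get-ExpiryBucket` and the 7/30/90-day buckets are illustrative choices.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report machine certificates nearing expiry across a domain.
# Assumptions: RSAT ActiveDirectory module is installed and WinRM remoting is
# enabled on the targets. Thresholds mirror the 90/30/7-day reminders mentioned.

$Thresholds = 7, 30, 90            # days, ascending; smallest matching bucket wins

function Get-ExpiryBucket {
    param([datetime]$NotAfter, [datetime]$Now = (Get-Date))
    $days = [math]::Floor(($NotAfter - $Now).TotalDays)
    if ($days -lt 0) { return 'EXPIRED' }
    foreach ($t in $Thresholds) { if ($days -le $t) { return "<= $t days" } }
    return $null                   # not due yet, leave it out of the report
}

# Enabled computer accounts that have a DNS name we can connect to.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$report = foreach ($c in $computers) {
    try {
        $certs = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-ChildItem -Path Cert:\LocalMachine\My |
                Select-Object Subject, Thumbprint, NotAfter
        }
    } catch {
        # An unreachable host is a finding too: its certificates went unchecked.
        [pscustomobject]@{ Computer = $c; Status = 'UNREACHABLE'; Subject = $null
                           Thumbprint = $null; NotAfter = $null }
        continue
    }
    foreach ($cert in $certs) {
        $bucket = Get-ExpiryBucket -NotAfter $cert.NotAfter
        if ($bucket) {
            [pscustomobject]@{ Computer = $c; Status = $bucket; Subject = $cert.Subject
                               Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
        }
    }
}

# Soonest expiry first; pipe to Export-Csv or a mailer from a scheduled task.
$report | Sort-Object NotAfter | Format-Table -AutoSize
```

This only inspects the `LocalMachine\My` store on each host. Issuing CA certificates and CRLs carry their own validity periods and need a separate check.
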
  3. Re:Stop the presses! Someone in IT fucked up! by Archangel Michael · · Score: 3, Interesting

    All News is fake depending on who is reporting and who is the reader/viewer.

    Kind of like "Planned Parenthood doesn't use public funding for abortion services". Technically "accurate", but really not even close to being accurate.

    A woman comes in for an abortion, but gets six other "tests" and diagnostics done. Pregnancy test, Pap smear .... etc. All those other "tests" are paid for by government money, none of which are part of the actual "abortion" procedure. Since that Planned Parenthood clinic provides mostly abortion related services, they are "government funded" and would fold if they didn't get any other funding. They subsidize the Abortion with federal monies, using loopholes.

    Technically it is "true" that PP doesn't use federal dollars for "abortion". Realistically it is a fully subsidized procedure using loopholes. Both sides are considered "alternative facts" by the other side. And the reason we can't have civil discourse about anything any more.

    And watch this get modded "Troll" since I used the inflammatory "Planned Parenthood / Abortion" example by people who can't actually debate the actual topic.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.