Feds Own Cybersecurity Efforts Are A Joke: Employees Have 'Gone Rogue' To Avoid 'Ineptitude' Of IT Staff
from the get-your-house-in-order dept
One of the key parts of the various cybersecurity bills that have been pushed over the past few years is the idea that the federal government would help the private sector better protect against attacks. Of course, for that to makes sense, you'd think that the federal government would have its own "cybersecurity" house in order. However, a report from the Senate shows what even it describes as "ineptitude" by various government agencies. Pick your agency and you'll find problems. Let's take a look at Homeland Security, one of the agencies that has been vying for control of the federal cybersecurity budget. Turns out that DHS's own cybersecurity team repeatedly failed to install basic security updates for easy targets of hackers like Microsoft applications and Java (tip: if you're using Java, you're probably not secure). As the report notes, this is "the sort of basic security measure just about any American with a computer has performed." But not DHS cybersecurity employees!What else? Well, just in DHS, there were the following problems:
Sensitive databases protected by weak or default passwords. At NPPD, which oversees DHS’s cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII), the IG found accounts protected by “default” passwords, and improperly configured password controls.Oh, and then there's the following concerning our good friends at ICE, Immigrations and Customs Enforcement, the group that styles themselves as Hollywood's personal police force:
Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.
To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops-- even two credit cards left out.Moving on to the Nuclear Regulatory Commission. Here things are so bad that the report notes that NRC employees believe their own IT staff is "inept" and they've "gone rogue."
Perceived ineptitude of NRC technology experts. There is such “a general lack of confidence” in the NRC’s information technology division that NRC offices have effectively gone rogue–by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.And this has resulted in a bunch of problems, such as storing sensitive data on unsecured shared drives, including the details of the NRC's cybersecurity programs. Also on an unsecured shared drive? A commissioner's passport photo, credit card image, home address and phone number. The NRC also failed to report security breaches:
How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches.Moving on to everyone's favorite government agency: the IRS. The report notes that every year the GAO finds 100 cybersecurity weaknesses in IRS systems, and the IRS fixes half of them. Then the GAO does another audit... and finds another 100 problems with the IRS's cybersecurity. Among the problems? Failure to encrypt sensitive data. Failure to fix known vulnerabilities. And, the ever popular weak passwords:
Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.How about an organization like the SEC, who deals with tons of sensitive information? Apparently, they're so careless and cavalier about this stuff they used personal email accounts, unencrypted information and often used unsecured open WiFi connections -- including once at "a convention of computer hackers."
Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy--and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.And yet these folks claim they can help secure everyone else's computers?
The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits. They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels--in at least one reported case, at a convention of computer hackers.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, dhs, federal government, homeland security, irs, nrc, sec, senate
Reader Comments
Subscribe: RSS
View by: Time | Thread
Of course they can!
[ link to this | view in chronology ]
The insecurities in Java stem from its use to run applets in a Web browser. This usage dated from long before Dynamic HTML became as powerful as it is today. Java applets are obsolete and nobody should be using them any more.
Howver, other uses of Java (e.g. for desktop apps) are no more insecure than any other programming language. Consider the trouble you can get into with C and C++, yet nobody claims those languages are �insecure�.
(Dis)claimer: I use Java for Android programming, but only because I have to. I freely admit that it is a verbose and repetitive language. When normal people say that programming is a tedious and boring activity, they clearly have languages like Java and PHP in mind.
Want a language that offers great power and flexibility and is fun to use? Try Python.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Java, the most dangerous software on the Internet
"The insecurities in Java stem from" Oracle degrading the quality of Java applet programming such that the original default sandboxing was DESTROYED. Don't expect Oracle to fix it. Obviously, they'd rather keep cleaning up after their puppy suffering PWN-The-User diarrhea.
My advice: Just say 'NO' to the Java Internet plug-in. If any website dares require it, tell them to get rid of it. Java is the single most dangerous software you can run on the Internet.
Oh and Oracle: I Hate You.
[ link to this | view in chronology ]
Re: Re: Java, the most dangerous software on the Internet
Oracle happened. Makes perfect sense. The OpenOffice shenanigans weren't bad enough; they had to rip holes in Java's security. Super.
Sign me up for the "I Hate Oracle" club.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Say what?
Isn't the fact that they're "not subject to the same security measures that are applied to supported technologies" rather the point?
[ link to this | view in chronology ]
Re: Say what?
Honestly I've been on both sides of this argument... As an IT support person who's had to go in and take over a rogue operation after it self destructed spectacularly, and a "rogue operator" who had to deal with an IT department that grew up around our existing infrastructure and slowly tried to whittle away our autonomy. In both cases I felt my group was in the right, and I could spend hours telling you why, but I'm obviously a bit biased.
Funnily enough, the second case was a Federal agency (the FAA), and I did think some particularly unkind things at our IT...
[ link to this | view in chronology ]
Re: Re: Say what?
Effective IT security has to be very much a two-way street. IT has to be competent enough and responsive enough that users don't NEED to set up their own systems to get their work done. Otherwise, the two go their separate ways, and both of Mr Best's stories are, unfortunately, very predictable!
[ link to this | view in chronology ]
Re: Re: Say what?
[ link to this | view in chronology ]
Re: Re: Say what?
I used to collect the PC viruses that came over the wire to my department's Macs. IT's solution was to isolate the Macs as a potential vector for viruses.
Typical Hammer thinking.
[ link to this | view in chronology ]
Re: Re: Say what?
If the official IT guys are going around setting everybody's password to 'password' then almost any homegrown scheme will be superior -- even if it's just adding a number to the password against the IT department's orders.
[ link to this | view in chronology ]
Re: Say what Christopher Best?
hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247?utm_campaign=so cialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
I agree, it is unsightly! The UTM's are for Google, or other web analytics "campaign metrics". I strip them away whenever I post or send a URL. They look cheezy. Even if I'm using a URL shortener, I want that crud gone. I was curious why the person you were IM chatting with didn't post this instead,
hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247
Is it considered immoral or rude to excise the crud, because the URL creator can't surveil (track?) as well? That URL was so lengthy that it forced the sidebar chat widget to scroll out to 4 times width!
For etiquette's sake, I'll return to the current topic. Why don't these comments have any respect for IT? IT departments are NOT always clueless bureaucrats who don't know how to set a password other than to "password". Someone else described how their IT department isolated Macs because of PC viruses (I didn't say that quite right, it's down below). Just maybe, the IT guys know something that the users don't know, about security. The user's job, in this case, is to be a developer. IT doesn't sit around all day doing nothing. Their job, among other things, is to be real-time up to date about viruses. Macs are not immune, regardless of OS used. Even computers running Linux can be vulnerable.
As for getting in the way of business and customers, I learned the hard way that IT needs to be consulted. I worked on a project using PHI (protected health information). At the beginning, before we bid on the contract, one of our IT guys warned us that there would be problems with using VolP as part oF the dEliverable, that HIPAA didn't allow it, in that context. Client said it would be okay, but didn't check with their own IT guy, nor anyone else. So we did months of work and sure enough, our IT guy was right. We should have spent some time to see if he were correct, before proceeding further. We were still paid, nothing terrible happened. Client had to spend more though, for us to do (lots of tedious) changes.
IT security can be a huge pain to deal with, like a law enforcement bureaucracy in your midst, e.g. a visit from Tyler in Data Security was much worse than having the Assistant District Attorney stop by to "ask you a few questions"! It is management's job to reign in overzealous IT, or replace any who are incompetent.
[ link to this | view in chronology ]
No cloud sharing?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Wow
[ link to this | view in chronology ]
But... "Data wants to be free!" -- Why worry about this?
[You kids are welcome to censor this too, only shows why no one reasonable should post here. Seems to be a deal of resistance to the clear fact that every one of the tactics available to you has a drawback, but you keep on doing it! I name it "out_of_the_blue effect".]
If you like yapping ankle-biters, you'll love Techdirt! (25 of 195)
09:32:48[k-025-3]
[ link to this | view in chronology ]
Re: But... "Data wants to be free!" -- Why worry about this?
And no one said that it should be easy to get private data, especially with all of the info the government insist on keeping on everyone.
BTW blue, you keep getting reported for ranting and raving about things that are usually completely off topic, like google. BTW, I do NOT like them. Their search is not that great, still better than most, and their ad service is beyond intrusive, but any competent person can install an app to cull unwanted ads and scripts. I primarily use an ad/script blocker as a matter of security. Getting rid of the cruft is an added bonus.
[ link to this | view in chronology ]
How Secure are the Armed Forces?
We had card keys that MUST be plugged into the machine to work, and when you unplugged them the computers auto-locked. Not to mention to open basically any door you also needed said key card, so very very few computers were ever left unlocked.
I just wonder how the Armed Forces fared for said IT audit.
[ link to this | view in chronology ]
Re: How Secure are the Armed Forces?
Usually, I could convince them to change default passwords. A few times I had to threaten to quit to get my point across. One facility absolutely refused and I did leave, but they didn't work with anything important, just aircraft carriers and fast attack submarines.
Prior to Y2K, a facility I was working at was warned of a possible cyber-terrorism event. Their solution was to unplug everything. Literally. We worked for three days labeling every cable (power, network, SCSI, keyboards, monitors, mice) that went in and out of every machine in our facility. Then we powered them down and unplugged everything. EVERYTHING. At both ends.
There was actually a procedure developed for how to place floor tiles in the server room so Naval Intelligence could verify machines were disconnected from their power supply.
Because cyber terrorism apparently figured out a way to defeat the insulating properties of air gaps.
We took everything down for multiple mission critical national defense systems that directly supported (hmm, best way to say this?) "capabilities" two days before Y2K, and left them that way for almost a week. We even disconnected the UPS. Because, terrorism.
We still had to come in to work. No phones. No network. No building security because the card scanners were powered off, just Marines checking your ID at the doors that (no joke) had been taped open. No computers. The only thing that had power were the lights and the coffee makers in the break rooms.
When I pointed out that we were essentially doing, on our own, what the terrorists reportedly intended to do, I was told that this was "on our terms."
[ link to this | view in chronology ]
I don't know about you, but if my IT dept were inept, I wouldn't want my hardware or software subject to the same standards they're using.
[ link to this | view in chronology ]
Matthew 7:3
but considerest not the beam that is in thine own eye? (KJV)
"Why do you look at the speck of sawdust in your brother's eye
and pay no attention to the plank in your own eye? (NIV)
[ link to this | view in chronology ]
Re: Matthew 7:3
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
User passwords had to change every 90 days, has to contain x number of characters, etc, but any user could self promote to admin on any machine to reduce the call load to the help desk.
Users where instructed to not install unauthorized software, but never saw anyone disciplined for doing so. About twice a year Firefox would be remotely uninstalled from my machine and the next day I would self promote myself and reinstall it again.
Their security basically boiled down to telling users what they should and shouldn't do without really enforcing any of it.
[ link to this | view in chronology ]
Leaving the PWN Gates Open
I don't expect much better IT competence today. Instead, the federal response has been to go off the rails PWNing the PWNers as well is unconstitutionally surveilling US citizen on US soil without 'probably cause', therefore without a legal warrant. #MyStupidGovernment at work.
How about a new revolution folks!
[ link to this | view in chronology ]
Hell, wall of sheep is all they need to prove that the "good guys" aren't good at computer security. Most of wall of sheep is folks trolling, but there still are an awful lot of unencrypted SMTP/POP3 traffic at any of those conferences going to .mil and .gov servers.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Even if they had, there are still very, very good reasons that private email accounts should never be used for company (and especially government) business:
1) Accountability. in many cases, particularly with the government, there is a requirement to keep emails archived for accountability purposes. Using a private account bypasses those systems and enables corrupt practices.
2) Companies can harden email systems in ways that you'd never tolerate for your personal email. Good security always comes at the cost of convenience.
3) Security that you are in control of is better than security you're relying on other parties to provide. Relying on Yahoo, Google, or whatever to give make you secure is a compromise you might be willing to accept (see point #2), but it isn't something that a company should be willing to do.
4) More limited attack surface. If you're using a major email provider, the attack surface is also much larger. A proper company email system can have a really small attack surface. Small attack surface means it's harder for an attacker to find a way to compromise the system.
5) Liability. If you have sensitive company data sitting in emails in your personal account, and that account is compromised, the fault is yours and you can be held liable. If you keep it on company servers, you have no such exposure.
[ link to this | view in chronology ]
Re: Re:
The word "compromised" should be right after "not".
[ link to this | view in chronology ]
NRC was a joke
We had a team of developers that thought it would be funny to code a joke into one of their applications to mess with specific "troublesome" operators by generating random, meaningless error messages for those individuals and force them to restart the application.
[ link to this | view in chronology ]
If you go to any of our network ports you can't just plug in a computer and have it connect to the network. You MUST be on the domain with all the right proxy settings and other items.
They IT staff really must have been incompetent for the shadow IT groups to even have a capability to get off the ground.
[ link to this | view in chronology ]
RE: RE
It's also a joke to hear Target talk about chips in credit cards as a security cure when employees use default passwords. Ask RSA if the biggest problems are hackers or users.
[ link to this | view in chronology ]
SEC OMG!
I knew about the NRC having no reporting procedure to track breaches pertaining to accidental release of sensitive information, because I noticed an entry in the Federal Register (or somewhere similar) saying that they needed to draft and instate one, in October or November last year. I wasn't aware of the pervasive carelessness in so many other U.S. government departments though.
The SEC is my primary interest. Lax security increases exchange infrastructure vulnerability. There is another concern, namely, the always-tempting opportunity to exploit and profit from unauthorized access to material non-public information.
[ link to this | view in chronology ]