Security Microsoft United States

Word Vulnerability Compromised US State Dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
This discussion has been archived. No new comments can be posted.

  • by drago177 ( 150148 ) on Thursday April 19, 2007 @12:26AM (#18793411)
    It would be so easy to just install StarOffice on each computer (keep Word), and ask the more technical departments to start using it, if only to save docs in Word format at first. I did this with the last company I worked at, nobody ever even complained. The cost was very minimal, and it actually saved a lot of money and time when an excel file corrupted itself. MS could not open it, but SO opened then re-saved it in MS format, then it worked fine.
  • Opendoc (Score:3, Interesting)

    by Billly Gates ( 198444 ) on Thursday April 19, 2007 @12:45AM (#18793561) Journal
    Well, it's a good thing the government standardizes on opendoc and does not cater to special interests like Microsoft's lobbyists when making requirements for secure workstations.
  • Re:Scary (Score:4, Interesting)

    by shawn(at)fsu ( 447153 ) on Thursday April 19, 2007 @12:48AM (#18793575) Homepage
    Why would you ever open anything not from a source you know if you were in the State Department? ...
    FTA (which isn't entirely clear):
    The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as back door communications with the hackers.
    It's not clear, but I wouldn't be so quick to say the employee was stupid for opening an email without knowing the source. If it appeared legit and it was just a plain Word doc with no VB scripts then it's not all his/her fault.

    And why are you taking aim at governments in particular? Any government, corporation or single home user could have been fooled by this.
  • by tymbow ( 725036 ) on Thursday April 19, 2007 @12:49AM (#18793601)
    I had an interesting discussion the other day with some colleagues and we came to a consensus that many Microsoft products were and still are, or at least inherit, a design philosophy similar to that of the Internet when it was first created. The Internet was built on a basis of implied trust and as we have seen in present times, particularly with e-mail and the SMTP protocol, this model of design is a poor foundation. To counter these issues we need to design more and cleverer countermeasures in an escalating war with miscreants; a parallel we also see in Microsoft products with the never-ending cycle of Anti-Virus and Anti-Spyware updates and patches required to deal with both programming flaws and poor design choices that assumed trust (recall the ILOVEYOU debacle). The real kicker is that you could argue that many of the problems we now face on the Internet are largely due to poor design in Microsoft software which, as I noted, parallels an original design methodology of the Internet. We've had several articles earlier in the week pushing a view that the Internet needed to be re-architected due to its flawed security design (although I think it's more about commerce and control but I won't go there for now) - is it not also time to re-architect Microsoft and their approach to developing products? Would we even have these problems if not for Microsoft? My two cents.
  • Re:Scary (Score:3, Interesting)

    by Architect_sasyr ( 938685 ) on Thursday April 19, 2007 @01:05AM (#18793747)
    It's interesting to note that the compromises on our machines don't occur on our terminal servers or the critical PCs, they only occur on the ones that "absolutely must have" administrative access on their local machine.

    A properly configured windows system is as secure as a properly configured linux system (well, in this case anyway!). And in case you're wondering: If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged, no questions asked, no data saved. People store stuff on network servers because they're told to, anyone who doesn't comply with IT is made to suffer the consequences.
  • by Anonymous McCartneyf ( 1037584 ) on Thursday April 19, 2007 @01:40AM (#18793955) Homepage Journal
    But if Open Document Text does almost everything .doc files do, how can we be sure it doesn't have similar back doors?
  • Re:Scary (Score:2, Interesting)

    by tftp ( 111690 ) on Thursday April 19, 2007 @01:57AM (#18794059) Homepage
    A properly configured windows system is as secure as a properly configured linux system

    It is also unmanageable by the operator. The IT does not have time to run around and help everyone when he needs to connect to a printer, for example, or install an approved, free or site-licensed piece of software. A simple XP user can't even change his own preferences in Word; a power user can't connect to a printer (but can install some software.) The XP privileges and their effects are as chaotic as they can be.

  • by drago177 ( 150148 ) on Thursday April 19, 2007 @02:05AM (#18794111)
    I heard the install was faster/easier, and it was. You're right about the support - never tried it, but I did want to contribute to the open source concept, and $ rules the world. I knew those above me wouldn't notice an extra $20 on each pc, but they were scared of 'non-professional software', so to be able to tell them there was support was a necessary safeguard.

    Oh, btw, they were using that excel sheet to keep track of a fleet of buses (this co was archaic in their IT dept when I got there). A radio dispatcher was frantically telling the bus drivers there was a computer problem and to 'hold tight' for 15 minutes till I got there, then 5-10 more minutes to figure out MS file recovery wouldn't cut it, and 5 to install SO from network and fix the prob. The only serious occasion that pitted MS vs SO and the results were stark. So no, I'm not on Sun's payroll, but the story ought to be a commercial, and I walked out like a hero so I'm happy to tell it.
  • oh good lord (Score:2, Interesting)

    by Essequemodeia ( 1030028 ) on Thursday April 19, 2007 @02:17AM (#18794185)
    Thank god there are no file sharing users/security risks at the State Department. It's better to populate an important governmental agency with drones as opposed to internet savvy employees who can't assist network administrators by giving them a slightly more informed heads up regarding odd or bizarre 'puter goings-ons. I hate my own sarcasm. Hate it.
  • by drachenstern ( 160456 ) <drachenstern@gmail.com> on Thursday April 19, 2007 @02:25AM (#18794249) Journal
    One of our clients' email is set up so that if you send them an attachment without a particular second attachment, their firewall drops the attachment and only gives you the file. Lemme spell it out for the slow students in the class.

    A customer needed an instruction for how to remove the lid from a specialty box. (for field support purposes, the field guys could be morons, so better to have something from the vendor)

    He calls me and asks for it, I whip something up in PDF and shoot it over to him.

    He calls me and says, got your email but not the attachment.
    Me: Huh?
    Him: When I send this email, reply to it and keep the attachment that's there and attach the doc again.

    So, why is the US Govt not using the same thing? Can it really cost that much to implement (obv not)
  • Re:Scary (Score:3, Interesting)

    by dave1g ( 680091 ) on Thursday April 19, 2007 @02:41AM (#18794345) Journal
    actually you can. you just have to be hard core like the military. I work for a military contractor (a university research lab) we received an email telling us to not use word documents whatsoever for a certain period of time. and if we didn't comply we lose our contracts. all attachments were being made in rich text format, some of the non techies were scrambling to figure out how to do it but life went on.

    not trying to excuse microsoft for their shitty product, just saying you can tell people to stop using word for a few weeks if there are real consequences.
  • by MulluskO ( 305219 ) on Thursday April 19, 2007 @02:46AM (#18794375) Journal
    A sane email policy blocks executable files and archives containing executables, but allowing dot docs in is probably unavoidable.

    I wonder then, if it might be possible to scan a Word document for stuff that's not needed. Treat all dot docs that have VB in them as executables and block them out. You might go so far as to attempt intelligent analysis of the document to make sure it consists only of code that would reasonably be generated by a human being. Perform sanity checks on certain variables and so on.
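
Added example (not part of the thread and not any poster's code): one way a mail gateway could implement the check described in the comment above, walking the directory of an OLE2 compound file and blocking legacy Office attachments that carry a VBA project. The function names and the sample builder are hypothetical; only the FAT sectors listed in the header are followed, which covers files up to about 6.8 MB with 512-byte sectors.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound file signature
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
MACRO_NAMES = {"macros", "vba", "_vba_project", "_vba_project_cur"}

def cfb_entries(data):
    """Return [(name, object_type)] for every directory entry in the file."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]           # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]      # header fills sector "-1"
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:     # header DIFAT only
        fat += struct.unpack(f"<{size // 4}I", sector(s))       # short read raises
    entries, seen, s = [], set(), first_dir
    while s != ENDOFCHAIN:
        if s in seen or s >= len(fat):                          # loop or wild pointer
            raise ValueError("corrupt directory chain")
        seen.add(s)
        sec = sector(s)
        for off in range(0, len(sec) - 127, 128):               # 128-byte entries
            name_len, kind = struct.unpack_from("<HB", sec, off + 64)
            n = min(max(name_len - 2, 0), 62)                   # drop NUL, clamp
            if kind:                                            # 0 = unused slot
                entries.append((sec[off:off + n].decode("utf-16-le", "replace"), kind))
        s = fat[s]
    return entries

def verdict(data):
    """Gateway decision for a .doc attachment; unparseable input fails closed."""
    try:
        names = {n.lower() for n, _ in cfb_entries(data)}
    except (ValueError, struct.error, IndexError):
        return "quarantine"
    return "block" if names & MACRO_NAMES else "deliver"

def build_sample(entries):
    """Constructed test input: header + one FAT sector + one directory sector."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack("<HHHHH6xIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6,
                                              0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    dirsec = b""
    for name, kind in entries:                                  # kind: 1 storage, 2 stream, 5 root
        raw = (name + "\0").encode("utf-16-le")
        dirsec += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return hdr + fat + dirsec.ljust(512, b"\0")
```

A file that fails to parse is quarantined rather than delivered. The check finds embedded VBA projects only; it says nothing about documents that exploit a flaw in Word's own parser.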
  • Re:Scary (Score:5, Interesting)

    by Architect_sasyr ( 938685 ) on Thursday April 19, 2007 @02:49AM (#18794393)
    Actually it's a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little john doe program that these people can want to install so they don't have to support them (this is very clearly communicated to these users).

    It also means that we have a relatively standardised form across the board despite having PCs everywhere and very quickly weed out the users who think they're smart but aren't really.

    An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

    Also, so that those who aren't aware know, you don't have to be a local administrator to install a network printer. Anyone hooking a printer directly to a PC in a corporate environment is either a director or an IT who has lots to learn.
  • Re:Scary (Score:2, Interesting)

    by Raideen ( 975130 ) on Thursday April 19, 2007 @03:10AM (#18794525)
    As the GP stated, "People store stuff on network servers because they're told to, anyone who doesn't comply with IT is made to suffer the consequences." Keeping data on the individual PCs is costly. In an environment that's set up properly (folder redirection at least, no write access to the hard drive outside of the home directory, maybe the addition of roaming profiles), there's no reason to worry about data stored on the local disk. If they re-image the machine and you still have issues, swap out the hardware and you're working again. Such policies can easily save a user hours of downtime and it also saves the time of the IT staffer. It all translates into saving money for the company.
  • by jimicus ( 737525 ) on Thursday April 19, 2007 @04:37AM (#18794975)
    You joke, but I'd point out that a government department (particularly in a large, powerful country like the US) will always be a very attractive target - particularly for blackhats who know what they're doing rather than script kiddies.

    Yet the same government has politicians who are nobbled by Microsoft into saying that open source is less secure because anyone can look through it for security bugs.
  • Re:Scary (Score:3, Interesting)

    by Architect_sasyr ( 938685 ) on Thursday April 19, 2007 @11:06AM (#18798293)
    Data: Storing the data on a samba share, and mapped network drives. To the GP, I would suggest that you haven't had a large corporation to support. We support a nationwide network (ok, so it's Australia, we're still a nation!) with only 13 support staff including our in-house development team. The bloke in administration wants to be able to have his funky theme pack, and use OO.o, Firefox and Thunderbird. These are not standard across the organisation, and he understands this. The IT Support team is not there to fix every little problem, and as I mentioned, not every person has the PC or the administrative access on said PC. The IT Support team is there to fix the standard problems with the company standard software. The parent to this post has it right, all data is stored on a network drive, any data on the local machine is considered loseable, and the users understand this.

    It's an interesting statistic that our IT department get more calls than any other department in the corporation (we're a transport company, so we get a lot of calls to arrange pickups/deliveries). The users know that they can call us, they know that we'll try to fix their problem. 15 minutes isn't a hard and fast rule but the users understand that if we feel it is necessary we will call it in.

    My userbase respects my team. They know that we work hard to keep things going for them and they are willing to wait for us to find a resolution to their problem.

    Perhaps this is unique to my company, or perhaps this is unique to Australia and the "she'll be right mate" attitude we're so famous for, or perhaps this is just the way we support our staff and the relationship with them. I leave it to each slashdotter to decide.

    Oh and we only use certain printers across the company (standards again ;) so each image comes with all the print drivers the user should ever need.
