Security United States

Govt. Report Slams FBI's Internal Network Security

Posted by CowboyNeal
from the uncle-sam's-open-doors dept.
An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."


  • Common Knowledge (Score:5, Informative)

    by Anonymous Coward on Friday May 25, 2007 @01:50AM (#19266389)
    I've worked in another agency in a related line of work. FBI security is a joke. Everyone knows it. An FBI agent's idea of "information security" is carrying a gun when he brings home Top Secret documents in his glove compartment. Their security flaws are a reason intelligence organizations are reluctant to cooperate.
    • TFR

      Specifically, FBI did not consistently
      (1) configure network devices and services securely to prevent unauthorized insider access;
      (2) identify and authenticate users to prevent unauthorized access;
      (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
      (4) apply strong encryption techniques to protect sensitive data on its networks;
      (5) log, audit, or monitor security-related events;
      (6) protect the physical security of its network; and
      (7) patch key servers and workstations in a timely manner.

      Insider attack is always a risk; full solutions against it are 1) impossible, 2) infinitely costly (see 1).
      I work in Financial Services a lot - these solutions aren't necessarily all implemented that strongly; the limitation is cost. Without seeing a costing plan for the above utopian remediation I'm not so sure it is needed. I'm not saying the FBI are necessarily good - just that the report language is too general/pipe-dreamish to know.

  • Holy Crap! (Score:5, Funny)

    by Jeremiah Cornelius (137) on Friday May 25, 2007 @01:50AM (#19266395) Homepage Journal
    They run that Sh!tH*le like it's some cruddy Government institution, ferchrissake!
    • Re: (Score:3, Insightful)

      by Aoreias (721149)
      Obviously not all the government is bad at computer security. Clearly the GAO had to know what 'right' is to be able to criticize the FBI for not having adequate security measures.

      It's not that the government is filled with people that don't have a clue, but rather that the technically able people usually get frustrated by bureaucracy, politics, and poor management.

      • by conureman (748753)
        Well, I am SURE that SOME branch of our government is not being run by incompetent losers. The FBI ain't it.
      • GAO had to know what 'right'

        Keep in mind the audit and disclosure is probably politically motivated. Maybe the FBI wants a bigger IT budget? Maybe the head of another agency wants to discredit the FBI? I can tell you from experience, this is more likely rather than plain old incompetence.

        The GAO looks like they are doing their job, but that's about it. Having set up NIST-compliant LANs and desktops, I promise you they are not _that_ secure. It's better than a default Windows desktop, but not remarkable.
      • GAO doesn't "know" any better. They hire outside contractors- like SAIC - who do. The report is then issued under GAO covers.
  • Good... (Score:5, Funny)

    by Mystery00 (1100379) on Friday May 25, 2007 @01:55AM (#19266427)
    Goooood, means it's possible to get to those x-files after all....
  • Windows ? (Score:1, Funny)

    by linuxIsLife (1044762)
    I think they use Windows OS on their servers...
    • Re:Windows ? (Score:5, Interesting)

      by Architect_sasyr (938685) on Friday May 25, 2007 @02:13AM (#19266527)
      All windows bashing aside, does it matter? Internal Network Security could be lacking because rather than installing and configuring sudo half the team is given the root passwords to su with.

      That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)
      • 'I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)'

        Carefully, though. You might end up penetrating Guantanamo.
        • Re: (Score:1, Funny)

          by Anonymous Coward
          In Soviet (Russia|America), Guantanamo penetrates you!
      • Re: (Score:1, Funny)

        by Anonymous Coward
        I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)

        Nice pick-up line! Mind if I borrow it?
    • Re:Windows ? (Score:4, Insightful)

      by Anonymous Coward on Friday May 25, 2007 @02:38AM (#19266657)
      In most cases, yes.

      However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.

      At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case-sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.

      They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.

      Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!
      • Re:Windows ? (Score:5, Interesting)

        by Lord_Frederick (642312) on Friday May 25, 2007 @06:33AM (#19267785)
        I've worked for private companies, local government and federal government. IT in some federal agencies is very scary.

        CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

        Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

        Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

        EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.

        Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

        Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

        Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

        • How long DID you work at Microsoft?
        • I can give you some insight into how much better things are here than your experiences have shown.

          IT in some federal agencies is very scary.

          Thank you for the qualifier "SOME federal agencies". Such may be the case, but not where I work - the IRS.

          CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

          No access to our networks comes in from outside except via encrypted VPN. The phrase "website for teleworking" isn't in our vocabulary.

          Blackberries get

        • Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."


          Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

          I work for state government and these two items take place where I work. When I moved to where I am now (higher position and pay), I found out those

        • I work for a federal agency as a contractor doing web application development. I worked for the Navy as a federal employee for 21 years before that, 13 in IT, eight at my last job as an IT officer. In my current environment, I see a dramatic difference in security, mostly because of the higher level of classification we have here. Some differences to what you state:

          CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

          We use CAC cards for the unclass syste
        • It's stories like this and the FISMA scores that push me to contend that the Financial Vertical is still on top of the security pyramid. It mostly has to do with being able to quantify and measure risk.

          "To measure is to know."

          "If you can not measure it, you can not improve it."

          -Lord Kelvin [zapatopi.net]
      • I always wondered why text-based passwords are still being used on high-speed networks.

        How about this: When a person gets an ID for one of these systems, they have to submit a series of 20 personal photos. Every time they log in, the system puts up five of the pictures. The user has to sort them by date taken to successfully log in.
        • by pedalman (958492)

          Every time they log in, the system puts up five of the pictures. The user has to sort them by date taken to successfully log in.
          Yeah, it would be just our luck that when these photos are taken, the camera will put the timestamp in the lower-right corner of each one. That'll really complicate things and thwart suspicious activity. ;)
        • That would be a very quick brute force attack... 20^5, are you serious?
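The two-factor/OTP comment above says the FBI should at least have an OTP generator instead of reusable Windows passwords. As an added illustration (not code from the original thread or from any agency), here is an event-based one-time password (HOTP, RFC 4226) generator plus the server-side check a practitioner actually needs: a bounded look-ahead window so a user who pressed the token button without logging in can still resynchronise, a counter that only moves forward so a sniffed code cannot be replayed, and a failure counter that locks the account, since a 6-digit code only has 10^6 possibilities and is trivially brute-forced without throttling. The secret is the published RFC 4226 test-vector key; the window size and lockout threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
# A real deployment would provision a random per-user secret instead.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user's token.

    window       : how many counter values ahead of the stored counter are
                   accepted (resynchronisation, RFC 4226 section 7.2).
    max_failures : consecutive bad codes before the account is locked,
                   which keeps the 10^6 code space from being guessed.
    Both values are assumptions for this example, not RFC mandates.
    """

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        for step in range(self.window + 1):
            candidate = self.counter + step
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Move strictly past the accepted counter: the same code can
                # never be accepted twice, which is what defeats replay.
                self.counter = candidate + 1
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def demo() -> dict:
    """Walk through the cases the thread cares about and return the outcomes."""
    v = HotpVerifier(TEST_SECRET)
    results = {
        "first_code_ok": v.verify(hotp(TEST_SECRET, 0)),   # normal login
        "replay_rejected": not v.verify(hotp(TEST_SECRET, 0)),  # sniffed code reused
        "skipped_presses_ok": v.verify(hotp(TEST_SECRET, 3)),  # user burned 2 codes
        "too_far_ahead_rejected": not v.verify(hotp(TEST_SECRET, 9)),
    }
    # Four more wrong guesses exhaust max_failures and lock the account.
    for _ in range(4):
        v.verify("000000")
    results["locked_after_guessing"] = v.locked
    results["locked_rejects_valid_code"] = not v.verify(hotp(TEST_SECRET, v.counter))
    return results


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

Two points of the design are worth noting. The counter is advanced past the accepted value on success, never reset, so a code captured off the wire is worthless a second later; that is the property a static AD password lacks. And the window must be small: every extra step in the look-ahead multiplies an attacker's per-attempt success probability, so resynchronisation beyond the window should require a separate out-of-band procedure rather than a bigger window.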
  • by Anonymous Coward on Friday May 25, 2007 @02:17AM (#19266553)
    Unpatched they may be, but when they come bursting through your door, you'd sure-as-hell better welcome them as your new digital overlords...

    Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?
  • Reviewed? (Score:3, Insightful)

    by palemantle (1007299) on Friday May 25, 2007 @02:47AM (#19266725)
    From TFA: "The bureau, which had the opportunity to review the GAO's findings before publication" ...

    I wonder what "review" means in this context? Read through? Edit? Sanitize?
    • by Plutonite (999141)
      Sanitize.
    • GAO and IG reports to/on U.S. federal agencies are shared with the agency first. Typically, the agency writes a short response (Generally along the lines of "A, B, and C were cited as problems. At the time of the review: A was being revised and is now fixed; the methodology used to find problems in B were faulty and we refute the finding; C was a valid problem and we've formed a committee to find solutions.") that's normally added to the report as an addendum before it goes to final publishing. Only in r
  • by SharpFang (651121) on Friday May 25, 2007 @03:02AM (#19266813) Homepage Journal
    Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
    After all, crime fighting stats don't rise for not catching these who didn't manage to break law, because it was too difficult.
    • Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?

      Well, it might be nice if you want to ACTUALLY CATCH THEM! How are you supposed to do that when they overwrite your files?

      Oh, I see, you don't care if the arrested is actually guilty. I'll be quiet now. Forget I said anything. You guys are doing great, keep up the good work and help yourself to some real Wow software or something. Bye.

    • Could be because a successful intrusion is invisible? Just a thought.
  • This could not be possible, because the FBI is one of the government's largest agencies. If it is true, the situation should be reversed and the funding for security should be studied further. This should be the case for the government to provide better security for the homeland, but how can it be if even the agencies are lacking it...
  • [blah bla] writes to inform us that the Government Accountability Office was attacked earlier today.
    Nobody knows who did the attack, but the FBI said it was a swift and tactical raid, everyone dead, and one bin on fire with what appears to be a report in the remains; the title read FB... nal.. ty, that's all that could be read at the time.
  • by Opportunist (166417) on Friday May 25, 2007 @06:54AM (#19267923)
    IT-Security is not handled by the technical department when it comes to the feds. It's handled by the legal department.

    Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.

    The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.

    And those people should be trusted with my information?
  • by Doc Ruby (173196) on Friday May 25, 2007 @07:09AM (#19268021) Homepage Journal
    The FBI has blamed its blatant longterm abuse [techdirt.com]of the Bush privacy-invasion toy "National Security Letters" on its broken database.

    Since, as usual, no one at Bush's FBI has suffered after disclosure of this destructive abuse, the excuse will of course multiply in popularity.

    Funny how Bush Gang "mistakes" always seem to benefit Bush, though his gang claims it's all just accident and happenstance. Random distributions that always favor Bush must be "miracles".
  • Good old FBI (Score:5, Insightful)

    by MikeRT (947531) on Friday May 25, 2007 @07:20AM (#19268083) Homepage
    Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...

    This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?
    • If you are aware, and I believe this continues your claim, they spent a BIG WASTEFUL sum of money developing this supposed NEW tcp/ip filtering technology called CARNIVORE; needless to say, after all the spending, they ended up scrapping the idea and started all over with a new APP, which, guess what, also needed the same amount of funding......

      Then you wonder where all our money goes to when they say we have to increase our taxes due to lack of money for our federal budget
  • The GAO has always been the "General Accounting Office" and works for Congress. Similar in function to the "Inspector General" in the military, investigate problems and report to superiors with evidence.
  • by dj42 (765300) on Friday May 25, 2007 @07:51AM (#19268399) Journal
    We need more gov't transparency. Appointing stooges to the DOJ to fire the noncompliant, limiting free-speech, obfuscating information to the journalists, and distrusting the American public to the point of borderline treason, I would hope that somewhere, somehow, eventually true, honest, and open people get hold of information that will shed light on the gov't actions in the last 6 years. /Woops... *removes tin foil hat, jumps in the ocean, swims, far*.
  • The fact that the FBI is computer-challenged has been known for years. It goes well beyond information security.

    When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.

    Some years
  • No stock price to piss off shareholders, who beat up on a board of directors. No CEO for them to beat on, so he can then beat up on his CIO, who then beats up on directors who beat up on team leads, who work hard to create tight solutions. Money is generally a better motivator than standards compliance.
  • by PPH (736903) on Friday May 25, 2007 @12:56PM (#19273051)
    The stories about the FBI's ongoing IT restructuring troubles have been covered extensively in the industry news over the past few years. Having been involved in similar work for another (in)famous gov't agency, the problems look all too familiar.


    Some years ago, the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house was answered with threats from industry lobbyists to get their funding cut so severely, they would barely have the money for normal operations.


    The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.

  • I'm half kidding, with the way we're restructuring our government to resemble 19th century Russia, but there is knowledge of how to do secure networks in other TLA agencies. Think XML bridges instead of routers.

    It seems a shame to re-invent the wheel for the FBI. I thought Jamie Gorelick's wall was properly and completely smashed post 9/11?

    You'd think they could have one of the boys from Virginia over for lunch for a proper "you frikkin' idiots"-ing. Note: I expect that there are plenty of line techs who
