800 Break-ins at Dept. of Homeland Security
WrongSizeGlass writes "Yahoo is reporting about the computer security nightmare going on at the Department of Homeland Security. Senior DHS officials admitted to Congress that over a two-year period there were 800 hacker break-ins, virus outbreaks and in one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. I guess it's true what they say ... a mechanic's car is always the last to get fixed."
I'll only say... (Score:5, Insightful)
Big assumption (Score:5, Insightful)
That's very true.
Especially when the mechanic is incompetent, and more interested in throwing around political weight than actually trying to accomplish anything useful.
Homeland Security != Information Security (Score:2, Insightful)
One thing is for sure. (Score:5, Insightful)
800 is a lot compared to who? (Score:5, Insightful)
Point 2: Those numbers are a completely meaningless abstraction without tying them back to type of attack, actual damage, importance of the data on those systems or their roles in launching further attacks, what kind of infections occurred and their damage potential, and finally what those numbers look like compared to other orgs of the same size.
Point 3: Homeland Security is comprised of multiple mostly-independent sub-orgs (like Coast Guard, TSA, etc.)... so saying DHS had so many attacks is misleading without clarification.
Point 4: Not saying they're not making mistakes, just that those "facts" don't tell you either way what the actual state of things is.
If you want to..... (Score:1, Insightful)
Out of Context (Score:3, Insightful)
Re:When you are a primary target (Score:4, Insightful)
I agree with you that DHS is a "juicier" target than some businesses, I'm willing to bet that the attacks (and the frequency of them) against Bank of America, [bankofamerica.com] Citibank, [citibank.com] Equifax, [equifax.com] etc., are just as bad if not worse.
Re:Out of Context (Score:2, Insightful)
Re:One thing is for sure. (Score:5, Insightful)
And even if the pay was the same, there's still the many months and ungodly amount of paperwork involved in trying to get a government job. Are you going to go for the offering that's available next month or next year?
My brief experience in DHS (Score:4, Insightful)
And if you think the creation of DHS was a carefully planned and well-thought-out move, I think the historical evidence speaks to the contrary.
The only solution is for detailed requirements for security and data handling. It would be more effective than not having any... they really don't have much in place now. How secure can they be with Microsoft everything running their offices?
Re:This was predicted (Score:4, Insightful)
Re:Out of Context (Score:3, Insightful)
800 is that really high? (Score:2, Insightful)
The bottom line is I don't care what kind of agency, business, enterprise, securing that many computers is impossible no matter what. You always have the human factor involved. Once you get 150,000 people thinking security (impossible to do) then you can be close to perfect.
Re:Homeland Security != Information Security (Score:5, Insightful)
DHS was a bad idea that was implemented poorly out of a panicked need to do *something* following the attacks.
you people don't get it (Score:3, Insightful)
Maybe break-ins are rare for you, and you think you are doing security really well. In reality, your success is based primarily on the fact that nobody good is targeting you. The people who discover flaws, write the exploits, and create the effective viruses do NOT target your pissant little company. They target governments and financial institutions.
Once the flaws and viruses are discovered by the primary targets, you get the luxury of updating your software and signature files before anyone gets around to target you.
DHS may have security a million times better than yours, but they are a primary target, so they get hit a billion times harder.
Re:Homeland Security != Information Security (Score:3, Insightful)
Cyber-terrorism has the potential to be a much more effective method of terrorism than violence. Just before Christmas, the airports in London were closed. A lot of people had to sleep in (cold) airports, and many didn't make it home to spend Christmas with their families.
In absolute terms, this didn't have the same impact as killing a load of people; no one actually died to my knowledge. For the people involved, however, it was far more personal than some people they'd never met being blown up, and a lot more people were affected than in most terrorist actions.
A similar effect could be had by infecting the air traffic control computers, for example, or even the airlines' booking computers (imagine if they were hacked to allow every seat to be booked twice...).
There's a great bit in Good Omens where a group of demons are recounting their day's work, and none of the old crowd can understand why tying up the London mobile phone networks for a couple of hours over lunch is evil. Just because no one dies, doesn't mean that there isn't real damage. It's also much easier for people who aren't directly affected to sympathise with terrorists who don't kill anyone than with ones that do.
My computer is always the FIRST to get fixed. (Score:5, Insightful)
Just as anyone here who's competent with a computer has their systems up-to-date and tuned.
Re:I'll only say... (Score:1, Insightful)
Another day, another round of Slashbots turning a complete inability to read into an opportunity to hold forth on how much smarter they are than the people in the story they're unable to read correctly.
It's more than just simplification (Score:1, Insightful)
Other than Rumsfeld and a couple of low-level stooges from Abu Ghraib, no one seems to have been fired.
We reward incompetence with bigger budgets which breeds more incompetence.
FUD Article (Score:5, Insightful)
Now let's go to the article. To the laymen you say 800 compromises and they go into "WOW THAT IS SO BAD" mode, but seriously come on. The compromises are mostly workstations. Now that doesn't mean they get a free pass, but it's not like they have had their core servers owned by foreign states... What they should be doing is not only scanning apps, DBs, and servers and patching/hardening them appropriately, but also client-side firewalling, config control of workstations, baseline security mechanisms for remote users, centralized virus/vulnerability patching... This article does not surprise me whatsoever and it really is not an indication that DHS security is horrible. It's not the best, but 800 is not that bad.
Re:I'll only say... (Score:5, Insightful)
Do we really need a whole bureaucracy to make the various departments share information and cooperate with each other? Aren't they run by grownups?
Re:I'll only say... (Score:5, Insightful)
What they DO is they bring insecurity to every sector of government and society that they touch, in the name of "Security"
It is all about optics... It doesn't matter that their computers are insecure... obviously the problem is that the fact that their computers are insecure should be a top-secret fact. It is not something that they feel needs to be fixed. They are only there for the illusion.
--jeffk++
Re:I'll only say... (Score:4, Insightful)
Troll or humour, I don't know meself.
Re:Big assumption (Score:4, Insightful)
Re:One thing is for sure. (Score:5, Insightful)
Re:Homeland Security != Information Security (Score:3, Insightful)
Re:Out of Context (Score:2, Insightful)
Re:Homeland Security != Information Security (Score:1, Insightful)
Besides, all the big terror busts have been because of traditional detective work. The idiots that were going to shoot up the NJ base got caught by a guy at the film processing center, and the JFK plot was blown by a drug dealer turned informant. Neither of them had anything to do with DHS, so really, what good is it as an agency?
Re:I'll only say... (Score:2, Insightful)
--jeffk++
Re:I'll only say... (Score:3, Insightful)
They are establishing a system of three distinct classes, one that is subject to physical degradation, dehumanisation and control, and another that escapes it and enforces it upon others, and the overseers that look down upon the animals in their pens.
Are the wealthy in their private planes and charter flights subject to those inspections? Are politicians subject to those inspections? Are the authorities' agents of control subject to those inspections? Freedom is always hard to gain and a struggle to achieve, whereas simple indifference will see it disappear, to be taken away piece by piece.