800 Break-ins at Dept. of Homeland Security
WrongSizeGlass writes "Yahoo is reporting about the computer security nightmare going on at the Department of Homeland Security. Senior DHS officials admitted to Congress that over a two-year period there were 800 hacker break-ins, virus outbreaks and in one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. I guess it's true what they say ... a mechanic's car is always the last to get fixed."
When you are a primary target (Score:4, Interesting)
""What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said."
Meh, whatever. This seems to me to dismiss the high profile nature of the DHS. Most other businesses might not even survive the onslaught faced by the DHS and other government sites.
Could they do more? Sure. There is ALWAYS more that can be done from the user level up to systems and network admin.
"All the problems involved the department's unclassified computer networks..."
That is good to know.
This was predicted (Score:4, Interesting)
even by Slashdot pundits, when we learned of the huge Dell and Microsoft contracts that were being awarded by the DHS.
Those who wanted the DHS to be a braintrust of security were sorely disappointed, and indeed we can see that it is nothing more than another bureaucracy more interested in distributing taxpayer funds to corporate friends than really doing anything for the health and welfare of the nation.
This is how Rome fell.
Ha! (Score:4, Interesting)
Networking (Score:1, Interesting)
Re:One thing is for sure. (Score:4, Interesting)
Re:Thank god we fixed a 40 billion dollar bureaucr (Score:3, Interesting)
Re:When you are a primary target (Score:3, Interesting)
The DHS could guarantee that all computer-based attacks would be fruitless overnight. They'd just have to get rid of all their computers and resort to pocket calculators, slide rules and abacuses.
Unfortunately, that's about the only way to provide a 100% cast-iron guarantee that there's no way in hell the computer systems will be hacked.
Even if you did take such an extreme measure, the result would be that anyone that interested in getting information about what the DHS is doing would plant a few individuals in there.
Deputy chief information officer had a fake degree (Score:1, Interesting)
wikipedia: "According to Department of Labor employees later interviewed by the media, Callahan had become increasingly difficult to work for, reacting in a hostile way when questioned on her unusual decisions, and frequently belittling employees for not understanding the complex technological jargon she said she had acquired while studying for her doctorate." - sounds like a real asshole
The department of "homeland security" (Score:5, Interesting)
Re:Big assumption (Score:1, Interesting)
There is a reason why the US government of today dwarfs the US government of only 100 years ago, both in revenue and power over the people, and it's not because making government bigger is unprofitable for those in the business of government.
Like most government programs, the "Department of Homeland Security" was created to fix problems that were created by government in the first place. How will they do it? By (surprise surprise) shoveling even more tax money and power into the hands of the elite who control government.
When the department of homeland security fails, what do you think the solution will be? To abolish the empire and the huge amounts of revenue and power that came with it? [Insert maniacal laughter here.]
You're not in the business of government, are you?
Re:Homeland Security != Information Security (Score:3, Interesting)
Re:you people don't get it (Score:3, Interesting)
We never once had a break-in. We never once had a tripwire report that a single file had been changed by someone without authorization.
We also ran primarily Solaris, Tru64 UNIX, FreeBSD and Linux (for internal IT stuff like the office mail servers), with Windows essentially confined to some desktops on an isolated network.
We also had layered, physically divided networks, with stateful firewalls between layers, switches with ACLs on ports controlling traffic, and all server and workstation OS's hardened before deployment as if they were going to be exposed directly to the internet. Oh yeah, and commercial IDS devices on each network. Users weren't root/administrator on anything, except for the lead developers tracked using sudo on their Solaris sandbox and the Sys Admins using sudo elsewhere.
We also did a randomly scheduled once-a-month walkthrough of the work spaces to ensure that no passwords were written down anyplace someone with physical access could get them. We also didn't use stupid change-every-month password policies, but instead instructed staff to create phrases and combinations that mentally translated into their secure personal passwords and also further used ssh keys and keygen dongles where appropriate.
Root passwords were randomly generated and stuck in an envelope in a safe, just in case we ever needed them. If ever used (for example, for console access on a box booting in single user mode due to a hardware problem) they were immediately changed once the use was complete.
We also had multiple QA and staging environments for configuration, content management, security, functional, and performance code testing before deployment. We also had full redundancy and load balancing for every essential server and device.
Oh yeah, we also had a major annual security audit by a good third-party IT security specialist firm. They never once found anything exploitable, despite their best efforts and even given internal network access.
Of course, the previous developer/hoster of the largest brand we supported, when it came time for the transition to our platform, went ahead and decided to physically mail us a DVD with all of their customers' personal and credit card information on it in plain text to use for testing the customer import process. So the above standards aren't exactly universally true of private companies.
But while I've heard lots of bad security stories about government agencies (I knew a network guy contracted to the Department of Agriculture who found out one day that the firewalls for the entire department of agriculture had been set to pass all traffic for 6 months since they were too much trouble to keep configured properly) and about government IT project fiascos (they all take 2-3X as long as expected, cost 2-3X, then never get finished, but instead get rolled into a new project to do the same thing), I've never heard of an actual government IT success story.
Re:Homeland Security means: (Score:4, Interesting)
FEMA
Customs and Border Protection
Immigration (Former INS)
Secret Service (Not covered by CIA, FBI or any other Law Enforcement)
Coast Guards (Not covered by CIA, FBI or other Law Enforcement)
I'm no fan of them, but how about you take a look at their website if you want to know what they are supposed to do"
Well, they don't seem to be doing very well at many of their tasks....
Yeah...lots of progress with DHS. Lots of nothing....