800 Break-ins at Dept. of Homeland Security

WrongSizeGlass writes "Yahoo is reporting about the computer security nightmare going on at the Department of Homeland Security. Senior DHS officials admitted to Congress that over a two year period there were 800 hacker break-ins, virus outbreaks and in one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. I guess it's true what they say ... a mechanic's car is always the last to get fixed."

When you are a primary target

[Ngarrang]

When you are a primary target like the DHS, I would imagine that the attacks they face are probably harder and longer than most possible victims. I would be interested to know how many hack attempts failed to see what kind of success rate such a high profile agency has. No security is perfect.

""What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said."

Meh, whatever. This seems to me to dismiss the high profile nature of the DHS. Most other businesses might not even survive the onslaught faced by the DHS and other government sites.

Could they do more? Sure. There is ALWAYS more that can be done from the user level up to systems and network admin.

"All the problems involved the department's unclassified computer networks..."

That is good to know.

This was predicted

[Johnny Mnemonic]

even by Slashdot pundits, when we learned of the huge Dell and Microsoft contracts that were being awarded by the DHS.

Those who wanted the DHS to be a braintrust of security were sorely disappointed, and indeed we can see that it is nothing more than another bureaucracy more interested in distributing taxpayer funds to corporate friends than really doing anything for the health and welfare of the nation.

This is how Rome fell.

Ha!

[Anonymous Coward]

That's nothing. A password cracker is included in the OS load of every server here. Our security auditing program uses it! Better yet, it would normally be detected by our antivirus program, but a guy here is paid to remove it's pattern from the vscan updates before they're sent out. When an unedited vscan pattern file manages to make it's way on to the machine somehow, it nukes the audit program. How's that for "administratively broken"?

Networking

[G1369311007]

Why don't they just move the whole operation to a classified network behind NSA Type I devices? So what if they can't surf the internet. At least they'd get work done without having to worry about people going to doublewidefantasies.com and picking up some malware.p

Re:One thing is for sure.

[jimicus]

Further, the people who are likely to be seriously interested in infiltrating the DHS are quite able to find and finance someone with the capability to do so.

Re:Thank god we fixed a 40 billion dollar bureaucr

[jimicus]

Let's be honest, that's about all governments ever do. When was the last time you heard of a government organisation made more effective by simplifying things?

Re:When you are a primary target

[jimicus]

I think you've made a very good point there.

The DHS could guarantee that all computer-based attacks would be fruitless overnight. They'd just have to get rid of all their computers and resort to pocket calculators, slide rules and abacuses.

Unfortunately, that's about the only way to provide a 100% cast-iron guarantee that there's no way in hell the computer systems will be hacked.

Even if you did take such an extreme measure, the result would be that anyone that interested in getting information about what the DHS is doing would plant a few individuals in there.

Deputy chief information officer had a fake degree

[Anonymous Coward]

In 2003 it was found out that that a PhD claimed by the Homeland Security Department's deputy chief information officer, Laura Callahan, was from Hamilton University of Wyoming, a known diploma mill.

wikipedia: "According to Department of Labor employees later interviewed by the media, Callahan had become increasingly difficult to work for, reacting in
a hostile way when questioned on her unusual decisions, and frequently belittling employees for not understanding the complex technological jargon she said she had acquired while studying for her doctorate." - sounds like a real asshole

The department of "homeland security"

[danpsmith]

I think the reason that people see any irony at all in these type of stories is the fact that they actually expect that the government is as good as its hyperreal image [wikipedia.org]. Of course government agencies aren't infallible, but to suggest this is to deny this hyperreal, overemphasized "we're efficient, intelligent and we know things about you you don't even know" public persona. Without a sufficient belief in the agencies like the CIA and the FBI, and the belief that they are actually more informed than the masses and that the government is more in the know than anyone is aware (unless they are in the government), people would want to know where all this security spending is going (which is a problem for anyone). The government is an inept, massive body of people that is unable to act upon information quickly due to its many layers of bureaucratic bullshit and the legality of everything. The only solution to this problem is to eliminate some of the bureaucracy (firing people, which, of course, can't be done), or to eliminate the red tape (legislation, which, if you eliminate too much becomes a Bush-like grab for power), neither of which will ever be done due to the nature of the politicians in charge. So the federal government, no matter what the politicians say will continue to grow as a monolithic, insecure and ineffective beast while feeding you the image of a secure, fast, intelligent and best of class organization and terrorists with their small but efficient plans will continue to find gaping holes in the system. And that's why irony in this case can be saved for the naive and the uninformed, the rest of us see things like this coming a mile away.

Re:Big assumption

[Anonymous Coward]

Remember that in the business of government, failure is rewarded with more power and revenue. How many millions do you think it will take to "fix" this "problem"?

There is a reason why the US government of today dwarfs the US government of only 100 years ago, both in revenue and power over the people, and it's not because making government bigger is unprofitable for those in the business of government.

Like most government programs, the "Department of Homeland Security" was created to fix problems that were created by government in the first place. How will they do it? By (surprise surprise) shoveling even more tax money and power into the hands of the elite who control government.

When the department of homeland security fails, what do you think the solution will be? To abolish the empire and the huge amounts of revenue and power that came with it? [Insert maniacal laughter here.]

You're not in the business of government, are you? ;)

Re:Homeland Security != Information Security

[encino]

I work for DHS in the Science & Technology Directorate (S&T), and while DHS has a long way to go, there are very smart people here that have sacrificed lucrative careers to dedicate themselves to service to the nation. With a Ph.D. in computational biology from Stanford (i.e., I consider myself to have technical skills), I decided the morning of 9/11 that I would not seek a job at a Biotech or Pharma company in the Bay Area upon graduation, but would rather try to get involved and help the nation with whatever talent and education I have been given. There are many others like myself in S&T - thankfully S&T has not (yet!) turned into the typical government clock-punching organization. People here are top-tier, driven, bright, and creative. I am proud of where DHS has come (at least in my corner of it), while acknowledging that we have a long long way to go. Oh, and for the record, DHS employees are not required to be members of the Republican party.

Re:you people don't get it

[_Sharp'r_]

A few years ago I was the technical manager for a company that developed and hosted major ecommerce sites. Sites for the largest retail brands in the world. They were very, very, high profile. Any downtime was usually measured in millions of dollars of revenue lost. We went months at a time without any downtime at all, not even scheduled downtime.

We never once had a break-in. We never once had a tripwire report that a single file had been changed by someone without authorization.

We also ran primarily Solaris, Tru64 unix, FreeBSD and Linux (for internal IT stuff like the office mail servers), with windows essentially confined to some desktops on an isolated network.

We also had layered, physically divided networks, with stateful firewalls between layers, switches with ACLs on ports controlling traffic, and all server and workstation OS's hardened before deployment as if they were going to be exposed directly to the internet. Oh yeah, and commercial IDS devices on each network. Users weren't root/administrator on anything, except for the lead developers tracked using sudo on their solaris sandbox and the Sys Admins using sudo elsewhere.

We also did a randomly scheduled once-a-month walkthrough of the work spaces to ensure that no passwords were written down anyplace someone with physical access could get them. We also didn't use stupid change-every-month password policies, but instead instructed staff to create phrases and combinations that mentally translated into their secure personal passwords and also further used ssh keys and keygen dongles where appropriate.

Root passwords were randomly generated and stuck in an envelope in a safe, just in case we ever needed them. If ever used (for example, for console access on a box booting in single user mode due to a hardware problem) they were immediately changed once the use was complete.

We also had multiple QA and staging environments for configuration, content management, security, functional, and performance code testing before deployment. We also had full redundancy and load balancing for every essential server and device.

Oh yeah, we also had a major annual security audit by a good third-party IT security specialist firm. They never once found anything exploitable, despite their best efforts and even given internal network access.

Of course, the previous developer/hoster of the largest brand we supported, when it came time for the transition to our platform, went ahead and decided to physically mail us a dvd with all of their customer's personal and credit card information on it in plain text to use for testing the customer import process. So the above standards aren't exactly universally true of private companies.

But while I've heard lots of bad security stories about government agencies (I knew a network guy contracted to the Department of Agriculture who found out one day that the firewalls for the entire department of agriculture had been set to pass all traffic for 6 months since they were too much trouble to keep configured properly) and about government IT project fiascos (they all take 2-3X as long as expected, cost 2-3X, then never get finished, but instead get rolled into a new project to do the same thing), I've never heard of an actual government IT success story.

Re:Homeland Security means:

[cayenne8]

"TSA (Not covered by CIA, FBI or other Law Enforcement)>

FEMA>

Customs and Border Protection>

Immigration (Former INS)>

Secret Service (Not covered by CIA, FBI or any other Law Enforcement)>

Coast Guards (Not covered by CIA, FBI or other Law Enforcement)>

>

I'm no fan of them, but how about you take a look at their website if you want to know what they are supposed to do"

Well, they don't seem to be doing very well at many of their tasks....

• TSA - Mostly act at a PITA, and don't seem to know or want to show the applicable laws (like not having to show ID)
• FEMA - First hand observation of them and their continued incompetance in New Orleans. Fortunately I've not had to deal that much with them myself, but, I feel for the people that have. I worry for the next community that gets hit by a disaster, if NOLA is any indication how they act, you're in for a lot of trouble and heartache.
• Customs and Border Protection - Well, I think we ALL know how bad a failure this is....the people flooding in from down south hasn't slowed a bit, even though the majority of the US wants the borders secured.
• Immigration (Former INS) - Well, this obviously doesn't work at all. People wanting to get in legally can't seem to hardly work the system, and we're certainly NOT deporting people here illegally we find and catch. I think the last reference to this working was in the original Cheech and Chong movie, Up in Smoke. The INS gave them a free ride to Mexico, last time I heard of INS every sending someone home that wasn't here legally.
• Secret Service (Not covered by CIA, FBI or any other Law Enforcement) - Ok...they seem to do ok, but, then again, they were great before DHS oversight.
• Coast Guards (Not covered by CIA, FBI or other Law Enforcement) - Good before DHS, and so far, no signs of bastardization...keep up the good work boys.

YEah...lots of progress with DHS. Lots of nothing....