Security Government United States News

FBI, US Marshals Hit By Virus

Norsefire writes "The FBI and US Marshals were forced to shut down part of their computer network after being hit by a 'mystery virus.' FBI spokesman Mike Kortan said, 'We are evaluating a network issue on our external, unclassified network that's affecting several government agencies.' Nikki Credic, spokeswoman for the US Marshals, said that no data has been compromised but the type of virus and its origin is unknown."
  • by davidwr ( 791652 ) on Saturday May 23, 2009 @10:25AM (#28066485) Homepage Journal

    More and more, sensitive corporate and government networks will need to be isolated or at least mostly isolated from non-sensitive networks and the Internet.

    They may not need an air gap [wikipedia.org] but they will need to be isolated enough to prevent general problems like viruses.

    They also need to be run with the philosophy of "every other machine or user on my network could become compromised (infected or bribed) at any time."

    A couple of possible solutions:
    *Give employees 2 computers with a KVM, one for surfing the web and access to non-secure data, one to access secure data.
    *Give employees a multi-homed, ROM+read-only-USB-stick-for-configuration-data-boot "thin client" that's stripped down and hardened, with no copy-and-paste, no network bridging, and no other designed way for one remote server to influence the other. Then have them connect to different servers on different networks for different needs.

    If your security requirements are extreme, use an air gap.

    In either case, don't forget to take countermeasures against human idiocy, ignorance, and bribery/blackmail.

  • Re:Linux... (Score:5, Interesting)

    by Darkness404 ( 1287218 ) on Saturday May 23, 2009 @10:33AM (#28066559)
    How many people have gotten a virus from surfing a site using Linux? Very, very, very few, to non-existent. Sure, Linux is vulnerable but it isn't targeted; the diversity in distros, kernel versions, browsers, etc. helps keep the target moving. About the only way to get a virus in the wild is to download and explicitly install a virus or a trojan.
  • How do they know ? (Score:4, Interesting)

    by mbone ( 558574 ) on Saturday May 23, 2009 @10:37AM (#28066589)

    The spokeswoman said:

    "no data has been compromised but the type of virus and its origin is unknown"

    That is an extraordinary statement. How would they know?

    If I were head of IT there I would assume that that was not true. Even if there was a completely different computer system for any sensitive information, data has a way of leaking to where it shouldn't be. Of thousands of people, not one put notes or passwords or whatever on the insecure side of the line?

    Regardless of what they tell the press, I hope that internally they are assuming that this is a breach, and acting accordingly.

  • Re:Linux... (Score:2, Interesting)

    by santax ( 1541065 ) on Saturday May 23, 2009 @10:42AM (#28066657)
    Don't get me wrong, I love Linux, Debian fanboy for many a year. Every day I have to run apt-get update && apt-get upgrade to keep my system secure. Not every day is it a possible remote exploit, but there is always some security-related bug to fix. Linux may have a better implementation to keep those risks from escalating quickly compared to Windows, but I would not run nation-critical apps on it. Not at this point in time. I would look at OpenBSD. And saying that, I noticed a lot of comments about OpenSSH lately on Full-Disclosure... And another major factor is economics. MS won't take too kindly to people switching on them. And that really is something to take with you when deciding to switch. There is a lot at stake. And there is a lot to lobby for. Linux doesn't lobby, OpenBSD even less. I don't see Theo explaining to them why they should switch to OpenBSD and if he did... they would probably taser the crap out of him. Open source and especially OpenBSD has a lot going for it when it comes to security, but there is nobody out there who really understands that you need a lobby to make it happen. And governments need things like 'support'... Ever asked a question on the OpenBSD mailing list? Without being flamed?
  • by davidwr ( 791652 ) on Saturday May 23, 2009 @10:52AM (#28066721) Homepage Journal

    True, US-government-classified material does have to be regulated.

    But what about the human resource database of the United States Postal Service, with its employee birth dates and social security numbers? What about the customer database at American Airlines, with its juicy collection of credit card numbers? What about your medical insurer, which may have lots of information about your or your children's health you don't want entering the public domain? What about the bank teller whose terminal lets her do almost anything with people's money?

    It's probably a bad idea to let computers which have access to that kind of data, particularly write access, access the Internet or an unsecured network unless absolutely necessary to do the job. Sometimes, you have to allow such access if you are going to allow certain services, like allowing people to order products or services with credit cards from home, or do home banking. However, at least in these cases you can limit the potential damage to what that customer is allowed to access. If you allow people with wholesale access to sensitive databases to "work from home," give them a separate, secure computer that runs on an isolated LAN at the person's house, tunnel everything over a VPN, and block all non-VPN traffic except that needed to establish the VPN. Better yet, give them a separate real connection straight back to the corporate glass tower, bypassing the Internet entirely. Even better yet, don't let them work from home.

  • multilevel security (Score:1, Interesting)

    by Anonymous Coward on Saturday May 23, 2009 @12:10PM (#28067303)

    *Give employees 2 computers with a KVM, one for surfing the web and access to non-secure data, one to access secure data.

    Or use one operating system that allows different levels of security on one system, with different applications each running at different levels, and with access to variously segmented networks spanning from unclassified to top secret:

    http://en.wikipedia.org/wiki/Trusted_Solaris

    It's called multi-level security, and the DoD already uses it.
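
The two rules behind the multi-level security the comment above refers to are Bell-LaPadula's simple security property (no read up) and *-property (no write down), applied to labels that combine a hierarchical level with a set of compartments. The following is an added example written for this page, not code from Trusted Solaris or any other product; the level names, the compartment names and the interface labels are assumed for illustration.

```python
"""Bell-LaPadula label checks of the kind an MLS operating system enforces.

Added example for this thread, not code from Trusted Solaris or any other
product.  Level names, compartment names and the sample interfaces below
are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every compartment of b.
    Labels with disjoint compartment sets are incomparable: neither dominates the other."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down; a subject may only write to objects that dominate it."""
    return dominates(obj, subject)


def check(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor style decision for 'read' or 'write'; any other op is denied."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    return False


def network_access(subject: Label, interfaces: Dict[str, Label]) -> Dict[str, Tuple[bool, bool]]:
    """For each labelled interface, (may_receive, may_send) under the two rules:
    a process may pull data from a lower network but may not push data down to it."""
    return {name: (can_read(subject, lbl), can_write(subject, lbl)) for name, lbl in interfaces.items()}


# Constructed sample: three interfaces, each attached to a network at a different label.
INTERFACES: Dict[str, Label] = {
    "eth0": Label("UNCLASSIFIED"),                       # the Internet-facing side
    "eth1": Label("SECRET"),
    "eth2": Label("TOP_SECRET", frozenset({"CRYPTO"})),  # compartmented enclave
}

if __name__ == "__main__":
    for name, subj in [("browser", Label("UNCLASSIFIED")), ("analyst", Label("SECRET"))]:
        print(name, network_access(subj, INTERFACES))
```

Running it shows why a SECRET process on such a box can still read the unclassified network but cannot send anything to it, which is the property that a virus on the unclassified side cannot exploit to pull data down. One caveat: the textbook *-property permits writing up, and deployed MLS systems usually tighten that to write-equal so that a lower process cannot blindly inject into a higher network; the example keeps the textbook rule.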

  • Re:Linux... (Score:4, Interesting)

    by DrgnDancer ( 137700 ) on Saturday May 23, 2009 @12:28PM (#28067439) Homepage

    Especially 2. I work for a government contractor. The amount of stupid pointless shit we have to do in the name of "security" while leaving HUGE GAPING HOLES untouched just hurts my head. It's like our security policy is designed by ADD-addled five year olds. They read about something in a magazine and think "Oh, shiny!" They quickly write some insane, over-the-top policy to "solve" the "problem" and keep reading the magazine. It's great assuming that the article covers all possible security problems ever, or that it contained actual solutions instead of stuff that kinda sounds like it ought to fix a problem.

    The latest brainstorm is that we are switching to 12 character passwords which change every 60 days. This is almost certain to result in:

    a) People forgetting their passwords, requiring continuous password resets
    b) People writing down their impossible to remember, constantly changing, password
    c) Both (a) and (b)

    Meanwhile, we still have a number of systems that use rsh (No, not Kerberized rsh, the plain 30-year-old version with .rlogin files.). Granted this is an isolated network, with no Internet access at all. We're not likely to be attacked by outside entities. But if you trust the users of the isolated network enough to assume that they are not going to take advantage of the multiple and well-published rsh vulnerabilities, why don't you trust them enough to assume that they are not running password crackers?
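
The passwordless trust that plain rsh/rlogin grants is configured in ~/.rhosts (per user) and /etc/hosts.equiv (system-wide), and the dangerous entries are easy to spot mechanically. The following audit script is an added example written for this page, not code from the thread or from any rsh implementation; the sample .rhosts it parses is constructed and the host names in it are fictitious.

```python
"""Audit rsh/rlogin trust files (~/.rhosts and /etc/hosts.equiv).

Added example for this thread.  The sample below is constructed and its host
names are fictitious.  Format recap: one entry per line, first field a host
('+' for any host, '-host' to deny, '+@netgroup' or '@netgroup' for an NIS
netgroup), optional second field a user ('+' for any user; absent means the
same user name as the account being logged into).  The same syntax applies to
/etc/hosts.equiv, where it covers every account on the machine.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TrustEntry:
    source: str
    line_no: int
    host: str
    user: Optional[str]


@dataclass
class Finding:
    severity: str  # CRITICAL > HIGH > MEDIUM > LOW > INFO
    source: str
    line_no: int
    message: str


def parse_trust_file(text: str, source: str) -> List[TrustEntry]:
    """Parse .rhosts/hosts.equiv syntax; '#' starts a comment, blank lines are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None  # any extra fields are ignored here
        entries.append(TrustEntry(source, line_no, host, user))
    return entries


def audit(entries: List[TrustEntry]) -> List[Finding]:
    """Rate each entry; even the 'safe' ones rely only on the peer's claimed hostname."""
    findings = []
    for e in entries:
        if e.host == "+" and e.user == "+":
            sev, msg = "CRITICAL", "any user on any host gets passwordless login"
        elif e.host == "+":
            who = "the same user name" if e.user is None else f"user {e.user!r}"
            sev, msg = "HIGH", f"any host may log in as {who}"
        elif e.user == "+":
            sev, msg = "HIGH", f"any user on {e.host!r} may log in"
        elif e.host.startswith("-"):
            sev, msg = "INFO", f"explicit deny entry for {e.host[1:]!r}"
        elif e.host.startswith("@") or e.host.startswith("+@"):
            sev, msg = "MEDIUM", f"trust delegated to NIS netgroup {e.host.lstrip('+@')!r}"
        else:
            sev, msg = "LOW", f"host {e.host!r}, user {e.user or '<same name>'}: hostname-based trust only"
        findings.append(Finding(sev, e.source, e.line_no, msg))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def worst(findings: List[Finding]) -> Optional[str]:
    order = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]
    present = {f.severity for f in findings}
    return next((s for s in order if s in present), None)


def audit_text(text: str, source: str) -> List[Finding]:
    return audit(parse_trust_file(text, source))


# Constructed sample .rhosts; every host name here is fictitious.
SAMPLE_RHOSTS = """\
# ~jsmith/.rhosts -- constructed sample
buildbox01
buildbox02 jsmith
+ +
+ ops
node17 +
-oldbox
+@devnet
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_RHOSTS, "~jsmith/.rhosts"):
        print(f"{f.severity:8} {f.source}:{f.line_no}: {f.message}")
```

Run it against the real files with something like `audit_text(open(path).read(), path)` for each user's home directory and for /etc/hosts.equiv; any CRITICAL or HIGH line is a machine that anyone who can spoof a hostname on that "isolated" network can log into without a password.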

  • Re:Linux... (Score:3, Interesting)

    by Niten ( 201835 ) on Saturday May 23, 2009 @01:14PM (#28067811)

    Every day I have to run apt-get update && apt-get upgrade to keep my system secure. Not every day is it a possible remote exploit, but there is always some security-related bug to fix. Linux may have a better implementation to keep those risks from escalating quickly compared to Windows, but I would not run nation-critical apps on it. Not at this point in time.

    I think you're making the classic mistake of equating the number of patches seen with the actual number, and severity, of vulnerabilities. Of course Debian gets more patches more often than Windows: the Debian security team sends out fixes for security vulnerabilities as soon as they're discovered, rather than leaving users exposed by waiting up to a month and fixing (some, but often not all) of the most critical known vulnerabilities in monthly roll-ups. And of course Debian sees more patches, when nearly all of the desktop applications on a Debian system are handled by apt; Windows Update only takes care of patching the operating system itself.

    So when it comes to a question of which operating system to run sensitive government services on, patch counting is worse than useless. Things that are worth considering are the tractability of the system's security model, and exploit mitigation techniques or fine-grained mechanisms for least privilege, such as SELinux.

  • Re:Bold claim (Score:3, Interesting)

    by MobileTatsu-NJG ( 946591 ) on Saturday May 23, 2009 @01:41PM (#28067995)

    How do they know that there was no data compromised if they don't even know the type of the virus?

    For the same reason that if I got a virus, none of your data would be compromised. Separate network, like it said in the summary. :P
