
Got Malware? Get a Hammer!

FuzzNugget writes "After the Economic Development Administration (EDA) was alerted by the DHS to a possible malware infection, they took extraordinary measures. Fearing a targeted attack by a nation-state, they shut down their entire IT operations, isolating their network from the outside world, disabling their email services and leaving their regional offices high and dry, unable to access the centrally-stored databases. A security contractor ultimately declared the systems largely clean, finding only six computers infected with untargeted, garden-variety malware and easily repaired by reimaging. But that wasn't enough for the EDA: taking gross incompetence to a whole new level, they proceeded to physically destroy $170,500 worth of equipment (PDF), including uninfected systems, printers, cameras, keyboards and mice. After the destruction was halted — only because they ran out of money to continue smashing up perfectly good hardware — they had racked up a total of $2.3 million in service costs, temporary infrastructure acquisitions and equipment destruction."

  • by Anonymous Coward on Tuesday July 09, 2013 @10:10AM (#44225005)

    ... and yet I'm still furloughed on Friday...

  • Outdated Equipment (Score:4, Insightful)

    by Anonymous Coward on Tuesday July 09, 2013 @10:11AM (#44225015)

    It sounds like they were using this as an excuse to buy new equipment, so they destroyed extra equipment hoping that someone would allow them to chalk up the expense to the virus and thus give them shiny new stuff.

  • by ArcadeMan ( 2766669 ) on Tuesday July 09, 2013 @10:12AM (#44225041)

    And why the hell would there be $2.3 million in service costs to destroy $170,500 worth of equipment?

  • by jeffb (2.718) ( 1189693 ) on Tuesday July 09, 2013 @10:13AM (#44225045)

    Sounds like a good start.

  • by Tridus ( 79566 ) on Tuesday July 09, 2013 @10:31AM (#44225291)

    Because, RTFA?

    "The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in developing a long-term response. Full recovery took close to a year."

  • by timeOday ( 582209 ) on Tuesday July 09, 2013 @10:32AM (#44225309)

    Either that or the hardware was outdated and/or soon-to-be replaced anyways (like the CRT photo in the accompanying story), so they just went with the upgrade instead of spending money to verify old stuff.

    Any IT upgrade could be spun exactly like this story, if you wanted... "why did you get a new mouse with that new system, the old one was working perfectly fine and now it's going in the trash!"

  • by mellon ( 7048 ) on Tuesday July 09, 2013 @10:40AM (#44225409)

    Yup. Likely what happened here is that the million-dollar security contractors gave the advice to do this bug hunt in the first place, and then provided the temporary replacement infrastructure, and walked away from the whole fiasco with a tidy profit. The reason this happens is because the government isn't generally allowed to hire people to do work like this, because "private industry is better." Of course, this sort of private industry is just a mechanism for siphoning off tax dollars, and the people who believe that hiring government employees to do government work is wasteful are actually responsible for fiascos like this, which are depressingly common.

    Even when the contractors aren't crooked, the cost of employing them instead of federal employees is typically several times higher. But "corporations good, government wasteful." If we keep repeating that long enough maybe it will come true.

  • by localman57 ( 1340533 ) on Tuesday July 09, 2013 @10:46AM (#44225497)

    No reason to believe it wasn't cleaned up.

    If they truly believe that it was the work of a nation-state, there is every reason to think it isn't cleaned up. Stuxnet didn't even reside just in computers. It infected programmable logic controllers attached to centrifuges, and then could re-infect computers on the network after they'd been cleaned. If you really believe that Russia or China has compromised your network, and you have information that's worth more than a million dollars to them, then you should assume that everything (printers, routers, video-conferencing equipment, everything with a jack, plus the BIOS of all your computers) may be infected.

    People tend to view $170,000 as a lot of money. But it's not. Computers for office workers can easily run under $1000. Hourly labor to clean things may be $50 per hour when you include overhead and benefits. And you're not even sure you got rid of the infection. If you mostly run apps that are resident on hardened servers, use imaging to make it easy to deploy new PCs, and don't have a lot of high-end hardware, it may make sense to just replace everything with clean hardware. Honestly, for departments where you do think there's stuff that sophisticated attackers may want, it may make sense to do this kind of purge occasionally even if you don't know there's been an attack. Take a look at the Sony PlayStation breach for an idea of what getting compromised can cost. It's a hell of a lot more than $170,000.

  • by Impy the Impiuos Imp ( 442658 ) on Tuesday July 09, 2013 @10:52AM (#44225583)

    Yeah baby, it's a great way to stimulate the economy. We know what gets done is less important than that things get done, and money gets pushed from person to person.

    Buying computers to destroy employs people, as does destroying them. Hell, what we should do is just increase taxes and hire the tens of millions of unemployed to dig ditches and then fill them back in over and over.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 09, 2013 @11:06AM (#44225739)

    Oh, don't get me wrong, I'm combining my love for Alien and my inexplicable whoring for 'funny' upmods (that don't even net me the 'karma' I don't care about), rather than phoning in a reliable 'insightful' rant about THem Gummunit Union Beurocrats! in part because it amuses me more, and in part because (especially if your hardware is old shit) a sledgehammer is probably the best approach if you actually think that a state-caliber attacker is on your ass (for larger jobs consider a shredder [ssiworld.com] rather than a hammer).

    In this specific case, given that their analysis found only a small quantity of chickenshit malware, and because the EDA is kind of a low-priority target for the really cool attacks, I strongly suspect that it was an overreaction (and, if it wasn't an overreaction, doing more aggressive analysis, in order to better understand the adversary's capabilities in terms of OS, application, and hardware/firmware level malware, would have been more responsible than just shredding it all).

    That said, though, you'd be hard pressed to be paranoid enough about the potential for even seemingly innocuous devices, in the hands of a capable attacker, to be malicious. The BIOS has had slightly unnerving powers ever since SMM [wikipedia.org]; but these days it's a second OS, more or less. USB devices are highly likely to be full, potentially reprogrammable, devices that are just implementing whatever they are supposed to be in software (OEM cost-cutting reduces the risk that there would be space/power to hide anything really cool; but some pretty weedy microcontrollers can handle being whatever flavor of USB slave device they are set to emulate). Even monitors get a full i2c bus for DDC, no idea how well your graphics driver, occupying its position of relative privilege within the system, watches that interface...

    I would say that they screwed up, because if they genuinely suspected the worst, shredding the evidence rather than analyzing it is unhelpful in preventing future attacks, and if they didn't suspect the worst, dumping clean images on the systems and getting on with life would have been a lot cheaper; but it is true that, if you suspect a genuinely capable attacker, you are sufficiently fucked that just burning it with fire is probably the cheapest option...

  • by Chickan ( 1070300 ) on Tuesday July 09, 2013 @11:07AM (#44225753)

    Not always true. I've seen many incompetent people continue to get promoted in industry. The government ones just get more press.

  • by The Rizz ( 1319 ) on Tuesday July 09, 2013 @11:35AM (#44226103)

    It seems to be a symptom of some underlying pathology in a democracy when so much effort is put into protecting the head of government. At least in the ideal it doesn't matter who is president;

    You're completely missing the point of protecting the Head of State - it's not because an assassination would cause a change in policies, but to keep extremists from using the threat of assassination to blackmail a Head of State into changing those policies.

    In other words, if the POTUS has to fear for his life as a result of every decision he makes, he is going to be pressured to cater to the most radical and violent groups.
