Thursday, June 21, 2007

Insecurity again

Just over two years ago, I wrote
Fact: the new superduper multilinked know-everything-about-everyone complex of databases that the White House wants, will be just as fallible and easy to compromise as LexisNexis' systems were, because they will be staffed by the same people: undertrained, underpaid, unrespected employment agency temps. It doesn't matter how good the database security is, if a gullible fool is answering the phone. Properly trained people, intelligent enough to hear an alarm bell when a stranger offers them candy, will not work for peanuts; and even in these days of homeland security everybody wants things done cheaply.
A half-dozen recent articles indicate that I was right, for instance:
The Homeland Security Department, the lead U.S. agency for fighting cyber threats, suffered more than 800 hacker break-ins, virus outbreaks and other computer security problems over two years, senior officials acknowledged to Congress.

In one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. The agency's headquarters sought forensic help from the department's own Security Operations Center and the U.S. Computer Emergency Readiness Team it operates with Carnegie Mellon University.

In other cases, computer workstations in the Coast Guard and the Transportation Security Administration were infected with malicious software detected trying to communicate with outsiders; laptops were discovered missing; and agency Web sites suffered break-ins.
Congress asked Homeland Security's chief information officer, Scott Charbo, who has a Masters in plant science, to account for more than 800 self-reported vulnerabilities over the last two years and for recently uncovered systemic security problems in US-VISIT, the massive computer network intended to screen and collect the fingerprints and photos of visitors to the United States. [...]

US-VISIT has a long history of security problems and failing government audits. Though the system is supposed to be self-contained,some undisclosed number of US-VISIT computers running Microsoft 2000 were infected by the Zotob worm in August of 2005, revealing not only that the system lacked good patch management, but that somehow the system touches the internet. DHS attempted to hide the evidence, but a persistent government sunshine lawsuit from Wired revealed the infection in the fall of 2006.
Expect harsh words from the Committee's chair Bennie Thompson who is slated to pound DHS for hypocrisy: with questions like "How can the Department of Homeland Security be a real advocate for sound cybersecurity practices without following some of its own advice?" and "How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?"
I told you so. Colour me "smug."

Labels: ,


Blogger JoeinVegas said...

Maybe you can get a contract with the deparment of homeland security and advise them on security. Oh, wait a minute,

June 21, 2007 at 5:26:00 p.m. GMT+2  
Blogger Pacian said...

Okay. That's kind of an orangey colour, right?

June 21, 2007 at 8:48:00 p.m. GMT+2  
Blogger Joseph K said...

Rightfully smug. Alas!

June 24, 2007 at 5:44:00 p.m. GMT+2  
Blogger Udge said...

Joe: nah, I wouldn't wish to work for the current government, I'd be unable to hold my head up in the company of sewer workers and slaughterhousemen.

Pacian: orange? I thought rather a plummy dark red.

Joseph K: thanks, and welcome aboard.

June 24, 2007 at 10:21:00 p.m. GMT+2  

Post a Comment

<< Home