
DHS CyberSecurity Misses 1085 Holes On Own Network

CmdrTaco posted more than 4 years ago | from the do-as-i-say dept.


Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."


Idiots (2, Informative)

Zeek40 (1017978) | more than 4 years ago | (#33520178)

This is why the government always ends up hiring contractors to do the jobs they already pay their own staff to do.

Re:Idiots (-1, Troll)

Anonymous Coward | more than 4 years ago | (#33520360)

That's what happens when you use an inferior solution like Linux. They should have been using AIX or a BSD instead of that cobbled together mess.

Re:Idiots (1)

Ex-MislTech (557759) | more than 4 years ago | (#33525582)

"Adobe Acrobat, Sun’s Java and some Microsoft applications."

I think you did not read the article, but that is common, isn't it?

no this is what you get with outsourced IT VA (1)

Joe The Dragon (967727) | more than 4 years ago | (#33520464)

No, this is what you get with outsourced IT. The state of VA went with Northrop Grumman, and that did not work that well.

Re:no this is what you get with outsourced IT VA (5, Informative)

erroneus (253617) | more than 4 years ago | (#33520684)

This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18 year old girl being hired as a supervisor and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.

Re:no this is what you get with outsourced IT VA (1, Informative)

Paracelcus (151056) | more than 4 years ago | (#33522880)

"18 year old girl being hired as a supervisor and this was her VERY FIRST JOB"

I guess if I was getting my pole waxed by an 18 year old girl, I'd give her any job she wanted too!

Re:no this is what you get with outsourced IT VA (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33526398)

It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.

Re:no this is what you get with outsourced IT VA (0)

Anonymous Coward | more than 4 years ago | (#33524108)

Several things explain an 18 yr old in leadership position quite adequately.

1. "Broken oath of office." (FIOS Splitters, Failure to regulate the monetary sys, Torture, Spying, data hacking, fucking bs, hell on earth pain weapons, and abuse of electronics and physics, or training young minds with unconstitutional bullshit)

2. "Brainwashed Propaganda Replacing the United States Constitution and Bill of Rights" (MIAC REPORT, UN, UNEP, IMF, IPCC, TC, PNAC, AIPAC, CFR, CARBON TAX/POPULATION CONTROL (un/unep/ipcc/imf), FLORIDE(local), VACCINES(cdc/who/local), AND A ZILLION OTHER THINGS YOU FUCKING CORPORATIONS YOU'D BEST MAKE SURE YOUR FUCKIN CANDIDATE ISN'T AFFILIATED WITH, ALONG WITH THE CORPORATE MEDIA OWNING 90% OF THE FUCKING PUBLIC SPECTRUM-SHITTING ON YOUR INTELLIGENCE)

3. "Corruption protected by State Secrets" catch 22, and "No Expedited, Clearly Written Procedures, for taking out a Oath Breaker" (not to be confused with this never-ending-unconstitutional-undeclared-fucking-invisible-war-on-terror)

Re:no this is what you get with outsourced IT VA (1)

AnAdventurer (1548515) | more than 4 years ago | (#33525200)

Yup, I too was hired by DHS via a contractor. My UA was hot for Benzo (I was in the middle of a messy divorce, but had no script), I told the Dr at the physical and they passed me through. I left for the same reason you mention. No rhyme or reason for speciality hires. Myself and another highly qualified co-worker applied for an IED detection instructor position and it was awarded to a 55+ year old woman who had probably never seen an explosive in her life. I left a few weeks later. My co-worker lasted a few more months until he threw in the towel and moved into private security.

Re:no this is what you get with outsourced IT VA (1)

random coward (527722) | more than 4 years ago | (#33528244)

"This is all about blame shifting and the appearance of easy 'correction.'"


Congratulations! You just gave the best definition of what a bureaucracy is!

Re:no this is what you get with outsourced IT VA (4, Informative)

Divide By Zero (70303) | more than 4 years ago | (#33520982)

Commonwealth of Virginia != Department of Homeland Security.

This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.

What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.

While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.

Re:no this is what you get with outsourced IT VA (2, Insightful)

Hylandr (813770) | more than 4 years ago | (#33521562)

I have done work with the government and had to participate in this scanning before bringing new hardware aboard a military facility.

Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings are often security theatre regimen or disastrously harmful to performance. But someone convinced congressman Y,Y,Z that this setting was imperative to have enabled or disabled.

Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.

- Dan.

Re:no this is what you get with outsourced IT VA (0)

Anonymous Coward | more than 4 years ago | (#33523152)

Their scanning software requires remote access to the registry from a central scanning computer

LOL. You had me right there, I mean, what could possibly go wrong? :)

Re:no this is what you get with outsourced IT VA (1)

Divide By Zero (70303) | more than 4 years ago | (#33534186)

I don't know that what you experienced is quite what the article's talking about.

I'm not at DHS-OIG, but in reading their report, it looks to me like it's a pen test or internal vulnerability scan, not an inventory of what patches they have installed. Nessus exists to find actual holes, not just see what patches you had installed compared to FDCC. The report said a Nessus scan found 202 high-risk security holes (as well as 338 medium- and low-risk) in 1085 instances on 174 computers, not just missing patches for systems that aren't actual vulnerabilities.

I'd like to be able to see the report that says exactly what the holes are, but I suspect that that level of detail is probably classified. Given the other findings and recommendations in the report, I'd be inclined to believe that there are real problems and not just a few missing patches.

I hate security theater as much as anybody, but I think this vulnerability scan might be serving a worthwhile purpose.

Re:no this is what you get with outsourced IT VA (0)

Anonymous Coward | more than 4 years ago | (#33522394)

I'd be so bold as to say that the baby's candy protection perimeter was a bit more secure, based on the reports we're seeing.

Re:no this is what you get with outsourced IT VA (1)

human-cyborg (450395) | more than 4 years ago | (#33522454)

What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.

?!? Where are you getting this analogy from? ?!?

Can't you think of an appropriate car-themed analogy?

Re:Idiots (0)

Anonymous Coward | more than 4 years ago | (#33520516)

And having had to work with those contractors ...

It doesn't help.

Re:Idiots (1)

Neil Watson (60859) | more than 4 years ago | (#33520694)

More likely this is what happens when an organization does not have processes for execution and validation. Regardless of whether they are contractors or FTs, if no one audits their work this can happen.

Re:Idiots (5, Insightful)

mcgrew (92797) | more than 4 years ago | (#33521078)

No, it's that DHS has nothing to do with true security. Their job is security theater, as evidenced at any airport. The Armed Forces and National Guard are there for the real security.

DHS is a waste of good tax money. It should be spent on infrastructure.

Re:Idiots (2, Insightful)

Bigjeff5 (1143585) | more than 4 years ago | (#33523136)

It's almost like "The Ministry of Truth" in Orwell's 1984 - it was the propaganda machine for the government, and therefore was responsible for spreading lies far and wide.

DHS is similar, though not exactly a polar opposite of what its Orwellian name would suggest. It spreads the feeling of security without securing anything. The guys who are actually doing anything to prevent terrorist attacks are folks like the CIA and FBI. DHS doesn't do shit.

For example, I know a guy who accidentally brought a box cutter in his carry-on at least half a dozen times when he was flying. It wasn't until he found it in the bottom of his bag that he realized it was there and removed it. That's the same damn weapon the 19 hijackers all used, yet here at least six of them would have gotten through.

And yet we have to take our shoes off, just in case someone put a bomb in our shoes. Give me a break.

Re:Idiots - The guys who are actually.... (1)

OldHawk777 (19923) | more than 4 years ago | (#33525576)

The folks who are actually collecting big paychecks are well certified, qualified, legitimized... and they got BM (business management) degrees.

Also, DHS provides many more big paychecks for the DC, Virginia, and Maryland .gov+.mil+.com money pit.

If you are unemployable, move to the DC, Virginia, and Maryland area where more .gov+.mil+.com easy-jobs move every year. They need janitors and maids. The other jobs are for family and friends of family; Hence, an 18yo woman can be a fully certified, qualified, legitimized... boss (eventually with a business management).

Re:Idiots (1)

Locutus (9039) | more than 4 years ago | (#33523724)

The DHS was Bush's jobs program. I thought it should have been called the "New Central Central Intelligence Agency".

LoB

Re:Idiots (1)

ChiRaven (800537) | more than 4 years ago | (#33524554)

One correction. The DHS LOCAL affiliates, the county Emergency management agencies, usually do a pretty good job of mobilizing local resources (like the Red Cross, etc.) to respond to local situations like tornados and minor flooding. These are the LOCAL groups that are affiliated with FEMA, which is under DHS. They get overloaded when there is a major emergency and the federal people have to take over, but in a local situation these people do a tremendous job.

Re:Idiots (1)

timeOday (582209) | more than 4 years ago | (#33525494)

this is what happens when an organization does not have processes for execution and validation

They do, or this story wouldn't exist. The DHS audited its own systems and this is what they found. If they were a company, they would just quietly fix the problem (or not) and move on. Since it's government, they self-report and we get the daily anti-government whine.

Re:Idiots (0, Troll)

NatasRevol (731260) | more than 4 years ago | (#33525872)

Dammit. I was here for the anti-MS whine.

Cause I knew MS would be at fault just by the title :-)

Re:Idiots (1)

spamking (967666) | more than 4 years ago | (#33521974)

They can transfer the risk all they want, but they are still ultimately responsible.

Re:Idiots (1)

hesaigo999ca (786966) | more than 4 years ago | (#33524388)

They should fire everyone IT related in Virginia for this offense, and replace them with more competent individuals.

Re:Idiots and real Idiots, Reality Check! (1)

OldHawk777 (19923) | more than 4 years ago | (#33525340)

The government always ends up hiring contractors, this is why the jobs are already contractors, because .Gov/.Mil/.Com C*O/management get to blame-storm the contractors, the contractors can blame-storm each other, and the public thinks civil servants can't do the job. I know a few .Gov IT/Services folks and they know security basics very well, but they cannot interfere with the contractors doing a questionable job, until post-audit or post-incident.

Go discover how many contractors are on the .gov/.mil payroll. Are contractors more competent? Well from this incident and many others, I suspect, the answer is NO!

Re:Idiots (2, Interesting)

inanet (1033718) | more than 4 years ago | (#33528120)

I wonder how well the audit was done? I have seen really poor security audits done by professional auditing companies in the past that just showed the lack of ability of the auditors. As an example, we got the following from an audit on a few Unix boxes:

"Security risk - High: Telnet not disabled"
"Security risk - High: SSH passwords don't expire"
"Security risk - High: FTP not disabled"

Our response?

- No risk: telnet not installed, port not open.
- No risk: ftp not installed, port not open.
- SSH uses a key mechanism; passwords are invalid in all cases.

Basically they had a script they ran that would check to see if things like ftp and telnet had been disabled, and if the correct password expiry was set. They had no idea that you could configure a system that didn't actually _have_ ftp or telnet installed, or that you could set up ssh in such a way that a password was never any good.

I just mention this, even though it's great to hate on security - govt. depts. You never know how good the actual auditing is. There is a saying that those that can, do; those that can't, audit*

* this may not actually be the saying. I'm just saying.

Re:Idiots (1)

BlindRobin (768267) | more than 4 years ago | (#33531474)

Hiring contractors by the government does not increase efficiency, competence or quality, it just pushes more money into different places and muddies things up even more. In my experience, the contractors (with whom I have had contact) hired by the various USGOV agencies and their departments are marginally competent leeches whose ability to acquire contracts has more to do with relationships that have little to do with actually accomplishing their stated mission. While I haven't worked in Washington since 2005, I doubt that this has changed.

It's shit like this (2, Insightful)

tsalmark (1265778) | more than 4 years ago | (#33520200)

It's shit like this that needs to make it to main stream media. To show how messed up the fear mongering side of the Government really is.

Re:It's shit like this (1)

slick7 (1703596) | more than 4 years ago | (#33521306)

It's shit like this that needs to make it to main stream media. To show how messed up the fear mongering side of the Government really is.

Exposing the inadequacies of the government will just result in more "National Security" obfuscation. The more holes in security equates to more money to fill those holes. It's only a matter of time until Halliburton gets involved.
The powers that be have no intention of letting their senior bosses know the truth. They will throw more money at it until some major incident occurs and it airs on "60 Minutes", at which time the incompetence will be swept under the rug. When the issue becomes so tangled with corporate wrangling, senate hearings, an actual loss of security, DHS will just go dark, thereby allowing the matter to be taken up as an internal affair. In the meantime, security hole exploitation will become the raison de guerre. (excuse my French)

Re:It's shit like this gooooooood (1)

OldHawk777 (19923) | more than 4 years ago | (#33525638)

Gooooooood is either god or good with too many "o".

Halliburton can really help with obscurity security, I'm sure.

Do as I say... (1)

Arrepiadd (688829) | more than 4 years ago | (#33520254)

... not as I do.

bureaucracy maybe? (2, Insightful)

metalmaster (1005171) | more than 4 years ago | (#33520454)

It's possible that even IT drones that work in a bureaucracy have to deal with the red tape. A good number of these holes might have been fixed by installing the "latest" version of software. At most of the companies I have worked with, software installs have to be vetted by corporate suits that would rather play golf.

I'm not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.

Re:bureaucracy maybe? (0)

Anonymous Coward | more than 4 years ago | (#33520780)

Pretty much this. The iron law of bureaucracy no doubt is in place.

Where I work, to get any change done, requires going through 2 committees for approval from people who have no knowledge of the technology in the first place. Then you send in a ticket for the work to get done outside your control (network changes, san assignments) which sits in a queue for months. Eventually, people just give up bothering to patch or upgrade systems. Too much hassle and they get paid whether or not it gets done.

Re:bureaucracy maybe? (1)

Neil Watson (60859) | more than 4 years ago | (#33520864)

At some organizations it can take months to schedule and get approval for patching. When someone claims the business needs a service to be available all of the time, it's difficult to find a business-level advocate for patching.

Re:bureaucracy maybe? So... (1)

OldHawk777 (19923) | more than 4 years ago | (#33525692)

C*O/Business management is about the same in .com as in .gov/.mil? Limit to 0.6666... average for both suffering the technology peter-principle, then I agree.

Ditch Windows (1)

jdigriz (676802) | more than 4 years ago | (#33520512)

Well, obviously they need to run some instances of Windows for research and testing purposes to protect the public, but you'd think the organization devoted to cybersecurity would run something with fewer targeted attacks designed especially for it.

Re:Ditch Windows (1)

AHuxley (892839) | more than 4 years ago | (#33520826)

One big honeypot to see what is being used?
If some new tool works well with 'secure' MS, the US can use them too around the world.
The endless contractor cash supply is cute too.

Re:Ditch Windows (0)

Anonymous Coward | more than 4 years ago | (#33521436)

In my experience using Nessus at work, the Linux machines actually turn up with more "vulnerabilities" than the Windows boxes. The problem is that you need to tune your scans; it generates a lot of false positives.

Meh... (0)

Anonymous Coward | more than 4 years ago | (#33520518)

This is blown out of proportion. Vulnerability scanners will report lots of things as "MAC I vulnerabilities", and since they are automated, a lot of the time they report non-risks. Things like file permissions when the OS is fully patched, ports locked down, and so on.

You can scan a single fresh updated copy of red hat and get 50+ high-risk items, for instance.

On a whole network, this result isn't bad because it is basically impossible to meet the moving target of a perfect score on a vulnerability scanner in a constantly evolving large network.

Re:Meh... (1)

Neil Watson (60859) | more than 4 years ago | (#33520942)

Very true. I've seen auditors report that users' default umask was incorrectly set. When you try to explain that any user can set any umask they want, so why bother, they stare at you like you just told them the Sun was blue.

Re:Meh... (0)

Anonymous Coward | more than 4 years ago | (#33522368)

I've gone through quite a few external security audits. They had absolutely stupid things. The fact that an ICMP ping wasn't returned (we were dropping inbound ICMP) counted as a point against us. I changed the firewall rules to allow pings, and then we had a point against us for returning the ICMP ping. There was no "right" way to do that.

That was just one of many items. It was an absolute pain in the ass. There were about a dozen low to moderate threat items that had to be fixed. Most didn't even apply to us, and a few were outside of our control, like the time it took to resolve our name. Their nameserver was slow, not ours.

I really don't mind security audits. If your company is large enough, you'll be getting them all the time by people who want to break into your network. The audits really need to be delivered by someone who knows network security, that you can discuss the failure points with. As it was, we only had communication with a glorified CSR who could only say "fix it or else".

Re:Meh... (1)

qwijibo (101731) | more than 4 years ago | (#33523280)

I gave up on trying to educate auditors. They often have the logical reasoning capability of a brick, without the value of being a building material. Compliance auditing is about reducing a complex set of circumstances and requirements into simple numbers. Comprehension of the underlying issues is not a job requirement.

The reason why that's a checklist item is that 99+% of users have access to, but not the knowledge required to set, a umask, therefore making your point moot.

My recent favorite audit vulnerability was mode 644 on wtmpx. If someone has an account on a system (which is already limited to legitimate need anyway), I'm not deeply concerned if they can find out who has recently logged into the server. In fact, I'd rather that simple troubleshooting be done by unprivileged users, some of which fall into the 99+%, rather than requiring they get root access to look at harmless information.

The best part is when one compliance program says that SSHD should have PermitRootLogin=No, but another group needs it to be Yes to allow all of the root passwords to be centrally managed to meet some other compliance requirement.

Re:Meh... (1)

Rubinstien (6077) | more than 4 years ago | (#33531392)

The most ludicrous (on multiple levels) I have had to deal with was an audit by one of our customers flagging our software for SQL injection, simply because the 'Defects Addressed' section of the release notes contained the text of an ODBC error administrators may have seen in the server log in prior releases, that had now been fixed. They would absolutely not allow the software into production until this 'critical vulnerability' in the static HTML release notes had been fixed. The scripts that spell-check our release notes now flag 'ODBC', and suggest that this acronym be replaced with the HTML numeric entities . This lets us pass the audit. I wonder how many real SQL injection vulnerabilities get passed over by this audit software because the output is encoded in some way?

i've seen nessus reports (4, Interesting)

mrzaph0d (25646) | more than 4 years ago | (#33520650)

unless the people running the scans are experts in setting up and configuring nessus for scanning, i wouldn't assume every one of those is a true vulnerability.

Re:i've seen nessus reports (2, Interesting)

SocialEngineer (673690) | more than 4 years ago | (#33520706)

Exactly. Just running Nessus does not a proper security audit make.

Re:i've seen nessus reports (1)

nicolas.kassis (875270) | more than 4 years ago | (#33521028)

Yup. Nessus isn't magical; unless you instruct it to use the vulnerability and attack the host (not suggested) you can never be certain the vulnerability exists.

Re:i've seen nessus reports (1)

Larryish (1215510) | more than 4 years ago | (#33522114)

Very wise you are.

Re:i've seen nessus reports (2, Insightful)

qwijibo (101731) | more than 4 years ago | (#33523392)

Running Nessus produces numbers. Those numbers are then the metrics which management uses to judge how well people are doing their jobs. Lower numbers are always good and higher numbers are always bad.

Comprehension of what the numbers represent, or if they're accurate, is not really relevant from a management perspective. If you show that your numbers are small and keep getting smaller, then any security vulnerability can't be your fault, because the magic number machine says you're compliant. It's the same thinking that says anyone who got a free virus scanner installed on their computer when they bought it 7 years ago is intrinsically safe.

Tools like Nessus can be useful from a technical perspective, but far more often are used for political reasons.

Re:i've seen nessus reports (1)

Bigjeff5 (1143585) | more than 4 years ago | (#33523154)

Well considering it was a failed audit, and not just a failed scan, I'm sure they know what they are doing.

Re:i've seen nessus reports (1)

carp3_noct3m (1185697) | more than 4 years ago | (#33524648)

It should be noted that there are various certifications which any company hiring vulnerability assessment should look for, many of them cover in depth how to properly use Nessus, Saint, etc.

Obvious solution to this.. (4, Funny)

Lakitu (136170) | more than 4 years ago | (#33520926)

We need to create a Department of Department of Homeland Security Security immediately.

Re:Obvious solution to this.. (0)

Anonymous Coward | more than 4 years ago | (#33521912)

Yo dawg, I herd you like security holes, so I put a dept. of homeland security in your dept. of homeland security so you can be insecure while you're being insecure!

Quick! (0)

Anonymous Coward | more than 4 years ago | (#33520940)

Let's all hack the motherfuckers before they fix the holes!

Re:Quick! (1)

Paracelcus (151056) | more than 4 years ago | (#33522956)

Listen! they're coming up the driveway, out the back door! ;-)...

I think it speaks more to the tools available (1)

joeflies (529536) | more than 4 years ago | (#33521004)

Managing configuration for one box is easy. Sometimes managing configuration for multiples of the same box is doable. But managing configuration for a large scale multi-vendor deployment is a headache that nobody solves particularly well, and the tools for checking the various things (patch level, logs, configuration scanning, etc) typically all come from different security vendors and those don't work together either.

Re:I think, Excuses... (1)

OldHawk777 (19923) | more than 4 years ago | (#33525854)

Excuses are a major security problem.

In fact, excuses cause major security problems.

No, I am not saying fire the person, because shit happens. Unless the person is the problem looking for excuses for all the shit happening.


Acrobat, Java, and Microsoft (2, Informative)

MrTripps (1306469) | more than 4 years ago | (#33521100)

The article says most of the flaws were unpatched installations of Java, Acrobat, and Windows. When new patches for those come out every week it is easy to let that slip without some sort of patch management tool. I wonder what they used other than WSUS.

Re:Acrobat, Java, and Microsoft (1)

idiotnot (302133) | more than 4 years ago | (#33521930)

A thousand times this.

But, then, I suppose the people who wrote TFA, or are commenting here, don't have a single unpatched copy of Acrobat Reader or JRE around. Am I right?

Cluestick time: while there are problems in government IT, I can guarantee you that many, many large corporations would have fared worse on a similar audit.

Re:Acrobat, Java, and Microsoft (1)

mcgrew (92797) | more than 4 years ago | (#33522268)

Indeed. I guess the day before yesterday was Patch Tuesday, because as soon as I got home from work and turned my netbook on it said there were "critical updates".

Last night I got another one for Adobe's PDF viewer. Then BitTorrent asked me if I wanted to update it.

I rebooted that thing more in the last two days than I have since I bought it in April. At least BT didn't need a reboot. It was annoying, because I'm trying to DL and try Kubuntu with BT and seed my novel and Mandriva with it, and all that rebooting cut into my uploading and downloading and beer drinking.

Re:Acrobat, Java, and Microsoft (0)

Anonymous Coward | more than 4 years ago | (#33529804)

Cool story bro.

FUD (1)

setrops (101212) | more than 4 years ago | (#33521152)

The lack of details in the paper makes it so that it is impossible to know exactly what they found. Scanners such as Nessus, Foundstone, Languard are really noisy and can report normal system operation as a high vulnerability regardless of system configuration.

Something like telnet will be a high, but put the proper mitigation such as access list, 2 factor authentication and you can show it as a medium or low.

It's all subjective.
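As an added example (not code from either commenter, from Nessus, or from the OIG report), here is the kind of host-side validation inanet describes above (telnet and FTP flagged on boxes that had neither installed nor listening, and "SSH passwords don't expire" on a key-only sshd) combined with the mitigation-aware downgrade setrops describes here. The host evidence (an `ss -ltn` listing, an installed-package set, an sshd_config and a per-port firewall allow-list) is constructed for the example, and the triage rules are assumptions for illustration: a service finding is a false positive when neither the package nor a listener exists, is downgraded to medium when the listener is reachable only from an internal network, and is confirmed otherwise; an SSH password finding is closed when sshd accepts neither password nor challenge-response authentication.

```python
"""Triage raw scanner findings against what is actually true on the host.
Evidence, findings and rules below are constructed for this example."""
import ipaddress

# Constructed `ss -ltn` output: sshd and an FTP daemon on all interfaces, SMTP on loopback only.
SS_LTN = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
"""
INSTALLED_PKGS = {"openssh-server", "vsftpd", "postfix"}  # note: no telnetd at all
SSHD_CONFIG = """# constructed sshd_config: key-only authentication
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# PasswordAuthentication yes    <- commented out, must not count
"""
# Constructed host firewall policy: port -> source networks allowed to reach it (default deny).
FIREWALL_ALLOW = {22: ["10.0.0.0/8"], 21: ["10.0.0.0/8"], 25: ["127.0.0.1/32"]}

# Constructed scanner output, in the shape of the findings quoted in the thread.
FINDINGS = [
    {"title": "Telnet service not disabled", "port": 23, "severity": "high"},
    {"title": "FTP service not disabled", "port": 21, "severity": "high"},
    {"title": "SSH passwords do not expire", "port": 22, "severity": "high"},
    {"title": "Missing OS security patches", "port": None, "severity": "high"},
]
EVIDENCE = {"ss": SS_LTN, "packages": INSTALLED_PKGS,
            "sshd_config": SSHD_CONFIG, "firewall": FIREWALL_ALLOW}


def listening_ports(ss_output):
    """Map each listening TCP port to its bind address, parsed from `ss -ltn` output."""
    ports = {}
    for line in ss_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, port = cols[3].rsplit(":", 1)      # also handles "[::]:22"
            ports[int(port)] = addr
    return ports


def sshd_value(config_text, key, default):
    """Effective value of an sshd directive: sshd takes the first uncommented occurrence.
    Directives after a Match block are conditional, so parsing stops there."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == key.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return default


def open_to_any_source(port, allow):
    """True when the firewall permits the port from 0.0.0.0/0 or ::/0."""
    return any(ipaddress.ip_network(n).prefixlen == 0 for n in allow.get(port, []))


def triage(finding, ev):
    """Return (verdict, severity, reason) for one finding, using host evidence."""
    title, port = finding["title"].lower(), finding.get("port")
    ports = listening_ports(ev["ss"])
    if "telnet" in title or "ftp" in title:
        pkg = "telnetd" if "telnet" in title else "vsftpd"   # assumed package names
        if port not in ports and pkg not in ev["packages"]:
            return "false positive", "none", f"{pkg} not installed, nothing listens on {port}"
        if port in ports and not open_to_any_source(port, ev["firewall"]):
            return "mitigated", "medium", f"port {port} reachable only from {ev['firewall'].get(port)}"
        return "confirmed", finding["severity"], f"port {port} listens and is open to any source"
    if "ssh" in title and "password" in title:
        cfg = ev["sshd_config"]
        if (sshd_value(cfg, "PasswordAuthentication", "yes") == "no"
                and sshd_value(cfg, "ChallengeResponseAuthentication", "yes") == "no"):
            return "false positive", "none", "sshd is key-only; password expiry is irrelevant"
        return "confirmed", finding["severity"], "sshd still accepts passwords"
    return "unverified", finding["severity"], "no host-side validator for this check"


def triage_all(findings, ev):
    """Triage every finding; returns [(title, verdict, severity, reason), ...]."""
    return [(f["title"],) + triage(f, ev) for f in findings]


if __name__ == "__main__":
    for title, verdict, sev, why in triage_all(FINDINGS, EVIDENCE):
        print(f"{title:32} {verdict:15} {sev:7} {why}")
```

The point of keeping "unverified" as a distinct verdict is that a finding the script cannot check (here the missing-patches one) keeps the scanner's severity rather than quietly disappearing; only findings with positive host evidence get closed or downgraded, and the reason string is what goes back to the auditor.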

Re:FUD (2, Insightful)

crypticwun (1735798) | more than 4 years ago | (#33521706)

Actually, reading the report tells me that the problems were almost certainly Windows desktop systems lacking a cohesive patch management solution. Also, if you read further the IG even states that as of the time this report was published all the problems were already remediated including acquisition and deployment of a "software management" solution. Further, the IG claims that NCSD is not following FISMA. NCSD is not a legally recognized entity (agency) under statute, so that means *DHS* is the responsible party for FISMA reporting. FINALLY, US-CERT != the troubled network. US-CERT uses that network, but has no control over the operations of that network. Both the IG and Wired go out of their way to NOT make the distinction on that.

if you read the actual report pdf (0)

Anonymous Coward | more than 4 years ago | (#33521222)

you find the most grotesque Microsoft PowerPoint-like data crap: a half-page picture that is a pie chart with two sections (figure 4, page 9 in the pdf)
Anyone who would put together such a bs piece of eye candy isn't competent to pound sand down a rathole, even if they do use their spellchecker

Re:if you read the actual report pdf (1)

flydpnkrtn (114575) | more than 4 years ago | (#33521734)

you find the most grotesque Microsoft PowerPoint-like data crap: a half-page picture that is a pie chart with two sections (figure 4, page 9 in the pdf)
Anyone who would put together such a bs piece of eye candy isn't competent to pound sand down a rathole, even if they do use their spellchecker

Have you ever briefed such a report to management? Management wants to see the 'bottom line' type of information, not piles of information packed into slides.

Pie charts are common on these types of high level reports... remember that managers are looking at this. To get into the nitty gritty and fix vulnerabilities (or invalidate scan findings if they're false positives) the Information Assurance techs would look at the actual Nessus scan findings, not the pretty pie chart (that's for management).

Re:if you read the actual report pdf (2, Interesting)

setrops (101212) | more than 4 years ago | (#33525778)

Yes, actually I do this quarterly.

We divide the vulnerabilities into 3 categories:

OS patching.
OS hardening.
Application patching.

By doing this you can focus on the root cause of the issues: system owners, application owners. It's a nice 2-page report with colours. They love it.

Administrators who care and are not tied up in red tape tend to really shine in these reports.

Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.
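As an added example (not code from the thread or from Nessus), here is one way to produce the three-bucket breakdown setrops describes from a scanner export. The CSV rows are constructed to look like a Nessus export; the column names, plugin families and placeholder advisory ids are assumptions, not real findings.

```python
"""Bucket scanner findings into OS patching / OS hardening / Application patching.

Added example; not from the Slashdot thread and not Nessus code.
The CSV below is constructed; the columns (Host, Risk, Name, Plugin Family)
and the plugin family names are assumptions about an export format.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Hosts, plugin names and ids are placeholders.
SAMPLE_CSV = """\
Host,Risk,Name,Plugin Family
10.0.0.11,High,MS10-XXX (placeholder): Windows kernel update missing,Windows : Microsoft Bulletins
10.0.0.11,High,Adobe Reader < placeholder version multiple vulnerabilities,Windows
10.0.0.11,High,SMB signing not required,Windows
10.0.0.12,High,Sun Java JRE < placeholder version multiple vulnerabilities,Windows
10.0.0.12,High,Telnet service detected,Service detection
10.0.0.12,Medium,SSL weak cipher suites supported,General
10.0.0.13,High,DSA-placeholder: openssl update missing,Debian Local Security Checks
10.0.0.13,High,Apache HTTP Server < placeholder version,Web Servers
10.0.0.13,Low,ICMP timestamp request enabled,General
"""

# Plugin families (assumed names) that mean the OS vendor's patch feed is behind.
OS_PATCH_FAMILIES = {
    "Windows : Microsoft Bulletins",
    "Debian Local Security Checks",
    "Red Hat Local Security Checks",
    "Ubuntu Local Security Checks",
}

# Misconfiguration findings that a hardening change fixes, not a patch.
HARDENING_KEYWORDS = ("signing", "telnet", "weak cipher", "timestamp",
                      "anonymous", "default password")


def categorise(name: str, family: str) -> str:
    """Map one finding to exactly one of the three report buckets."""
    if family in OS_PATCH_FAMILIES:
        return "OS patching"
    lowered = name.lower()
    if any(keyword in lowered for keyword in HARDENING_KEYWORDS):
        return "OS hardening"
    return "Application patching"


def summarise(csv_text: str, min_risk: str = "High") -> Counter:
    """Return {(host, category): count} for findings rated at or above min_risk."""
    ranks = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
    threshold = ranks[min_risk]
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ranks.get(row["Risk"], 0) < threshold:
            continue  # below the cut-off for this report
        counts[(row["Host"], categorise(row["Name"], row["Plugin Family"]))] += 1
    return counts


def report(csv_text: str, min_risk: str = "High") -> dict:
    """Category totals across all hosts: the numbers behind the two-page summary."""
    totals: dict = defaultdict(int)
    for (_host, category), n in summarise(csv_text, min_risk).items():
        totals[category] += n
    return dict(totals)


if __name__ == "__main__":
    for (host, category), n in sorted(summarise(SAMPLE_CSV).items()):
        print(f"{host:<12} {category:<22} {n}")
    print(report(SAMPLE_CSV))
```

Running it on the constructed export gives 2 OS patching, 2 OS hardening and 3 Application patching highs, which is the split that tells you whether to talk to the system owners or the application owners first.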

obvious (2, Funny)

slick7 (1703596) | more than 4 years ago | (#33521386)

This looks like a job for Kevin Mitnick...naaah.

Security? (1)

Caradoc (15903) | more than 4 years ago | (#33521480)

So the Department of Homeland Security's network security measures are approximately equivalent to the security measures on the border between Mexico and the United States.

I am Jack's Complete Lack of Surprise.

The Department of Homeland Security's primary mission is not "security." Its mission is "training the public to be properly responsive to idiotic demands from the Federal Government."

Re:Security? (1)

flynns (639641) | more than 4 years ago | (#33521724)

Heh, that was the first thing I thought of when I read this: "I am Jack's complete lack of surprise."

Which, of course, made me go here. [z31-ae.com]

Remember.... (0)

Anonymous Coward | more than 4 years ago | (#33521820)

Gary McKinnon? He got into .mil/.gov systems with superuser access with extreme ease/simplicity...

BLANK passwords.

And these are the same people that think pot is bad for you, alcohol is good for you and all the red on their budgets look fine. Pshhh.

Grain of salt (4, Informative)

Spazmania (174582) | more than 4 years ago | (#33521894)

Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it was based on version-to-database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.

I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.
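To make the backport problem concrete, here is an added example (not from the thread, and not how any real scanner is implemented) that contrasts a banner-only version check with one that also consults the installed distro package release. The advisory ids, the "fixed upstream" versions, the vendor backport releases and the version comparison itself are all constructed placeholders; the comparison is a simplified stand-in for the real dpkg algorithm.

```python
"""Banner-version matching versus checking the vendor's backported package.

Added example; not the scanner's logic and not from the thread.
All advisory ids, fixed versions and package releases are placeholders.
"""
import re
from dataclasses import dataclass


def dpkg_like_key(version: str) -> list:
    """Simplified comparison key (NOT the real dpkg algorithm): digit runs compare
    numerically, letter runs lexically, punctuation only separates tokens."""
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(token)) if token.isdigit() else (0, token))
    return key


@dataclass
class Advisory:
    cve: str              # placeholder identifier
    product: str          # product name as it appears in the service banner
    fixed_upstream: str   # first upstream version carrying the fix
    backports: dict       # (distro, package) -> package release with the backport


# Constructed advisory database; nothing here is a real CVE or real errata.
ADVISORIES = [
    Advisory("CVE-XXXX-0001 (placeholder)", "Apache", "2.2.15",
             {("Debian", "apache2"): "2.2.9-10+lenny8"}),
    Advisory("CVE-XXXX-0002 (placeholder)", "OpenSSH", "5.3",
             {("Debian", "openssh-server"): "1:5.1p1-6"}),
]

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[/_](?P<version>[\d.p]+)")


def banner_version(banner: str) -> tuple:
    """Pull (product, version) out of a banner such as 'Apache/2.2.9 (Debian)'."""
    match = BANNER_RE.match(banner)
    if match is None:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return match.group("product"), match.group("version")


def naive_findings(banner: str) -> list:
    """Version-to-database matching: flag every advisory whose upstream fix
    version is newer than what the banner reports. This is the over-reporting
    behaviour the comment above describes."""
    product, version = banner_version(banner)
    return [a.cve for a in ADVISORIES
            if a.product == product
            and dpkg_like_key(version) < dpkg_like_key(a.fixed_upstream)]


def informed_findings(banner: str, distro: str, package: str, installed: str) -> list:
    """Same match, but a finding is cleared when the installed package release
    is at or above the release the vendor says carries the backported fix."""
    remaining = []
    for cve in naive_findings(banner):
        advisory = next(a for a in ADVISORIES if a.cve == cve)
        backport = advisory.backports.get((distro, package))
        if backport is not None and dpkg_like_key(installed) >= dpkg_like_key(backport):
            continue  # vendor backported the fix; banner version never changed
        remaining.append(cve)
    return remaining


if __name__ == "__main__":
    # Constructed hosts: the Apache one is patched via backport, the SSH one is not.
    print(naive_findings("Apache/2.2.9 (Debian)"))
    print(informed_findings("Apache/2.2.9 (Debian)", "Debian", "apache2", "2.2.9-10+lenny9"))
    print(informed_findings("OpenSSH_5.1p1 Debian-5", "Debian", "openssh-server", "1:5.1p1-5"))
```

The banner-only check flags the Apache host because 2.2.9 is older than the upstream fix, while the package-aware check clears it once the installed release is at or past the vendor's backport; the OpenSSH host stays flagged because its package really is behind. Nessus has credentialed local checks that do roughly the package-aware part, but an uncredentialed banner scan cannot.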

It gets worse. (0, Offtopic)

140Mandak262Jamuna (970587) | more than 4 years ago | (#33522042)

Imam Rauf is building mosques on 900 of these holes. Rev Bigot is burning Q`ran in 984 of these holes and Osama Bin Laden is hiding in the last one.

Doesn't surprise me at all... (0)

Anonymous Coward | more than 4 years ago | (#33522320)

... there is nobody in the 'visible' Three-Letter-Acronym agencies that can do computer security, and very few people in the 'invisible' TLA contractors/agencies that are allowed to speak about how they prolong that problem in order to stay employed.

Taken with a grain of salt.... (1)

Kalidor (94097) | more than 4 years ago | (#33522468)

Several years ago I was working at a company hired to do a similar outside audit, who ... was in turn of course hired to fix the situation.

I was handed a Nessus report by the fellow who did the audit that pointed out several servers were missing critical Windows patches in the audit the week before ... and to please go out and patch them. Small problem when I arrived on site ... servers were running Debian. So Nessus might be a great auditing tool, but any report is only as good as the people that ran the tool.

misleading (1)

Lord Ender (156273) | more than 4 years ago | (#33522578)

With Nessus, the "high" severity results are the only ones that really matter. And even then they sometimes don't. For example: "you are using a version of PHP with a security hole in one of the API calls your programs might use" is high, but it isn't a real vulnerability unless you actually use that specific call.

Just like the old saying (2, Insightful)

Thyamine (531612) | more than 4 years ago | (#33522610)

Something about the carpenter's house or the cobbler's kids having no shoes. I work for a computer support company, and this happens to us and everyone else. Backups/patches/etc don't get tended to unless someone up the chain knows how important they are and makes it get done. Even then it's hard to keep on top of _everything_ unless you really have people dedicated to it. It's no surprise, and I don't think it's any reason to be angry. It just shows that they need to get better organized about it like everyone does.

DHS runs Security checks all the time (2, Interesting)

realsilly (186931) | more than 4 years ago | (#33522618)

The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.

I would have liked to have seen a comparison of our Government's security run against some of the banks and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.

1085 high vulnerabilities... (1)

idcard_1 (953648) | more than 4 years ago | (#33522656)

across 174 MOE computers scanned of 202 unique vulnerabilities... which comes out to be about 6.2356 vulnerabilities per computer.

You insensitive clod? (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#33523770)

needs OS. Now BSDI reciprocating been sitting here To the original s\urveys show that Be fun. It used some of you have again. There are

FAILURE (TM) (1)

myspace-cn (1094627) | more than 4 years ago | (#33524286)

Step one, outsource everything

Several things explain an 18 yr old in leadership position quite adequately.

1. "Broken oath of office." (FIOS Splitters, Failure to regulate the monetary sys, Torture, Spying, data hacking, fucking bs, hell on earth pain weapons, and abuse of electronics and physics, or training young minds with unconstitutional bullshit)

2. "Brainwashed Propaganda Replacing the United States Constitution and Bill of Rights" (MIAC REPORT, UN, UNEP, IMF, IPCC, TC, PNAC, AIPAC, CFR, CARBON TAX/POPULATION CONTROL (un/unep/ipcc/imf), FLUORIDE(local), VACCINES(cdc/who/local), AND A ZILLION OTHER CORPORATIONS YOU'D BEST MAKE SURE YOUR FUCKIN CANDIDATE ISN'T AFFILIATED WITH, ALONG WITH THE DANGEROUS CORPORATE MEDIA CULT OWNING 90% OF THE FUCKING PUBLIC SPECTRUM [neopagan.net] -SHITTING ON YOUR INTELLIGENCE)

3. "Corruption protected by State Secrets" catch 22, and "No Expedited, Clearly Written Procedures, for taking out an Oath Breaker" (not to be confused with this never-ending-unconstitutional-undeclared-fucking-invisible-war-on-terror)

Computer Maintenance since 1961, therefore... (0)

Anonymous Coward | more than 4 years ago | (#33525072)

Check InZerosystems.com... TOTAL security! btw, The name is posted with a smile)))

In other news... (1)

Type44Q (1233630) | more than 4 years ago | (#33527042)

DHS CyberSecurity Misses 1085 Holes On Own Network

In other news, bears found to shit in woods. News at eleven!

Dept of Holy Security (1)

NSN A392-99-964-5927 (1559367) | more than 4 years ago | (#33530954)

Not to be cynical here... well yes I am... what do you expect from COFEE-drinking http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [microsoft.com] and donut-eating https://www.dunkindonuts.com/ [dunkindonuts.com] lazy system admins. Some people who work for the DHS cannot be bothered and are still trying to figure out the FBI's Carnivore, swiftly changed to the code name Magic Lantern.... "You rub it and a Genie pops out with 3 wishes".