
State Department Joins NOAA, USPS In Club of Hacked Federal Agencies

Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame. “This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system,” said one senior State Department official, adding that the department expected its systems to be up soon. ... The breach at the White House was believed to be the work of hackers in Russia, while the breaches at NOAA and the Postal Service were believed to be the work of hackers inside China. Attributing attacks to a group or nation is difficult because hackers typically route their attacks through compromised web servers all over the world. A senior State Department official said the breach was discovered after “activity of concern” was detected on portions of its unclassified computer system. Officials did not say how long hackers may have been lurking in those systems, but security improvements were being added to them on Sunday.
  • FISMA Security huh (Score:2, Interesting)

    by Eosi ( 3781645 )
    All of these agencies had to follow FISMA (among other regs). Perhaps it's time to stop letting politicians tell us how to do security?
    • by Lumpy ( 12016 ) on Monday November 17, 2014 @08:37AM (#48401345) Homepage

      I always found it entertaining that in govt you have zero-education people dictating IT and IS policies.

      But it's the same way in corporate America; I have yet to meet a CIO or CTO that has a clue.

      • They have lots of education, more than the average citizen of our country, by a hefty margin. It's just that the average type of their degrees is located firmly in law schools. They know how to be completely unambiguous in how they describe their wrong beliefs.

        • by Eosi ( 3781645 )
          Education does not make you smart. It just means you can memorize a lot of things. Using that knowledge is where WISDOM comes in. We need wise people in Congress to make the laws, ones who have experienced things from the beginning. Getting a CISSP when you have only done account management does not make you an expert on physical security, compliance, or legal issues around security.... Experience does. How many new managers have you met that can barely manage themselves???
          • No one said they are smart. And your "wisdom" is nonsense: overextending the human propensity for pattern recognition with no formal tools to reduce the effects of confirmation bias. Every serious system of formal study works on a body of knowledge that is constantly reworked for new information by some kind of critical process: the scientific method, the historical method, critical frameworks, with the occasionally argued exception for the arts.

            Education isn't sufficient to be smart about something, but it's o

            • by mlts ( 1038732 )

              Regardless of the method, education is needed. There are few worse things than being clueless.

              Cluelessness of the law can get one arrested. There are people who don't realize that one stupid thing like saying "no" when asked to leave can mean six months to a year in the county can for trespass, or that driving a car when a passenger is carrying dope can mean the car becomes property of the county and the driver becomes property of the local correction system for 2-10. Cluelessness is doing anything other

          • by Anonymous Coward

            The ironic thing is that when I was applying for jobs a few years ago, I'd get asked if I either had a CISSP or a clearance, and regardless of qualifications, if I had neither, I'd be shown the door in minutes.

            People bash certificates, but let's be real... the alphabet soup of characters does get you in the door and up the ladder. Management doesn't see how good/bad people perform. They see the certs, though, and guess who makes the HR decisions?

            • It's largely a CYA situation. Whether you are a complete imbecile or the granddaddy of all neckbeards who shared part of creating computers, the cert is the only way a mid-level manager is going to be able to pass the blame on you not doing it correctly rather than himself for hiring you if something goes wrong. It likely allows them to escape punitive damages if sued over it too: of course we hired a qualified person, ignore the fact he's the owner's neighbor's kid, he has all these certs.

        • by swb ( 14022 )

          They know how to be completely unambiguous in how they describe their wrong beliefs.

          I would describe it as knowing how to be completely ambiguous when they believe they are wrong.

        • They have lots of education...

          "The true sign of intelligence is not knowledge but imagination." - Albert Einstein

          • Look, congress sucks, and they aren't our country's absolute best and brightest by any stretch. But the depressing fact of the matter is that they probably are, on average, at least a little smarter than the average American for almost any metric you come up with. That's more of an indictment of Americans than it is praise of congress.

            It takes a little bit of skill to "fool most of the people most of the time".

        • It's just that the average type of their degrees is located firmly in law schools. They know how to be completely unambiguous in how they describe their wrong beliefs.

          Oh no ... they know how to be completely ambiguous and open-ended in their wrong beliefs, just like a lawyer.

          Give yourself lots of wiggle room, and some extra play for the people who paid you, and take no ownership and responsibility for what you do.

          Lawyers know how to turn ambiguity to their benefit.

      • Comment removed based on user account deletion
        • by Lumpy ( 12016 )

          Then they need to be BANNED From making any policy decisions in regards to Security or operation.

          In fact, not only banned, but they must wear a collar that allows any IT employee to TASE them when they say something stupid.

      • It's not really right to compare CIO and CTO in this regard. The CTO at my company is a PE and damn smart. But he doesn't know squat about IT security. That's not his job. The T in CTO stands for technology, but it refers to the technology that the company makes, not information technology.
      • I always found it entertaining that in govt you have zero-education people dictating IT and IS policies.

        But it's the same way in corporate America; I have yet to meet a CIO or CTO that has a clue.

        This is so true. They often ask us to interpret a policy for them and ignore it when it's an answer they don't want to hear. We (the Federal government) do a great job of setting ourselves up for failure.

      • All these "hacks" are nothing more than fancy Wall Street rich pukes trying to scare our elected leaders into giving them billions and billions of tax dollars.
    • Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though, compliance and security are not only not the same thing, but they are only very loosely coupled, if at all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security" standards.

      PCI is pretty good, though. It's not comprehensive,

      • Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though, compliance and security are not only not the same thing, but they are only very loosely coupled, if at all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security" standards.

        PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.

        There are many influences on these regulations that are intended to offer some illusion of security, but all they seem to do is increase the cost to meet them and decrease the quality of services Federal Agencies are charged with providing to the American public. The Agency I'm in is fully expected to meet these requirements as laid out by HITECH and Meaningful Use. However, the ROI is not remotely worth the effort. Let's spend millions meeting some requirement so we can increase our collections by some

    • by tomhath ( 637240 )
      Same could be said about many other things, e.g. healthcare, education, broadband...
    • by mlts ( 1038732 )

      FISMA regs are pretty sane as this stuff goes (especially for government work). I'm pretty sure that, had they been followed, this most likely would not have happened.

      FISMA, NIST guidelines, and PIV cards cover a lot of issues. The only real one that remains is creating a government network like NIPRNet or SIPRNet, but for all entities, and having that completely separate from the Internet, using dedicated lines, virtual circuits, and end-to-end encryption. That way, if two machines are not expressly allowed to

  • do they ever say when their classified system gets breached? no, of course not, it would let people know how laughable their security really is.

    • Any sane classified network should have an air gap. You would have to physically move data off the network to get it.
  • by Severus Snape ( 2376318 ) on Monday November 17, 2014 @09:38AM (#48401673)

    Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame.

    For a moment there I thought TFA was not going to blindly name drop China or Russia. Don't worry folks, they did not forget!

  • Dealing with the State Department is already a byzantine process. It'll only get worse now.

  • by Anonymous Coward

    With the huge surveillance state we have, such hackings are impossible. It has to be a hoax. There is no other explanation.

  • by ErichTheRed ( 39327 ) on Monday November 17, 2014 @10:44AM (#48402095)

    I can see 2 things as the main root cause of this:
    - Layers and layers of outsourced IT. Especially when dealing with a federal agency, almost every IT service in any agency has been outsourced. Those outsourcers hire other outsourcers, and it becomes a big mess when you try to do anything that affects multiple parts of a system. I see this in the private sector as well, working for an outsourcer... our team does their best to help, but it's really maddening to see how much things slow down when the control gets dispersed. The network team has to talk to the storage team, who has to talk to the server team, who needs to open a ticket with the field services team to implement change #C9348673634. I do systems architecture work, so it's really painful to have to design around a garbage system like this rather than having a few smart people who know the system end-to-end.
    - Security is tough and no one wants to be bothered. It wouldn't be impossible to enable 802.1x on a network, implement proper PKI to enable its effective use, and encrypt hard drives. But often, it either becomes too difficult to support or no one has the will to say things must be done in a certain way. Plus, user education is impossible. No matter how stringent the password policy is, they just write them down. People leave unencrypted laptops on trains with company data on them. It's just not possible to get them to care, full stop. They could be working with top secret nuclear weapons designs and it would mean nothing to them.

    Of these two, I think the first is the hardest to overcome. Once a company or government agency has given up control of its IT environment to a company that needs to squeeze every nickel out of a contract, nothing difficult will get done. If an organization retains some sort of control and mandates change, it can be done at least to some degree. Look at how the attack on Target was carried out -- the group responsible figured out that the outsourced HVAC repair company had a connection to the store network, which (idiotically) the POS systems were also directly attached to. So by the time the outsourced IT services team figured out they had a problem, it was too late. This is what leads companies to delay things like patching and updates to equipment, because the process is too painful when dealing with the 25 third parties you have to line up for such a change.

  • Some just don't know it...

  • Maybe it's time for FedGov to build their own Internet that is intentionally incompatible with the foundational building blocks of the Internet (except at well-controlled, secure interface conversion gateways).
  • What's the correlation between being on the current State Department shitlist and getting accused of 'hacking'?
