State Department Joins NOAA, USPS In Club of Hacked Federal Agencies
Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame.
“This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system,” said one senior State Department official, adding that the department expected its systems to be up soon. ... The breach at the White House was believed to be the work of hackers in Russia, while the breaches at NOAA and the Postal Service were believed to be the work of hackers inside China. Attributing attacks to a group or nation is difficult because hackers typically route their attacks through compromised web servers all over the world. A senior State Department official said the breach was discovered after “activity of concern” was detected on portions of its unclassified computer system. Officials did not say how long hackers may have been lurking in those systems, but security improvements were being added to them on Sunday.
Re:FISMA Security huh (Score:4, Insightful)
I always found it entertaining that in government you have zero-education people dictating IT and IS policies.
But it's the same way in corporate America; I have yet to meet a CIO or CTO that has a clue.
Re: (Score:2)
They have lots of education, more than the average citizen of our country, by a hefty margin. It's just that the average type of their degrees is located firmly in law schools. They know how to be completely unambiguous in how they describe their wrong beliefs.
Re: (Score:1)
No one said they are smart. And your "wisdom" is nonsense: overextending the human propensity for pattern recognition with no formal tools to reduce the effects of confirmation bias. Every serious system of formal study works on a body of knowledge that is constantly reworked for new information by some kind of critical process: the scientific method, the historical method, critical frameworks, with the occasionally argued exception for the arts.
Education isn't sufficient to be smart about something, but it's o
Re: (Score:2)
Regardless of the method, education is needed. There are few worse things than being clueless.
Cluelessness of the law can get one arrested. There are people who don't realize that one stupid thing like saying "no" when asked to leave can mean six months to a year in the county can for trespass, or that driving a car when a passenger is carrying dope can mean the car becomes property of the county and the driver becomes property of the local correction system for 2-10. Cluelessness is doing anything other
Re: (Score:1)
The ironic thing is that when I was applying for jobs a few years ago, I'd get asked if I either had a CISSP or a clearance, and regardless of qualifications, if I had neither, I'd be shown the door in minutes.
People bash certificates, but let's be real: the alphabet soup of characters does get you in the door and up the ladder. Management doesn't see how well or badly people perform. They see the certs, though, and guess who makes the HR decisions?
Re: (Score:2)
It's largely a CYA situation. Whether you are a complete imbecile or the granddaddy of all neckbeards who shared in creating computers, the cert is the only way a mid-level manager is going to be able to pass the blame on to you for not doing it correctly, rather than onto himself for hiring you, if something goes wrong. It likely allows them to escape punitive damages if sued over it too: of course we hired a qualified person; ignore the fact that he's the owner's neighbor's kid, he has all these certs.
Re: (Score:2)
They know how to be completely unambiguous in how they describe their wrong beliefs.
I would describe it as knowing how to be completely ambiguous when they believe they are wrong.
Re: (Score:2)
"The true sign of intelligence is not knowledge but imagination." - Albert Einstein
Re: (Score:1)
Look, congress sucks, and they aren't our country's absolute best and brightest by any stretch. But the depressing fact of the matter is that they probably are, on average, at least a little smarter than the average American for almost any metric you come up with. That's more of an indictment of Americans than it is praise of congress.
It takes a little bit of skill to "fool most of the people most of the time".
Re: (Score:2)
Oh no ... they know how to be completely ambiguous and open-ended in their wrong beliefs, just like a lawyer.
Give yourself lots of wiggle room, and some extra play for the people who paid you, and take no ownership and responsibility for what you do.
Lawyers know how to turn ambiguity to their benefit.
Re: (Score:2)
Then they need to be BANNED from making any policy decisions in regard to security or operations.
In fact, not only banned, but they must wear a collar that allows any IT employee to tase them when they say something stupid.
Re: (Score:2)
I always found it entertaining that in government you have zero-education people dictating IT and IS policies.
But it's the same way in corporate America; I have yet to meet a CIO or CTO that has a clue.
This is so true. They often ask us to interpret a policy for them and ignore it when it's an answer they don't want to hear. We (the Federal government) do a great job of setting ourselves up for failure.
supposed to. Compliance orthogonal to security (Score:2)
Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though, compliance and security are not only not the same thing, they are only very loosely coupled, if at all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security" standards.
PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.
Re: (Score:2)
Well, they were SUPPOSED to follow the regs. Of course that doesn't mean they did. As you suggest, though, compliance and security are not only not the same thing, they are only very loosely coupled, if at all. In some cases we've had security regulations require the use of insecure methods, such as MD5. I spent 15 years doing security for small companies before I just recently started learning compliance with all of these "security" standards.
PCI is pretty good, though. It's not comprehensive, but it doesn't require insecurity.
There are many influences on these regulations that are intended to offer some illusion of security, but all they seem to do is increase the cost to meet them and decrease the quality of services Federal Agencies are charged with providing to the American public. The Agency I'm in is fully expected to meet these requirements as laid out by HITECH and Meaningful Use. However, the ROI is not remotely worth the effort. Let's spend millions meeting some requirement so we can increase our collections by some
Re: (Score:2)
FISMA regs are pretty sane as this stuff goes (especially for government work). I'm pretty sure had they been followed, this most likely would not have happened.
FISMA, NIST guidelines, and PIV cards cover a lot of issues. The only real one that remains is creating a government network like NIPRNet or SIPRNet, but for all entities, and having that completely separate from the Internet, using dedicated lines, virtual circuits, and end-to-end encryption. That way, if two machines are not expressly allowed to
"our main unclassified system" (Score:2)
Do they ever say when their classified system gets breached? No, of course not; it would let people know how laughable their security really is.
Re: (Score:1)
Wouldn't a breach turn it into an "unclassified" system? Is "classified" based on intent, or on who actually knows? (Where's that Security Terminology Lawyer when you need him/her?)
they can't. people build it, people break it (Score:4, Informative)
> but to think that the U.S. government wouldn't be able to secure its networks, and that only the Chinese and Russians would be trying to "get in", is ridiculous.
For $5000, you can buy a heavy safe made of concrete and steel. For $32, I can rent a concrete saw made to cut concrete and steel. You can't secure ANYTHING and have it still be useful. The question is "how hard should it be to break in?" The State Department network should be pretty hard to break into. It'll never, ever be impossible.
The government of China isn't stupid. They know that if you are going to have a military and be a world power, it makes sense to also have significant cyber resources - so they do. They use them regularly, especially since the US allows it. The US doesn't respond to cyber attacks the same way they'd respond to physical attacks.
Where do you see any of that? How many CVEs? (Score:2)
> You also seem to think that the U.S. is the prime embodiment of justice, innocence and conduct,
Where do you see any of that? You might note that the only thing I said about the US is that they don't respond to cyberattacks the same way they respond to physical attacks. You seem to be smoking something pretty strong that gives you textual hallucinations any time an expert disagrees with your guess.
> Your analogy with the safe and saw is lacking of understanding of the topic.
Let's look at your CVEs a
Re: (Score:2)
And now is probably the BEST time to be doing it. Threat of physical retaliation is extremely low for most major powers, but the intelligence that can be gained - both in terms of identifying potential weak points in infrastructure and systems, and ways to improve defence against attacks - must be priceless.
Damn pesky Russians! (Score:4, Insightful)
Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame.
For a moment there I thought TFA was not going to blindly name drop China or Russia. Don't worry folks, they did not forget!
Bleah (Score:2)
Dealing with the State Department is already a byzantine process. It'll only get worse now.
Story is a hoax (Score:1)
With the huge surveillance state we have, such hackings are impossible. It has to be a hoax. There is no other explanation.
Security in any organization is an afterthought (Score:4, Interesting)
I can see 2 things as the main root cause of this:
- Layers and layers of outsourced IT. Especially when dealing with a federal agency, almost every IT service in any agency has been outsourced. Those outsourcers hire other outsourcers and it becomes a big mess when you try to do anything that affects multiple parts of a system. I see this in the private sector as well working for an outsourcer...our team does their best to help but it's really maddening to see how much things slow down when the control gets dispersed. The network team has to talk to the storage team, who has to talk to the server team, who needs to open a ticket with the field services team to implement change #C9348673634. I do systems architecture work, so it's really painful to have to design around a garbage system like this rather than having a few smart people who know the system end-to-end.
- Security is tough and no one wants to be bothered. It wouldn't be impossible to enable 802.1x on a network, implement proper PKI to enable its effective use, and encrypt hard drives. But often, it either becomes too difficult to support or no one has the will to say things must be done in a certain way. Plus, user education is impossible. No matter how stringent the password policy is, they just write them down. People leave unencrypted laptops on trains with company data on them. It's just not possible to get them to care, full stop. They could be working with top secret nuclear weapons designs and it would mean nothing to them.
Of these two, I think the first is the hardest to overcome. Once a company or government agency has given up control of its IT environment to a company that needs to squeeze every nickel out of a contract, nothing difficult will get done. If an organization retains some sort of control and mandates change, it can be done at least to some degree. Look at how the attack on Target was carried out -- the group responsible figured out that the outsourced HVAC repair company had a connection to the store network, which (idiotically) the POS systems were also directly attached to. So by the time the outsourced IT services team figured out they had a problem, it was too late. This is what leads companies to delay things like patching and updates to equipment, because the process is too painful when dealing with the 25 third parties you have to line up for such a change.
All Agencies Have Been Hacked (Score:2)
Some just don't know it...