
Civil Servant Watching Porn At Work Blamed For Government Malware Outbreak (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A U.S. government network was infected with malware thanks to one employee's "extensive history" of watching porn on his work computer, investigators have found. The audit, carried out by the U.S. Department of the Interior's inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and "exploited the USGS' network." Investigators found that many of the porn images were "subsequently saved to an unauthorized USB device and personal Android cell phone," which was connected to the employee's government-issued computer. Investigators found that his Android cell phone "was also infected with malware." The findings were made public in a report earlier this month but buried on the U.S. government's oversight website and went largely unreported.
  • by Anonymous Coward on Tuesday October 30, 2018 @08:08AM (#57561015)

    The jokes write themselves!

  • I bet (Score:2, Offtopic)

    by Revek ( 133289 )

    He got a promotion. It's not like they fire employees.

    • by Revek ( 133289 )

      Nope, not offtopic. The problem with these public organizations is that they are allowed to do these things due to the fact they are rarely fired for them. It's almost impossible to get fired from a government job. This person will most likely get a little slap on the wrist and after a year or so be promoted and/or receive a raise. The IT in their organization will most likely not face any penalty for not having secured their network and the devices operating on it. They talk about a blacklist of sites

      • Re:I bet (Score:4, Insightful)

        by arth1 ( 260657 ) on Tuesday October 30, 2018 @09:51AM (#57561613) Homepage Journal

        They talk about a blacklist of sites when they should be talking about a whitelist of allowed sites.

        While this sounds nice in theory, in practice it is very hard to implement in a way that works and doesn't just hinder work. The people who administer the whitelist are not going to know what is needed for every job function. Nor will they have the capacity to monitor every whitelisted object to ensure that it remains safe. (One of the whitelisted sites might start serving ads proxied through their server - ads which aren't safe.)
        And for the users, requesting sites being added to a whitelist as needed can delay entire teams for days on end. What do you mean, we cannot download the schematics for the microcontroller we just discovered a problem with until it's added to a whitelist? And when it delays a high level manager who needs to look at a web site of a potentially new supplier or customer, the whitelist system will be gone.

        • by Revek ( 133289 )

          I admit its not easy on the front end but you can easily get a good start by logging sites visited for a month and start with that. I've helped with the implementation of a white list at a few businesses and after a month or two its just a matter of maintenance.

          • At a business. Where everyone works in the same industry, and needs the same sites. My employers (Home Depot and H and R Block) would generate very different whitelists.

            If you're talking about the government the scale of required sites goes up exponentially. A single IRS office will probably need access to most of the finance sites H and R Block uses, plus all the sites Home Depot uses (might be auditing a contractor and need to find out how many boxes of nails are needed for a $50k expense to be justified),

            • by Revek ( 133289 )

              It's obvious that a whitelist would be specific to the business. It depends on whether you want your employees to be able to access the whole of the internet. One eye doctor had us lock it down until they literally couldn't access anything unrelated to the job. She maintains the list herself and since it was installed none of her machines have become infected. On a larger scale it would require someone to work that desk full time but it would have the benefit of reducing these types of breach. You don'

              • I didn't actually bring up cost. I brought up the scale of the whitelist, and the difficulty of administering it, but not the cost. This is the Federal government, there are literally millions of users, so any costs would be trivial on a per-user basis. The problem is creating some system that will actually whitelist the right websites for the right offices. A single small business does like one thing, for one segment of the market. The government does almost everything.

                Knowing the Feds, what you'd end up wi

  • by Somebody Is Using My ( 985418 ) on Tuesday October 30, 2018 @08:13AM (#57561039) Homepage

    The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

    But that sort of thinking would require a costly revamping of the entire computer infrastructure, so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

    • by lgw ( 121541 ) on Tuesday October 30, 2018 @08:26AM (#57561099) Journal

      use secure operating systems

      Let me know when you find one. All browsers are vulnerable to something. Every OS has privilege escalation exploits and zero-days.

      Or were you just thinking "don't use Windows XP"? Yeah, I think everyone gets that now.

      so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

      Paid porn sites have damn good security, and are about the safest place on the web. The problem is the sites that come up when you google for porn (SEO malware sites), plus the ad networks used by free porn sites.

      To your point: an ad blocker would probably have prevented this, along with the default behavior of most browsers to block known malware sites.

      • by arth1 ( 260657 )

        Every OS has privilege escalation exploits

        There are OSes with no privilege separation, and thus no privilege escalation, and thus no privilege escalation exploits.

        Of course, that's not the type of operating systems an end-user would use, but still, your "every" is wrong.

        • Operating Systems with no privilege separations? By that; do you mean operating systems where everyone is an administrator? That doesn't seem like a very good solution to preventing privilege escalation exploits. That's like saying "We don't worry about prisoners escaping to masquerade as guards! Everyone here is a guard already! "
          • by arth1 ( 260657 )

            There are some older operating systems like DOS where users did have full control, but there are also modern operating systems where there is no privilege separation, like microcontroller operating systems. Your kitchen scales don't need to prevent privilege escalation exploits.
            (Although it would be a good hack to have the scales report too high weights of anything healthy and too low weights of anything unhealthy, slowly increasing the risks of death for the users.)

      • Let me know when you find one.

        While no browser is completely secure, EVERYTHING is more secure than I.E./Edge. And while no operating system is completely secure, most everything is more secure than Windows (which has very little to do with its market dominance; its security is like Swiss cheese) or MacOS (which sacrifices a lot of security to make it shiny).

        Yes, Linux is WAY more secure than both of them combined, but Javascript and Intel-based CPU's are the major vectors for concern nowadays. Both of them significantly negate all

        • It's not only intel CPU's, ARM have their own issues as well. From an article about Spectre and meltdown.
          "In particular, we have verified Spectre on Intel, AMD, and ARM processors."
        • by lgw ( 121541 )

          While no browser is completely secure, EVERYTHING is more secure than I.E./Edge.

          Edge is definitely more secure than Firefox. Pay attention to the Slashdot stories on hacking events and the like: IE and Firefox are being excluded as "too easy", while Chrome and Edge are harder targets. It's not 1998 any more, or even 2008.

          most everything is more secure than Windows

          That stopped being true with Vista, which was a long time ago now. XP sucked because in practice most people ran as local admin, and had admin privileges. Vista was much like Ubuntu: you get a pop-up whenever you need to elevate to admin/root. It's not 1998 any m

        • And while no operating system is completely secure, most everything is more secure than Windows (which has very little to do with its market dominance; its security is like Swiss cheese) or MacOS (which sacrifices a lot of security to make it shiny).

          Yes, Linux is WAY more secure than both of them combined, but Javascript and Intel-based CPU's are the major vectors for concern nowadays. Both of them significantly negate all operating system security, and should be relegated to the shitcan of history.

          You're exaggerating. Back in the days of the "I'm a Mac"/"I'm a PC" commercials Apple was absolutely right to mock the fuck out of Windows security. It sucked. But these days almost all the holes are gone, and with Windows Defender you don't even really need Windows Anti-Virus software anymore. Which is just like OS X.

          As for the rest of "most everything," I respectfully a couple of clusters of Unixen used primarily by Sysadmin/High Geek types better be more secure than the shit us hoi polloi use.

      • Paid porn sites have damn good security, and are about the safest place on the web. The problem is the sites that come up when you google for porn (SEO malware sites), plus the ad networks used by free porn sites.

        Never really thought about it before but this is a damn good point. Too bad pay-for-porn doesn't market it as such.

    • Here in the UK, the government makes sure the potential infection is huge so it makes all that work to protect them from it worth the investment. https://www.telegraph.co.uk/ne... [telegraph.co.uk]

    • by Bite The Pillow ( 3087109 ) on Tuesday October 30, 2018 @08:59AM (#57561263)

      His manager, who didn't realize this guy is spending a lot of time not working

      The network support, who didn't notice high bandwidth use and try to figure out if it was legit

      His coworkers who almost certainly knew he wasn't working

      • What else is there to do in South Dakota?
      • by Tablizer ( 95088 )

        manager [didn't realize this guy] is spending a lot of time not working

        Not necessarily. He/she could be an efficient worker who does in 3 hours what most do in 8. I've met some like that.

        Normally such a person would go to the private sector instead, but maybe they valued "play time" over money.

        • Or his manager may have decided the less work he does the less damage he can do.

          Or his manager liked watching porn on his computer.

    • Re: (Score:3, Insightful)

      by geekmux ( 1040042 )

      The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

      But that sort of thinking would require a costly revamping of the entire computer infrastructure, so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

      The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

      I do agree with you regarding the IT policies that are severely lacking, but I'll believe there was an actual "outbreak" when the evidence presents itself. Neither TFS or TFA really says anything about the extent of this "outbreak" or the true damage that was caused, which tends to turn this entire article into nothing more than sensationalist bullshit. In fact, if you read the actual report, it states quite clearly that a single computer was found to have malware present, and it "exploited the USGS' netw

    • by Anonymous Coward

      Don't blame IT so quickly. "Scientists" utterly rage at any attempt to "control" their usage of computer resources. Having local admin is commonplace and expected from the user base, and supported by management. Even content filtering tends to be a "taboo", again also supported by management who are often or were scientists themselves.

    • at the feet of the IT staff that allowed the malware to get as far as it did.

      Why are we talking about malware? How about the IT staff that allowed someone to visit "thousands" of porn sites without being flagged down for disciplinary measures. I'm willing to bet that this happened over quite a period of time.

  • by Da w00t ( 1789 ) on Tuesday October 30, 2018 @08:24AM (#57561087) Homepage

    If you work computer security for any company of decent size, you're gonna discover someone surfing porn. Most times we give folks the benefit of a doubt the 1st time in case it's some porn ad something on an otherwise "okay" site (gray, but not really a policy violation), but once a pattern of porn surfing is discovered, it usually results in someone getting written up, potentially ending with them losing their job.

    Don't do this at work. You're not on your personal computer, it could be a shared computer (ewwww), and it's not your network. There's always someone watching to the benefit of the company, not you. It makes for an awful work environment for the people in the office, and can bring in malware. There's a joke I heard, of people clicking on the Yes/Accept/Install buttons ... "do I have porn yet?" [click] "do I have porn yet?" [click]. Lots of malware comes down in the form of a "video codec" or plugin you need to watch the media. It's just awful.

    • by mark-t ( 151149 )

      If you work computer security for any company of decent size...

      And just how many people is that, precisely? 20? 50? 100? 1000?

      • by Anonymous Coward

        If you work computer security for any company of decent size...

        And just how many people is that, precisely? 20? 50? 100? 1000?

        2.

      • by Da w00t ( 1789 )

        If you work computer security for any company of decent size...

        And just how many people is that, precisely? 20? 50? 100? 1000?

        I really don't see how that is relevant, do you expect me to quote a scientific study that shows MTTP (mean time to pr0n)? "decent size" was very obviously a generalization.

        • by mark-t ( 151149 )
          I was simply curious as to whether or not the places I have worked in the past decade may not be large enough, or if your generalization of "any company" was, in fact, an overgeneralization.
    • There are people out there who watch porn. I don't mean rub one out and close the window. No, they watch for hours and hours. They get addicted. They can't stop. Watching at work? Of course. Alcoholics drink at work, drug addicts are high at work, why wouldn't porn addicts watch porn at work?
    • Most times we give folks the benefit of a doubt the 1st time in case it's some porn ad something on an otherwise "okay" site (gray, but not really a policy violation)

      Had that happen to me once, but it wasn't a bad ad but a bad search result. Was looking for how to solve some SQL Server issue clicked on a link that looked like it had relevant info, but nope, porn site. My boss was behind me and saw it and asked what I was doing. I explained to her the problem I was working on showed the search result page with the relevant search result I clicked on and then showed that it went to the porn site instead. Thankfully it was at a small company so there was not a HR battle to

  • by Anonymous Coward

    "The EROS Center..." Oh, can irony get any better than this??!!

  • by 93 Escort Wagon ( 326346 ) on Tuesday October 30, 2018 @08:41AM (#57561181)

    But this dude apparently thought he worked for the United States Gynecological Survey.

  • "I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species and I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the sam
  • Surely his computer was running Qubes OS (or something similar), with the USB ports disabled. If this wasn't the case, why not?
  • "Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”

    WHITELIST FFS. Not perfect but infinitely better than a blacklist, also known as whack-a-mole.

    • WHITELIST FFS.

      Or better yet, just turn off their internet completely. But on a more serious note, white-listing the internet is a recipe for disaster. A far better solution is to generate a blacklist and then flag up people who hit one of the blacklisted sites for further surveillance.

      Blacklisting allows the internet to still be a usable resource. Whitelisting just pisses off your workers at best or cripples your productivity (depending on the work you do) at worst.
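Both approaches argued over in this thread, Revek's "log the sites visited for a month and start the whitelist from that" and the reply's "generate a blacklist and flag up people who hit it", can be tried against ordinary proxy logs. The following is an added example, not code from the discussion or from the USGS/DOI report; the log line format, host names, user names, denylist entries and the two thresholds are all constructed or assumed for the illustration.

```python
"""Allowlist bootstrapping and denylist hit review over proxy logs.

Added example only: not code from this thread or from USGS/DOI. The log
format, hosts, users and list contents are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed log format: "<ISO timestamp> user=<name> host=<fqdn> status=<http>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+status=(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    user: str
    host: str
    status: int


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for malformed input instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["ts"], m["user"].lower(), m["host"].lower().rstrip("."), int(m["status"]))


def matches_domain(host: str, domain: str) -> bool:
    """Exact or subdomain match. Deliberately not a substring test, so that
    'notbadsite.example' does not match a 'badsite.example' entry."""
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def in_list(host: str, domains: Iterable[str]) -> bool:
    return any(matches_domain(host, d) for d in domains)


def candidate_allowlist(lines: Iterable[str], denylist: Iterable[str],
                        min_users: int = 2) -> Set[str]:
    """Hosts successfully fetched by at least min_users distinct accounts during
    the baseline window, minus anything already denylisted. Counting distinct
    users rather than requests stops one person's thousands of hits from
    'voting' a host onto the list (assumed threshold; tune per organisation)."""
    denylist = list(denylist)
    users_by_host: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit.status >= 400:
            continue
        users_by_host[hit.host].add(hit.user)
    return {h for h, users in users_by_host.items()
            if len(users) >= min_users and not in_list(h, denylist)}


def denylist_hits_per_user(lines: Iterable[str], denylist: Iterable[str]) -> Dict[str, Counter]:
    """Per-user counts of requests to denylisted hosts, whether blocked or not."""
    denylist = list(denylist)
    out: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        hit = parse_line(line)
        if hit is not None and in_list(hit.host, denylist):
            out[hit.user][hit.host] += 1
    return dict(out)


def users_to_review(lines: Iterable[str], denylist: Iterable[str], threshold: int = 3) -> List[str]:
    """Accounts whose denylist hits reach the (assumed) threshold for follow-up."""
    per_user = denylist_hits_per_user(lines, denylist)
    return sorted(u for u, c in per_user.items() if sum(c.values()) >= threshold)


def unlisted_hosts(lines: Iterable[str], allowlist: Iterable[str], denylist: Iterable[str]) -> Set[str]:
    """Hosts an allowlist would block but a denylist would let through: the
    'we cannot download the schematics' cases that turn into tickets."""
    allowlist, denylist = list(allowlist), list(denylist)
    seen = {h.host for h in map(parse_line, lines) if h is not None}
    return {h for h in seen if not in_list(h, allowlist) and not in_list(h, denylist)}


# Constructed sample: a short baseline window in which one account (dave)
# repeatedly reaches denylisted hosts and one host is visited by a single user.
SAMPLE_LOG = [
    "2018-10-01T08:00:01Z user=alice host=portal.agency.example status=200",
    "2018-10-01T08:00:05Z user=bob host=portal.agency.example status=200",
    "2018-10-01T08:01:00Z user=alice host=docs.vendor.example status=200",
    "2018-10-01T08:02:00Z user=carol host=docs.vendor.example status=200",
    "2018-10-01T08:03:00Z user=dave host=schematics.chipmaker.example status=200",
    "2018-10-01T09:00:00Z user=dave host=free-porn.badsite.example status=200",
    "2018-10-01T09:00:07Z user=dave host=free-porn.badsite.example status=200",
    "2018-10-01T09:00:09Z user=dave host=ads.malvertising.test status=200",
    "2018-10-01T09:05:00Z user=dave host=free-porn.badsite.example status=200",
    "2018-10-01T09:06:00Z user=bob host=notbadsite.example status=200",
    "2018-10-01T09:07:00Z user=carol host=notbadsite.example status=403",
    "this line is not in the expected format",
]
DENYLIST = ["badsite.example", "malvertising.test"]  # constructed entries

if __name__ == "__main__":
    allow = candidate_allowlist(SAMPLE_LOG, DENYLIST)
    print("allowlist candidates:", sorted(allow))
    print("accounts to review:", users_to_review(SAMPLE_LOG, DENYLIST))
    print("allowlist would also block:", sorted(unlisted_hosts(SAMPLE_LOG, allow, DENYLIST)))
```

Run against the constructed sample, the baseline yields two allowlist candidates, `dave` is the only account over the review threshold, and `unlisted_hosts` shows the cost of the allowlist that arth1 describes: the chip-vendor schematics site and `notbadsite.example`, neither of them denylisted, would be blocked until someone files a request. The domain match is a suffix match on label boundaries rather than a substring test, which is the usual mistake in home-grown filters.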

  • But, Oh noes! The BOGEY-MAN PORN is to blame. What a crock! How do you know it wasn't from sports sites, shopping sites, joke sites, running your mouth sites? No, it has to be the BOGEY-MAN PORN!

    The #MeToo movement is a collective witch-hunt that is not interested in justice for those legitimately wronged (which there are a lot of), they are only interested in using sex as a weapon to seize more and more power for ineffectual, weak, dictator wannabes!

  • Would ad blocker plug-ins have prevented this?
  • He's helping pay for repairing potholes and clearing snow from streets . . .

  • Of course he was watching porn! He worked at the EROS center!

  • Jeesh - can't our government use a firewall with content filtering???
  • Most government entities don't have a clue about their network infrastructure, let alone about locking the computers down. Too many different standards and different ways their networks are built. Guess how many system admins come and go over the years without an ounce of documentation. Router passwords changed and no one seems to know them. Since no one bothers to enforce industry standards of best practices, this is what got them.

    Best they could do in the interim is enforce policy rules on the firewall to d

  • OMG, it wasn't a contractor? Seriously, this is typical government workforce in the US.
