[ISN] Feds' Own Hacker Cracks Homeland Security Network

From: InfoSec News (alerts@private)
Date: Fri Jun 22 2007 - 00:01:23 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=199906038

By Sharon Gaudin
InformationWeek
June 21, 2007

Within the past year, a hacker secretly broke into the Department of 
Homeland Security network and deleted, updated, and captured information 
-- all without anyone knowing he was even in there.

Luckily, the hacker was Keith A. Rhodes, chief technologist at the U.S. 
Government Accountability Office. Rhodes, considered to be the federal 
government's top hacker, has a congressional mandate to test the network 
security at 24 government agencies and departments. He performs 10 
penetration tests a year on agencies such as the IRS and the Department 
of Agriculture. And for the past year, he's been testing the network at 
DHS.

"I would label them [DHS] as being at high risk," Rhodes told 
InformationWeek the day after a congressional hearing into the security 
of the government agency tasked with being the leader of the nation's 
cybersecurity. "There was no system we tested that didn't have problems. 
There was nothing we touched that didn't have weaknesses, ranging from 
WAN to desktops. ... If we had continued the audit we would have found 
more. We curtailed the audit because we just kept finding problems. At a 
certain point, we just ran out of room in our basket."

Rhodes was one of the people who testified before the congressional 
hearing that took the Department of Homeland Security and its CIO, Scott 
Charbo, to task for weaknesses in the department's computer network.

Jim Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, 
Cybersecurity, and Science and Technology, said at the hearing Wednesday 
afternoon that the 844 incidents came during fiscal 2005 and 2006. He 
also said the infiltration of federal government networks and the 
possible theft or exploitation of information on them is one of the most 
critical issues confronting the country, noting that the Chinese have 
been "coordinating attacks against the Department of Defense for years."

However, Alan Paller, director of research at the SANS Institute, said 
844 is most likely only a piece of the security breaches that the 
department suffered in that two-year span.

"The reality is that the federal agencies don't report all of them," he 
said in an interview after the hearing. "Eight hundred and forty-four is 
a big number, but it's a sample of the reality, not the total reality."

Paller said the 844 incidents reported to executives at DHS could be as 
much as 80% of the real total or as little as 10%. He estimates it's 
closer to half. "You don't know about all of them. That I can 
guarantee," he said. "And in particular, you're not knowing about the 
worst ones."

According to Langevin's testimony, the incidents included 
workstations infected with Trojans and viruses, a compromised department 
Web site, classified e-mails being sent over unclassified networks, and 
unauthorized users attaching their personal computers to DHS networks 
and gaining access to government equipment and data. He also said the 
incidents included "numerous classified data spillages."

There also was a report of a password dumping utility found on two DHS 
systems. Paller explained that it's malware that steals entire password 
files from the server and sends them back to a remote hacker. "This 
would give [a hacker] the ability to crack the system," he noted. "Most 
people use the same user name and passwords on lots of systems, so that 
hacker now has access to lots and lots of machines and systems."

Paller, though, said it's highly likely that the worst breaches are the 
ones that are not being reported.

"If you have a really embarrassing event, you don't want it leaking 
out," he added. "Many agencies feel it's less of a problem to not tell, 
than to tell and be beaten up about it."

Both Paller and Rhodes said part of the problem is with the contractors' 
systems where they say a great deal of sensitive information is stored. 
"Government systems are about [as secure] as most commercial systems but 
not as secure as banks," said Paller. "But a lot of government data is 
less than average because it's stored at contractor sites."

Rhodes said when he went to DHS to look into its security systems, IT 
workers there had to defer to the contractors to understand what the 
system was doing.

"Having contractors run the system is not a bad thing," added Rhodes. 
"But outsourcing is not an abdication of responsibility. Just because 
you bring the contractors in does not mean you should have an 
environment where the only person looking in the system is a contractor. 
To understand how the system was set up and what it was doing, we had to 
talk to contractors."

"There is a threat and there's also an impact," he said. "They hold 
personally identifying information. They've got a lot of information 
about a lot of people, and some of those people are good people and some 
are bad people. Is this information important to you? Yes, it's 
important to everybody in the United States. ... Any government agency 
that has weak security has an impact on the national security mission."




