Report: IRS networks riddled with vulns, rogue servers
The US Internal Revenue Service is putting taxpayers at risk by operating thousands of web servers that contain security vulnerabilities or have not received proper authorization, a new report has concluded. According to the Treasury Inspector for the Tax Administration - a Treasury Department watchdog - the IRS operates 2,093 …
Pay no attention to the anti-virus vendor behind the curtain... or: Vulnerability != Exploit
Why oh why oh why do I smell a computer security vendor rat in this story?
Guess what? Every web server visible on the Internet has at least one vulnerability or more. The trick is in mitigating them. Anyone serious about "Information Assurance" knows the difference between a vulnerability and an actual threat, and can prevent threats.
Hitting a vulnerability in an IRS server might let you put in an extra web page or two, but would it let you commit gainful fraud somehow? And how many of those "unauthorized servers" are even remotely connected to sensitive data?
"...hackers or employees could exploit the vulnerabilities." Show me the proof, and stop wasting my time with anecdotes. The IRS employ some of the most paranoid people in the United States, and so much as sneezing on an IRS employee is dangerous... :-)
All hail Gaia! er... AIAG!!
Another Incompetent Agent of Government.
'nuf said.
Our tax dollars at work
Enough said.
Then again, they should lynch (or at least terminate) those who put these things on the air. Double the punishment if they are windoze based.
The first person they catch hacking
Will be publicly executed on the street. The body will be left there for the family to claim. The family will be billed for the cost of the execution and the cost of trial and investigation.
Considering...
the absolute horse shit the federal government makes us go through, through little exercises like HIPAA compliance and SOX compliance, the bastards in the IRS should be keelhauled when their security audits show miserable failures.
There are very few entities within the US government that have virtually every VITAL bit of information about every citizen in the country, than the US.
The mere thought they have ‘thousands’ of unregistered servers just floating around in their networks leaves me nervously laughing in a mild state of shock and disbelief. It’s not the fact that there’s now a publicly available report showing significant numbers, it’s the fact that it’s probably much worse than they think.
One client I’ve worked for, that does work for the government, is so paranoid that if there’s a single rogue access point found on the premises, a full-scale forensic investigation is launched, all machines attached to the switch or within the maximum signal radius of the AP are quarantined until they are deemed secured. They take this stance with their workstations because they are that serious about their workstation security, so I positively shudder to think about the repercussions if one ‘rogue’ server that just happens to provide some support for business and doesn’t conform to a strict policy/configuration model. Not only would somebody’s ass be fired but after the smoke cleared I’d hazard to guess that all traces of them and their family would cease to be.
So I find it terrifying that the bloodsucking-bastards-from-hell IRS have a minor security problem and have such a difficult time controlling their networks.
Calm down, calm down!
If you read the title of the report - it's not so clear from the Reg article :( - the investigation was into *internal* (intranet) web servers, they're not connected to the Internet. This includes many desktops with port 80 active in error. So, weak security (lack of configuration control) - certainly; bad practice (policies and procedures not being followed) - definitely; open season for hackers - err, probably not.
Move along folks, nothing to see here ..
@Gordon Fecyk
So it's okay to have a bunch of gaping security holes in such an important network, because they might not be exploited?
We aren't talking about a few web pages here. This is their internal network, the one that work actually gets done on. The fact that it is in such a terrible state speaks of a fundamental sloppiness in systems administration and IT management that simply should not be there in any organisation, let alone an arm of government.
So someone wants to sell them stuff? Big deal. Clearly someone needs to clean up there, and they evidently can't do it themselves.
Printers?
Most printers these days have built in Web-server admins. I know the two in my department have them, and they are vanilla HP and Xerox printers.
I'll lay odds there are many, many printers in the IRS.
