Who's running dozens of top-secret unpatched databases? The Dept of Homeland Security

The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated "secret" and even "top secret," according to an audit. An inspection [PDF] of the department's IT infrastructure found huge security gaps, including the fact that 136 systems had expired "authorities to operate" – meaning …

  1. Anonymous Coward
    Anonymous Coward

    This is why they want everyone to weaken security

    ... it'll keep everyone else's security in line with theirs. :D

    1. Pascal Monett Silver badge
      Trollface

      DHS - Department of Homeland what already ?

      1. Stoneshop Silver badge
        Facepalm

        DHS - Department of Homeland what already ?

        Department of Homeland Stupidity, of course. Duh

    2. g e

      Words you'll never hear from them

      "Thanks for the heads-up, Mr McKinnon"

  2. Doctor Syntax Silver badge

    "The report details ... a seemingly bureaucratic effort to delay a report announcing the flaws in its systems."

    Next time, don't piss off the auditors. They get the last word.

    1. Keef

      "Next time, don't piss off the auditors. They get the last word."

      OFCOM

      Sorry mate, but you are really wrong, at least when it comes to UK auditors of a certain persuasion.

      Fucking OFCOM, ARRGGHH!

      1. 2+2=5 Silver badge

        OFCOM is a regulator not an auditor

        1. Keef

          Fair cop, you are right 2+2=5.

          Thanks for correcting me mate.

          Cheers all.

        2. The Regger
          Linux

          *a Reglauditor

    2. Anonymous Coward
      Anonymous Coward

      Next time, don't piss off the auditors. They get the last word.

      Nah, bad planning. The clever thing to do is to compromise the auditors before they get near, I think I've seen that done in the UK with a very well known government project. It takes a bit of planning but it's more effective and much harder to prove unless you can get an insider to speak up, and the press tends to miss those things anyway.

    3. Anonymous Coward
      Anonymous Coward

      Next time, don't piss off the auditors. They get the last word.

      If only. Alas, the DHS routinely fails security audits. (Its least-popular circus, the TSA, fails them spectacularly every few years.)

      Yet nothing changes. Oh, the agency - a giant shambling bureaucracy even by US standards - makes promises, and the top jobs change hands occasionally, but we keep seeing these reports. No doubt there are some folks there (John Roth, the DHS Inspector General, is one) who are trying to fix some of the problems. But they're facing an Augean Stables of incompetence, poor record-keeping, ad hoc systems left to rot, jealously maintained fiefdoms, misallocated resources ... all the usual problems of any huge organization left too long without proper management.

  3. Anonymous Coward
    Anonymous Coward

    You were told NEVER to peek behind the curtain!

    1. MrT

      Ah, so that's how DHS was reaching its green targets...

    2. I. Aproveofitspendingonspecificprojects

      Who is that guy?

      https://www.youtube.com/watch?v=YWyCCJ6B2WE

      > Ah, so that's how DHS was reaching its green targets...

      No, that is how GCHQ and the others were green-screening the targets

  4. a_yank_lurker Silver badge

    Surprised? Nah

    This is the US government where competency and professionalism is in short supply from top to bottom. Remember, the Federal bureaucracy incompetently implements idiotic laws passed by Congress, whose members have been accused of being less intelligent than a flea by Mark Twain.

    1. I. Aproveofitspendingonspecificprojects

      Utah rubbish!

      It isn't widely known but the reason for the bad feeling between the Allies during WW2 was the incompetence of the US commanders. We called them Our Italians (a reference to the fact that the Allies broke Italian logistics and forced them to behave like the Americans at Kasserine.)

      MacArthur in particular was the Wizard of Auz. Apparently they had a mock battle in the 1930's to select the worst generals. Then invaded Italy to prove it, hence the German saying: "I vill buy back."

      1. disgruntled yank Silver badge

        Re: Utah rubbish!

        How after all could the US compete with victories like Dunkirk? Or master strategists such as Churchill: Norway, Anzio, the Dodecanese, and if he had his way a campaign up through the Ljubljana Gap?

        1. petboy

          Re: Utah rubbish!

          I think the post about Wizard of Auz was a poor attempt at satire ... American logistics? As the Germans said "they fought a rich man's war - instead of attacking a machine gun nest with grenades, they call in an air strike".

    2. ps2os2

      Re: Surprised? Nah

      "Remember, the Federal bureaucracy incompetently implements idiotic laws passed by Congress whose members have been accused being less intelligent than a flea by Mark Twain."

      Err the pot calling the kettle black?

      1. Richard Taylor 2 Silver badge

        Re: Surprised? Nah

        I think Twain was rather smarter than the average flea (or Congressman)

    3. Anonymous Coward
      Anonymous Coward

      Re: Surprised? Nah

      No, this is the US Government under the OBAMA administration where competency and professionalism don't even exist. Instead "Alfred E. Neuman" has no friggin clue what he is doing or how a President should behave or what he should do besides cower behind Michelle.

      Micromanagement is the presidential watchword of the decade, no small wonder he has gone through so many Military advisers in ten years. They all have more military and common sense than Obama does. Hard to be an effective leader when you can't even figure out what is wrong and what is right.

      Even worse when you are a proven traitor to your country, having utterly failed to honor your oath of office!

    4. Robert Moore

      Re: Surprised? Nah

      My favourite Twain quote:

      "Suppose you were an idiot, and suppose you were a member of Congress; but I repeat myself." - Mark Twain

  5. Kev99 Bronze badge

    And these are the goofs the US expects to protect us frum dem dare furriners? They can't even find contraband during inspections. Unless it's a 16 ounce bottle of shampoo in your carry-on.

    1. Anonymous Coward
      Anonymous Coward

      tape it to a gun

      And fly out of Atlanta.

    2. Mark 85 Silver badge

      Yep... the same goofs that want to filter all the "data" through themselves and co-ordinate with the other TLA's and FLA's.

      <sarc>But.. they will keep us safe even if they can't keep anything else safe.... </sarc>

  6. Anonymous Coward
    Anonymous Coward

    Is that why people cannot get off no-fly lists?

    No one knows how to work the d/b...

  7. DerekCurrie Bronze badge
    Facepalm

    I wish I didn't have so many reasons to call it...

    #MyStupidGovernment (0_o)

    Catch Up! This Is The Future!

    Rather than worry about being able to hack into US citizen data, why can't you surveillance zealots figure out that being hackable means You WILL Be Hacked By The Bad Guys! You ARE being hacked by the bad guys. Over and over and over and over again.

    What an incoherent mess of cognitive dissonance is my US government.

    Its IQ: Diminishing daily.

    1. I. Aproveofitspendingonspecificprojects

      Call it...StuckNext

      You could wreck the American economy overnight much worse than a chimpanzee managed in 8 years. Just put everyone on the database. But what you really need to do is slip them on one by one (Generals last) so nobody notices like Clingfilm over speed cameras.

      > EL Res has a Snowden article splaffed in the sidebar next to your comment.

      Google has this in the first return on "EL Res":

      Vamos al bosque a cazar reses. A lo mejor consiga un jabalí.

  8. John Smith 19 Gold badge
    FAIL

    And it only takes one unsecured remote maintenance agent with no password protection...

    As a certain G McKinnon found.

    Of course the DoD estate is much larger so maybe all Homeland PC's are inaccessible from the web.*

    Side question. Is NSA part of Homeland Security? Sounds like they should be, but I bet they are "exempted."

    *And maybe next week I'm dating a super model.

    1. tom dial Silver badge

      Re: And it only takes one unsecured remote maintenance agent with no password protection...

      1. NSA is part of the Department of Defense.

      2. DoD systems that process secret data and above normally are in rooms that are physically and electrically isolated from the internet and are accessed by workstations not connected to the internet or locally connected terminals. That does not guarantee security (as the Iranian government knows), but it makes unauthorized access quite a lot harder.

      3. Within the DoD privileged access is not permitted from the external network,

      1. chivo243 Silver badge
        Trollface

        Re: And it only takes one unsecured remote maintenance agent with no password protection...

        It's funny that EL Res has a Snowden article splaffed in the sidebar next to your comment.

  9. tom dial Silver badge

    The report is not an especially good one, but may not be as bad as might seem. Many or most of the audit findings address inadequate or incomplete documentation and do not necessarily indicate unfixed vulnerabilities. It is quite possible, perhaps even likely, that a system without a current ATO is fully patched and configured to conform to the current baseline requirements. Similarly, lack of training documentation does not establish incompetence any more than its existence proves competence. However, failure to obtain or renew ATOs and maintain other required documentation indicates something may be off about management, staffing, or both.

    Of much greater concern are the unsecured external access points. Although the auditors found only 40, it is likely that some of them also were found by others, and that is a bad thing. The large number of unsupported operating systems (most apparently Windows XP and Server 2003) also is a bad sign, as some of them almost certainly were internet reachable. Those attached to classified systems should not be, and we may hope that actually is the case. There also were too many unpatched systems, along with an extensive collection of add-in software like Firefox, Chrome, and Flash.

    All in all, the report suggests a certain slackness of management, hints that users are able to install software (always a bad idea), and delays in patching that suggest inadequate staffing or failure to manage the work effectively. The rapid increase (nearly 700%) in POA&Ms from 2014 to 2015 suggests a significant work backlog, again suggesting management and staffing problems. Staffing and other resource problems may result from external constraints such as budget limits that foster a line management view that "IT is not our primary mission."

    1. Ken Hagan Gold badge

      ...a line management view that "IT is not our primary mission."

      Actually that's arguably the most actionable point to come out of this. Someone has classified these databases as secret. Either that's not true and their whole classification system is broken, in which case heads should roll, or it is true in which case the response to "IT is not our primary mission" is simply to point out that "security is" and sack the idiots who disagree.

      Formally arguing that the most security-sensitive systems (by your definition) should be excluded from your security audit is a clear indication that you are too stupid to do the job.

      1. tom dial Silver badge

        IT is not, in fact, a major part of the DHS mission. It is a mission essential part of their infrastructure, though, at least equally with office space and utilities. Accordingly, all aspects of information assurance ought to be seen as prerequisite to any other expenditure, right along with rent (often paid in funny money to GSA, but still in the agency budget). The problem is that if they don't pay the rent they might get evicted, while they can cut back on IT support costs for some time before it becomes evident through either a publicly visible breach or breakdown of services. OPM fell to this, I suspect, and State Department IT was bad enough that Secretary Clinton seems to be receiving a pass for illegally operating a private server for government data processing.

  10. Ken Hagan Gold badge

    Perhaps they need more money?

    Or perhaps Congress should seriously consider the proposition that keeping the department in existence in this state is actually worse for US security than shutting it down. With pen-tests recently showing that they only stop 5% of forbidden items getting onto planes they clearly aren't achieving anything there, and with all their security-related info sitting on insecure databases the risk of future disasters is obvious.

  11. Anonymous Coward
    Anonymous Coward

    Strange...

    When Gary McKinnon pointed out all the holes he found in their system they tried to arrest him.

    1. tom dial Silver badge

      Re: Strange...

      Perhaps it had something to do with the way McKinnon approached the problem. There were others that almost certainly would have caused him a lot less trouble.

  12. I. Aproveofitspendingonspecificprojects

    16 October 2012, after a series of legal proceedings in Britain, Home Secretary Theresa May withdrew her extradition order to the United States. Was this after one of Julian Assange's informants' torture was exposed?

    Or does he just not want to risk flying on American Airlines?

  13. Anonymous Coward
    Anonymous Coward

    Professional Bureaucrat Managers at work

    Talk to any high level management person in these organizations and 'keeping patches up to date' is not on their radar. It's boring, they don't understand it, and it's not sexy to list in their list of accomplishments.

  14. Anonymous Coward
    Mushroom

    Protecting the Homeland from Cyber Terrorists ..

    "We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,"

    What's Adobe and Oracle even doing on servers defending the homeland from the cyber terrorists?

    "it is clear that the DHS' .. doesn't know how bad its security is because its own security audits are lacking"

    How about having Homeland Security run penetration tests against its own computers and then utilize such a report to patch the servers and workstations.

    1. Anonymous Coward
      Anonymous Coward

      I cannot speak for DHS...

      But I can comment w/r to the multi-national corporation that employs me.

      About Adobe...

      More than half of our internal documentation is distributed electronically in PDF format. It's common for a lab worker to carry a month's worth of content with him/her on a thumb drive attached to his/her badge lanyard or keychain. This habit has itself been flagged by corporate security as a security risk, since most workers take their badges, keychains, and thumb drives home after work. But there is no punishment or corrective action in the P&P handbook, and so it goes overlooked.

      In order to read a PDF document within a "secure" lab, a worker must use a lab desktop, since personal computing devices are not allowed inside. In order to do this (read PDF files in electronic format, as opposed to making a print-out) many lab workers will install an Adobe PDF reader application, since this is easy and free to do.

      Also, there is apparently a hack that allows Adobe to check automatically for updates. Lab computers are theoretically connected only to the internal "secure" lab network. But I have been sitting at a lab computer when an automatic update took place. I deliberately did not look into this.

      About Oracle...

      Oracle markets an application called "Taleo". I don't know much about it, except to say that it is an HR tool that screens job applicants against existing open positions. It/Taleo contains job opening info from HR, and accepts candidate info uploads, such as resume, citizenship status, cover letter, etc. I believe that a portion of the Taleo app resides in the cloud, but have not looked into this.

      I have seen other lab workers surfing the "internal open positions" database in the lab, using a lab desktop. I do not know if Taleo requires a client system app to do this. But I do know that it requires a browser (Firefox, Chrome, etc). I conclude that one or more of my fellow lab workers have installed browser software, and possibly an Oracle client application on some number of the desktops in my lab(s).

      Our lab workers are well screened & vetted. Background checks are mandatory and I believe the checks to be reasonably thorough. Nevertheless, I'm confident that we have some numbers of systems that (1) have Adobe, Oracle, and browser software installed (2) Have some sort of external internet access (3) are frequently connected to classified documentation (from the thumb drives).

      It is a systemic problem. Absent a draconian reign of terror by the corporate thought police, I cannot think of a pleasant or even a reliable means to resolve the malfunction.

      1. tom dial Silver badge

        Re: I cannot speak for DHS...

        One obvious correction is to lock down the workstations by denying users all software installation rights. Upper level management, of course, must approve and support this, and additional IT staff will be required to support the small number of cases where a particular user has a justifiable need for a product that is not part of a standard configuration. There could be cost reductions, though, from establishing and enforcing compliance with a small number of standard configurations combined with a small number of tested (and maintained) optional software products.

        The more I think about it the more I become convinced that the root cause is failure of line management to understand the importance of IT and provide adequate support. In the US government, upper management extends to include the Senate and House of Representatives as well as the President and cabinet officers; and in the private sector, it includes the owners, possibly as represented by the board of directors. And that is a sizable potential problem.

  15. Anonymous Coward
    Anonymous Coward

    It is encouraging for ISIS, the Chinese, Korea and other interested parties that you do not need to spy on the USA; all you need to do is to let them collect everything because that is "hot" and "macho" and then rely on their weaknesses to hack into their systems and siphon everything off. It is perfectly in line with outsourcing and globalization to let the work be done by those who do it for buttons or for free.

  16. ecofeco Silver badge

    Doomed to repeat

    It seems to me that we are in much the same situation as the world was just prior to WW1 and WW2. Many heads of technological organizations, including warfare, are mere figureheads who arrived at their position by political favor and not skill or knowledge and are woefully unprepared for the changes taking place, let alone, coming.

    And just like WW1 and 2, drastic changes ARE coming.

  17. John Tserkezis

    Don't worry, it's easy to fix.

    Just filter every foreign website from general users.

    It works. Read it for yourself.

    It's all in a document marked "Top Secret" on a publicly accessible Homeland Security website.

    1. szielins

      Re: Don't worry, it's easy to fix.

      I didn't know Donald Trump was branching into IT.

  18. Florida1920 Silver badge
    Holmes

    No surprise

    DHS was a bad idea from the start. 9/11 happened in large part because the CIA and FBI didn't talk to each other. Adding another layer of bureaucracy was stupid, but you'd expect no better from G.W. DHS folded in FEMA and the Coast Guard, but left CIA and FBI to carry on their pissing contest unaffected. The post-Katrina catastrophe in New Orleans was a direct outcome of demoting FEMA into subordinate status. Fear what may happen after a larger-scale disaster, which no government agency or official "could have seen coming," even though they will.

  19. zen1

    Infuriating!

    As someone who's audited by the govt on a regular basis, I find it effing infuriating that the very same government entities that make sure my company is complying with DoD handling of sensitive data are the same group of idiots who are running a complicated IT infrastructure like a bunch of <expletive deleted> noobs. If it were up to me, shit like this would not happen. Period. If it did, department heads would be in jail for criminal negligence, if not tried for espionage. As nosy as this government is and as sophisticated as its intelligence gathering can be, you'd figure that there'd be a little inter-departmental assistance going on and they'd get their security shored up. But no, it's like a bunch of independent fiefdoms, all squabbling and finger pointing until they get caught with their pants down.

    If I get a deficiency on my audits, I have a short amount of time to fix it or I lose my business. It's as simple as that. The fact that there have been so many public facing systems, networks and services that have had so many security problems is in-effing-excusable. Someone in the executive branch (god forbid) or the legislative branch (even bigger imbeciles) should get off their asses and do something.

    1. Mark 85 Silver badge

      Re: Infuriating!

      But no, it's like a bunch of independent fiefdoms, all squabbling and finger pointing until they get caught with their pants down.

      There's the problem. If you've been watching the government or worked in it or for it, for any amount of time, you know that it's fiefdoms. Have a big fiefdom, you get budget, personnel, and power. If the fiefdom has good press.. it gets more. If it's a necessary (for the people of the country) and not on the A-list, it may get smaller.

    2. Anonymous Coward
      Anonymous Coward

      bunch of <expletive deleted> noobs.

      I'd imagine this is a common gripe, experienced by most private companies who are doing things properly that have been outsourced from the public sector because they were bad at it - but are still in charge of the outsourcees.

  20. Anonymous Coward
    Anonymous Coward

    Ya think?

    Obviously the U.S. gov'ment doesn't.

  21. Stevie Silver badge

    Bah!

    Cue Laurel and Hardy Theme Tune.

  22. Prst. V.Jeltz Silver badge

    It seems to me that publishing the results of your audit, flaws and all, is in itself a massive security problem!

    1. zen1

      @ Prst. V.Jeltz

      I know this is probably obvious, but at least acknowledging them internally is a good start. Broadcasting the fact without a coherent plan already in place, OR not staying ahead of them in the first place, shows a systemic failure of processes and piss poor management.

  23. Anonymous Coward
    Anonymous Coward

    The solution is simple

    Move applications to a FedRAMP certified cloud provider.

    This process works by having for-profit "Independent Third Party Assessors" compete to sell you certification and accreditation approval.

    What could possibly go wrong?


Biting the hand that feeds IT © 1998–2019