
Proof that US government workers are stupid

 
2
 

Penetration testing by the US Department of Homeland Security which involved dropping USB thumb drives and various data discs around the car parks of government agency buildings has revealed a not-so-shocking truth: just like most folk, government workers allow curiosity to trump security when faced with the opportunity to have a nosey at something they think they shouldn't be looking at.

Some 60 percent of those who picked up the thumb drives and discs went on to stick them straight into their company computers in order to see what they contained. The more that the drive or disc looked like it really might contain something 'official' and secret, those with an official looking logo stamped on them for example, the more likely people were to plug them in. In fact an amazing 90 percent of the drives with official logos that were picked up were installed.

Of course, this will come as absolutely no surprise to anyone who knows anything about both human nature and IT security. Stick baiting, as the process is known amongst the bad guys, is a remarkably simple and effective method of installing malware onto the networks of target businesses. This particular pen test proves that government departments are not immune to the curiosity factor when it comes to targeted attacks. The DOHS testers got their percentage numbers for this test because the drives were 'infected' with a basic call home routine, but this could just as easily have been truly malicious software such as a Trojan. That such high numbers of drives were able to successfully call home after installation suggests that network security at US government agencies is not as good as it could, and indeed should, be.

Ray Bryant, CEO at security experts Idappcom, says the pen test just proves that "there is no device known to mankind that prevents people from being idiots" and warns that, when coupled with network security systems that are not properly installed, this can have disastrous consequences. Unsurprisingly (as his company markets such a thing) he recommends an additional automated security audit layer be added which won't prevent human error but would flag up where the network is vulnerable due to configuration problems. "To err is human," Bryant concludes, "but to fail to compensate for those errors is an unnecessary risk."

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro, the best selling IT magazine in the UK.

 
0
 

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

 
0
 

@Sariscos

From the DOHS website:
"Mission support careers involve the following fields: medical, human resources, facilities, budget, procurement, science and technology, training, intelligence, planning and coordination, detection, civil rights, fraud detection and more. Sample components"

Depends what buildings they targeted, many of these wouldn't require such intense secrecy.

 
0
 

Want to know how the Stuxnet virus could have accidentally been insinuated into the software located on a closed server, of the type found in most nuclear energy plants? Look no further than this article.

 
0
 

The headline was unsupported by what was in the article. I would propose that the headline is proof that headline writers are stupid.

See

 
0
 

Perhaps gullible is a better word, but the article supports the statement whatever. No more stupid than anyone else picking up and inserting sticks they find on the floor I grant you, but stupid/gullible nonetheless.

 
0
 

And what about antivirus software installed on the PCs? If it is configured correctly, as well as user rights and permissions (only admins are allowed to install something), then how come a call home routine or other software is allowed by the antivirus to be installed from thumb drives etc.?

 
2
 

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

No information was taken out for the test, they tested information being taken in...
IT Security no doubt requires no data carriers from outside being used in department systems, but clearly there are no safeguards against this and/or the staff have become expert at circumventing such safeguards as may exist.

I used to work at a major bank's headquarters. This scenario would have been physically impossible there as all computers had hardware to prevent it.
The disk drives (no USB ports existed back then, and if they did they'd have been internally disconnected or physically removed from the systems for just this reason) were all special units that would encrypt and decrypt any disk put in on the fly.
Unencrypted disks thus could not be read, and disks written by them could not be read by any outside system (though decryption software might have decrypted the data).

All external connectors to the computers were either removed, internally disconnected from the rest of the hardware, or where needed (like network, keyboard, mouse, and monitor connectors) were shielded so they could not be disconnected by the user (a metal shield was placed over the rear of every workstation, which required a key to unlock which only the IT department had access to and was probably stored in a safe somewhere).
All computers were furthermore locked with a steel cable to individual desks to prevent theft.
Laptops weren't much of a problem as we had none, and our network was such that it was impossible for unauthorised systems to log on (both an obscure network topology, and the servers required custom software to communicate any login request, developed in house, which would present a workstation dependent code to the server for authentication; any unknown code, even were the workstation known to another server, would cause the workstation to be locked out from the network).

Yes, it was paranoid. But we didn't have to fear compromised data security from people plugging unauthorised disks or computers into the network.

It's rather disturbing that similar security measures aren't in place in a supposedly security conscious government department like DHS.

 
1
 

And what about antivirus software installed on the PCs? If it is configured correctly, as well as user rights and permissions (only admins are allowed to install something), then how come a call home routine or other software is allowed by the antivirus to be installed from thumb drives etc.?

AV software works on pattern recognition and behaviour prediction.
If you write something that doesn't match those patterns and seems innocuous in its behaviour it doesn't get flagged.
Say this thing installed itself as a plugin into MS Office when a Word document with a macro was loaded, then sends a single email before deleting itself or going dormant.
That's unlikely to get detected by an AV scanner.
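The behaviour described in the reply above (a word processor quietly sending one email) is exactly what signature-based scanning misses but simple behavioural monitoring catches. The following is an added example, not code from the thread or from any product: it flags an Office process opening an outbound connection on a mail port. The log format, field names, process names and addresses are constructed for this example.

```python
from dataclasses import dataclass

# Process images that have no business talking SMTP directly.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Common mail submission ports (SMTP, SMTPS, submission).
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class NetEvent:
    image: str       # basename of the process that opened the connection
    dest_ip: str
    dest_port: int
    user: str


def parse_line(line: str) -> NetEvent:
    """Parse one constructed telemetry line of the form
    image=WINWORD.EXE|dst=203.0.113.9|port=587|user=DOMAIN\\alice"""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return NetEvent(fields["image"], fields["dst"], int(fields["port"]), fields["user"])


def is_suspicious(ev: NetEvent) -> bool:
    """A mail client connecting to port 587 is normal; a word processor doing it is
    the 'macro sends a single email' pattern and deserves an alert regardless of
    whether any scanner recognised the document."""
    return ev.image.lower() in OFFICE_IMAGES and ev.dest_port in MAIL_PORTS


def find_alerts(lines):
    """Return the events that match the Office-to-mail-port rule."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


# Constructed sample telemetry: one mail client, one browser, one Word process.
SAMPLE_LOG = [
    "image=OUTLOOK.EXE|dst=203.0.113.5|port=587|user=CORP\\bob",
    "image=chrome.exe|dst=198.51.100.20|port=443|user=CORP\\bob",
    "image=WINWORD.EXE|dst=203.0.113.9|port=587|user=CORP\\alice",
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {ev.image} ({ev.user}) -> {ev.dest_ip}:{ev.dest_port}")
```

Tuning the rule to your own telemetry (for instance adding a one-off-per-host condition) is where the real work is; the point is that the detection keys on what the process does, not on what the file looks like.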

 
2
 

Reads like an episode of Candid Camera :)

 
0
 

Most bases don't allow you to use thumb drives in the computers, and if you do there are serious repercussions.

 
0
 

It is surprising they're allowed to take information out of the building without having it checked in/out.

 
0
 

If this were to be in my country, the testers would have taken over the whole nation and become so wealthy.
