Proof that US government workers are stupid

happygeek

Penetration testing by the US Department of Homeland Security which involved dropping USB thumb drives and various data discs around the car parks of government agency buildings has revealed a not-so-shocking truth: just like most folk, government workers allow curiosity to trump security when faced with the opportunity to have a nosey at something they think they shouldn't be looking at.

Some 60 percent of those who picked up the thumb drives and discs went on to stick them straight into their company computers in order to see what they contained. The more that the drive or disc looked like it really might contain something 'official' and secret, those with an official looking logo stamped on them for example, the more likely people were to plug them in. In fact an amazing 90 percent of the drives with official logos that were picked up were installed.

Of course, this will come as absolutely no surprise to anyone who knows anything about both human nature and IT security. Stick baiting, as the process is known amongst the bad guys, is a remarkably simple and effective method of installing malware onto the networks of target businesses. This particular pen test proves that government departments are not immune to the curiosity factor when it comes to targeted attacks. The DOHS testers got their percentage numbers for this test because the drives were 'infected' with a basic call home routine, but this could just as easily have been truly malicious software such as a Trojan. That such high numbers of drives were able to successfully call home after installation suggests that network security at US government agencies is not as good as it could, and indeed should, be.

Ray Bryant, CEO at security experts Idappcom, says the pen test just proves that "there is no device known to mankind that prevents people from being idiots" and warns that, when coupled with network security systems that are not properly installed, this can have disastrous consequences. Unsurprisingly (as his company markets such a thing) he recommends an additional automated security audit layer be added which won't prevent human error but would flag up where the network is vulnerable due to configuration problems. "To err is human," Bryant concludes, "but to fail to compensate for those errors is an unnecessary risk."
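The drives in the test only had to be plugged in once to run their call-home routine, so the defender's interest is in seeing every removable-media attach as it happens and knowing which devices the organisation actually issued. The script below is an added example, not code from the article, DHS or Idappcom; it parses constructed, syslog-style USB attach records (the line format, host names, serial numbers and user names are all invented for illustration) and raises an alert for any mass-storage device whose serial is not on an allowlist of issued drives. The same check generalises to whatever your endpoint agent or operating system logs, as long as a stable device identifier is present.

```python
"""Flag removable-storage insertions that are not on an approved-device list.

Added example, not part of the original thread. The log format is a constructed,
syslog-style approximation of what an endpoint agent reports when a USB
mass-storage device is attached; hosts, serials and users are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample log: two hosts see issued drives, two hosts see unknown ones.
SAMPLE_LOG = """\
2011-06-28T09:14:02 ws-0142 usb-storage: attach vid=0781 pid=5567 serial=4C530001230517118123 user=jdoe
2011-06-28T09:15:40 ws-0142 usb-storage: attach vid=0951 pid=1666 serial=ACME-ISSUED-0042 user=jdoe
2011-06-28T10:02:11 ws-0077 usb-storage: attach vid=13fe pid=4200 serial=0001234567 user=asmith
2011-06-28T10:03:00 ws-0077 usb-storage: detach serial=0001234567
2011-06-28T11:20:33 ws-0200 usb-storage: attach vid=0951 pid=1666 serial=ACME-ISSUED-0007 user=rlee
"""

# Organisation-issued drives, keyed by serial number (constructed values).
APPROVED_SERIALS = {"ACME-ISSUED-0042", "ACME-ISSUED-0007"}

# Only "attach" records carry the fields we need; detach lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) usb-storage: attach "
    r"vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) "
    r"serial=(?P<serial>\S+) user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    serial: str
    vid: str
    pid: str


def parse_attach_events(log_text):
    """Yield one dict per well-formed attach line; detach and malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_unapproved_inserts(log_text, approved=APPROVED_SERIALS):
    """Return an Alert for every attach whose serial is not an issued device."""
    alerts = []
    for ev in parse_attach_events(log_text):
        if ev["serial"] not in approved:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                ev["serial"], ev["vid"], ev["pid"]))
    return alerts


def hosts_with_unapproved_inserts(log_text, approved=APPROVED_SERIALS):
    """Distinct hosts that saw an unapproved device, as a worklist for a follow-up sweep."""
    return sorted({a.host for a in find_unapproved_inserts(log_text, approved)})


if __name__ == "__main__":
    for a in find_unapproved_inserts(SAMPLE_LOG):
        print(f"{a.ts} {a.host} user={a.user} unapproved removable device "
              f"serial={a.serial} ({a.vid}:{a.pid})")
```

Keying on the serial rather than the vendor/product pair matters: the issued drives and one of the unknown drives above share the same vid:pid, so a model-level allowlist would have let it through. In practice the alert would feed a ticket to isolate the host and review the user's session rather than just a print statement.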

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK.

Sariscos

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

Agilemind

@Sariscos

From the DOHS website:
"Mission support careers involve the following fields: medical, human resources, facilities, budget, procurement, science and technology, training, intelligence, planning and coordination, detection, civil rights, fraud detection and more. Sample components"

Depends on what buildings they targeted; many of these wouldn't require such intense secrecy.

TheBigWedding

Want to know how the Stuxnet virus could have accidentally been insinuated into the software located on a closed server, of the type found in most nuclear energy plants? Look no further than this article.

GrimJack

The headline was unsupported by what was in the article - I would propose that the headline is proof that headline writers are stupid.

See

happygeek

Perhaps gullible is a better word, but the article supports the statement whatever. No more stupid than anyone else picking up and inserting sticks they find on the floor I grant you, but stupid/gullible nonetheless.

dzen

And what about antivirus software installed on the PCs? If it is configured correctly, as well as user rights and permissions (only admins are allowed to install something), then how come a call home routine or other software is allowed to be installed by antivirus from thumb drives etc.?

jwenting

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

No information was taken out for the test, they tested information being taken in...
IT Security no doubt requires that no data carriers from outside be used in department systems, but clearly there are no safeguards against this and/or the staff have become expert at circumventing such safeguards as may exist.

I used to work at a major bank's headquarters. This scenario would have been physically impossible there as all computers had hardware to prevent it.
The disk drives (no USB ports existed back then, and if they did they'd have been internally disconnected or physically removed from the systems for just this reason) were all special units that would encrypt and decrypt any disk put in on the fly.
Unencrypted disks thus could not be read, and disks written by them could not be read by any outside system (though decryption software might have decrypted the data).

All external connectors to the computers were either removed, internally disconnected from the rest of the hardware, or where needed (like network, keyboard, mouse, and monitor connectors) were shielded so they could not be disconnected by the user (a metal shield was placed over the rear of every workstation, which required a key to unlock which only the IT department had access to and was probably stored in a safe somewhere).
All computers were furthermore locked with a steel cable to individual desks to prevent theft.
Laptops weren't much of a problem as we had none, and our network was such that it was impossible for unauthorised systems to log on (both an obscure network topology, and the servers required custom software to communicate any login request, developed in house, which would present a workstation dependent code to the server for authentication, any unknown code, even were the workstation known to another server, would cause the workstation to be locked out from the network).

Yes, it was paranoid. But we didn't have to fear compromised data security from people plugging unauthorised disks or computers into the network.

It's rather disturbing that similar security measures aren't in place in a supposedly security conscious government department like DHS.

jwenting

And what about antivirus software installed on the PCs? If it is configured correctly, as well as user rights and permissions (only admins are allowed to install something), then how come a call home routine or other software is allowed to be installed by antivirus from thumb drives etc.?

AV software works on pattern recognition and behaviour prediction.
If you write something that doesn't match those patterns and seems innocuous in its behaviour it doesn't get flagged.
Say this thing installed itself as a plugin into MS Office when a Word document with a macro was loaded, then sends a single email before deleting itself or going dormant.
That's unlikely to get detected by an AV scanner.

Ancient Dragon

Reads like an episode of Candid Camera :)

TheLittleEngine

Most bases don't allow you to use thumb drives in the computers, and if you do there are serious repercussions.

swebsitedesign

It is surprising they're allowed to take information out of the building without having it checked in/out.

Netcode

If this were to be in my country, the testers would have taken over the whole nation and become so wealthy.
