Proof that US government workers are stupid

2

By Davey Winder on Jun 30th, 2011 7:20 pm

Ad: IT HelpDesk & Customer Support Software

Penetration testing by the US Department of Homeland Security which involved dropping USB thumb drives and various data discs around the car parks of government agency buildings has revealed a not-so-shocking truth: just like most folk, government workers allow curiosity to trump security when faced with the opportunity to have a nosey at something they think they shouldn't be looking at.

Some 60 percent of those who picked up the thumb drives and discs went on to stick them straight into their company computers in order to see what they contained. The more that the drive or disc looked like it really might contain something 'official' and secret, those with an official looking logo stamped on them for example, the more likely people were to plug them in. In fact an amazing 90 percent of the drives with official logos that were picked up were installed.

Of course, this will come as absolutely no surprise to anyone who knows anything about both human nature and IT security. Stick baiting, as the process is known amongst the bad guys, is a remarkably simple and effective method of installing malware onto the networks of target businesses. This particular pen test proves that government departments are not immune to the curiosity factor when it comes to targeted attacks. The DOHS testers got their percentage numbers for this test because the drives were 'infected' with a basic call home routine, but this could just as easily have been truly malicious software such as a Trojan. That such high numbers of drives were able to successfully call home after installation suggests that network security at US government agencies is not as good as it could, and indeed should, be.

Ray Bryant, CEO at security experts Idappcom, says the pen test just proves that "there is no device known to mankind that prevents people from being idiots" and warns that when coupled with network security systems that are not properly installed can have disastrous consequences. Unsurprisingly (as his company markets such a thing) he recommends an additional automated security audit layer be added which won't prevent human error but would flag up where the network is vulnerable due to configuration problems. "To err is human" Bryant concludes " but to fail to compensate for those errors is an unnecessary risk".

1 Year Ago

0

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

Sariscos

Junior Poster

Team Colleague

109 posts since May 2011

Reputation Points: 90

Solved Threads: 1

Skill Endorsements: 0

1 Year Ago

0

@Sariscos

From the DOHS website:
"Mission support careers involve the following fields: medical, human resources, facilities, budget, procurement, science and technology, training, intelligence, planning and coordination, detection, civil rights, fraud detection and more. Sample components"

Depends what buildings they targeted, many of these wouldn't require such intense secrecy.

Agilemind

Posting Whiz in Training

298 posts since Jun 2010

Reputation Points: 10

Solved Threads: 2

Skill Endorsements: 2

1 Year Ago

0

Want to know how the Stuxnet virus could have accidently been insinuated into the software located on a closed server, of the type found in most nuclear energy plants? Look no further than this article.

TheBigWedding

Newbie Poster

1 post since Jun 2011

Reputation Points: 10

Solved Threads: 0

Skill Endorsements: 0

1 Year Ago

0

The headline was unsupported by the what was in the article - I would propose that the headline is proof that headline writers are stupid.

See

GrimJack

Posting Maven

2,985 posts since Feb 2004

Reputation Points: 1,448

Solved Threads: 23

Skill Endorsements: 0

1 Year Ago

0

Perhaps gullible is a better word, but the article supports the statement whatever. No more stupid than anyone else picking up and inserting sticks they find on the floor I grant you, but stupid/gullible nonetheless.

happygeek

veganarchist

Administrator

28,352 posts since Mar 2006

Reputation Points: 1,603

Solved Threads: 90

Skill Endorsements: 70

1 Year Ago

0

and what about antivirus software installed on the PCs ? if it is configured correctly as well as user rights and permissions (only admin are allowed to install smth), than how come call home routine or other software is allowed to be installed by antivirus from thumb drives and etc?

dzen

Newbie Poster

7 posts since Jan 2010

Reputation Points: 11

Solved Threads: 0

Skill Endorsements: 0

1 Year Ago

Show Comments

2

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

No information was taken out for the test, they tested information being taken in...
IT Security no doubt requires no data carriers from outside being used in department systems, but clearly there's no safeguards against this and/or the staff have become expert at circumventing such safeguards as may exist.

I used to work at a major bank's headquarters. This scenario would have been physically impossible there as all computers had hardware to prevent it.
The disk drives (no USB ports existed back then, and if they did they'd have been internally disconnected or physically removed from the systems for just this reason) were all special units that would encrypt and decrypt any disk put in on the fly.
Unencrypted disks thus could not be read, and disks written by them could not be read by any outside system (though decryption software might have decrypted the data).

All external connectors to the computers were either removed, internally disconnected from the rest of the hardware, or where needed (like network, keyboard, mouse, and monitor connectors) were shielded so they could not be disconnected by the user (a metal shield was placed over the rear of every workstation, which required a key to unlock which only the IT department had access to and was probably stored in a safe somewhere).
All computers were furthermore locked with a steel cable to individual desks to prevent theft.
Laptops weren't much of a problem as we had none, and our network was such that it was impossible for unauthorised systems to log on (both an obscure network topology, and the servers required custom software to communicate any login request, developed in house, which would present a workstation dependent code to the server for authentication, any unknown code, even were the workstation known to another server, would cause the workstation to be locked out from the network).

Yes, it was paranoid. But we didn't have to fear compromised data security from people plugging unauthorised disks or computers into the network.

It's rather disturbing that similar security measures aren't in place in a supposedly security conscious government department like DHS.

jwenting

duckman

Team Colleague

8,522 posts since Nov 2004

Reputation Points: 1,656

Solved Threads: 345

Skill Endorsements: 18

1 Year Ago

1

and what about antivirus software installed on the PCs ? if it is configured correctly as well as user rights and permissions (only admin are allowed to install smth), than how come call home routine or other software is allowed to be installed by antivirus from thumb drives and etc?

AV software works on pattern recognition and behaviour prediction.
If you write something that doesn't match those patterns and seems innocious in its behaviour it doesn't get flagged.
Say this thing installed itself as a plugin into MS Office when a Word document with a macro was loaded, then sends a single email before deleting itself or going dormant.
That's unlikely to get detected by an AV scanner.

jwenting

duckman

Team Colleague

8,522 posts since Nov 2004

Reputation Points: 1,656

Solved Threads: 345

Skill Endorsements: 18

1 Year Ago

2

Reads like an episode of Candid Camera :)

Ancient Dragon

Achieved Level 70

Team Colleague

32,116 posts since Aug 2005

Reputation Points: 5,836

Solved Threads: 2,575

Skill Endorsements: 68

1 Year Ago

0

most bases don't allow you to use thumb drives in the computers and if you do there are serious repercussions.

TheLittleEngine

Newbie Poster

19 posts since Feb 2011

Reputation Points: 11

Solved Threads: 0

Skill Endorsements: 0

1 Year Ago

0

it is surprising they're allowed to take information out of the building without having it checked in/out.

swebsitedesign

Newbie Poster

11 posts since Jul 2011

Reputation Points: 8

Solved Threads: 0

Skill Endorsements: 0

1 Year Ago

0

If this were to be in my country, the testers would have taken over the whole nation and become so wealthy.

Netcode

Veteran Poster

1,037 posts since Jun 2009

Reputation Points: 43

Solved Threads: 70

Skill Endorsements: 0