Hackers compromise Homeland Security computers

In what must surely be a gigantic black eye, congressional investigators said on Monday that dozens of computers belonging to the Department of Homeland Security (DHS) have been compromised by hackers.

To add salt to the wound, a government contractor hired to protect the DHS computers instead tried to hide the incidents from the department.

Democratic Reps. Bennie Thompson of Mississippi and James Langevin of Rhode Island said in a written statement:

The results of our [committee] investigation suggest that the department is the victim not only of cyber attacks initiated by foreign entities, but of incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks.

Excerpt from CNN on the severity of the breaches:

"We know where it [the information] was taken from, but we don't know what was taken. We only know how many megabytes was taken," the staff member said. "Everything was on the LAN A, which was an unclassified network. To the best of our knowledge there was no classified information [taken]."

The implicated contractor was not specifically named in the statement, though a committee staffer identified it as Unisys Corp. Unisys Corp. has a $1 billion contract to safeguard DHS computers.

Does your company outsource the management (not necessarily security-wise) of internal computers to an external provider? What have your experiences been like with such contractors?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

21 comments
shadowdao

Security must be handled in tiers, with checks and balances, and this is obviously not the case. That truly is disheartening seeing as this is the Department of Homeland SECURITY people. If you're going to have a security company monitor your network traffic and such, why are you not auditing them? That from a business sense is just stupid. From an IT perspective the IT Department should be standing in line at the welfare office for not doing their job. I don't care what system(s) or OS or even if the information was classified or not, the fact remains they were hacked, regardless. All OS software has vulnerabilities out of the box, as does hardware, and it is the job of the security firm and IT department to close the holes, while making it functional to those that require access, and monitoring such access, along with failed attempts and following up on issues and strange readings. What is saddest I think is that this same thing happens daily all across the country and no one knows what to look for and it never gets caught. Companies need to do security audits on a regular basis whether it be from an outside source or an internal division of your IT department, it needs to be done. (Personally I think security should be managed internally and audited by a third party firm, but that's my thoughts on it.) I hope to hear feedback from people.

Dusterman

Well ........ . We have a guy on here that works for the guvment and is very good at what he does. . He probably will not post about this but I will ask why he or another person from another guvment agency is not assigned to monitor these "outside" contracts. . We have some of the very best [ computer geeks ] working for our guvment in places like DC, Virginia, Maryland and Texas ..... that are more than qualified to "monitor" and admin these "projects". . This situation is a complete failure ..... not only on the part of the company but on our own guvment's inability [ wanting or needing ] to share info within itself. . It is truly tragic that we can be compromised by anyone outside of any "department", it is by design [ flaw ] that it will always be a problem and must be monitored constantly 24/7/365 . All of this is indeed old news. . That ..........is sad ......... .

fixdinet

Enough, I'm tired of people blaming security issues on Microsoft. I admin a mixed environment and I can assure you, no OS is secure. I receive security updates from Redhat for only 4 of our Linux boxes, in the past 2 years (actually just under) I have received 515 emails from Redhat concerning fixes, patches and vulnerability updates for these 4 servers. Secure OS, hardly, granted Microsoft based OSs are no better but I think the blame needs to be shared amongst all operating systems. The real issue in this story is someone got into the network. Where is the IDS? Why weren't firewall rules restrictive enough from both stopping someone from getting in as well as stopping them from getting out? Do we know how it was launched? Why wasn't an antivirus management server in place to assure all workstations were updated? Speaking of updates, if using windows based OSs on a sensitive network, why no WSUS server to assure that the clients are secure? Having worked for a few places that used Unisys for outsourced projects, I have yet to find a shining diamond amongst all the coal I have encountered there. Oh I'm sure there has to be a few, but I place this failure squarely on Unisys's shoulders. I cannot see why their services are still being used by the government when they have been caught for defrauding the government due to unethical billing practices.

TechinMN

"I cannot see why their services are still being used by the government when they have been caught for defrauding the government due to unethical billing practices." That's easy: then the procurement decision makers wouldn't get their kickbacks. Anyone who's worked in/with the government knows there is NO such thing as objective competition for those contracts. One thing folks are missing: why is Unisys being held responsible for this AT ALL? They are being blamed for not providing a service that the Dept. of Homeland In-security in its highly-incompetent wisdom decided it didn't want to pay for anymore due to (ahem) 'budgetary constraints'. How can you be held liable for something you are no longer paid to do? How can you be accused of fraud, if you receive no compensation for a service you are no longer paid to do? DHS should be thankful Unisys even told them about it, after some bureaucrat decided IDS wasn't necessary. Sounds like a lot of mud-slinging going on to cover someone's butt. I agree, though: there's definitely laws being broken here. Follow the money that has supposedly been spent on all this, and I have no doubt the real criminals will be found.

fixdinet

"In their letter requesting an investigation, Thompson and Langevin said that "contractors provided inaccurate and misleading information to Department of Homeland Security officials about the source of these attacks and attempted to hide security gaps in their capabilities." The letter does not name the contractor, but a committee staffer identified it as Unisys Corp., which has a $1 billion contract to safeguard DHS computers. In a written statement, Unisys disputed the allegations, which were made public Monday in a Washington Post article. According to the House Homeland Security Committee, Unisys was charged with installing intrusion detection systems, but the systems were not fully deployed at the time of the initial incidents. If they had been, "the initial intrusions may have been detected and prevented," Thompson and Langevin said." Sounds to me as if it wasn't a bureaucrat idea to leave out IDS as you suggested but rather Unisys dragging their feet. I get the impression that you work for Unisys based off of your reply. Hope you are one of the brighter people there. I have cleaned up their work to include switches installed under sinks (water in the ports) and servers in pool equipment rooms (humidity). My faith in them grows more weary with every article I read about them. I laugh that you feel that the 1 BILLION dollar contract wasn't enough to purchase an IDS.

tmcclure

This is a surprise to people? It just goes to show you how impudent government really is.

network923

If we didn't have DHS then it never would have happened in the first place. Check out http://www.ronpaul2008.com and learn more about cutting excess government spending.

paulmah

What have your experiences been like with such contractors?

dan_e_graves

Hackers are a problem with Homeland Security but hacking into a Homeland Security computer is not going to do much damage. The people that are going to do damage to this country are not the ones that are coming into this country at this time. The people that are going to hurt us are already here in sleeper cells just waiting until it is time for them to act. All the fuss about travelers coming to and from the USA is being used as a decoy to keep Homeland Security busy while the real danger are the ones that have been here many years and are part of our everyday community. Our complete country can be shut down in one day if the sleeper cells decide it is time to take over. As a former Military person it is easy for me to see how this could be done. I have sent a letter to Homeland Security to explain this but never heard anything from them. It is like they don't care. I would be glad to draw out the events that would stop us in our tracks if anyone from the Homeland Security Office would be interested.

simphiwe.mngadi

I think you should have never left the army. As for your letter, can you imagine how many letters any government department receives from solution providers. There are just too many arm-chair activists like yourself. Good luck, you gonna need it.

Neon Samurai

I've no doubt that the infiltration and espionage trades are alive and well but you make it sound like there's a commie-terrorist-bogeyman under every rock and behind every tree. I think your current administration has been far more efficient at damaging the country but that's really up to the American people to decide in the next vote. On the lighter side, would it be safe to say that your letter to DHS had a great impact in getting you added to one of their "lists"?

Jaqui

Why is the DHS using software designed from the get go to be vulnerable? If they had professional quality software instead of MS' home user software [ doesn't matter which version of windows, they are all designed for video gaming only ] then they would not have been able to be hacked.

guillenkma

Your statement, "If they had professional quality software instead of MS' home user software [ doesn't matter which version of windows, they are all designed for video gaming only ] then they would not have been able to be hacked.", is a blanket statement and totally unfounded. All Microsoft software is NOT for video-gaming only. If it were it wouldn't have all those networking services running, that have NOTHING to do with video-gaming. You should be reticent of posting replies just for the sake of posting one. Do a little research first.

simphiwe.mngadi

The OS debate will never end. It has been highly semanticised using certain features, that might make computing sense but is just complex for business to understand. It's all a bunch of high-tech mumbo-jumbo. I, personally, don't think that the issue here is about how better one OS is over the other; but about information security. If a risk is identified, there should be action taken to mitigate such risk. Cowboy tactics don't work.

Neon Samurai

Windows security is a mess in exchange for the areas Microsoft developer budgets were allowed to be focused on. DHS is run by politicians who, no doubt, made less than educated decisions about their information systems. The administrators left to keep the information systems running didn't have security appropriate for the office they were managing. The contractor, if still on contract, were negligent. If they were off contract as some have posted then that blame goes back to the person who chose not leave their office without tech support. There's all kinds of blame to be spread around. I don't expect the complete details of the breach will be released any time before the "classified" lifespan expires and the Freedom of Information Act can be used to retrieve it. True, a good systems admin can even lock down win95 to some degree given the right third party security tools. The fact still remains, Microsoft's products don't compete based on security, stability and overall product quality and if the DHS office had been using a different platform, such a breach would have been harder to orchestrate. Someone got into the DHS computer systems and now there will be a great deal of butt covering, finger pointing and whipping boys punished instead of princes.

Timbo Zimbabwe

"They have yet to release a version of windows that breaks from that video game focus." How about Windows 2000? I don't recall EVER reading about how "friendly" it is to gaming. BTW, your systems are only as secure as those who administer it. Maybe you should stop taking cracks at MS about the poor job that a computer contractor did. I run Windows and have yet to be hacked, but then again, that's just me....

jdclyde

Some can't even do that! :p

Neon Samurai

If you read other posts by Jaqui, you'll find that he is very computer literate. From the view point of techies, the comment comes from comparing Windows (all versions) to the many more robust OS. In comparison to Unix like OS, Windows is a children's toy meant for gaming only. Vista is the first step in possibly changing the gross lack of quality control that Microsoft puts into Windows but it's a very small step. Home and Ultimate are the same piece of swiss cheese, the latter simply has a few extra "features" so it can be marketed at a premium. I suspect you may be the one in need of a little research on the subject. Comparing different OS designs requires installing and being able to comfortably administer those different OS otherwise one has no real basis for comparison. Those who know more than Windows tend to be pretty unanimous on the shoddy quality of products that hold 90% of the desktop market through marketing and business strategies rather than good development. As an example; there's no real-time certified version of Windows for use in time critical systems and medical equipment - why is that do you figure? (heck, Windows own end user license agreement says "best of luck, you can't sue us when you eventually lose your data due to choosing our product".) The content of the comment is very much on point; if DHS ran a secure OS instead of Windows, the breach would have been much smaller if possible at all. Other OS architectures are naturally more secure while still being as easy to use. I'm guessing the classified information networks are a little better managed but that may also be putting too much faith in government workers.

Tony Hopkinson

shouldn't fail because File And Printer Services is disabled then.... Just one example... Windows is designed for connectivity not security. That design imperative runs through the entire OS. MS Security analogy Use a sieve as a bucket and then provide nifty little patches for SOME of the holes.

Jaqui

ActiveX started as force feedback of video game controls, MS made it a system level service that is network aware [ CRITICAL SECURITY FLAW ] The RPC mechanism defaults to using all ip addresses, instead of the loopback interface, meaning it explicitly looks for remote executable code, to run as system level service [ CRITICAL SECURITY FLAW ] Bill Gates, Comdex 1980 [ or so ] I'm pleased to announce our newest software application, designed to make it easier and more entertaining for people to play video games on their home computers.. Windows 1.0 They have yet to release a version of windows that breaks from that video game focus.

UncleRob

... "wouldn't have all those networking services running, that have NOTHING to do with video-gaming". Well let's qualify your statement. The original purpose of those network services (you haven't mentioned any specific services so we'll just assume all of them) may not have been for video gaming but to say that they have nothing to do with video gaming isn't exactly an accurate statement either. Most of today's popular video games offer some form of multiplayer gaming options, how do you think those options are enabled? The video games are making use of said network services to connect to the internet to allow communication with game servers and other users playing those same video games, this is what facilitates multi-player gaming. You should look into it, it's what also makes gaming platforms like the xbox/360, ps2/3, gamecube/Wii very popular as it caters to users who like multiplayer gaming which require the infrastructure you're talking about to function. As for that blurb about doing some research, you do a little yourself as well.
