U.S. Treasury Hacking Vulnerability Shows Need For Overhaul Of U.S. Government's Security Model

[Guest]

The Office of Inspector General (OIG) found a significant security vulnerability in the U.S. Treasury's Foreign Intelligence Network, which allowed 29 percent of devices to connect to it without applying proper security standards.

U.S. Treasury Hacking Vulnerability Shows Need For Overhaul Of U.S. Government's Security Model : Read more

 

[ocilfa]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

 

[jimmysmitty]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

 

[house70]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

That pretty much sums it up.

 

[house70]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

The fact that they stored personal information unencrypted is a testament to their ineptitude and no amount of "sticking up for them" can justify that. Even the hardware/software they use can't justify that. This is "I am the government and nothing can/will happen to me even if I screw things up badly" attitude at it's best. Because, really, who is going to hold them accountable for this? Ordinary citizens? Good luck trying to recoup some of the immense headache caused by such breach to you or me. The govt. will just shrug it off and keep on going.

 

[jimmysmitty]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

The fact that they stored personal information unencrypted is a testament to their ineptitude and no amount of "sticking up for them" can justify that. Even the hardware/software they use can't justify that. This is "I am the government and nothing can/will happen to me even if I screw things up badly" attitude at it's best. Because, really, who is going to hold them accountable for this? Ordinary citizens? Good luck trying to recoup some of the immense headache caused by such breach to you or me. The govt. will just shrug it off and keep on going.

You really didn't read my post, did you? I only said that they are not that far behind on OS/software.

I did however say that the people in charge of these places treat their IT infrastructure as a luxury that only needs to be upgraded if it no longer works instead of treating it like a necessity that needs to be well maintained.

Of course this should be expected as people rarely read past the first sentence in most cases.

 

[USAFRet]

Interestingly, I am one o' them gummint IT guys.
The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
There is no such thing as perfect software, people, or procedures.

We could go into far more detail, but then I'd have to shoot you.

 

[jimmysmitty]

Interestingly, I am one o' them gummint IT guys.
The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
There is no such thing as perfect software, people, or procedures.

We could go into far more detail, but then I'd have to shoot you.

For most cases it is not the IT department at fault. A lot of times you guys don't have the resources and do the best with what you can, although the IT at my wife's location is pretty much a bunch of morons, while the higher ups just brush off anything you give them as a way to make it more secure.

Considering that the US government has access to not only our identities they also have access to our SSI and other monies they should be doing a much better job securing it.

 

[USAFRet]

Interestingly, I am one o' them gummint IT guys.
The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
There is no such thing as perfect software, people, or procedures.

We could go into far more detail, but then I'd have to shoot you.

For most cases it is not the IT department at fault. A lot of times you guys don't have the resources and do the best with what you can, although the IT at my wife's location is pretty much a bunch of morons, while the higher ups just brush off anything you give them as a way to make it more secure.

Considering that the US government has access to not only our identities they also have access to our SSI and other monies they should be doing a much better job securing it.

Yes they should.
The procedures are there, the hardware is there, the software is there.....people are the problem.

 

[falchard]

Best idea ever. Don't expose confidential information to the Internet. Still what would they hack? A counter that keeps adding dollars to the US treasuries balance sheet.
while(1)
TreasuryBalance++;

 

[rantoc]

Having a system unsecured vs the internet is like leaving the door home unlocked - its just stupid! Hearing a gov run facility get hacked who is suppose to have very good security due to its content makes me wonder if they didn't leave the door poorly locked, gambling with the content within and this time that gamble backfired...

Just hope the responsible (either security responsible or the administration if the security responsible pointed out they needed additional funding and din't get a dime - quite common sadly) gets the torch for allowing the hackers to gain access.

I hope those poor sobs who have their personal information leaked due to the gamble sue them - Big times!

 

[mrface]

I find it hilarious that most people are up in arms over the OPM holding data for all its employees; Being that it is the Office for Personnel Management. I am 100% confident that every personnel office in the country, rather public or private sectors, holds information about its employees. In the end, it comes down to what USAFRET has said, the people are the problem.

[/although I will say SDC and FDCC suck, when the government decides to go to thin dummy clients(virtual desktops) then we will certainly be secure.)

 

[jalek]

Seems the director of the FBI is against people securing any of their data, so why should this be addressed?

 

[house70]

I find it hilarious that most people are up in arms over the OPM holding data for all its employees; Being that it is the Office for Personnel Management. I am 100% confident that every personnel office in the country, rather public or private sectors, holds information about its employees. In the end, it comes down to what USAFRET has said, the people are the problem.

[/although I will say SDC and FDCC suck, when the government decides to go to thin dummy clients(virtual desktops) then we will certainly be secure.)

I can't speak for what other people are thinking, but I for sure am not against OPM holding necessary data; what I am against, though, is to hold the data unencrypted, like these clowns did. As long as practices like this go unabated, shielded by the 'big govt. ' attitude where nobody is responsible, expect further breaches to be accompanied by severe loss of sensitive information. Also expect the involved institutions to not give a flying fig about it.

 

[house70]

US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

The fact that they stored personal information unencrypted is a testament to their ineptitude and no amount of "sticking up for them" can justify that. Even the hardware/software they use can't justify that. This is "I am the government and nothing can/will happen to me even if I screw things up badly" attitude at it's best. Because, really, who is going to hold them accountable for this? Ordinary citizens? Good luck trying to recoup some of the immense headache caused by such breach to you or me. The govt. will just shrug it off and keep on going.

You really didn't read my post, did you? I only said that they are not that far behind on OS/software.

I did however say that the people in charge of these places treat their IT infrastructure as a luxury that only needs to be upgraded if it no longer works instead of treating it like a necessity that needs to be well maintained.

Of course this should be expected as people rarely read past the first sentence in most cases.

Oh, but I did read your post, alright.
Please allow me to summarize MY post (I feel the point was missed): Not encrypting the personal info stored on the hacked servers was/is a noob move (regardless of the hardware/software combo they might have been using ). There is NO excuse for that.
That's it. BTW, it also has nothing to do with upgrading/maintaining their IT infrastructure. They could have been using Windows 12 Secret Service Edition for what I care, the data would still be un-encrypted and ready for picking at the first hacking event.

 

[mrface]

I find it hilarious that most people are up in arms over the OPM holding data for all its employees; Being that it is the Office for Personnel Management. I am 100% confident that every personnel office in the country, rather public or private sectors, holds information about its employees. In the end, it comes down to what USAFRET has said, the people are the problem.

[/although I will say SDC and FDCC suck, when the government decides to go to thin dummy clients(virtual desktops) then we will certainly be secure.)

I can't speak for what other people are thinking, but I for sure am not against OPM holding necessary data; what I am against, though, is to hold the data unencrypted, like these clowns did. As long as practices like this go unabated, shielded by the 'big govt. ' attitude where nobody is responsible, expect further breaches to be accompanied by severe loss of sensitive information. Also expect the involved institutions to not give a flying fig about it.

and this is fair, unencrypted though... I think people believe too much of what the news tells them...


cheers.

 

[house70]

I find it hilarious that most people are up in arms over the OPM holding data for all its employees; Being that it is the Office for Personnel Management. I am 100% confident that every personnel office in the country, rather public or private sectors, holds information about its employees. In the end, it comes down to what USAFRET has said, the people are the problem.

[/although I will say SDC and FDCC suck, when the government decides to go to thin dummy clients(virtual desktops) then we will certainly be secure.)

I can't speak for what other people are thinking, but I for sure am not against OPM holding necessary data; what I am against, though, is to hold the data unencrypted, like these clowns did. As long as practices like this go unabated, shielded by the 'big govt. ' attitude where nobody is responsible, expect further breaches to be accompanied by severe loss of sensitive information. Also expect the involved institutions to not give a flying fig about it.

and this is fair, unencrypted though... I think people believe too much of what the news tells them...


cheers.

From the article:
"The OPM for instance, didn't encrypt social security numbers, fingerprints and other sensitive information about its employees, so when the hackers penetrated the network, they could access everything."
Didn't make this stuff up (certainly hope the OP didn't just make it up, either), and if it weren't true, the OPM would be up in arms trying to save face and reassure everybody that the lost data was encrypted, as form of damage control if anything.
.... It is what it is....

 

[mrface]

It certainly is what it is. But coming from working with the government, in I.T., I can verifiably say it is encrypted. Now the encryption level that is there, is lacking, but most encryption is as well.

But what would I know,

 

[house70]

It certainly is what it is. But coming from working with the government, in I.T., I can verifiably say it is encrypted. Now the encryption level that is there, is lacking, but most encryption is as well.

But what would I know,

I re-read the article, in case I mis-quoted it. Turns out I didn't.
I am glad the branch / office you worked in was taking the proper steps to encrypt said data. However, I have not seen any statement denying the lack of encryption present within Treasury's Personnel Office data. It is not stated that ANY/ALL data is un-encrypted, but the personal info stated was left as such (in that particular database).
Unless, of course, Lucian Armasu chose to post untrue statements in his article. Even so, the editor should have caught up with it, since it's a pretty specific and serious allegation.

 

[mrface]

Its not the treasury personnel office. Its OPM; the Office of Personnel Management. https://www.opm.gov/

Although the Treasury department, certainly falls within its scope.

As said previously, me thinks people listen to the media too much; the author included. He/She is just reporting what he/she reads. Allegations or not. Again encryption is not the problem, the initial hack and data egress is the problem. Any good hacker doesnt worry about encryption as the just jump around that encryption with some simple debugging and assembly code for programs and obfuscation for raw data. This is common knowledge. If I can get into your system and egress data, it doesnt matter what encryption you have, I have your data and can take my time with it.

Cheers.