Report: DHS cyber security lagging
Kevin Poulsen, SecurityFocus 2004-12-16

The U.S. Department of Homeland Security is having some homeland cyber security issues on its systems providing remote access to telecommuters, according to a newly-released report by the DHS Inspector General's office.

Report: DHS cyber security lagging 2004-12-17
Anonymous
This is not the story for all of DHS. Some of the agencies that form DHS are using encryption, PKI, and strong authentication. Too bad they all get lumped into the term "DHS."

...

Report: DHS cyber security lagging 2004-12-17
Anonymous (3 replies)
Whew! Good news everyone. Steve Cooper from the DHS says unpatched software and null passwords are not really a security concern. Did someone inform the pen-test e-mail list that they don't need to bother reporting on those issues?

What really makes me wonder is the Win2K3 comment. What ar...

Report: DHS cyber security lagging 2004-12-20
Anonymous
Agree. Nothing a little enpasflt.dll won't fix....

Report: DHS cyber security lagging 2004-12-20
Anonymous (1 replies)
Probably NT/XP on NT 4.0 domains...

Report: DHS cyber security lagging 2004-12-20
Anonymous (1 replies)
Why would they be running NT4.0? Win2k was released well before the creation of DHS....

Report: DHS cyber security lagging 2004-12-21
Anonymous
Unfortunately, most of the agencies existed well before the formation of DHS and continue to use what they had before becoming part of DHS, so it is a mixed bag.

...

Report: DHS cyber security lagging 2004-12-29
Anonymous
"What really makes me wonder is the Win2K3 comment. What are they running now that they can't enforce some level of password complexity?"

What is preventing them is that they're running with "Steve Cooper". Get rid of the "talking head" and put a real security person in there....

Report: DHS cyber security lagging 2004-12-18
Anonymous
Talk about leading by example hey? The problem is that all too often Gov have a tendency to get so caught-up in policy and planning when they should be implementing and monitoring....

Report: DHS cyber security lagging 2004-12-19
PB
Quote: "any genuine effort at password hacking would be hobbled by the Department's policy of limiting failed login attempts"

Someone should inform Mr. Cooper about hash sniffing, and remote hash grabbing directly from servers (yes, even 2K3 servers) with pwdump3e & Co.

Any administrator, or som...

Report: DHS cyber security lagging 2004-12-20
CR
This is close to one of the funniest responses to a pentest I've seen.

Steve Cooper...time to wake up and learn a couple of things about security...

I quote:

"The systems suffering known vulnerabilities were waiting for patches to come out of testing, and any genuine effort at password hacki...

Report: DHS cyber security lagging 2004-12-20
Anonymous
Nice, he just identified what his new systems will be too.

His comments show that their approach is like a medium-sized company that's never really been targeted.

I can only hope, that they do get hacked. Maybe then they'll take their mandate more seriously....

Report: DHS cyber security lagging 2004-12-20
Anonymous
After a report like that, the only response I'd like to hear from Mr. Cooper is "will work for food".

Anyone who waits for an outside auditor to test passwords on an NT based network is asking to be hacked.

I'm sure all the hackers out there will give Mr. Cooper time to test his patches.

...

Report: DHS cyber security lagging 2004-12-20
Anonymous (2 replies)
This is insane. For anyone to state that the vulnerabilities or concerns of an audit team were overstated. Simply ridiculous.

And there is never an excuse to not have a patch installed. Running the patch through "testing" is never an excuse. You can test and test and test, but if someone gets r...

Report: DHS cyber security lagging 2004-12-21
Anonymous
True, no system can "force" users to use complex passwords, but enabling password complexity along with a stringent password policy (history/length etc.) and regular lc audits go a long way. The point is, this guy's response is a joke and blame shifting for problems on his systems shows how irrespo...

Report: DHS cyber security lagging 2004-12-21
Anonymous
Not to defend their policies, but umm, you push out an untested patch to a critical system, with highly specialized applications, and see what happens...

Report: DHS cyber security lagging 2004-12-21
Brian
DHS is running a Windows environment?? That is a BIG security risk in itself. Unless DHS receives a "special" Windows build from MS, their computer systems will always be open to threats and attacks. ...

Report: DHS cyber security lagging 2004-12-21
Tommy Ward
If our government was serious about information security, they would not be relying on static passwords at all, or especially not for ANY remote access. No amount of password complexity, aging or invalid entry timeouts can overcome the deficiencies inherent in static passwords, which for remote acce...

Copyright 2009, SecurityFocus