back to article Won’t patch systems? Never run malware scans? Welcome to the US State Department!

A branch of the US State Department charged with detecting visa fraud was found to be ignoring basic information security practices. As pointed out by NextGov, a recent audit conducted by the Office of the Inspector General for the State Department found that its Bureau of Consular Affairs Office of Fraud Prevention was …

  1. John McCallum

    Are they waiting to catch someone hacking the system so that they can then bill them for the work that this Department should have been doing all along.

    1. Anonymous Coward
      Anonymous Coward

      Hmmm... didn't a former head of the State Department run her own email server?

      1. Comments are attributed to your handle
        Meh

        Ah, BUTTERY MALES

      2. Someone Else Silver badge
        Devil

        Hmmm... didn't a former head of the State Department run her own email server?

        Could be that this is why?

      3. amanfromMars 1 Silver badge

        Hillary Answering Machine ..... with Remote Virtualised AI Controllers. Keepers of The Secret Gate*

        Hmmm... didn't a former head of the State Department run her own email server? .... Anonymous Coward

        Ermm ...run her own email server to security check applied current solutions which may leak information terrestrially to deep underground for Heavenly Presentations to Virtualise into Realities for Purely Creative Greater IntelAIgent Games Users Use. Right there is Sequestered Immaculate Source.

        One of those Entangling New Fangling IntelAIgent Service Programs/Pogroms which GCHQ can Supply to Kenya for Nigeria to Copy and Also Live Practice with? Does Mother Russia have Similar Parallel Running Programs? A Welcome Union would be Great AI Game Changing Move........Resulting in Not Unreasoned Requests for Further Future Information.

        Did Ms May make such a Prime Offering? Future Kit Today to Banish Yesterday for a Sparkling New Tomorrow and Starting Today. I trust she hasn't been trying to offload DODgy MODified Outdated and Outmoded Kit

        * Have you any idea where that leads and lands and leaves you alone to walk amongst as human when alien is one's true norm and phorm, and many more are beginning to realise it and understand what future possibilities exist. Failure to ACTivate Appropriately Directs One Away into Successively Deeper Confinements without/with All Earthly Pleasures Provided by AI Virtual for Advanced IntelAIgent Developments Work.

  2. wyatt
    Unhappy

    Quite common, first thing we ask if someone raises a support case is if there has been any patching recently. 50%+ of the responses are 'oh we don't patch'.

    I recently carried out an installation where a customer was pushing back about allowing unsigned activex controls to run. Out of all the customers we have they're the only one that has been concerned by this, most just allow it. They did have to allow it as the software doesn't work without it but they're pressurising the manufacturer to have this changed.

    1. Alan Brown Silver badge

      "I recently carried out an installation where a customer was pushing back about allowing unsigned activex controls to run"

      I push back against activex - signed or otherwise. Being dependent on a particular browser on a particular OS is a good sign that the authors don't have a royal clue about many things, including security.

      The w3c validator has been up at http://validator.w3.org/ for many years and is constantly updated.

  3. Anonymous Coward
    Anonymous Coward

    I Am Really Confused

    The article immediately preceding this one castigated Salesforce for helping the US Border Patrol do its job of reducing the flow of illegal aliens into the United States. Fine.

    Now this article takes the US State Department to task for not having properly patched systems, thereby reducing the agency's effectiveness in catching visa and passport fraud. Does that not, in fact, aid the very same illegal aliens in their efforts to enter and stay the United States, just in a different manner?

    I am all for the press suddenly rediscovering its responsibility to watchguard the US Government in 2016. Could you perhaps apply a bit of consistency to your disapprobation?

    1. Anonymous Coward
      Anonymous Coward

      Re: I Am Really Confused

      The current US immigration system is just a giant rug, of which the border patrol maintains the surface while the working reality is swept underneath.

      Hint: Not everyone wants them to work too well, just enough to assign blame.

    2. Anonymous Coward
      Anonymous Coward

      Re: I Am Really Confused

      "Does that not, in fact, aid the very same illegal aliens in their efforts to enter and stay the United States, just in a different manner?"

      The "very same"? You mean, they hacked into the SharePoint server right before they tried crossing the border on foot, at night, so the CBP would let them go in case they catch them? Or if only those kids separated from their parents would stop crying for one second and hack into the system and send themselves a brand new passport?

      Yes, you are definitely very confused.

      What has reduced the effectiveness of the agency so far is its own failure to respect laws (though not by as much as it should have, since obeying judges decisions doesn't appear to be its forte).

  4. Justicesays

    Well, are there any vulnerabilities being exploited for

    PC DOS 3.2 ?

    Or have they done at least some updates since 1986?

  5. macaroo

    We work for the government......the most money for the least amount of work.

    1. DJV Silver badge

      What?

      Even more than lawyers? Shock, horror!

      1. Anonymous Coward
        Anonymous Coward

        Re: What?

        Obviously, the sweet spot is to work for the government as a lawyer.

  6. Version 1.0 Silver badge

    The real question

    What was the CA/CST’s information systems security officer doing? Sure, security is important but the government is perpetually cutting back on department budgets while increasing the workloads in the name of efficiency. I expect that the next step will be to outsource the tasks to India ... thus saving even more money and (very important) being able to avoid taking responsibility for these problems in future.

    1. WolfFan

      Re: The real question

      He's a government employee. If the brass pretends to pay them, and the brass does exactly that, they will pretend to work, and they do exactly that. This was the problem with the old Soviet Union: they were all government employees.

  7. DerekCurrie
    Facepalm

    Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

    In the USA, it's supposed to be NIST, the National Institute of Standards and Technology. They have a Computer Security Division. Within the division they have groups dedicated to Cryptographic Technology, Secure Systems and Applications, Security Components and Mechanisms, Security Engineering and Risk Management, Security Testing, Validation and Measurement. They regularly publish documentation regarding cybersecurity, including the 'Cybersecurity Framework.'

    But what is all this worth if every department within #MyStupidGovernment ignores best practices and is essentially on their own deciding how to handle their own computer security, each with their own level of competence, if any? This is a very old problem. It took #MyStupidGovernment nine (9) years to admit their computers exposed to the Internet were being consistently and thoroughly hacked by China: Criminal Nation. That was as of 2007. We're eleven years on from that dire embarrassment, and nothing has been learned, changed, improved, perfected?

    Hey vehement homeland security conservatives! Hey government executives and secretaries! You all have to learn this computer security stuff in depth and apply it to our government if you want the USA to be relevant and competent in the world. We're losing the cyber war. Our country is blatantly suffering from our cyber-ignorance and laziness, despite the fact that a great deal of that cyber technology continues to be invented inside the USA. Shameful, with only more shameful on the horizon. (0_o)

    1. amanfromMars 1 Silver badge

      Re: Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

      Howdy doody, DerekCurrie,

      In the face and presence of such dire incompetence, is it your duty and inalienable right to crack hack the perverse sub-prime corrupted systems and expose all possible attack vectors/systemic vulnerabilities for remote exploitation?

      Surely you cannot reasonably expect any of the past or current status quo powers that be, the actual drivers and hosts of the Greater Misfortune, to be able to change their spots and act differently with AI and IT and a novel intelligence lead? They just don't have such smarts in them. And yes, that does indicate a global revolution is ...... well, you tell me ...... in the offing and inevitable or raging and doing incalculable damage to/with fake media tales failing badly to steer future events.

      And when the Wild and Wacky West has lost the plot does the Exotic and Erotic East naturally take over and make over everything with A.N.Other Shining Path Way ..... Great AIMission? Or would you unreasonably imagine and expect them to be doing virtually nothing ....... like the cowering gibbering idiots in their western counterparts?

      1. Giovani Tapini

        Re: Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

        Or the angle of current politics...

        Sec Officer - "We need to invest in a security audit which will validate my requirements for multiple system updates and network defence solutions.."

        Administration - "You must manage on the annual budget that barely keeps the electricity flowing. We can't tax the cra* out of our country just for you to get your new shiny kit. Some of the vendors are even foreign. If the taxpayers want security they can pay themselves.

        Sec Officer - returns to playing tetris on the root server...

        1. Anonymous Coward
          Anonymous Coward

          Re: Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

          "We can't tax the cra* out of our country just for you to get your new shiny kit".

          "The F-35 Is a $1.4 Trillion Dollar National Disaster"

          https://nationalinterest.org/blog/the-buzz/the-f-35-14-trillion-dollar-national-disaster-19985

          (but maybe the F-35 isn't shiny...)

          1. Alan Brown Silver badge

            Re: Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

            "The F-35 Is a $1.4 Trillion Dollar National Disaster"

            Aka "The Jet that Ate the Pentagon"

            And the _real_ bill is likely much, much higher than that. What's been coming out of recent(*) investigations is proligate spending and coverups inside US government departments and military

            (*) And not so recent ones

            When the dust settles, the real legacy of the F35 may well be reforms in policy regarding pork. If that trickles through to computer operations policy I'll be very happy, having had to deal with script kiddies who turned out to be playing on numerous pwned us military and government systems (with the usual attitude of shooting at messengers when informed, instead of the pwners)

    2. Anonymous Coward
      Anonymous Coward

      Re: Who's In Charge Of Computer Competence Inside #MyStupidGovernment ?

      And Somewhere

      There's Someone who cares

      With a Heart of Gold,

      2 Have and Two hold

  8. Hans 1
    Facepalm

    The Bureau says it will have that policy in place by November.

    Hm, not so birght, that admission ... everybody's gonna hack the sh1t out their systems, now, while the fun lasts ...

  9. Darkk

    Patch Issues

    There is actually no practical excuse for not patching personal computers and servers. Most of our machines are windows based and for the most part patches have gone without issues. Although I would have to say July 2018 patches are without problems which gave us grief for awhile. I had to suspend patching the machines for July and August to give Microsoft enough time to fix their screwups.

    Don't get started on the WSUS server. I've rebuilt that POS thing so many times that I care to count. Will have to fork out some $$$ for a real patching server. Lucky for us, however, we already have endpoint security installed on all the machines that we can monitor and take immediate preventive measures if necessary.

    There are some critical applications that can break after an update which is any IT's nightmare if patched on a large scale. However, it goes back to my original statement there is no reason NOT to patch at all.

    1. Fatman
      Linux

      Re: Patch Issues

      <quote>There is actually no practical excuse for not patching personal computers and servers. Most of our machines are windows based and for the most part patches have gone without issues.</quote>

      You seem to possess a selective memory. I (painfully) recall a day at the office when, after Windows had updated itself, everything broke.

      Manglement was screaming about lost productivity, and placing the blame at my foot. After two frantic days, I was able to get their systems back on line. What didn't help was the constant carping of "When are we getting back to work?"

      I learned two valuable lessons that day

      1) FUCK Microsoft and Windows and in general, and

      2) Get a new job.

      As a result, I embraced the penguin (and very rarely regretted it), and I went to work for a company where the soon to be CIO actually knew about IT, and wasn't a transplanted MBA (Mainly Brainless Asshole).

      1. Alan Brown Silver badge

        Re: Patch Issues

        "Manglement was screaming about lost productivity, and placing the blame at my foot."

        There are ways of kicking back quite hard (but politely) when that happens. Including the simple statement "You aren't paying me enough to put up with your behaviour"

        > After two frantic days, I was able to get their systems back on line. What didn't help was the constant carping of "When are we getting back to work?"

        To which the answer should ALWAYS be "At least a half hour longer, now that you've broken my train of thought"

        As for windows updates: You do have test rigs you check things out on before deploying across the enterprise, don't you?

  10. Potemkine! Silver badge

    Standalone network

    Does that mean this network is physically separated from the rest of the World?

  11. bemused obsever

    greatest security risk is govt security

    I held a US DoD SAP/SAR (above top secret) clearance until I retired. A couple of years back my and everyone's clearance records were exposed in an OPM (US Office of Personnel Management) hack. This, of course, is an identity theft's wet dream- everything from SS# to mother's maiden name, all past addresses, ...

    1. amanfromMars 1 Silver badge

      Re: greatest security risk is govt security

      Just about Perfect for Clean Skins and NEUKlearer HyperRadioProACTive IT AIgents alike, bemused observer, for that Provides Relatively Anonymous Being and Super Enabled Entities with Foreign Pirate Identities.

      Methinks on a scale of 1 to 10 calamity, is that a worthy 11.

      1. Anonymous Coward
        Anonymous Coward

        Re: greatest security risk is govt security

        Stranger Things have happened ...

  12. onebignerd

    This has been an issue since President Regan first saw the movie War Games and asked if that was really possible. Ever since it's been an endless stream of studies, oversight committees, presidential recommendations, passing the buck, endless bureaucracy, political posturing and tens of millions of dollars going no where. Military, White House, Pentagon, DOJ...etc. it's all one big insecure mess. Purging the Government of Kaspersky has proved to be more challenging than expected, since it is embedded into other software and hardware. The agencies charged with protecting the country can't protect even a single PC. SCARY!!

    Read Dark Territory by Fred Kaplan

  13. Tree
    Holmes

    Need to hire some smart kids

    Debbie Wasserman Schulze hired some Pakistani named Awan for security when she was Chairman of the Democrat Party. Soon, Wikileaks knew everything about what was happning. A team of Troy High School Students just won the Cyberpatriot award. The State Dept. needs to hire them.

    National Champion: Team Troy Tech Support, Troy High School (Fullerton, CA)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like