back to article Feeling bad about your last security audit? Check out what just happened to the US Department of Interior

The US Department of the Interior (DoI) spectacularly failed its latest computer security assessment, mostly for a lack of Wi-Fi defenses. This is according to a report [PDF] from the department's inspector general (via NextGov) which found that, among other failings, the DoI internal wireless network could be broken into over …

  1. redpawn Silver badge

    Good enough for me

    The same attack would work at my house and expose my mother's house as well.

    So how does that Deep State stuff work anyway?

    1. Anonymous Coward
      Anonymous Coward

      @redpawn - Re: Good enough for me

      Deep State does it quit nicely, thank you for asking! Now please go outside and wait for the black helicopter that will pick up up in a minute.

  2. Gene Cash Silver badge

    Nice picture

    So did they also worry about getting shot for "carrying a bomb"?

    In this part of the USA, that device in the left hand picture would get you instantly shot, no questions asked.

    1. Anonymous Coward
      Anonymous Coward

      @Gene Cash - Re: Nice picture

      You mean they will not even wait for someone to record it on camera ?

      1. sanmigueelbeer Silver badge

        Re: @Gene Cash - Nice picture

        You mean they will not even wait for someone to record it on camera

        Don't be silly. Every street corner already has a several CCTV cameras and the feeds are being analyzed in China.

    2. Robert Carnegie Silver badge

      Re: Nice picture

      I doubt you would be shot unless "this part of the USA" is a prison, in which case, how are you able to tell us about it...

      It also may help in those terms if you are not brown, and not bearded.

      They used it in public visitor space at offices, so bags might be not searched, it's not Apple that we are talking about (Apple premises qualify... but I already mentioned prisons). If bags are searched... there are such things as steel toe capped work boots. So if no one notices and cares that your footwear has a USB-C port, you get a clear run at it. A clumpy, clattery run, I admit.

    3. Anonymous Coward
      Anonymous Coward

      Re: Nice picture

      and you get pregnant from wearing a skirt, aids from having your pants low, and covid from not wearing a mask alone in your car.

      yeah, thats how much sense your post makes.

  3. HildyJ Silver badge

    No surprise

    Our government IT security is as bad as yours across the pond. This is in large part due to the fact that our IT has been outsourced (just like yours and often to the same companies). If they have an independent security function, that has been outsourced too (also often to the same companies). Management doesn't want employees.

    1. chivo243 Silver badge

      Re: No surprise

      "IT has been outsourced"

      Would have been nice if the article named and shamed some of these so called IT Contractors...

    2. Potemkine! Silver badge

      Re: No surprise

      Absolutely. As long as IT and more especially Cybersecurity will be seen as a cost rather than a investment, as long as the decision over IT budget will lies in the hand of accountants willing to maximise short term profit, then this kind of situation will continue.

      "The Capitalists will sell us the rope with which we will hang them" could be also hackers' motto.

    3. Anonymous Coward
      Anonymous Coward

      You get what you pay for

      If its outsourced and the contract doesn't contain provision for Security, guess what... you aint getting it.

      If it doesn't contain Security Advisory service, you aint even getting that.

      When you take your car to the garage for a new fan belt, do they change the exhaust too free of charge without asking you?

      Its easy to try and blame "outsource" as the problem, but they only do what you tell them to do and what you pay for.

      The fault lies entirely on the customer not specifically trying to deal with security by putting in place the instructions AND MONEY for doing it.

      No outsource contract I've ever seen contains the blanket statement "just do all of my IT sh1t, you have a free hand to do what you see fit, send me the bill for whatever"

      1. Chris G Silver badge

        Re: You get what you pay for

        Quite so. Outsourcing anything requires the direct employment of enough people who are expert in a subject so that the specifications are adequate.

        The beancounters tend to think, 'If we are outsourcing this, why do we need any experts of our own?'

        I have seen this happen too many times, incomplete specs and no one who can be held directly to blame.

        1. Anonymous Coward
          Anonymous Coward

          Re: You get what you pay for

          Exactly - the customers which make the outsourcers bleed are the ones with a sizeable retained IT department who's job it is to issue instructions and manage the supplier with tight control.

          The ones where stuff goes wrong and they get their trousers pulled down are where retained IT is too small.... usually where its just one or two "senior managers".

          I speak of this having been working in outsourcing for a few decades.... we have "problem customers" and those are the ones which hold our feet to the fire.... those are the ones seeing the actual benefit of outsourcing, the rest....

          There are quite a few of "the rest", in fact mainly "the rest".

      2. John Brown (no body) Silver badge

        Re: You get what you pay for

        "When you take your car to the garage for a new fan belt, do they change the exhaust too free of charge without asking you?"

        No, but they'll usually, for free, cast an eye over the rest of the car and tell if they think other work needs doing. Reputable ones will even be mostly honest about it too.

    4. BPontius

      Re: No surprise

      Can't blame outsourcing. The U.S Government hasn't been able to secure it's networks or PCs since the Reagan Administration. The movie WarGames got President Reagan asking if that was realistic, after some investigating found it was. Starting years of struggle to secure Government systems. Long before outsourcing the Military, IRS, White House, Pentagon, DOJ...etc haven't been able to keep their systems patched or secured. Teenagers have hacked into Defense department systems. Read: Dark Territory by Fred Kaplan

  4. You aint sin me, roit Silver badge

    But what's the Chinese angle?

    Surely some bright spark could have spun this "And that's why we have to strip out all Huawei 4G kit."

    1. Anonymous Coward
      Anonymous Coward

      Re: But what's the Chinese angle?

      I'll play along.

      All the equipment was made in.....

      came with Anvisoft antivirus (look it up)

      That or 15 year old Cisco or Juniper gateways..

  5. 2+2=5 Silver badge

    Parks and Recreation

    > A lack of attention to basic security practices cleared the way for outsiders to harvest user credentials, and gain access to the inner-workings of the US government

    This is the Department of the Interior they're talking about?

    1. Anonymous Coward
      Anonymous Coward

      Re: Parks and Recreation

      You can do a lot of damage there.

      For example, that department sometimes does controlled fires as part of their forest fire control strategy. Suppose you change the location and timing of one of those. You could literally burn cities.

      1. DaveEdi

        Re: Parks and Recreation

        I can see it now.

        Yes Mr Secret Service man, my docket says that I have to burn down all the trees @ 1600 Pennsylvania Avenue. Oh, and hoover up all the leaves.

      2. John Brown (no body) Silver badge

        Re: Parks and Recreation

        "For example, that department sometimes does controlled fires as part of their forest fire control strategy"

        Surely not! The esteemed President Trump has quite clearly stated that the forest fires are caused by the States not looking after their 3% of forest. It's nothing whatsoever to do with the 50% or so the Feds are charged with looking after or the privately owned forest land run for profit by businessmen like President Trump and properly and safely managed.

  6. Anonymous Coward
    Anonymous Coward

    Nice to see...

    ...all of that endless and largely pointless wifi hacking training SANS and others like to sell you finally hit some paydirt.

    Talk about low hanging fruit.

  7. Eclectic Man Bronze badge

    Plus ca change

    I remember once doing a follow up security review of a customer 2 (two) years after a colleague had done one. Half the people I interviewed said that there had been a review before and nothing had been done. So when I came to write up my report it was no surprise that not only were the faults described by my colleague two years previously all still there, they had managed to add some new ones.

    (As Major Bloodknock* might say "Well, there's progress for you".

    *The Goon Show, BBC Radio: "King Solomon's Mines".)

  8. Blackjack Silver badge

    The best Wi-Fi defence...

    Is not to use Wi-Fi.

    Just.. use cables for everything.

    Even the latest Wi-Fi protocol has holes and it has not been fully implemented in most places yet.

    1. Captain Scarlet Silver badge

      Re: The best Wi-Fi defence...

      or just turn everything off

      1. cawfee

        Re: The best Wi-Fi defence...

        change every hostname to localhost

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020