Another Government Computer Security Incident: Hackers Break Into the U.S. State Dept. Computers
A story just appeared on CNN, "Hackers target State Dept. computers." Some of the more notable excerpts from the story:
"Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."
The break-ins were reportedly discovered in mid-June. It would be interesting to know how the hackers implanted backdoors into the computers. Perhaps the admin and supervisor passwords were among those stolen? Were the passwords stored in clear-text files? Or were they weak enough that a password cracker could recover them? Either way, it sounds like at least two-factor authentication would be a good idea for all government computer systems, doesn't it?
"'The department did detect anomalies in network traffic, and we thought it prudent to ensure our system's integrity,' department spokesman Kurtis Cooper said. Asked what information was stolen by the hackers, Cooper said, 'Because the investigation is continuing, I don't think we even know.'"
Well, it is refreshing to finally have a representative of an organization that has experienced an incident honestly report that he doesn't know what was taken or compromised.
"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet."
"Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on. Cooper said the department has since fixed that problem."
I find the disabling of SSL interesting; I wonder what type of protection they implemented as a compensating control.
Technorati Tags
information security
IT compliance
government computer security incident
hacker
security breach
awareness and training
regulatory compliance
privacy

Comments
It could be a plant story, too. Cyberattacks have been coming from PRC for a long time. There could be many possible reasons to break such a story now.
Going to Google with search term "coventry 'churchill knew'" will show how things can play out. All we know is that CNN ran a story which talked about attacks on US State Dept networks.
Posted by: a reader | July 11, 2006 10:43 PM
After considering all the reported details in the AP story (which cnn.com carried), I think the most likely explanation is this.
The computers of the State Department diplomats (mostly outside the USA) all connected back to the State Department intranet via IPSec (secure VPN) technology. They didn't use SSL to routinely transfer data between their computers in the field and the headquarters computers, because the VPN encrypted all the communication for them.
When they wanted to access web sites out on the WWW, their web requests first went over the VPN back to the intranet at HQ, and from there were routed out onto the Internet.
These diplomats and agents were being "phished" (tricked into revealing their State Department account names and passwords to computers out on the Internet). When that happened using http (not https, no SSL involved), the State Department's routers/snoopers could detect the phishing.
They could detect external web sites that deliberately were made to look like HQ intranet web sites. They could detect when the diplomats and employees were sending their passwords out onto the internet, and could then immediately stop that traffic, or deactivate the accounts for the phished users.
But when SSL was involved, the SSL encryption (between the user's computer and the external https web site) made it impossible for the department's routers & snoopers to detect phishing. The "weakness in this [SSL] technology" was actually its strength. It stopped State's snoopers from decrypting the traffic, and so from detecting phishing.
So, apparently, the State department blocked all OUTGOING https requests going from the department intranet out to the Internet for a while. They didn't drop encryption security for VPN traffic. They disallowed https traffic from the HQ intranet to go out to sites on the Internet. This led to the complaint that diplomats could no longer do online banking.
Now they claim that they've "solved the problem" of employees and diplomats being unable to reach their banks and do banking on line. I suspect they've implemented a filter that allows SSL with a (pretty large) list of pre-approved https web sites made mostly of banks and perhaps larger merchants. I'll bet they paid a pretty penny for that whitelist and the servers/filters that implement it.
Posted by: Mister SSL | July 17, 2006 1:54 AM
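The scheme the commenter above sketches, as an added example that is not part of the original post and not a description of the State Department's real gateway: plaintext HTTP leaving the intranet is inspected for a known account's credentials going to an external host (with a lookalike check for hosts imitating intranet names), while HTTPS, which the gateway cannot read, is only let out to a pre-approved allow-list. The intranet range, host names, accounts, allow-list and proxy log lines are all constructed for the illustration.

```python
"""Model of the egress policy the commenter sketches: plaintext HTTP
leaving the intranet is inspected for credentials, HTTPS (which the
gateway cannot read) is only let out to pre-approved hosts.
Added illustration; every host, account and log line is constructed."""
import difflib
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed assumptions, not facts about the State Department network.
INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")
INTRANET_HOSTS = {"portal.state.example", "mail.state.example"}
KNOWN_ACCOUNTS = {"jdoe", "asmith"}          # accounts the gateway knows
HTTPS_ALLOWLIST = {"www.bank.example", "online.creditunion.example"}
USER_FIELDS = {"user", "username", "login"}
PASS_FIELDS = {"pass", "password", "passwd"}

# Constructed proxy log: "<client> <method> <url or host:port> <form body or ->"
LOG = """\
10.4.1.7 GET http://news.example/world -
10.4.1.7 POST http://portal.state.example/login user=jdoe&password=hunter2
10.4.1.7 POST http://portal-state.example/login user=jdoe&password=hunter2
10.4.1.9 POST http://portal.state.example.attacker.test/login username=asmith&pass=s3cret
10.4.1.9 CONNECT www.bank.example:443 -
10.4.1.9 CONNECT portal-state.example:443 -
"""


def is_internal(host):
    """True for HQ intranet web hosts or addresses inside the intranet range."""
    if host in INTRANET_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host) in INTRANET_NET
    except ValueError:
        return False


def imitates_intranet(host):
    """Lookalike test: the external name is a near copy of an intranet name,
    or pads a real intranet name with extra labels on the right."""
    for real in INTRANET_HOSTS:
        if host.startswith(real + "."):
            return True
        if difflib.SequenceMatcher(None, host, real).ratio() >= 0.8:
            return True
    return False


def credential_in_body(body):
    """Return the known account whose password a form body carries, else None."""
    if body == "-":
        return None
    fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    users = [v for k, v in fields.items() if k in USER_FIELDS]
    has_password = any(k in PASS_FIELDS for k in fields)
    if users and has_password and users[0] in KNOWN_ACCOUNTS:
        return users[0]
    return None


def decide(line):
    """Apply the policy to one log line; returns a verdict dict."""
    client, method, target, body = line.split(" ", 3)
    if method == "CONNECT":                      # TLS: opaque to the gateway
        host = target.rsplit(":", 1)[0]
        if host in HTTPS_ALLOWLIST:
            return dict(verdict="ALLOW", host=host, account=None,
                        reason="allow-listed https")
        return dict(verdict="DENY", host=host, account=None,
                    reason="https not on allow-list; cannot inspect")
    host = urlsplit(target).hostname
    if is_internal(host):
        return dict(verdict="ALLOW", host=host, account=None, reason="intranet")
    account = credential_in_body(body) if method == "POST" else None
    if account is None:
        return dict(verdict="ALLOW", host=host, account=None,
                    reason="plain http, no credential")
    reason = "credential for %s leaving intranet" % account
    if imitates_intranet(host):
        reason += "; host imitates intranet"
    return dict(verdict="BLOCK", host=host, account=account, reason=reason)


def run_policy(log):
    """Decide every line; return the verdicts and the accounts to deactivate."""
    verdicts = [decide(line) for line in log.splitlines() if line.strip()]
    to_deactivate = {v["account"] for v in verdicts if v["verdict"] == "BLOCK"}
    return verdicts, to_deactivate


if __name__ == "__main__":
    results, disabled = run_policy(LOG)
    for r in results:
        print("%-5s %-38s %s" % (r["verdict"], r["host"], r["reason"]))
    print("deactivate:", sorted(disabled))
```

Run as a script, it prints one verdict per log line and the accounts to deactivate. The asymmetry the commenter points at is visible in the two branches of `decide`: the HTTP branch can read the form body and name the phished account, while the CONNECT branch has nothing but a host name to decide on, which is why an allow-list is the only lever left once the traffic is encrypted.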