Proof that US government workers are stupid

Updated happygeek 2 1K Views

Penetration testing by the US Department of Homeland Security which involved dropping USB thumb drives and various data discs around the car parks of government agency buildings has revealed a not-so-shocking truth: just like most folk, government workers allow curiosity to trump security when faced with the opportunity to have a nosey at something they think they shouldn't be looking at.

Some 60 percent of those who picked up the thumb drives and discs went on to stick them straight into their company computers in order to see what they contained. The more that the drive or disc looked like it really might contain something 'official' and secret, those with an official looking logo stamped on them for example, the more likely people were to plug them in. In fact an amazing 90 percent of the drives with official logos that were picked up were installed.

Of course, this will come as absolutely no surprise to anyone who knows anything about both human nature and IT security. Stick baiting, as the process is known amongst the bad guys, is a remarkably simple and effective method of installing malware onto the networks of target businesses. This particular pen test proves that government departments are not immune to the curiosity factor when it comes to targeted attacks. The DOHS testers got their percentage numbers for this test because the drives were 'infected' with a basic call home routine, but this could just as easily have been truly malicious software such as a Trojan. That such high numbers of drives were able to successfully call home after installation suggests that network security at US government agencies is not as good as it could, and indeed should, be.

Ray Bryant, CEO at security experts Idappcom, says the pen test just proves that "there is no device known to mankind that prevents people from being idiots" and warns that when coupled with network security systems that are not properly installed can have disastrous consequences. Unsurprisingly (as his company markets such a thing) he recommends an additional automated security audit layer be added which won't prevent human error but would flag up where the network is vulnerable due to configuration problems. "To err is human" Bryant concludes " but to fail to compensate for those errors is an unnecessary risk".

dohs1.jpg 53.13 KB
Member Avatar for Sariscos
Sariscos 80 Junior Poster

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

Member Avatar for Agilemind
Agilemind 0 Posting Whiz in Training

@Sariscos

From the DOHS website:
"Mission support careers involve the following fields: medical, human resources, facilities, budget, procurement, science and technology, training, intelligence, planning and coordination, detection, civil rights, fraud detection and more. Sample components"

Depends what buildings they targeted, many of these wouldn't require such intense secrecy.

Member Avatar for TheBigWedding
TheBigWedding 0 Newbie Poster

Want to know how the Stuxnet virus could have accidently been insinuated into the software located on a closed server, of the type found in most nuclear energy plants? Look no further than this article.

Member Avatar for GrimJack
GrimJack 1,414 Posting Maven

The headline was unsupported by the what was in the article - I would propose that the headline is proof that headline writers are stupid.

See

Edited by GrimJack because: Sigh!
Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

Perhaps gullible is a better word, but the article supports the statement whatever. No more stupid than anyone else picking up and inserting sticks they find on the floor I grant you, but stupid/gullible nonetheless.

Member Avatar for dzen
dzen 1 Newbie Poster

and what about antivirus software installed on the PCs ? if it is configured correctly as well as user rights and permissions (only admin are allowed to install smth), than how come call home routine or other software is allowed to be installed by antivirus from thumb drives and etc?

Member Avatar for jwenting
jwenting 1,905 duckman

I'm really surprised they're allowed to take information out of the building without having it checked in/out.

No information was taken out for the test, they tested information being taken in...
IT Security no doubt requires no data carriers from outside being used in department systems, but clearly there's no safeguards against this and/or the staff have become expert at circumventing such safeguards as may exist.

I used to work at a major bank's headquarters. This scenario would have been physically impossible there as all computers had hardware to prevent it.
The disk drives (no USB ports existed back then, and if they did they'd have been internally disconnected or physically removed from the systems for just this reason) were all special units that would encrypt and decrypt any disk put in on the fly.
Unencrypted disks thus could not be read, and disks written by them could not be read by any outside system (though decryption software might have decrypted the data).

All external connectors to the computers were either removed, internally disconnected from the rest of the hardware, or where needed (like network, keyboard, mouse, and monitor connectors) were shielded so they could not be disconnected by the user (a metal shield was placed over the rear of every workstation, which required a key to unlock which only the IT department had access to and was probably stored in a safe somewhere).
All computers were furthermore locked with a steel cable to individual desks to prevent theft.
Laptops weren't much of a problem as we had none, and our network was such that it was impossible for unauthorised systems to log on (both an obscure network topology, and the servers required custom software to communicate any login request, developed in house, which would present a workstation dependent code to the server for authentication, any unknown code, even were the workstation known to another server, would cause the workstation to be locked out from the network).

Yes, it was paranoid. But we didn't have to fear compromised data security from people plugging unauthorised disks or computers into the network.

It's rather disturbing that similar security measures aren't in place in a supposedly security conscious government department like DHS.

iamthwee commented: Nice +0
Member Avatar for jwenting
jwenting 1,905 duckman

and what about antivirus software installed on the PCs ? if it is configured correctly as well as user rights and permissions (only admin are allowed to install smth), than how come call home routine or other software is allowed to be installed by antivirus from thumb drives and etc?

AV software works on pattern recognition and behaviour prediction.
If you write something that doesn't match those patterns and seems innocious in its behaviour it doesn't get flagged.
Say this thing installed itself as a plugin into MS Office when a Word document with a macro was loaded, then sends a single email before deleting itself or going dormant.
That's unlikely to get detected by an AV scanner.

Member Avatar for Ancient Dragon
Ancient Dragon 5,243 Achieved Level 70

Reads like an episode of Candid Camera :)

Member Avatar for TheLittleEngine
TheLittleEngine 1 Newbie Poster

most bases don't allow you to use thumb drives in the computers and if you do there are serious repercussions.

Member Avatar for swebsitedesign
swebsitedesign -2 Newbie Poster

it is surprising they're allowed to take information out of the building without having it checked in/out.

Member Avatar for Netcode
Netcode 33 Veteran Poster

If this were to be in my country, the testers would have taken over the whole nation and become so wealthy.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview