  1. #1
    Senior Member jp_48504's Avatar
    Join Date
    Apr 2005
    Location
    NC
    Posts
    19,168

    DHS Security Chief Dismisses Congress's Hacking Questions

    By Ryan Singel | June 20, 2007 | 5:00:46 PM | Categories: Breaches

    Congress asked Homeland Security's chief information officer, Scott Charbo, who has a Masters in plant science, to account for more than 800 self-reported vulnerabilities over the last two years and for recently uncovered systemic security problems in US-VISIT, the massive computer network intended to screen and collect the fingerprints and photos of visitors to the United States.

    Charbo's main tactic before the House Homeland Security subcommittee Wednesday was to downplay the seriousness of the threats and to characterize the security investigation of US-VISIT as simultaneously old news and news so new he hasn't had time to meet with the investigators.

    "Key systems operated by Customs and Border Patrol were riddled by control weaknesses," the Government Accountability Office's director of Information Security issues, Gregory Wilshusen, told the committee. Poor security practices and a lack of an authoritative internal map of how various systems interconnect increase the risk that contractors, employees or would-be hackers can or have penetrated and disrupted key DHS computer systems, Wilshusen and Keith Rhodes, the GAO's director of the Center for Technology and Engineering, told the committee.

    Rep. Bob Etheridge (D-N.C.) pondered the worst case scenario for US-VISIT.

    "Terrorists or nation states could get in there and change or alter their names rendering our watchlists and visa program useless," Etheridge said.

    Charbo cited the absence of evidence as the evidence of absence: "There are other controls placed around that system and there is no evidence that the system has been hacked by outsiders." (ed. note This is false since US-VISIT was infected by a worm.)

    US-VISIT has a long history of security problems and failing government audits. Though the system is supposed to be self-contained, some undisclosed number of US-VISIT computers running Microsoft 2000 were infected by the Zotob worm in August of 2005, revealing not only that the system lacked good patch management, but that somehow the system touches the internet. DHS attempted to hide the evidence, but a persistent government sunshine lawsuit from Wired revealed the infection in the fall of 2006.

    But Charbo refused to admit that US-VISIT was deeply flawed.

    "The GAO did not consider mitigating defenses, and visited without putting the audit in the context of the overall security environment," Charbo said.

    DHS self-reports to US-CERT, a central computer security reporting center, included notice of suspicious bot nets on DHS computers and password sniffing software that could connect to the outside world.

    House Homeland Security Chair Bennie Thompson, who opened the hearing by saying "the first thing Mr. Charbo needs to explain is why he should keep his job," pushed Charbo on unauthorized laptops and classified emails being sent on unclassified networks (which must be pretty easy to do given the rabidness with which Homeland Security classifies information).

    Charbo downplayed these threats, too.

    "Without exception, these incidents were when someone who typed an email and sent that item on an unclassified system and the person getting them said I believe this is a security breach," Charbo said, saying at that point security personnel step in to either educate, punish or remove security clearances and that this kind of slip-up happened just as often when offices didn't have IT systems.

    The GAO's Rhodes jumped in to add that reporting by employees is hardly the ideal auditing method for these kinds of breaks.

    "What has to be put in place is not just personnel, but some control to keep people moving from one network to another freely," Rhodes said. "Having free access from one side to another is only going to foster the problem."

    The most interesting moment of the hearing came from California Democrat Zoe Lofgren asking if US-VISIT had ever been hacked. Read this post to find out GAO and THREAT LEVEL's divergent answers.




    http://blog.wired.com/27bstroke6/2007/0 ... ty-ch.html
    I stay current on Americans for Legal Immigration PAC's fight to Secure Our Border and Send Illegals Home via E-mail Alerts (CLICK HERE TO SIGN UP)

  2. #2
    Senior Member jp_48504's Avatar
    Join Date
    Apr 2005
    Location
    NC
    Posts
    19,168

    Lawmakers: Can DHS protect its networks?

    After 844 DHS cybersecurity incidents in 2005 and 2006, lawmakers are putting the pressure on DHS to improve its security soon

    By Grant Gross, IDG News Service
    June 20, 2007

    The U.S. Department of Homeland Security's (DHS) CIO was on the hot seat Wednesday on Capitol Hill after an independent audit found that a database that screens U.S. visitors lacked security controls.

    The chairman of the U.S. House of Representatives Homeland Security Committee called on DHS CIO Scott Charbo to explain why he should keep his job after persistent cybersecurity problems at the agency.

    "What happened to leadership?" Representative Bennie Thompson, the committee chairman and a Mississippi Democrat, said during a hearing of the Subcommittee on Emerging Threats, Cybersecurity, and Science, and Technology. "What happened to accountability?"

    Lawmakers also said they were concerned that the agency reported 844 cybersecurity incidents in 2005 and 2006.

    "Although we still have a ways to go, we've made measurable improvements in the management of information security at the department," Charbo said. "Certainly, we need to increase our vigilance to ensure that such incidents do not happen again."

    Many of the 844 incidents were minor, and the agency has taken major steps to fix past cybersecurity issues, Charbo said. Many of the reported cybersecurity incidents related to problems like lost laptops that did not result in data breaches, he added.

    The subcommittee did not have a breakdown of the incidents Wednesday.

    Asked about reports of bots installed on DHS computers that could send information out to hackers, Charbo said he had "no evidence" that the bots caused a breach.

    Thompson's comments came as the U.S. Government Accountability Office (GAO) issued a report saying DHS continues to have "significant weaknesses in computer security controls that threaten the confidentiality, integrity, and availability of key ... systems."

    GAO investigators found no security controls on the US-VISIT database, the system that screens people who want to visit the U.S. for potential terrorists and criminals. Lawmakers are concerned whether terrorists could get into the database "and change or alter their names to allow them access to this country, and we wouldn't even know that they're doing it," said Representative Bob Etheridge, a North Carolina Democrat.

    A contractor provides IT security for US-VISIT, but DHS has its own security controls in place to protect the database, Charbo said. He didn't disclose specific security measures.

    The GAO doesn't have evidence that the US-VISIT database was breached, said Keith Rhodes, chief technologist and director of the GAO's Center for Technology and Engineering. "I did not see controls in place that would prevent it," Rhodes said. "I did not see defensive perimeters, and I did not see detection systems in place whether it had or had not [been breached]."

    GAO started a cybersecurity review of DHS a year ago but curtailed its efforts because it kept finding "more and more" problems, Rhodes said. "If we had continued to this day, I would argue we'd still be finding things," he said. "The problems were pervasive. The problems were systemic."

    Charbo outlined recent measures DHS has taken to improve cybersecurity there. The agency is collapsing multiple legacy WANs into a single WAN, and it is standardizing all e-mail and directory services onto a single platform, he said. The agency had 13 separate e-mail systems when it was formed out of 22 U.S. agencies in 2002, he said.

    DHS also is combining multiple data centers into a shared center, he said.

    Thompson asked how DHS officials can preach cybersecurity practices to other agencies and private companies while continuing to have its own problems. Among the incidents DHS reported were employees sending out classified documents on unclassified networks and contractors attaching unauthorized laptops to the DHS network, he said.

    "How can the Department of Homeland Security be a real advocate of sound cybersecurity practices without following some of its own advice?" he said. "What the department is doing on its own network speaks so loud that the message isn't getting across to anyone else."

    http://www.infoworld.com/article/07/06/ ... rks_1.html

  3. #3
    Senior Member jp_48504's Avatar
    Join Date
    Apr 2005
    Location
    NC
    Posts
    19,168
    And people want to entrust DHS with their personal biometric data for the REAL ID?