DHS Security Chief Dismisses Congress's Hacking Questions
By Ryan Singel | June 20, 2007 | 5:00:46 PM | Categories: Breaches

Congress asked Homeland Security's chief information officer, Scott Charbo, who has a Master's in plant science, to account for more than 800 self-reported vulnerabilities over the last two years and for recently uncovered systemic security problems in US-VISIT, the massive computer network intended to screen visitors to the United States and collect their fingerprints and photos.

Charbo's main tactic before the House Homeland Security subcommittee Wednesday was to downplay the seriousness of the threats and to characterize the security investigation of US-VISIT as simultaneously old news and news so new he hasn't had time to meet with the investigators.

"Key systems operated by Customs and Border Patrol were riddled by control weaknesses," the Government Accountability Office's director of information security issues, Gregory Wilshusen, told the committee. Poor security practices and the lack of an authoritative internal map of how the various systems interconnect increase the risk that contractors, employees or would-be hackers can penetrate and disrupt key DHS computer systems, or already have, Wilshusen and Keith Rhodes, the GAO's director of the Center for Technology and Engineering, told the committee.

Rep. Bob Etheridge (D-N.C.) pondered the worst case scenario for US-VISIT.

"Terrorists or nation states could get in there and change or alter their names, rendering our watchlists and visa program useless," Etheridge said.

Charbo cited the absence of evidence as evidence of absence: "There are other controls placed around that system and there is no evidence that the system has been hacked by outsiders." (ed. note: This is false, since US-VISIT was infected by a worm.)

US-VISIT has a long history of security problems and failed government audits. Though the system is supposed to be self-contained, some undisclosed number of US-VISIT computers running Windows 2000 were infected by the Zotob worm in August of 2005, revealing not only that the system lacked good patch management (Zotob exploited the Plug and Play flaw that Microsoft had patched in MS05-039 days earlier), but that the supposedly isolated network was somehow reachable from the internet, or at least from machines outside its enclave. DHS attempted to hide the evidence, but a persistent public-records lawsuit from Wired revealed the infection in the fall of 2006.
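The practical lesson of the Zotob episode is that "self-contained" is a claim to be verified against the actual network policy, not taken on faith. The following is an added example (not code from the original post, DHS or the GAO) showing one such check: it walks a firewall ruleset and reports every "allow" rule that lets traffic cross the enclave boundary, flagging inbound TCP 445 (the SMB port Zotob used to reach the MS05-039 flaw) as high severity. The enclave range, rule names and the sample ruleset are all constructed for illustration.

```python
"""Audit a firewall ruleset for flows that cross an 'isolated' enclave boundary.

Added example, not from the original Wired post. The enclave CIDR, rule names
and the ruleset below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address range of the enclave that is claimed to be self-contained.
ENCLAVE = ipaddress.ip_network("10.20.0.0/16")

# TCP 445 (SMB) is the port Zotob used to exploit the MS05-039 PnP flaw on
# Windows 2000; an inbound allow on it from outside the enclave is the exact
# path such a worm needs.
WORM_VECTOR_PORTS = {445}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


# Constructed sample ruleset (illustrative only, not a real DHS policy).
RULES = [
    Rule("r1", "allow", "10.20.0.0/16", "10.20.0.0/16", "tcp", None),  # intra-enclave
    Rule("r2", "allow", "10.50.1.0/24", "10.20.0.0/16", "tcp", 445),   # admin LAN -> enclave SMB
    Rule("r3", "allow", "10.20.0.0/16", "0.0.0.0/0", "tcp", 80),       # enclave -> anywhere HTTP
    Rule("r4", "allow", "0.0.0.0/0", "10.20.7.0/24", "tcp", 443),      # anywhere -> enclave HTTPS
    Rule("r5", "deny", "0.0.0.0/0", "10.20.0.0/16", "any", None),      # catch-all deny
]


def crossing_rules(rules: List[Rule], enclave=ENCLAVE) -> List[dict]:
    """Return every allow rule whose traffic enters or leaves the enclave.

    A rule is intra-enclave (and ignored) only when both source and destination
    lie entirely inside the enclave. A rule that merely touches the enclave on
    one side (e.g. src 0.0.0.0/0) is a boundary crossing and is reported.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        src_inside = src.subnet_of(enclave)
        dst_inside = dst.subnet_of(enclave)
        if src_inside and dst_inside:
            continue  # consistent with the isolation claim
        if not src.overlaps(enclave) and not dst.overlaps(enclave):
            continue  # does not involve the enclave at all
        ingress = dst.overlaps(enclave) and not src_inside
        egress = src.overlaps(enclave) and not dst_inside
        direction = "/".join(d for d, on in (("ingress", ingress), ("egress", egress)) if on)
        # Worm vector: inbound, TCP (or any protocol), on a known exploit port
        # or on all ports.
        worm_vector = (
            ingress
            and r.proto in ("tcp", "any")
            and (r.dport is None or r.dport in WORM_VECTOR_PORTS)
        )
        findings.append({
            "rule": r.name,
            "direction": direction,
            "severity": "high" if worm_vector else "medium",
            "detail": f"{r.src} -> {r.dst} {r.proto}/{r.dport if r.dport is not None else 'any'}",
        })
    return findings


if __name__ == "__main__":
    for f in crossing_rules(RULES):
        print(f"{f['severity']:6} {f['direction']:8} {f['rule']}: {f['detail']}")
```

Run against a real ruleset, every line this prints is a hole in the "self-contained" story; a clean result does not prove isolation (routes, VPNs and infected laptops carried onto the enclave are other paths), but a non-empty one disproves it.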

But Charbo refused to admit that US-VISIT was deeply flawed.

"The GAO did not consider mitigating defenses, and visited without putting the audit in the context of the overall security environment," Charbo said.

DHS's self-reported incidents to US-CERT, the federal government's central computer security incident reporting center, included notice of suspicious botnets on DHS computers and of password-sniffing software that could connect to the outside world.

House Homeland Security Chair Bennie Thompson, who opened the hearing by saying "the first thing Mr. Charbo needs to explain is why he should keep his job," pushed Charbo on unauthorized laptops and on classified emails being sent over unclassified networks (which must be pretty easy to do, given the zeal with which Homeland Security classifies information).

Charbo downplayed these threats, too.

"Without exception, these incidents were when someone typed an email and sent that item on an unclassified system and the person getting it said, 'I believe this is a security breach,'" Charbo said, adding that at that point security personnel step in to educate, punish or remove security clearances, and that this kind of slip-up happened just as often when offices didn't have IT systems.

The GAO's Rhodes jumped in to add that self-reporting by employees is hardly the ideal way to detect these kinds of breaches.

"What has to be put in place is not just personnel, but some control to keep people from moving from one network to another freely," Rhodes said. "Having free access from one side to another is only going to foster the problem."

The most interesting moment of the hearing came from California Democrat Zoe Lofgren asking if US-VISIT had ever been hacked. Read this post to find out GAO and THREAT LEVEL's divergent answers.

http://blog.wired.com/27bstroke6/2007/0 ... ty-ch.html