
Extent of Government Computers Infected By Bots Uncertain

Krishna Dagli writes to mention findings by the company Trend Micro on the extent of bot infection in U.S. Government computers. The article by Information Week indicates that, while the 'original' findings were much harsher, the security vendor has since backed down from some of its claims. Still, the extent to which information-stealing software has penetrated our national infrastructure is enough to take note. From the article: "While it may be tempting to discount the warnings of security vendors as self serving--bot fever means more business for Trend Micro--there's unanimity about the growing risk of cybercrime. In its list of the top 10 computer security developments to watch for in 2007, released last week, the SANS Institute warns that targeted attacks will become more prevalent, particularly against government agencies. 'Targeted cyber attacks by nation states against U.S. government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities,' SANS director of research Alan Paller says in an e-mail. 'Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks.'"
  • by Anonymous Coward on Friday October 06, 2006 @08:59AM (#16335155)
    Most of cybercrime is just the ole criminal activity for financial gains. This is often underestimated.

    http://www.verkiezingen2006.nl/ [verkiezingen2006.nl]

  • by Anonymous Coward on Friday October 06, 2006 @09:01AM (#16335183)
    'Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks.'"

    You mean antagonistic nations other than your own?
  • Why, that means (Score:4, Insightful)

    by Geminii ( 954348 ) on Friday October 06, 2006 @09:02AM (#16335193)
    - we have a new excuse for legalising illegal wiretapping and making it mandatory for Americans' PCs to spy on their owners! Because if we don't, those strangely elusive terrorists will have won. Again.
  • by Neil Watson ( 60859 ) on Friday October 06, 2006 @09:04AM (#16335209) Homepage
    How many of these bots are there to generate hits for porn sites thus making the employees look bad?
  • by elrous0 ( 869638 ) * on Friday October 06, 2006 @09:06AM (#16335223)
    As someone who has worked in government IT, I can tell you that the biggest problem that we faced security-wise was the bureaucracy of the government. Want to hire a consultant, buy a piece of security software? Then you have to go through the long and arduous procurement process (forget any nimbleness or adaptability). Want to fire someone who is incompetent? Forget it (firing anyone is a HUGE pain in the ass, especially in the federal system). What you end up with in government IT (and, hence cyber-security) is often a bunch of guys used to doing the same thing every day; never learning anything new; who have grown burned-out, disenchanted, and cynical with the whole process.

    -Eric

  • by blueZhift ( 652272 ) on Friday October 06, 2006 @09:07AM (#16335229) Homepage Journal
    I know it's always fashionable to bash Windows here on /., but stories like this really do beg the question of why the government is not seriously looking at a more secure operating platform. In particular, while Linux is not perfect, it would be much less likely to fall prey to the ills that are epidemic on Windows without much, if any, added cost post transition. I suppose someone will have to die before getting off of Windows is seriously considered, if even then.
  • by Hijacked Public ( 999535 ) on Friday October 06, 2006 @09:16AM (#16335315)
    But they would never 'discover' that, because they can't sell themselves or their peers security software. A more newsworthy headline, even aside from the fact that 'Extent of Government Computers Infected by Bots Uncertain' really has no relevant meaning at all and anyone who paid to get a report with that title should demand a refund, would be if a security software company audited someone's machines and reached the conclusion that no, you do not need to buy anything from us.
  • by rwhamann ( 598229 ) on Friday October 06, 2006 @09:20AM (#16335359)
    Because many of Uncle Sam's employees have the tech skills of granny. Just like home users, convenience often trumps security - "don't break the mission!"
  • by RingDev ( 879105 ) on Friday October 06, 2006 @09:20AM (#16335367) Homepage Journal
    I used to work both as a consultant, and an LTE for a department of a state government. I did software development, all of our Network resources were managed by the Department of Administration (DOA, appropriately enough). DOA may have started out as a good idea, one centralized agency that maintained licensing, contracts, support, purchasing, etc... But cutbacks led to them continuously cutting pay and positions. By the time I left, the only representatives from the DOA that I knew of were two LTE college students, and one former manager who took a demotion to a tech position to stay employed (which just happened to bump one of the last skilled technicians out of the department).

    Anyways, under their watch we had numerous security breaches. One of our servers was hosting a child porn collection and IRC channel. Another server had been crippled by viruses, and we had seen other signs of intrusion time after time. The child porn server was confiscated by the FBI when they tracked it down. They returned the server to the DOA when they had finished so that the DOA could learn from the breach and correct the security issue, but there was no one employed with the DOA who could identify the failure or what to do about it.

    Anyways, my rough guess is that given what I've seen of state networks, I would think they are heavily botnetted. The other side of the public sector though, at least the Marine Corps network, is a pretty impressive setup. I've seen those guys in action and I would be extremely surprised if there is a lick of traffic that escapes their pipes without their express knowledge.

    -Rick
  • by Anonymous Coward on Friday October 06, 2006 @09:31AM (#16335457)
    HA

    Do you know what govt agencies have to go through to approve an upgrade from Word 2000 to XP? And you want them to change a whole OS? hahahahah! Notice I said "approve". They can buy the stuff all day long, but can't install it without jumping through 1000 hoops. :)
  • Don't bet on it (Score:1, Insightful)

    by Anonymous Coward on Friday October 06, 2006 @09:57AM (#16335791)
    The unclassified side of military networks can be just as scary as any other government IT network. I can't speak directly about the Marines, but I remember Code Red hitting the Army networks connected to NIPRNET real hard, compromising thousands of machines and generally making life difficult for those of us on the same connections.

    It's like any other organization though - there's areas that are run exceedingly well, and areas that aren't. It's hard to generalize about anything as large and complex as government, or even military IT.
  • Re:Why, that means (Score:3, Insightful)

    by thrillseeker ( 518224 ) on Friday October 06, 2006 @10:16AM (#16335997)
    That would mean holding government people to the same laws as civilians. When do we do that?

    Daily.
  • by Sloppy ( 14984 ) on Friday October 06, 2006 @10:43AM (#16336357) Homepage Journal
    I think the real reason that you see so many security vulnerabilities is because you have experts (not just script kiddies, but blackhat experts) trying to break into Windows on a daily basis.

    That may be an aggravating factor, but it's definitely not the main problem. Windows' biggest problem isn't just that it's proprietary software -- it's that it just plain sucks even within the realm of proprietary software. It's the one platform where

    • Web browser was designed to download and execute binary code from web pages. I'm not talking about accidents and bugs like buffer overflows -- I'm talking about an intended feature. It's horrifically dangerous on purpose.
    • Mailreader executes attached scripts (supposedly this is mostly fixed nowadays?)
    • Word processor and spreadsheet execute macros when loading document -- and those macros can do just about anything.

    These aren't merely bugs that Microsoft failed to catch before the product shipped. Free vs proprietary software issues aside, Windows is dangerous by design. It's not just about lack of peer review or poor code quality. It's about trying to serve interests other than the users'. Switching to anything, even other proprietary systems, would almost certainly be better, because the above "features" are things that nobody else would dare to implement.

    If another platform were as dominant as Windows and there was still a lack of diversity, the situation wouldn't be as bad. Whether it were free software such as Linux, or a proprietary system such as MacOS, you'd still have a different situation. Bugs would still exist, and vulnerabilities would still be found. But the software wouldn't be designed to treat external (and therefore potentially hostile) content as executable code. You just can't do worse than Windows.

  • by Anonymous Coward on Friday October 06, 2006 @10:54AM (#16336533)
    For your (and the parent poster's) information, it is not as easy to manage millions of computers spread over the entire globe and keep them as safe as your granny's PC. If you think it is, then you need to find another profession.

    If it isn't easy then you shouldn't do it. Seriously. If *you* find it hard to manage millions of computers, then you shouldn't be managing millions of computers. Nobody should. No one person should be directly managing more than a few hundred or thousand computers at most and then they should be using the appropriate software tools. I know what you meant, but it is important to be clear about who is responsible for what in an organization as big as the US government and the associated institutions.

    This isn't a problem of computer security, but a management issue. Delegation of authority is what management is about. The problem of keeping some computers and a network relatively secure is not the problem. It is putting a management system in place to be able ensure uniform best practices across the bureaucracy which is at issue. It seems far too easy for networks of hundreds or thousands of computers to go without appropriate computer security personnel for extended periods of time. Transitions are also a problem, with computer security being a very unrewarding area it seems that people are moved around with some frequency. There is nothing about computer security that is inherently hard, but the difference between good management and bad management is so little that it is hard to tell the difference until the effects are felt some time later.
