DHS network vulnerable to attack

Remote access security issues

The US Department of Homeland Security is having some homeland cyber security issues on its systems providing remote access to telecommuters, according to a newly released report by the DHS Inspector General's office.

Earlier this year security auditors armed with ISS's Internet Scanner, @stake's L0phtCrack and Sandstorm Enterprises' PhoneSweep 4.0 spent five months probing hosts, attacking passwords and war dialing the Department.

They found that some of the hosts designed to allow home workers and other trusted users access to DHS networks by modem or over the internet lacked authentication measures, like minimum password lengths and password aging, that are called for by official NIST guidelines and recommendations by the National Security Agency.

Moreover, system patches were not kept up to date, leaving some systems open to known buffer overflows and other exploits. Meanwhile, a war dialing effort against 2,800 DHS phone lines turned up 20 modems that the Department couldn't immediately account for.

"Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources," the report concludes.

The audit examined DHS's Emergency Preparedness and Response Directorate; the Bureau of Immigration and Customs Enforcement; the Bureau of Citizenship and Immigration Services; and DHS Management. Only DHS Management proved resistant to L0phtCrack. Of the other three components, passwords were crackable with user name and dictionary attacks at a rate between eight per cent and 37 per cent, with some accounts protected by no password at all.

In a written response attached to the report, Department CIO Steve Cooper said some of the auditors' concerns were overstated: The systems suffering known vulnerabilities were waiting for patches to come out of testing, and any genuine effort at password hacking would be hobbled by the Department's policy of limiting failed login attempts, wrote Cooper.

"As we complete the transition to Windows 2003 on most of our networks, it will be impossible to have a password that does not comply with DHS complexity requirements," he wrote.

Copyright © 2004, SecurityFocus
