Weak passwords and rarely updated software
are a recurring theme behind the 48,000 cyber incidents reported to the
Department of Homeland Security - including the theft of data on the
nation’s weakest dams by a “malicious intruder”, and an incident in which
hackers broadcast a fake warning about a zombie attack via several
American TV stations, a Senate committee report has found.
“Data on the nation’s weakest dams, including those which could kill
Americans if they failed, were stolen by a malicious intruder,” the
report, titled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure”,
said. “Nuclear plants’ confidential cybersecurity plans have been left
unprotected. Blueprints for the technology undergirding the New York
Stock Exchange were exposed to hackers.”
The report was based on information from more than 40 previous investigations by inspectors general, according to Mashable’s
report. Mashable described weak passwords as a recurring theme of the
17-page report, and said that “password” remains a common choice for
government employees.
The report highlighted a series of breaches, including a
reported attack on a national emergency broadcast system which led TV
stations in Michigan, Montana and North Dakota to broadcast fake zombie
attack warnings. “Civil authorities in your area have reported that the
bodies of the dead are rising from their graves and attacking the
living. Do not attempt to approach or apprehend these bodies as they are
considered extremely dangerous.”
The report was blunt about who to blame: “real lapses” by government
employees, including software governing physical access to secure sites
which was several years out of date, and “weak or default” passwords
guarding servers containing sensitive information. The report cited an
instance of 10 passwords written down and left on desks in the office of
the Chief Information Officer for U.S. Immigration and Customs
Enforcement.
Websites including the DHS’s own pro-security site ‘Build Security In’ - built to encourage developers “to build security into software in every phase of its development” - also contained known vulnerabilities, the report said. Republican Senator Tom Coburn, the committee’s ranking member, told the Washington Post, “They aren’t even doing the simple stuff.”
At the Nuclear Regulatory Commission, “a general lack of confidence” led staff to buy and deploy computer networks without the knowledge of their own IT staff. ZDNet’s report described government sites and systems as “ripe with vulnerabilities”.
The report said that many intrusions were the result of poorly updated software, including anti-virus (AV) software.
“While cyber intrusions into protected systems are
typically the result of sophisticated hacking, they often exploit
mundane weaknesses, particularly out-of-date software,” the report said.
“Even though they sound boring, failing to install software patches or
update programs to their latest version creates entry points for spies,
hackers and other malicious actors. Last July, hackers used just that
kind of known, fixable weakness to steal private information on over
100,000 people from the Department of Energy. The department’s Inspector
General blamed the theft in part on a piece of software which had not
been updated in over two years, even though the department had purchased
the upgrade.”
“Weaknesses in the federal government’s own cybersecurity
have put at risk the electrical grid, our financial markets, our
emergency response systems and our citizens’ personal information,”
Senator Coburn said in a press release. “While
politicians like to propose complex new regulations, massive new
programs, and billions in new spending to improve cybersecurity, there
are very basic – and critically important – precautions that could
protect our infrastructure and our citizens’ private information that we
simply aren’t doing.”