How The FBI Got Basic Security Wrong

HardOCP News

[H] News
Wow, one username and one password for everything? That's just brilliant. You'd think the FBI would be smarter than that.

The FBI says on its website that it's "located in one centralized location," and accessible by "a single sign-on process -- using one username and one password for many different resources and services." It's not clear how many authorized users there are, but the number is likely to be in the many hundreds of thousands.
 
But damn it was convenient.

I have this argument regularly with management at my job. They keep thinking single sign-on being secure is a matter of technology, rather than that it simply does not meet the needs of anything being secure.

They don't get that there is no fixing the issue of, for example, logging into your email, going to make a cup of coffee, and then anyone who steps into your office or cube having full access to your purchasing accounts, or any of a hundred other mission critical things. Take those out of the single sign-on loop, and it is no longer convenient. They also don't get that I'm never, ever going to tell them it's ok and not a security problem. I'll implement it, but only after getting you to sign off on the risks. You get the security you pay for, but you won't be able to tell others I told you it was without problems.
 
After hearing about all the government mishaps and lax security - no, I don't think they would be smarter than that.

Although, this is very avoidable and a stupid thing to do. Why would an admin allow something like this? (should make this a script to post on every stupid government agency issue!).
 
There was a Hackaday article discussing how a lot of government agencies relied on fingerprints as two-factor. It also discussed how terrible an idea that was because you can't hash the fingerprint data into the database and still get reliable access, nor can you "revoke" a fingerprint (unless you burn your hand or something), and that last government hack compromised all of this. So now they're likely completely screwed on the FP front and have to look for a third factor.
 
After hearing about all the government mishaps and lax security - no, I don't think they would be smarter than that.

Although, this is very avoidable and a stupid thing to do. Why would an admin allow something like this? (should make this a script to post on every stupid government agency issue!).

LOL...it ain't government. It is every large organization.

Most people don't know what security is or does, they only know the experience of having to call someone to unlock their account because they cannot remember 500 different passwords that are not human readable.
 
Single sign-on should never be allowed for privileged access. It's the FBI IT Department's fault for even allowing privileged access via single sign-on. When I say privileged access, I mean admin level access to any system. Single sign-on is intended for end users only who have low level access to their applications to do their job and that's it. Any administrator with half a brain knows this. Any company that deals with sensitive data should be using a privileged account management solution like CyberArk which allows an admin to request a time limited privileged account that is monitored. If not, then whoever is running the shop should be fired!
 
Let me guess. The FBI e-mailed the userid AND password to law enforcement personnel requesting access to the portal ... in clear text (i.e. no encryption).
 
If ever there was a way to deliberately circumvent your nations security, this is it.
They are not fit for purpose, shame you can't return them to the shop they came from.
 
Heh, the reality and Hollywood are pretty far off in this. They always picture the agencies as super futuristic and super secure while the truth looks pretty different. Where's the retina/DNA scan to access data like on TV? :D
 
But damn it was convenient.

I have this argument regularly with management at my job. They keep thinking single sign-on being secure is a matter of technology, rather than that it simply does not meet the needs of anything being secure.

They don't get that there is no fixing the issue of, for example, logging into your email, going to make a cup of coffee, and then anyone who steps into your office or cube having full access to your purchasing accounts, or any of a hundred other mission critical things. Take those out of the single sign-on loop, and it is no longer convenient. They also don't get that I'm never, ever going to tell them it's ok and not a security problem. I'll implement it, but only after getting you to sign off on the risks. You get the security you pay for, but you won't be able to tell others I told you it was without problems.

Of course it does. Single Sign-On doesn't mean single-factor authentication, it means you're using an attestation scheme where, once you are logged in, you are able to navigate through multiple resources because your authenticated access is being "attested" to. It's like one app saying "yeah, let him on, I checked him out, he's ok."

And no one should be getting up from a logged in terminal without locking first, that's just stupid and lazy, and if people in your organization are doing it then it's a training issue that can be dealt with. They just need to make it important enough.

Still, this:
I'll implement it, but only after getting you to sign off on the risks.
is just good business.
 
LOL...it ain't government. It is every large organization.

Most people don't know what security is or does, they only know the experience of having to call someone to unlock their account because they cannot remember 500 different passwords that are not human readable.

^^^ He's right. If we could get a really big do-over and go back to 1976 or so with all the security related knowledge we have today, this wouldn't even be an issue today.

We are where we are today because we have been growing and learning in a mad money hungry race. Security wasn't built into the system while the system was being built. Security evolved as a cost saving measure as a reaction to losses. All along the way security has always been a cost/benefit issue. The absolutely funny thing is that the only guys who have ever really gotten it right, you're gonna laugh, it's the DoD.

The DoD is one of the very few who actually got it right and they made the big leap to doing things the right way a very long time ago. You guys have all heard of things being unclassified or secret or top secret. Well, when it comes to the DoD these are physically separated networks which share no common connections. They don't use the same switches, the same fiber lines, not even the same satellites. The only way to take something from one and put it on the other is to copy it to some form of external removable media and move it over. It's physically impossible to hack a classified system from an unclassified system. You need physical access in one manner or another to the network in order to get in. Only the unclassified system shares links with the wild wild Internet.

Unless you're the Navy and use Cisco switches that were made in China :eek:
 
Basic skills already learned are thrown away.
You know not to leave valuables outside unattended and unsecured, yet things are put online with no security. And things that don't even need to be online are!

Not fit for purpose.
Stupidity reigns supreme.
 
I know I said earlier that Single Sign-On doesn't mean single factor authentication, and it doesn't. But if this statement is accurate then these guys are idiots. If your services and data are at all sensitive then you should never use both single factor authentication and single sign-on together, that's just stupid.


Users can gain access to LEEP by logging in using a single sign-on process—using one username and one password for many different resources and services within the LEEP.
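The distinction the posts above keep circling (single sign-on versus single-factor, idle sessions left open at the desk, and privileged access needing a separate, time-limited grant) can be shown in a few dozen lines. The following is an added illustration, not any forum member's code and not how LEEP actually works; the token format, the HMAC key, the resource names and the timeouts are all assumed for the demo. One login yields one signed session assertion that every resource accepts, but the session idles out, and resources marked privileged refuse the plain session and demand a step-up (a second factor) that produces a short-lived elevation grant bound to the same user.

```python
"""Toy SSO session broker: one assertion for many resources, idle timeout,
and mandatory step-up for privileged resources (added example, assumptions
throughout: key, timeouts, token format and resource list are all made up)."""
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"demo-only-shared-secret"   # assumed; a real IdP would use a managed key
IDLE_TIMEOUT = 15 * 60                     # seconds a session may sit untouched
ELEVATION_TTL = 10 * 60                    # seconds a step-up grant stays valid

# Constructed sample policy: which resources need more than the SSO session.
RESOURCES = {"email": "user", "purchasing": "privileged", "admin-console": "privileged"}


def _sign(payload: dict) -> str:
    """Serialize deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: Optional[str]) -> Optional[dict]:
    """Return the payload only if the tag matches; any tampering yields None."""
    if not token:
        return None
    body, _, tag = token.rpartition(".")
    expect = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect):
        return None
    return json.loads(body)


def login(user: str, factors: list, now: int) -> str:
    """Factors were checked upstream; issue the SSO session assertion."""
    return _sign({"kind": "session", "sub": user, "factors": sorted(factors),
                  "auth": now, "last": now})


def touch(session_token: str, now: int) -> Optional[str]:
    """Re-issue the session with a fresh last-activity time (user is active)."""
    s = _verify(session_token)
    if s is None or s["kind"] != "session":
        return None
    s["last"] = now
    return _sign(s)


def step_up(session_token: str, otp_ok: bool, now: int) -> Optional[str]:
    """Second factor -> short elevation grant bound to the session's subject."""
    s = _verify(session_token)
    if s is None or s["kind"] != "session" or not otp_ok:
        return None
    return _sign({"kind": "elevation", "sub": s["sub"], "exp": now + ELEVATION_TTL})


def access(resource: str, session_token: str, now: int,
           elevation_token: Optional[str] = None) -> str:
    """Resource-side check: every resource trusts the one SSO session, but
    privileged ones additionally require a live, matching elevation grant."""
    s = _verify(session_token)
    if s is None or s["kind"] != "session":
        return "denied: bad session"
    if now - s["last"] > IDLE_TIMEOUT:
        return "denied: session idle too long, log in again"
    level = RESOURCES.get(resource)
    if level is None:
        return "denied: unknown resource"
    if level == "privileged":
        e = _verify(elevation_token)
        if e is None or e["kind"] != "elevation" or e["sub"] != s["sub"]:
            return "denied: privileged resource requires step-up"
        if now > e["exp"]:
            return "denied: elevation expired"
    return "granted"


if __name__ == "__main__":
    t0 = 1_000
    sess = login("alice", ["password"], t0)
    print(access("email", sess, t0))                 # granted
    print(access("purchasing", sess, t0))            # denied: needs step-up
    elev = step_up(sess, otp_ok=True, now=t0)
    print(access("purchasing", sess, t0, elev))      # granted
    print(access("email", sess, t0 + IDLE_TIMEOUT + 1))  # denied: idle
```

The point of the split is that the coffee-break scenario from the thread is bounded by IDLE_TIMEOUT for ordinary resources and by the much shorter ELEVATION_TTL for purchasing or admin functions, while the one-username-one-password login still gives the convenience of SSO for low-risk resources. Swapping the HMAC for a real signed assertion (SAML, OIDC) does not change the shape of the checks.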
 
^^^ He's right. If we could get a really big do-over and go back to 1976 or so with all the security related knowledge we have today, this wouldn't even be an issue today.

A while back, security wasn't even a concern with computers - personal or commercial. Then, networks came along and there was a small amount. Not a lot. Then, the Internet. Since then, security has been getting better and better for most.
 
I remember the first game I hacked, actually it might have been the only game I hacked, but it qualified as a hack.

It was called Third Reich I think, they used a copy protection scheme where the game asked for the whatever word from the whatever paragraph of page whatever. I used a hex editor to search the code for a password they used, that let me find where they stored all the passwords, so I changed all the passwords to a single one so I only had to remember one. Easy. Or at least it was easy then, it's gotten harder ever since.
 
Nice one.

My first game hack was on the ZX Spectrum.
It loaded from cassette and the file was big enough to completely fill RAM, so there was no space to fit a program to copy it.
But they hadn't counted on the printer buffer that was just before the display file.
I found the load/save routines in the ROM and wrote a tiny machine code routine in the printer buffer.
This loaded the header and main file separately, waiting for a key to be pressed each time before it played the file out of the sound port, which I recorded on another tape in two sessions.
 
The DoD is one of the very few who actually got it right and they made the big leap to doing things the right way a very long time ago. You guys have all heard of things being unclassified or secret or top secret. Well, when it comes to the DoD these are physically separated networks which share no common connections. They don't use the same switches, the same fiber lines, not even the same satellites. The only way to take something from one and put it on the other is to copy it to some form of external removable media and move it over. It's physically impossible to hack a classified system from an unclassified system. You need physical access in one manner or another to the network in order to get in. Only the unclassified system shares links with the wild wild Internet.

Unless you're the Navy and use Cisco switches that were made in China :eek:

My dad worked pretty high up in the Treasury Department and has been saying this for years and years.

He always tells me he's glad he got out when he did, which was before the big uptick in hacking.
 
I want to retire and leave IT behind. I think that's why I am trying to move into storage specifically, to limit my exposure, so to speak. Insulate me from users while narrowing the scope of my area of responsibility. Like the network guy but with far less risk, and no one ever comes around saying "Everything's slow, are you doing anything on the storage systems?"

I just don't want to think about what my work life will be like in the next ten years. My wife still talks like she intends to keep me at the yoke until I'm 65. I keep telling her I might not make it to 65, she might want to spend some time with me while she can.

I have come to suspect this is why she wants to keep me at work ;)
 