If you asked Jackson Pollock to do a painting representing government computer security, it would look just like every other Jackson Pollock painting.
I feel like it is literally impossible to understand how bad government computing has become; that’s redundant, I’m afraid, because it’s impossible to understand government computing and security is a subset of that. I used to say that computer security is a sub-field of system administration (I still think that) and if you haven’t got a grip on system administration and configuration management, don’t even think about worrying about security – you can simply know “it’s bad.”
Diana Kelley, who (last time I checked) is IBM’s Executive Security Advisor – basically IBM’s top computer security consultant – and I used to joke around about the “tells” that indicate a security disaster. If you went to a client site and there were a lot of Dilbert cartoons in cubicles, you knew that management was a disaster and therefore security was a disaster. If you asked “how many people have access to the wiring closets?” and people looked puzzled, you could tell it was a disaster. Or, “how do you do configuration management?” if you got a blank look, you were headed into a disaster. We both felt that we could assess a client’s security just by the questions they asked us, no need to ask any of our own.
At one point, I developed something that was akin to the Anthropic Principle, which was probably inspired by a bit of a Henry Rollins rant, in which he said, “you know, nobody ever calls up Kofi Annan to just say ‘Hi Kofi!’ – think how he feels when the phone rings. He knows it’s a disaster inbound and someone is asking him to intervene.” Or, words to that effect. The same thing applies to computer security consultants who do incident response: nobody calls you up and says, “hey if you’re in LA let’s go for Thai food.” It’s always, “can you get a flight out here by tomorrow morning?” Then, another thing occurred to me: the clients who call you for incident response will almost certainly have certain things in common:
- System logs disabled
- Overly permissive firewall rules
- No configuration management
- No idea what devices on the network matter
- Desktop users have local admin and browse the web and do email with privileges
Diana and I used to call it the “Jeff Foxworthy List” after his stupid “… you may be a redneck” classist humor.
All that being said, I almost don’t need to even discuss the disaster. You, too, know what’s coming.
Buzzfeed reported: [buzz]
A disgruntled employee at the State Department changed the biographies of President Donald Trump and Vice President Mike Pence to say their term was coming to an end on Monday – nine days before President-elect Joe Biden is to be sworn in – two current-serving diplomats with knowledge of the situation told BuzzFeed News.
The president’s biography was changed to read, “Donald J. Trump’s term ended on 2021-01-11 19:49:00,” while the vice president’s biography was edited to “Michael R. Pence’s term ended on 2021-01-11 19:44:22.” The time stamp on Trump’s page changed multiple times, before both pages were removed around 3:50 p.m. and replaced with a 404 reading, “We’re sorry, this site is currently experiencing technical difficulties. Please try again in a few moments.”
Other than Pompeo, are there any gruntled State Department employees? If the premise of the story is that someone edited the web site because they were disgruntled, the pool of suspects is, indeed, large. But that’s not really the story; it’s this tidbit:
Both diplomats said that an investigation into the matter could be a challenge, considering how many people have administrative access to the content management system used for the State Department’s official website.
It’s a “closed system” that is “nearly impossible to hack,” said one of the diplomats.
It appears to me that it’s a system that is not necessary to hack. If the question is “how many” people have administrative access, then it’s not a “closed system,” it’s an “uncontrolled system.”
The first question that I’d ask is: “system logs enabled?” and I know the answer would be “no, we turned them off because they were just taking up space.” Second question: “how many users have edit access?” and I know the answer would be “a lot.” Then it becomes a case of forensics: the content management system probably keeps a revision history for each page, and that history records the account name that made the change, which is probably “admin” or something silly like that. In classical computer security, this is why “shared accounts” are a no-no. You can tell you’re dealing with incompetents if they use a shared account rather than creating individual passworded accounts, even if every one of those individual accounts is conferred admin privileges. With a shared account, the log tells you that “admin” did it, and nothing more.
Like most web sites, the State Department uses a content management system (something like WordPress, which is what FTB runs on) and any serious content management system maintains logs and controls who can edit what and how. For example, I can’t pop over to Pharyngula and edit PZ’s posts. He could log in as “admin” and edit mine, but that is the point of “separation of privileges,” which is Security Implementation 101: each account can touch only what it is supposed to touch. Using a shared admin account deliberately bypasses separation of privileges. Those privilege controls are there for a reason, but the State Department is so incompetent they had trouble figuring out who edited the page?
Normally, figuring out who did it would be a 15 minute job. You’d look at the content management system logs, see what account made the change, then see what system they connected from; IP addresses are recorded in CMS logs along with the timestamp and user ID, and some CMSs maintain versions of the file, so you could verify that the changes were, in fact, committed at that time. Then you’d see who was logged in on that IP address at that time, either through Active Directory logs or endpoint logs. If the site was really set up by a non-incompetent there would be a firewall between the CMS staging system and the rest of the network, and its logs would corroborate the CMS logs. It’s possible that there’s no staging system (who needs quality control? “what me worry?”) and State Department propaganda department staffers just edit the live site. I wouldn’t be surprised. These are apparently a bunch of dumbasses.
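Here is what that 15 minute job looks like when you actually have the logs. This is an added example, not the State Department’s system, any real CMS’s log format, or code from the original post: the CMS audit lines and the logon/logoff lines are constructed, the field layout is an assumption, and the set of “shared” account names is a hypothetical list. It does the correlation described above: pull the edits to the pages of interest out of the CMS audit log, and where the CMS account is a shared one like “admin,” fall back to whoever had a logon session on that client IP at that moment. It also shows the failure mode: an edit from an IP with no matching session comes back unattributed.

```python
"""Attribute CMS edits to a person by correlating CMS audit logs with
logon/logoff (Active Directory or endpoint style) logs.

Added example with constructed data; the log formats are assumptions,
not any real product's format."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed CMS audit log: timestamp account client_ip action page
CMS_AUDIT_LOG = """\
2021-01-11T19:40:12Z admin 10.20.30.44 login /
2021-01-11T19:44:22Z admin 10.20.30.44 edit /biographies/vice-president
2021-01-11T19:49:00Z admin 10.20.30.44 edit /biographies/president
2021-01-11T19:52:31Z admin 10.20.30.44 edit /biographies/president
2021-01-11T19:55:03Z editor_jdoe 10.20.30.19 edit /press-releases/2021-01-11
2021-01-11T20:10:45Z admin 10.20.30.77 edit /biographies/president
"""

# Constructed logon/logoff log (deliberately out of order, as real feeds often are):
# timestamp LOGON|LOGOFF user workstation_ip
AUTH_LOG = """\
2021-01-11T08:02:10Z LOGON asmith 10.20.30.44
2021-01-11T12:30:00Z LOGOFF asmith 10.20.30.44
2021-01-11T13:05:44Z LOGON bjones 10.20.30.44
2021-01-11T09:15:00Z LOGON jdoe 10.20.30.19
"""

# Hypothetical list of account names that are shared rather than personal.
SHARED_ACCOUNTS = {"admin", "root", "webmaster"}


@dataclass
class CmsEvent:
    ts: datetime
    account: str
    ip: str
    action: str
    page: str


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the user is still logged on


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_cms_log(text: str) -> list[CmsEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, page = line.split()
        events.append(CmsEvent(parse_ts(ts), account, ip, action, page))
    return events


def parse_auth_log(text: str) -> list[Session]:
    """Pair LOGON/LOGOFF records per (user, ip) into sessions, sorting by time first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip = line.split()
        records.append((parse_ts(ts), kind, user, ip))
    open_sessions: dict[tuple[str, str], Session] = {}
    sessions: list[Session] = []
    for ts, kind, user, ip in sorted(records):
        key = (user, ip)
        if kind == "LOGON":
            open_sessions[key] = Session(user, ip, ts, None)
        elif kind == "LOGOFF" and key in open_sessions:
            s = open_sessions.pop(key)
            s.end = ts
            sessions.append(s)
    sessions.extend(open_sessions.values())  # still-open sessions count too
    return sessions


def attribute_edits(events: list[CmsEvent], sessions: list[Session],
                    pages: set[str]) -> list[tuple[CmsEvent, Optional[str]]]:
    """For each edit to one of `pages`, return (event, person) where person is
    the CMS account if it is personal, otherwise the single user logged on at
    that client IP at that time, or None if nobody (or more than one) was."""
    results = []
    for ev in events:
        if ev.action != "edit" or ev.page not in pages:
            continue
        if ev.account not in SHARED_ACCOUNTS:
            results.append((ev, ev.account))  # individual account: the CMS log is enough
            continue
        # Shared account: the CMS log only says "admin", so ask the logon logs.
        who = [s.user for s in sessions
               if s.ip == ev.ip and s.start <= ev.ts and (s.end is None or ev.ts <= s.end)]
        results.append((ev, who[0] if len(who) == 1 else None))
    return results


if __name__ == "__main__":
    evs = parse_cms_log(CMS_AUDIT_LOG)
    sess = parse_auth_log(AUTH_LOG)
    for ev, person in attribute_edits(evs, sess, {"/biographies/president",
                                                  "/biographies/vice-president"}):
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.page} by CMS account {ev.account!r} "
              f"from {ev.ip}: {person or 'UNATTRIBUTED'}")
```

Two things worth noticing. The three edits from 10.20.30.44 all come back as the same person even though the CMS only logged “admin,” because the logon log shows one user on that workstation at that time; the earlier user on the same machine had already logged off, so the session window matters, not just the IP. The last edit, from an IP with no logon record at all, is reported as unattributed rather than guessed, which is exactly the hole you are left with when logs are turned off or accounts are shared.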
I worked on a project, building the first generation of firewalls for the State Department, under the program management of one Peter Kurtz, who was a hard-core old school security guy. That was around 1992 or so – I ported my firewall code to State’s preferred platform of the time, which was SCO Xenix, because Xenix actually had some pretty cool security capabilities. I had to modify some of my software to work better under the more restrictive security framework, and forklifted that code into my product’s base release, making it better. I don’t know how long Kurtz lasted there but he retired a few years after that and I believe that all the security was ripped out and replaced with “COTS” (Commercial Off The Shelf software), which is code for “just throw stuff together,” since being careful about how software is configured is not “off the shelf” – the “off the shelf” configuration of almost everything is pathetically insecure.
Years later, I commented in a talk, “government computing IT executive management has been replaced with people who only know how to read powerpoints from vendors.” I thought that the comment might get a chuckle but, instead, the temperature of the room plummeted and afterward, I walked off stage through the smoke of burning bridges.
Remember: these are the people who are complaining that China and Russia are hacking them to bits. Meanwhile, they’re such dumbasses they can’t even manage a content management system for a public-facing website that is, arguably, semi-important.
Traceroute tells me that the State Department hosts at Akamai. So, it’s a “cloud computing” set-up. Another bridge burner: “Cloud computing is great for organizations that don’t know how to do IT.” I really believe that: if you don’t know how to set up a CMS, you can host at WordPress and they’ll keep it working for you, for a one-time charge of $200 and $11-$40/month. Then, just work within the perfectly good framework that the cloud providers include, and don’t bypass it by turning logs off, or using shared accounts. The sad fact about a lot of these face-plants is that someone often had to go to some trouble to turn security off. Sheesh!