US State Department lacks any cyber-security whatsoever, including no passwords needed (Repost from Oct 2013)

Editor's Note (Ralph Turchiano): Requested repost from Oct 2013

Published time: October 28, 2013 02:01


Access classified data without authorization, use your account after you’ve been fired, or anonymously request a new account for an Afghan friend – these are just some of the features available in the State Department’s SMART system, BuzzFeed reports.

In the wake of the Manning and Snowden classified US intelligence leaks, internal documents obtained by BuzzFeed reveal that the US State Department’s security systems are vulnerable, if not effectively providing open access to classified information.

The security failings, horrifying to any IT expert, are reported in the State Messaging and Archival Toolset (SMART) – a cable and messaging system based on MS Outlook. SMART handles working emails and cables, stored in both classified (ClassNet) and unclassified (OpenNet) enclaves.

SMART was initially created to improve information sharing after the 9/11 attacks. The internal messaging application has been built and maintained by a team of State Department employees and IT contractors under the $2.5 billion Vanguard contract.

It became fully operational in September 2008 under US Secretary of State Hillary Clinton. However, it turns out the system never complied with all the requirements of the Federal Information Security Management Act and the National Institute of Standards and Technology, according to a 2010 Office of Inspector General (OIG) report.

Failing to provide adequate cyber protection, the system regularly received failing or below-failing grades from its internal monitoring system, according to documents obtained by BuzzFeed.

SMART’s monitoring system, deployed to determine whether files have been accessed or modified without authorization, frequently fails to do any of that, the report said. And with an existing backdoor between the classified and unclassified enclaves, state secrets can be accessed by a user without proper clearance, even unintentionally, BuzzFeed writes.

Access restriction is in fact one of the biggest problems with SMART: it is well known, but nobody is willing to fix it.

According to the report, in 2012 three SMART accounts were created for users in Kabul, Afghanistan. An internal audit showed that no one had any idea who requested their creation or who was using them. The mysterious accounts have since been deleted, but no findings on possible unauthorized activity through them have been made public.


That unauthorized access was not an isolated incident. According to the report, accounts for former employees remain active for some time after they leave. In addition, the State Department can only guess at the number of contractors who have access to the system, and whether those contractors have gone through proper security checks.

In some cases, the computer systems also allowed unregistered users to access data through anonymous, unsecured access points with default credentials.

Currently, the database has no hashing, time-stamping, or other capabilities to show that records have not been accessed, tampered with, or copied by unauthorized users, or even swapped for a fake.

After the 2010 leak of hundreds of thousands of Pentagon and State Department documents by Army Private Bradley Manning to the anti-secrecy website WikiLeaks, the department disabled the ability to forward messages, but failed to block the ability to cut and paste messages and cables, BuzzFeed reports.

Legitimate users also contribute to potential classified data leaks through their routine actions. When an unclassified user’s email address at the operational level is included in a classified group mailing list, that user begins receiving all classified attachments. Users also regularly mislabel classified information as unclassified, BuzzFeed reports, simply because they prefer the unclassified system and its more user-friendly interface.

There have also been complaints about service accounts with non-expiring passwords, or with no passwords at all, despite federal requirements that passwords be reset every 60 days.

More than 19,000 of the 121,702 active accounts (user, service, and mailbox accounts) on the unclassified system alone do not require passwords, according to a 2012 independent audit of the system conducted for the OIG.

There have been requests to fix the security problem, but the fix has always been delayed by the authorities, BuzzFeed reported.

Back in 2009 the Chief Information Officer, Charlie Wisecarver, tasked the department’s current Deputy Chief Intelligence Officer in charge of the SMART program, Glen Johnson, with fixing the problem immediately.

However, according to email exchanges obtained by BuzzFeed, Johnson’s answer was that it might not be technically possible or prudent to change passwords every 60 days, as both users and system operators could forget them and be locked out of the system.

“It is equally easy to imagine the midnight shift trying to fix a problem and being frustrated because they can’t log in because of an expired or changed password,” he emailed Wisecarver. “It is equally easy to imagine that regularly passing around a sheet of many passwords has its own risks.”

The IT managers proposed changing only the Active Directory user passwords, not those of the service accounts; however, whether that was implemented is not clear.
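The three account conditions the audit describes (accounts that do not require a password, service accounts whose password never expires, and passwords older than the 60-day rotation requirement) can each be read directly from Active Directory. The script below is an added example, not code from the article or from the State Department, and assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the use of ServicePrincipalName to guess which accounts are service accounts is a heuristic, not a definition from the report.

```powershell
# Added example: audit Active Directory for the account states reported in the article.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 60   # the federal rotation requirement cited in the article
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$Props  = 'PasswordNotRequired', 'PasswordNeverExpires', 'PasswordLastSet', 'Enabled', 'ServicePrincipalName'

# All user objects (users, service and mailbox accounts) with the flags we need.
$Accounts = @(Get-ADUser -Filter * -Properties $Props)

# 1. Enabled accounts with the PASSWD_NOTREQD flag set: a blank password is accepted at logon.
$NoPasswordRequired = @($Accounts | Where-Object { $_.Enabled -and $_.PasswordNotRequired })

# 2. Enabled accounts exempt from the domain password-expiry policy.
$NeverExpires = @($Accounts | Where-Object { $_.Enabled -and $_.PasswordNeverExpires })

# 3. Enabled accounts whose password is older than 60 days.
#    A $null PasswordLastSet means the password was never set or must change at next logon.
$Stale = @($Accounts | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff
})

# Heuristic (assumption): accounts carrying a ServicePrincipalName are likely service accounts,
# the category the article says was left out of the proposed rotation.
$StaleLikelyService = @($Stale | Where-Object { $_.ServicePrincipalName.Count -gt 0 })

# Summary in the shape of the audit figures quoted in the article.
[pscustomobject]@{
    TotalAccounts        = $Accounts.Count
    NoPasswordRequired   = $NoPasswordRequired.Count
    PasswordNeverExpires = $NeverExpires.Count
    OlderThan60Days      = $Stale.Count
    StaleLikelyService   = $StaleLikelyService.Count
} | Format-List

# Export the offending accounts (deduplicated) for remediation tracking.
$NoPasswordRequired + $NeverExpires + $Stale |
    Sort-Object SamAccountName -Unique |
    Select-Object SamAccountName, Enabled, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Export-Csv -Path .\ad-password-audit.csv -NoTypeInformation
```

Run it from an account with ordinary domain read rights; clearing the PASSWD_NOTREQD flag and enrolling service accounts in managed rotation (for example group Managed Service Accounts) are the remediation steps the counts point to.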

The State Department’s security has been a standing problem since at least 2009, as earlier reports suggested a severe lack of security, including unsecured servers and workstations, unencrypted transfer of secret material, and the intermixing of classified and unclassified information.


http://rt.com/usa/state-department-no-cyber-security-823/
