Report: Border Computers Still Hackable and Unpatched

August 18th will mark two years since the Zotob virus wriggled through a known Windows vulnerability into DHS's US-VISIT system and crashed parts of it. Now a new GAO report finds that the network remains "riddled with information security control weaknesses" that continue to put personal information and border security at risk.

THREAT LEVEL readers will recall that the Bureau of Customs and Border Protection (CBP) stonewalled my Freedom of Information Act request on the Zotob incident, until I successfully sued the agency in federal court. The released documents showed that CBP knowingly left the US-VISIT computers vulnerable to the Windows 2000 bug favored by Zotob, some nine days after Microsoft announced the hole and published a patch.

Amazingly, two years later, the GAO finds CBP still isn't keeping US-VISIT patched. From the report (.pdf):

CBP did not consistently maintain secure configurations on the mainframe, applications servers, and workstations we reviewed at the data center and ports of entry. For example, production servers and workstations were missing critical operating system and software application security patches. CBP also used outdated versions of software and products that were no longer supported by the vendor. Further, CBP could not implement critical security features because it had not deployed the appropriate software on some workstations.

As a result, increased risk exists that the integrity of the CBP mainframe, network devices, and administrator workstations supporting US-VISIT could be compromised and could lead to denial-of-service attacks or to individuals gaining unauthorized access to network resources.

Looking back, Zotob was something of a gift to CBP. Since 2005, those types of fast-spreading worms have largely gone the way of the Dodo. Today malware writers are all about bots, which are designed to stay hidden on computers indefinitely, instead of burning through them like a forest fire. With nothing clearing out the rotting deadwood of unpatched Windows machines except a couple GAO auditors, there's little reason to think that US-VISIT isn't owned up right now.

The GAO report was requested by Senator Joe Lieberman, Chair of the Homeland Security and Governmental Affairs Committee, who said in a press release that DHS needs to get its act together.

The security flaws GAO discovered in this critical border security program jeopardize the integrity of the program and could make it easier for terrorists to enter the country. DHS is spending $1.7 billion of taxpayer money on a program to detect potential terrorists crossing our borders yet it isn't taking the most basic precautions to keep them from hacking into and changing or deleting sensitive information. DHS must immediately put the recommended controls in place to secure US-VISIT.