[ISN] The U.S. Government’s Cybersecurity Is a Total Shitshow

http://gizmodo.com/the-u-s-governments-cybersecurity-is-a-total-shitshow-1515947200

By Ashley Feinberg
GIZMODO
February 4, 2014

Today, a report from the Homeland Security and Governmental Affairs Minority Committee offered an overview of the fed’s current state of cybersecurity. And how is the government to which we entrust our most sensitive and private information looking? In short: bad. Very, very bad.

It’s no secret that the federal government isn’t exactly what you might call competent when it comes to, well, anything having to do with technology. But according to the new report, the full extent to which we really have no idea what the hell we’re doing is more than a little concerning. According to The Washington Post:

The report draws on previous work by agency inspectors general and the Government Accountability Office to paint a broader picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is “password.”

So just how bad is it? We’ve picked out some of the more troubling revelations here, but you can read the report in its entirety down below. Brace yourself: it ain’t pretty.

1. Shitty passwords

Over at the Department of Homeland Security, FEMA’s Enterprise Data Warehouse boasts “accounts protected by ‘default’ passwords, and improperly configured password controls.” The IRS isn’t doing much better, either:

In March 2013, GAO [Government Accountability Office] reported that IRS allowed its employees to use passwords that “could be easily guessed.” Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology.

This isn’t exactly a new revelation. The GAO has cited the IRS for allowing old, weak passwords in every one of its reports over the past six years.

2. Physically writing down those passwords on furniture

Particularly painful is the Department of Homeland Security’s mishandling, to put it lightly, of sensitive information:

Independent auditors physically inspected offices and found passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information. To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops