
HLS: Serious or Not Serious VIII

Something I alluded to before, but which has since been exposed to new light:

A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus [Zotob] then sweeping the internet, according to documents obtained by Wired News. […]

Later in the story . . .

[an IG report] found system vulnerabilities at the U.S. points of entry where the US-VISIT workstations are operating. It blames the weaknesses on poor communications between administrators in the field and those at US-VISIT’s Virginia data center. In February, the Government Accountability Office — Congress’ investigative arm — followed up with its own investigation of the program, faulting US-VISIT for not having an overall security plan.

The system that vets people who bother to come through ports of entry has no security plan. Sleep tight, America.

Prior to infecting CBP, the Zotob virus reportedly caused disruptions at The New York Times, ABC and CNN’s headquarters in Atlanta, as well as some offices on Capitol Hill. In late August, the FBI announced the arrest of two men in connection with the worm: 18-year-old Farid “Diabl0” Essebar in Morocco, and a 21-year-old Turkish man named Atilla Ekici, known online as “Coder.”

Arab hackers . . . Imagine that.

People deride big-iron, but it works and you’d be hard pressed to find someone writing exploits for PL/I. It is when the “solution” to big-iron “problems” is to slap an HTML front end on top of some middleware (plus card readers, plus biometrics, plus . . .) that you start to see major problems; not just from a security perspective, but in usability too. An EBCDIC-to-ASCII conversion and a Google appliance would work just as well, but why take the easy path when there are vendors on-site waiting to add to an already bloated work order?

There are many other systems like this that are supposed to help keep us safe. Keep thinking that the same or similar problems aren’t there. We shouldn’t be going for the quick fix; we should be going for the right fix and damn the inconvenience to travelers. Something I’m not looking forward to: The next generation of gov’t IT managers explaining to the next Commission on the next spate of terrorist attacks in the US why they chose to pursue – yet again – over-budget, under-performing, hole-riddled systems.

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines, he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.