They found that some of the hosts designed to give home workers and other trusted users access to DHS networks by modem or over the Internet lacked authentication measures, such as minimum password lengths and password aging, that are called for by official NIST guidelines and by National Security Agency recommendations.
Moreover, system patches were not kept up to date, leaving some systems open to known buffer overflows and other exploits. Meanwhile, a war dialing effort against 2,800 DHS phone lines turned up 20 modems that the Department couldn't immediately account for.
The link for this article located at Kevin Poulsen is no longer available.