The Zotob Worm and the DHS

On August 18 of last year, the Zotob worm badly infected computers at the Department of Homeland Security, particularly the 1,300 workstations running the US-VISIT application at border crossings. Wired News filed a Freedom of Information Act request for details, which was denied.

After we sued, CBP released three internal documents, totaling five pages, and a copy of Microsoft's security bulletin on the plug-and-play vulnerability. Though heavily redacted, the documents were enough to establish that Zotob had infiltrated US-VISIT after CBP made the strategic decision to leave the workstations unpatched. Virtually every other detail was blacked out. In the ensuing court proceedings, CBP claimed the redactions were necessary to protect the security of its computers, and acknowledged it had an additional 12 documents, totaling hundreds of pages, which it withheld entirely on the same grounds.

U.S. District Judge Susan Illston reviewed all the documents in chambers, and ordered an additional four documents to be released last month. The court also directed DHS to reveal much of what it had previously hidden beneath thick black pen strokes in the original five pages.

"Although defendant repeatedly asserts that this information would render the CBP computer system vulnerable, defendant has not articulated how this general information would do so," Illston wrote in her ruling (emphasis is lllston's).

The details say nothing about the technical details of the computer systems, and only point to the incompetence of the DHS in handling the incident.

Details are in the Wired News article.

Posted on November 6, 2006 at 12:11 PM • 21 Comments

Comments

another_bruceNovember 6, 2006 1:00 PM

i may be exhibiting some naivete here, but if these 1300 workstations were running on a dedicated government intranet with an airgap between it and the nasty internet, and the 1300 users obeyed their manual and never loaded material of dubious origin into their boxes, how could this infection have possibly happened?

Lamont PetersonNovember 6, 2006 1:13 PM

@another_bruce

Well, your "if"s are related to people, so I think there's your answer; somewhere, a "weak link" (a.k.a. person) didn't follow some guideline.

However, given the heavy nature of the redacting and the number of completely "suppressed (for lack of a better word) pages, it makes me wonder if there might have been a purely network pathway that this particular worm got in through.

Sounds like the crustacean security model at work.

RichNovember 6, 2006 1:33 PM

How to enter the country, if you are "on a list":
1. launch worm to crash system
2. enter country
Notice how the dependency on technology is a vulnerability itself.

derfNovember 6, 2006 1:38 PM

If DHS systems are required to have an airgap, how will Vista phone home? If DHS gets a special non-phone home version of Vista, how long will it take for hackers to come up with their own non-phone home version?

jayhNovember 6, 2006 1:43 PM

"The details say nothing about the technical details of the computer systems, and only point to the incompetence of the DHS in handling the incident."

This is, of course the most common actual reason for redactions and foi refusals. Probably outnumber legitimate secrets by 100 to 1


bobNovember 6, 2006 2:27 PM

While I am the last person to side with the government [there's a hobson's choice, which monolithic uncaring organization do I pick to side with: MS or DHS], I believe testing to make sure a MS patch does not crash a wide variety of marginally compatible peripherals is prudent.

Now redacting all that trivial stuff in the documents was silly, that was just their way of thumbing their nose at us, saying "no, WE do not work for YOU, unimportant peon citizen taxpayers, YOU work for US".

Geoff LaneNovember 6, 2006 4:12 PM

"Department of Homeland Security"

Let me guess, they lock the doors and windows at night. Keep paper records in locked filing cabinets. Keep records of who and when people enter and leave the building.

Yet an organisation that pretends to protect the nation doesn't use a high security internal network and workstations?

Are we seeing a financial cheap-skate setting security policy?

I wonder how they test the integrity of their databases after an infection? An infection that could be a cover for some more serious activity.

Dean HardingNovember 6, 2006 4:33 PM

> If DHS systems are required to have an airgap, how will Vista phone home?

Where on earth did you hear that Vista "phones home"? That's gotta be one of the dumbest things I've heard.

Well, apart from just about anything the DHS does, that is. OF COURSE it was because of somebody's incompetence that they were infected. You simply don't get virus infections when you know what you're doing.

If doesn't surprise me that they're trying to hide it, though. Nobody likes to admit they made a mistake.

Bruce SchneierNovember 6, 2006 5:10 PM

"i may be exhibiting some naivete here, but if these 1300 workstations were running on a dedicated government intranet with an airgap between it and the nasty internet, and the 1300 users obeyed their manual and never loaded material of dubious origin into their boxes, how could this infection have possibly happened?"

The effectiveness of air gaps is greatly over-rated.

Rob MayfieldNovember 6, 2006 7:32 PM

@Bruce: "The effectiveness of air gaps is greatly over-rated."

... as evidenced by the ones found between the ears of most of the DHS IT Department it would seem ;-)

ThomasNovember 6, 2006 7:40 PM

@Bruce,
"""The effectiveness of air gaps is greatly over-rated."""

No, it's just that the air-gap in the network can't hope to compensate for the air-gap between some people's ears.

saladpopeNovember 6, 2006 7:43 PM

"The details say nothing about the technical details of the computer systems, and only point to the incompetence of the DHS in handling the incident."

"CBP claimed the redactions were necessary to protect the security of its computers"

Maybe they don't realize that we already know they are incompetent?

RalphNovember 6, 2006 7:58 PM

This is so broken in so many ways, it is hard to know where to start.

1. The network was part of "Homeland Security" with a budget of US$30.8 billion (2006) - yet was defeated by a teenager in Morocco using a flaw that was already patched.

2. The department lied to CNET in December, claiming the problem was routine computer glitches.

3. It took them a day and a half to patch 72 percent (936 machines). Clearly they didn't have sufficient tools for the job.

4. The December before the Inspector General had told them their specific network had a problem (assuming he told them to fix it). Months later they still had it.

5. They had 4500 people sitting around Miami airport while they fluffed around like the idiots they were!

6. After the fact it seems PR is the most important priority; possibly revealing no one is honestly interested in fixing the problems.

It is hard to decide which is more embarrassing, the incompetence that got them into the situation or the obvious lies and trying to hide their stuff ups. Like eight year olds trying to pretend they weren't smoking when the room stinks of smoke.

THESE are the biggest real world security problems. Denial (even to themselves), dishonesty of people and agendas, arrogance and structural unaccountability.

This should be documented and taught in schools to show why security is so hard in the real world.

AndrewNovember 7, 2006 12:17 AM

>> "Department of Homeland Security"

>> Let me guess, they lock the doors and windows at night. Keep paper records in locked filing cabinets. Keep records of who and when people enter and leave the building.

This only because it's in the GSA manual.

They don't trust a manual unless someone in the government wrote it.

SadEuropeanNovember 7, 2006 2:14 AM

@ Bruce

Off the topic comment:

Bruce, don't you have any comment on the hand luggage restrictions hitting Europe from Nov 6th? It was supposed to be temporary, looks like they decided to make it long term, with annoyance such like possible duty free bottle seizure..

bobNovember 7, 2006 6:54 AM

@Rob Mayfield: No, those airgaps work EXTREMELY well; and its a ubiquitous state at DHS not just in their IT department...

Tim BNovember 7, 2006 9:56 AM

It's easy to point the finger and accuse DHS of incompetence, but I can see the scenario playing out in any number of organizations with complex, proprietary line of business applications. Maybe they were overly cautious, but the key is that the software vendor offers no warranty against any problems that the software may cause on enterprises (read the EULA). Had US VISIT gone down because of the patch, they would have been in the same boat.

The desire to cover it up is just CYA and human nature. By the way, the poster who asked about Vista phoning home bit, please know that MS expects you to deploy special servers on your Intranet to answer those activiation calls as part your upgrade.

merkel cellNovember 7, 2006 9:57 AM

Yes, DHS is an embarrassment and they want to hide the fact from the general public. We do not need to bring down DHS when a simple worm can do the job.

sandford elliotNovember 7, 2006 4:46 PM

Tim B ~~
"By the way, the poster who asked about Vista phoning home bit, please know that MS expects you to deploy special servers on your Intranet to answer those activiation calls as part your upgrade"

Too bad we use a software that requires the purchase of yet more "special servers" to handle activation. How about we NOT use the software(VISTA), so obliterate the whole 'phone-home' scheme?

JeffDNovember 8, 2006 3:25 AM

@sandford,

Forcing hardware upgrades/new purchases was one of the carrots Microsoft threw the hardware vendors a year or so ago. They could have cleaned things up so that Vista would run on a Windows 2000-class machine; with extremely un-Microsoftish attention to efficiency and quality, they could have made it much smaller (go look at ReactOS to have an idea what I'm talking about). There's only two reasons why Windows is screwed up worse than the DHS: top-level arrogance and the "Code Complete" development 'method' that claims youy can have all your features demoable without design, scrum or unit tests.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..