[funsec] Border Security System Left Open

[Nick FitzGerald]

Fergie wrote:

> A computer failure that hobbled border-screening systems at airports
> across the country last August occurred after Homeland Security officials
> deliberately held back a security patch that would have protected the
> sensitive computers from a virus then sweeping the internet, according to
> documents obtained by Wired News.

One has to question whether the folk running these systems even have 
the _minimal_ competence for doing their job.

Why are "sensitive" systems such as these on networks where they _can_ 
be exposed to network-spreading malware or [D]DoS attacks?

If they "must" (for god-only-knows-what reason) attach these machines 
to public sewer networks, then why are they running an OS that is so 
commonly (and trivially) exposed to such outages?

If they weren't connected to the Internet (which one would expect they 
weren't) then why weren't such "sensitive" systems attached to a 
properly fortified and locked down network?  One that only DHCPs for 
known MAC addresses or at least one that puts "unknown" MACs in their 
own, heavily restricted, VLAN??  [I won't name the European airport but 
I found free Ethernet access via its administrative network from an 
Ethernet jack in a public area in the last year.  You half expect this 
for WiFi, but for Ethernet??]

And, even if they "must" (for god-only-knows-what reason) run Windows, 
why are they not running the systems the dumbest of their dumb users 
(in terms of "PC smarts" and the level of OS access necessary to do 
their jobs) not running some extra-hardened, ultra-locked-down, least-
privileges configuration to totally minimize any possibility of 
something like Zotob affecting them?  Especially given that they 
clearly were NOT taking other "reasonable, best practice" precautions 
as suggested above?

Abject incompetence.

Fercrissakes...


Regards,

Nick FitzGerald