U.S. Department of Homeland Security websites are open doors to hackers, audit finds

computer with a hacking window popped up

The agency tasked with protecting the U.S. government from hackers is vulnerable to hackers.

The Department of Homeland Security—the agency charged with protecting the U.S. government from hackers—can be hacked.

Critical vulnerabilities exist on internal Homeland Security agency websites allowing attackers to gain access to sensitive data from both the U.S. Secret Service (USSS) and U.S. Immigration and Customs Enforcement (ICE) agencies, according to an audit by the department’s Inspector General.

Homeland Security uses private internal websites that allow agents to share information, track cases, and report investigation statistics.

ICE in particular was found to have numerous security problems that opened the agency up to cyberattacks. 

ICE’s computer system do not implement a significant portion of Homeland Security’s required security standards, and the agency does not use a vulnerability scanner on its websites, which left the agency unaware of the handful of issues found in a Inspector General’s report published earlier this month.

The Secret Service only recently acquired such a scanner, but, even so, their websites and systems were considerably more secure, according to the audit.

The full list of website vulnerabilities was not made public, but a handful of examples included unprotected files containing sensitive data, SQL injections, cross-frame scripting, and reflected cross-site scripting.

The weaknesses allow attackers to impersonate Homeland Security agents to fool the department’s systems or to impersonate Homeland Security’s systems in order to fool the agents.

“Without remediating the vulnerabilities identified, sensitive cyber mission data may be compromised,” the Inspector General’s report explained.

Given the severity of the vulnerabilities, Homeland Security emphatically agreed with the recommendations of the report. It’ll take nearly three months to fix all the issues, however, with a deadline of Nov. 30, 2015.

The Inspector General’s September 2015 audit was prompted by a January 2015 Senate report that concluded that Homeland Security was “struggling to execute its responsibilities for cybersecurity, and its strategy and programs are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”

At the time that report was published, hackers had already been inside federal networks for month, stealing mountains of data from the Office of Personnel Management (OPM).

The OPM attackers weren’t discovered until they were accidentally found out four months later.

Illustration by Max Fleishman 

Patrick Howell O'Neill

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.