- Gina Rodriguez slammed for promoting ‘American Dirt’ 4 Years Ago
- Netflix says ‘The Witcher’ is its biggest show. Is it really? Today 8:59 AM
- Tulsi Gabbard sues Hillary Clinton for podcast comments Today 8:53 AM
- Lizzo reps Beyoncé’s Ivy Park collection in adult-themed TikTok Today 7:58 AM
- Netflix’s ‘Eye for an Eye’ is a fun but messy thriller about revenge Today 7:00 AM
- Which 2020 Democratic candidates post the most cringe? Today 6:30 AM
- The new ‘Hunger Games’ book paints President Snow as a hero—and people are not happy Tuesday 9:03 PM
- Influencer called out for ‘troubling image’ with Kenyan child Tuesday 8:18 PM
- Professor arrested for spending $185K of grant money on iTunes and strippers Tuesday 7:28 PM
- Man cuts his books in half to make them ‘portable,’ spurs online debate Tuesday 6:09 PM
- Fans defend Lana Del Rey after she was mocked for flying commercial Tuesday 5:10 PM
- Lady Gaga fans find alleged new song name in her website’s code Tuesday 4:42 PM
- Barstool Sports deletes anti-union tweets, blog post in settlement Tuesday 3:47 PM
- The ‘can have … as a treat’ meme has come full circle Tuesday 3:09 PM
- Joe Rogan says he’s voting for Bernie Sanders Tuesday 2:54 PM
U.S. Department of Homeland Security websites are open doors to hackers, audit finds
The agency tasked with protecting the U.S. government from hackers is vulnerable to hackers.
The Department of Homeland Security—the agency charged with protecting the U.S. government from hackers—can be hacked.
Critical vulnerabilities exist on internal Homeland Security agency websites allowing attackers to gain access to sensitive data from both the U.S. Secret Service (USSS) and U.S. Immigration and Customs Enforcement (ICE) agencies, according to an audit by the department’s Inspector General.
Homeland Security uses private internal websites that allow agents to share information, track cases, and report investigation statistics.
ICE in particular was found to have numerous security problems that opened the agency up to cyberattacks.
ICE’s computer system do not implement a significant portion of Homeland Security’s required security standards, and the agency does not use a vulnerability scanner on its websites, which left the agency unaware of the handful of issues found in a Inspector General’s report published earlier this month.
The Secret Service only recently acquired such a scanner, but, even so, their websites and systems were considerably more secure, according to the audit.
The full list of website vulnerabilities was not made public, but a handful of examples included unprotected files containing sensitive data, SQL injections, cross-frame scripting, and reflected cross-site scripting.
The weaknesses allow attackers to impersonate Homeland Security agents to fool the department’s systems or to impersonate Homeland Security’s systems in order to fool the agents.
“Without remediating the vulnerabilities identified, sensitive cyber mission data may be compromised,” the Inspector General’s report explained.
Given the severity of the vulnerabilities, Homeland Security emphatically agreed with the recommendations of the report. It’ll take nearly three months to fix all the issues, however, with a deadline of Nov. 30, 2015.
The Inspector General’s September 2015 audit was prompted by a January 2015 Senate report that concluded that Homeland Security was “struggling to execute its responsibilities for cybersecurity, and its strategy and programs are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”
The OPM attackers weren’t discovered until they were accidentally found out four months later.
Illustration by Max Fleishman
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.