Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security United States IT

DHS Offering Free Vulnerability Scans, Penetration Tests (krebsonsecurity.com) 79

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.
This discussion has been archived. No new comments can be posted.

DHS Offering Free Vulnerability Scans, Penetration Tests

Comments Filter:
  • by mveloso ( 325617 ) on Tuesday December 01, 2015 @12:46PM (#51034709)

    Most people don't enjoy the TSA scans and penetration tests, but I guess different strokes for different folks.

    • Bankers are big on BSDMbsdm

    • With a headline like that, I expected to be laughing at the comments.
      • by rtb61 ( 674572 )

        Nothing funny, legally it is a very bad idea as under law the DHS is allowed to lie to you, so the penetration tests have, under law, zero value. They are far more likely to not declare any holes they have found in case they can use them for investigatory purposes or put holes in place they can use for investigatory purposes. Basically under law you can not trust US investigatory agencies unless any those claims and declarations are made in a court of law, the only place they are legally required to tell t

    • penetration tests

      I'm still waiting for the "National Sheep Association" jokes...

  • Like penetrating pretty much anything these days would be a challenge after the NSA rooted everything.

    • The only solution any longer is not to use electronics for anything significant.
    • But that's only for national security and stopping terrorism! And in no way whatsoever in any universe could the NSA be lying, right? Right?
      • But that's only for national security and stopping terrorism! And in no way whatsoever in any universe could the NSA be lying, right?

        Right?

        Which is actually about NSA and revolving political 'theater' following orders of banksters, preservation of a fiat currency propped up on the petro dollar since '71 because the banksters swindled their own bank, department of energy prospects, corporate espionage and enslaving and sticking us with the check. If the place is going to continue to be run by foreign thieving superstitious closet case Nazi pedophiles, perhaps they should just push the button by picking a fight directly with Putin instead of th

  • by Nidi62 ( 1525137 ) on Tuesday December 01, 2015 @01:02PM (#51034841)
    The newest scam call: (cue heavy Russian accent)"Hello, my name is Steven. I am calling from the Department of your Homeland Security and am definitely not former KGB agent. For limited time only we are offering free computer vulnerability scans and identity theft testing. Please give us your computer login credentials and bank information that we may begin our testing."(end heavy Russian accent)
    • by DoofusOfDeath ( 636671 ) on Tuesday December 01, 2015 @01:11PM (#51034905)

      (end heavy Russian accent)

      Glad you remembered closing tag. Otherwise rest of comments would also have Russian accent.

      • by alexhs ( 877055 )

        Now you closed it a second time ! Let's match opening and closing tags !

        (cue heavy Russian accent)

        Voilà ! Much better now.

        A physicist, a biologist and a mathematician are sitting in a street café watching people entering and leaving the house on the other side of the street. First they see two people entering the house. Time passes. After a while they notice three people leaving the house. The physicist says, "The measurement wasn't accurate." The biologist says, "They must have reproduced." The mathematician says, "If on

    • by TheCarp ( 96830 )

      Hmmm the text doesn't read like a very convincing russian accent, as it has a somewhat distinct grammar that goes with it. Particularly, skipping use of the definite article, and less superfluous preposition usage:

      I would expect it to be more like "Hello, my name is Steven. I am calling from Homeland Security Department and definitely not former KGB agent." That seems more like the flow I have come to expect from a person with a heavy russian accent.

      I know there are likely a lot of russians who have learned

      • by Nidi62 ( 1525137 )

        Hmmm the text doesn't read like a very convincing russian accent, as it has a somewhat distinct grammar that goes with it. Particularly, skipping use of the definite article, and less superfluous preposition usage:

        Which is exactlywhy a "smart" scammer would make sure to use definite articles and prepositions, probably to the point of overcompensating and using them too much.

        • by TheCarp ( 96830 )

          Yes but even that is more work and more expensive. Pretty sure its cheaper to just hire the people with the bad accents to get on the phone for you.

          My assumption is they are so bad because there is no value in being better, not because there is so much value in being bad that they go out of their way.

      • More like "Hello, I am Steven of Homeland Security Directorate, ahh Department".
  • ...and all you have to do is install this one little piece of code. It will delete itself when the test is over. Really! Honest! ...What are you looking like that for!?
  • The TSA has been scanning for vulnerabilities & performing free penetration tests for over a decade now.
  • by xxxJonBoyxxx ( 565205 ) on Tuesday December 01, 2015 @01:08PM (#51034887)

    >> The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’

    This.

    >> They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.

    Simple solution: put in a regulation that says if you get breached, you agree to take down your online services for two weeks to get your house in order. Something like that would free up money for preventative solutions in a hurry. Furthermore, we KNOW the inspected organizations have some security personnel (which aren't cheap) because the permission form asks for specific contacts who might be smart enough to interpret any results.

    • by schwit1 ( 797399 )
      What is the punishment for government agencies? OPM knew they had been hacked for a long time but CHOSE to remain online so OPM business was not interrupted.
  • Security Penetrates YOU!

    Seriously though, who would want their systems compromised by a group of motivated liars who have a demonstrated track record of covering up their own wrongdoing and misusing any access they do get?

    Anyone who wants that deserves every inch of penetration they are going to get.

  • ...the fox will test your hen-house for free.

  • by rsborg ( 111459 ) on Tuesday December 01, 2015 @01:10PM (#51034897) Homepage

    Another example of corporate welfare... pen-testing costs time and money, why should I as a taxpayer be out this money?

    • by Anonymous Coward

      Because every vuln left open means your odds of financial fuckage skyrocket.

      • Yeah, vulnerabilities cost money. If you get hacked you could be put out of business. That means that if you care about your customers and want to stay in business you pay for the right tools and people to ensure you are secure.

        How does a Government who can't handle basic things like medical care for Veterans have a better chance of protecting you than a private company who will be out of a job if they are not effective? What is your repercussion against the DHS when they fail and you go under? What pen

    • So the people writing commercial (good) security software can lose their jobs when the market goes to the free option.
    • by MobyDisk ( 75490 )

      Corporations pay taxes too. In theory.

  • by avandesande ( 143899 ) on Tuesday December 01, 2015 @01:15PM (#51034935) Journal

    How about publishing a set of standards and tests that critical infrastructure companies must utilize?

    • by Anonymous Coward

      it's really just a way for them to legitimize their own hacking and data collection habits.

      • it's really just a way for them to legitimize their own hacking and data collection habits.

        It's like the local fire department asking if there are any fields farmers would like to burn or houses they can burn for practice stopping fires.

    • by AHuxley ( 892839 )
      The free offer is just a talking point to make new contacts in the private sector.
      The "free" testing has a few different ideas behind it:
      An offer to upper level private sector stakeholders to talk about security threat assessments and protective measures. Basically upper management get a fancy digital version of see something, say something and an offer of a special card just for them.
      Long term a free offer to host a new server might be made to split and compare all real time data flows to shared police
  • than the stupid port scan tests that some credit card companies require you to do before they let you have a credit card processing machine.

  • These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries.

    What are the odds DHS didn't even bother to make sure the rest of FedGovs house is in order before moving onto the private sector? Though it does nicely prove DHS, et al are all lapdogs to almighty corporate profits.

  • Well good; I'm guessing that a lot of organisations (outside of Federal) that use this "free" service are ones too cheap to go private.
    Just as long as they don't think that they'll get the same breadth and depth of experience as you would with some other options - you don't attack a bank the way you attack a power station so better to go to the specialists for your situation.
    Still, if it leads to the DHS overall getting more of a clue then I'm all for it.
    But somehow I doubt it...

    Now, getting a "tested clear

  • by account_deleted ( 4530225 ) on Tuesday December 01, 2015 @02:28PM (#51035485)
    Comment removed based on user account deletion
  • And if they discover vulnerabilities, those will be passed on to NSA first?

  • "You hypocrite, first take the plank out of your own eye, and then you will see clearly to remove the speck from your brother's eye." - Matthew 7:5

    OPM ?!? Anyone?!? OPM?!?
    DHS Might want to PERFERT their methods on GOVT agencies first...
  • According to the report that reads more like a summary with hardly a data point, the most common vulnerability was an "Unsupported Unix Operating System."

  • so this is how elites bugger J&J Sixpack! :(

          they ask for volunteers, and then just sit back and wait for free prostitution

    (of ALL kinds; no homo sapiens phobia of any kind whatsoever with these folks)

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...