Saturday, March 08, 2008

Pentagon concedes it was hacked for two months

Some people may remeber that in June 2007 the Pentagon admitted that it had been hacked but played down the significance of the successful penetration of its systems. However, senior officials at the DoD are now saying that they have serious concerns about the amount of data that was stolen. They have now admitted that the intrusion, thought to be orchestrated by the Chinese, was in place for two months on their network, spreading malicious code and "culminating in an intrusion that created havoc by exploiting a vulnerability in Microsoft Windows".

As I said at the time, for the Pentagon to get rooted so successfully should bring into sharp focus the reality and danger of the proposed ID register by the Government. The Home Secretary has made claims that the ID database cannot be hacked because it is not "online". Does she think that internal systems in the Pentagon are "online"? You don't need a system to be online, or in other words, on 'teh interweb', for it to be hacked.

The ID register will inevitably be on a network somewhere, it's not going to a single system with a monitor and keyboard plugged into it. It will be remotely access across the so-called Government Secure Intranet. You'll note that the word "secure" is in the name. The problem is is that there are exit points from GSI that are on the wider Net. If one of those touch points with the outside world is compromised then GSI and the "not online" databases become available.

The sooner we have someone that knows about IT and security taking the Government to task and ripping the idiocy of their security claims apart the better.


Anonymous said...

Time for a Ministry of IT perhaps?

Anonymous said...

This was a spectacularly inane comment at the time, but the rejoinder is even easier than that:

If the database is supposed the place where the validity of your card is confirmed, how is that actually supposed to happen if the database is not available really actually quite widely? Like, to anyone who needs to verify your identity? Like the whole purpose of the sodding enterprise?