If you can’t trust visiting the U.S. government’s Department of Labor website, what on the Internet can you trust?
I asked a similar question in March, 2011, in my column titled, “Careful where you click,” as I wondered, “Who would think that looking at ads found on the London Stock Exchange website could infect your computer with malicious software designed to steal your money? If you can’t trust the London Stock Exchange, who can you trust?”
In that situation, you didn’t even have to click on anything. All you had to do was look at the London Stock Exchange’s main website page and bam, your computer would start preparing malicious software for installation in what has come to be known as a “drive-by attack.” Folks who actually clicked on the fake notices and “alerts” that popped up found themselves in big trouble.
Here we are, two years later, and it seems that too many highly-placed, over-paid, so-called security officers working for the U.S. government still don’t know how to secure their own websites. Last week, visitors to the U.S. Department of Labor website “www.sem.dol.gov,” a site devoted to hazardous conditions found at Department of Energy installations, found the website hacked and their computers being infected with malware. It appears that the infected site and the attacks it was serving up were the work of Chinese hackers targeting certain employees working in the nuclear weapons industry. I checked the website while writing this column and it was still offline.
Should we expect more of our trusted government servants?
“… this issue highlights (again) the U.S. federal government infecting citizens’ computers with malware. President Bill Clinton (in 1998) called for the government to ‘lead by example’ in cybersecurity. How can the government expect industry to do the right thing, he asked, if the government doesn’t protect its own systems and show the way?” asks Alan Paller, director of research at the world-renowned SANS Institute. “When Karen Evans was at OMB as federal CIO and when Sameer Bhalotra was in the White House as deputy cyber czar, there was real progress. Is it reasonable to ask why we have gone backwards since they left?”
Indeed, it seems that too many of our government leaders just don’t “get it,” and have not really tried to “get it” for many years. Millions and billions of dollars have been spent on showy, impressive-looking systems designed to monitor and surveil our every move, giving the appearance of “security,” yet all the while failing to provide the serious protections our country’s networks so desperately need. We’re experts at making sure Grandpa can’t carry more than 3.4 ounces of shaving cream onto an airplane, but we can’t seem to keep 20-something Chinese hackers located 10,000 miles away out of our critical computer systems.
“A good example, and there are many, of where the US Government could best drive higher levels of security by focusing on becoming what Presidential Decision Directive 63 back in 1998 called ‘a model of information security’ on the Internet,” stated John Pescatore, Vice President at Gartner Inc. for fourteen years and SANS Institute director since 2013. “Instead, we have way too much federal focus on monitoring of private industry, having private industry share information and creating ‘yet another framework’ for private industry – instead of focusing on making government systems themselves (and by extension those of contractors and suppliers) much, much more secure.”
What do these things mean to “normal,” everyday computer users? Realize that the government cannot seem to get its own house in order, much less protect you. Take responsibility for your own computer security; take your Internet safety into your own hands. Pay attention to your computing environment and question everything you see. Use research tools like Google to learn about things you don’t understand, rather than blindly clicking and hoping all will be well. Read columns like this one and learn how to take care of the basics. Be careful where you click.