Reid said the trouble began in May when an employee opened a malicious attachment disguised as the text of a congressional speech. The worker's machine was infected with a Trojan backdoor that was caught by the agency's intrusion detection system. As IT workers investigated the breach, though, they began to find other intrusions in the East Asia Pacific region, as well as in Washington. Hackers had been using yet another Microsoft zero-day bug to worm their way into the State system, Reid explained.
Alan Paller, director of research at the SANS Institute, attended Thursday's hearing and said he was struck by the agency directors' desire to say that their security was working well.
"Saying 'we're OK' doesn't improve what's wrong," he said in an interview with InformationWeek. "There are big problems here. Between them, Commerce and State had 30 different systems compromised last summer. You're not hearing about most incidents because they quickly classify them as classified. This is just the tip of the iceberg."
Paller pointed out that IT investigators with the Commerce Department still don't know where the intruder hid inside their system. They didn't keep logs long enough to be able to look back and see specifically what machines he touched. "They only found the ones he left visibly touched," he added. "We don't even know how many machines the Chinese still own. We have a pretty good idea that State got the intruders out, but with Commerce, we have no idea how many systems are still owned by someone else."
From the Government Accountability Office, Gregory C. Wilshusen, director of information security issues, and David A. Powner, director of information technology management issues, testified in tandem Thursday. They said information security weaknesses continue to place federal agencies at risk, and noted that in 2006, agencies reported a record number of information security incidents to U.S.-CERT.
They reported that of the 24 major agencies last year, 18 had access control weaknesses, such as not replacing well-known vendor-supplied passwords, permitting excessive access privileges that users did not need, not encrypting sensitive information, and not creating or maintaining adequate audit logs.
Many agencies, they added, did not even install patches in a timely manner.
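The GAO findings above, together with Paller's point that Commerce's logs did not reach back far enough to trace the intruder, describe weaknesses that are easy to check mechanically once an agency has a host inventory. The following is an added example, not code from the article, the GAO, or any agency: a small Python audit that flags each weakness class (vendor-supplied default passwords, privileges beyond a host's role, unencrypted sensitive data, audit-log retention shorter than the suspected dwell time, and overdue patching). The inventory, the default-credential list, the field names, and the thresholds are all constructed assumptions.

```python
"""Audit a host inventory for the weakness classes named in the GAO testimony.

Added example; the inventory, credential list, thresholds and field names
below are assumptions, not data from the article or any agency.
"""
from datetime import date

# Date the audit is run against (assumption chosen to match the article's
# "last summer" timeframe).
AUDIT_DATE = date(2006, 8, 1)

# Constructed sample inventory: one host with several problems, one clean.
INVENTORY = [
    {
        "host": "app-01",
        "accounts": [("admin", "admin"), ("svc_backup", "Z9!k2#q")],
        "granted": {"login", "sudo", "db_admin"},   # privileges actually held
        "required": {"login", "sudo"},              # privileges the role needs
        "sensitive_encrypted": False,
        "log_retention_days": 30,
        "last_patched": date(2006, 4, 2),
    },
    {
        "host": "fs-02",
        "accounts": [("svc_share", "r7$Lm0pX")],
        "granted": {"login"},
        "required": {"login"},
        "sensitive_encrypted": True,
        "log_retention_days": 180,
        "last_patched": date(2006, 7, 20),
    },
]

# Well-known vendor-supplied credential pairs (short constructed list; a real
# audit would load a maintained list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "toor"),
    ("cisco", "cisco"),
    ("administrator", "password"),
}


def default_credentials(host):
    """Accounts still using a well-known vendor-supplied password."""
    return sorted(u for u, p in host["accounts"]
                  if (u.lower(), p) in DEFAULT_CREDENTIALS)


def excess_privileges(host):
    """Privileges granted beyond what the host's role requires."""
    return sorted(host["granted"] - host["required"])


def retention_gap_days(host, dwell_days):
    """Days of history an investigator would be missing.

    dwell_days is the time between suspected initial compromise and detection.
    If logs roll over sooner than that, the earliest foothold is unrecoverable,
    which is exactly the situation described for Commerce.
    """
    return max(0, dwell_days - host["log_retention_days"])


def patch_age_days(host, today):
    """Days since the host was last patched."""
    return (today - host["last_patched"]).days


def audit_host(host, today, dwell_days=90, max_patch_age=30):
    """Return a list of human-readable findings for one host (empty if clean)."""
    findings = []
    for account in default_credentials(host):
        findings.append(f"default vendor credential on account '{account}'")
    for priv in excess_privileges(host):
        findings.append(f"excessive privilege '{priv}'")
    if not host["sensitive_encrypted"]:
        findings.append("sensitive data stored unencrypted")
    gap = retention_gap_days(host, dwell_days)
    if gap:
        findings.append(f"audit logs kept {host['log_retention_days']} days, "
                        f"{gap} days short of the {dwell_days}-day dwell window")
    age = patch_age_days(host, today)
    if age > max_patch_age:
        findings.append(f"last patched {age} days ago (limit {max_patch_age})")
    return findings


def audit(inventory, today=AUDIT_DATE, dwell_days=90, max_patch_age=30):
    """Map each host name to its findings."""
    return {h["host"]: audit_host(h, today, dwell_days, max_patch_age)
            for h in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The dwell-window check is the one that matters most for the Commerce case: a retention policy is only adequate if it covers the gap between when an intruder first got in and when the intrusion was noticed, so the threshold should be set from observed dwell times rather than disk budget.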
These weaknesses need to be addressed now, Paller said, not with more FISMA-style reports but with immediate action.
"Right now, every window and every door has a hole in it," he added. "You can get into basically any federal system without getting caught. It's criminal. The weaknesses are all over the place. They're wide open."