
 mapics
join:2005-04-04 | What Secure apps Government use?
What SECURE program do the FBI or police agencies use to store their data or information records?
And what secure OS they use too? Do they use Linux, Solaris or would it be custom designed? | |   Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| There is no one that is going to tell you, due to the layer of security that is used. Honeypots, Firewalls, believe it or not WinXP, MacOS, products are the norm. -- One man's customer loyalty is another man's misguided arrogance. | |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| reply to mapics Most of the government still uses Windows, but I understand that many in security roles for such agencies as the CIA and FBI enjoy OS X quite a bit.
At the NSA it's anyone's guess, but I'll bet that it's mostly highly-hardened Windows with a migration strategy to Linux. That's just my guess. -- dmiessler.com - grep understanding knowledge | |   captnhook
join:2001-02-20 NY | reply to mapics I could tell you ...but then I'd have to kill you  | |   iwhat
@rr.com
| reply to mapics Apple's Mac OS X has been declared one of the world's safest operating systems by London-based security experts, mi2g.
The security firm's Intelligence Unit has run a comparative study of the variety of operating systems available today. It states: "The world's safest and most secure online server Operating System (OS) is proving to be the Open Source family of BSD (Berkeley Software Distribution) and Mac OS X based on Darwin."
It's also claimed that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Windows-based servers has fallen for the last ten months.
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said. | |   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
2 edits | reply to mapics There's a substantial difference between agencies; the NSA are masters at hardening... that's one of their primary assigned, official missions: "InfoSec"... Information security. If the rest of the agencies were required to follow their recommendations, everything would be substantially more secure. But they're not. Every agency decides what they'll do internally, for the most part, outside of the military.
The military, essentially, is under the guidance and direction of NSA, which is, in fact, an agency of DoD, not an independent organization. The CIA is an executive agency; their orders come from the Executive Office of the President; Congress has oversight authority, but in a practical, daily operations sense, CIA reports directly to the National Security Council (no relation whatsoever to NSA) and the EOP. In that daily sense, the DCI is really the person in charge, and really never gets "orders" regarding things as mundane as choosing systems or software...
FBI is a bureau of the Department of Justice, and the Director reports to the Attorney General.
In departments and agencies where security isn't a major mission-critical consideration, it's pretty much the same as any corporation that has to secure systems and data. In agencies and in situations where security is mission critical, it's probably for the most part internally written or contracted. Especially in "brain trusts" filled with tech geek employees like NSA. NSA is pretty much the world's most skilled crypto operation, ever, bar none, for example.
I seriously doubt NSA is using win32 on their deep secure systems. For one thing, it took MS ages just to get C-2 certification from them. C-2 isn't by any means suitable for the highest grade of secure information, top secret and "special compartmentalized." Some of that latter stuff isn't even allowed on magnetic media. What is is often placed on standalone machines inside of vaults, or very small segregated networks (absolutely no outside connections, not even to LAN) -- BSD or hardened Linux would probably be appropriate. I haven't looked at the standards in ages.
The standards are specified by NSA. Theoretically, or more aptly, ideally, those standards should be applied government wide. Practically, they're only enforceable within DoD... however, they apply to all DoD data, facilities and personnel holding security clearance. Including defense contractors. Anyone holding security clearance is required to comply with those standards, and a fast way to lose clearance, and lucrative contracts in the bargain, is to mishandle information and get caught. Charge them 400 bucks for a toilet sink and you're fine; take a top secret drawing of the screws for the toilet seat and store it on a networked, out of box XP machine connected to the internet and you're screwed to a wall.
I'm just rambling sort of aimlessly, quite incomplete and patchwork stuff, here... but the important thing is that there are standards, they do use hardened OS's, Win32 is prevalent, but for super-secret stuff, it's not usually acceptable, at least not OOB and networked. For some applications, nothing's acceptable, at least networked. For a lot of the stuff agencies like NSA and possibly CIA do, win32 is simply not capable of the job... it doesn't run on SGI supercomputers or work efficiently on distributed computing farms. Crypto on the scale NSA does it, for example, simply isn't done on a desktop workstation. It's still heavy iron and white knuckles Unix, in some situations.
... but when you get into the other agencies, like FBI, Treasury, even CIA and Homeland Security, there's a great deal of latitude and internal policy involved. Moreover, missions are different, so applications are different. Knowing the standards and procedures in one agency doesn't automatically make you able to quickly grasp those in another.
PS- of course, OS-X is a good one... it's based on (Free)BSD, which I humbly consider one of the tightest unix variations on the planet, in all its flavors. 
-- Semper Eadem
-"Tewdor Thunder"- | |   Link Logger Premium,MVM join:2001-03-29 Calgary, AB | reply to mapics I know one tool the FBI uses 
Blake | |   toddbs98
join:2000-07-08 North Little Rock, AR clubs:  | Norton Internet Security and ad-aware. | |  astirusty Premium join:2000-12-23 Henderson, NV
·AT&T Southwest
| reply to gwion said by gwion: I seriously doubt NSA is using win32 on their deep secure systems. --- stuff cut ----- BSD or hardened Linux would probably be appropriate. I haven't looked at the standards in ages. --- stuff cut --- For some applications, nothing's acceptable, at least networked. For a lot of the stuff agencies like NSA and possibly CIA do, win32 is simply not capable of the job... it doesn't run on SGI supercomputers or work efficiently on distributed computing farms. Crypto on the scale NSA does it, for example, simply isn't done on a desktop workstation. It's still heavy iron and white knuckles Unix, in some situations. This link may yield a hint to one of the OSs that the NSA uses for secure "heavy iron" computing (actually that is "Big-Iron"): »www.cray.com/products/x1/ | |   major marco Res Firma Mitescere Nescit Premium join:2003-02-13 Stepford, CA clubs:
| reply to mapics said by mapics :What SECURE program do the FBI or police agencies use to store their data or information records? And what secure OS they use too? Do they use Linux, Solaris or would it be custom designed? Hahahahahahah hahahahah hahahahahaha. Sorry. I'm not laughing at you I'm laughing with you. The feds are lucky if they use Win95. -- MFSO.org -ArnoldWatch.org - opensecrets.org -DigitalConsumer.org - FTCR.org - Privacy.org - Adbusters.org - Eff.com - Democraticmedia.org - HealthPrivacy.org - Hacktivismo.com - ClearChannelSucks.org - Epic.org | |   exocet_cm In memory of dadkins Premium join:2003-03-23 New Orleans, LA clubs:  
·Cox HSI
·Suddenlink
·Cingular Wireless
·AT&T Southeast
·Charter Pipeline
1 edit | reply to mapics Louisiana Army National Guard: Windows XP Professional SP1 (not SP2) as of yet. Each state has a domain that the user can log in to or a smart card they can use. After a number of failed attempts the workstation is locked and an administrator is the only person that can unlock it. All local/network activity is monitored (dunno what program/hardware does it) and logged for use.
As for INFOSEC, all passwords are changed VERY frequently. VPN is a BIG deal. No outside software, etc...
Edit: Oh yeah, did I mention security is a BIG deal?!?! EVERYTHING that happens is watched  -- Jesus Rocks!
Future New Orleans Baptist student
Missionary work in Brasil is awesome!!! | |   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
1 edit | reply to mapics Smartcards... right... Fortezza... that's a pretty standardized item. see: »csrc.nist.gov/cryptval/140-1/140···p004.pdf for more info. Here's another interesting page, you might enjoy - »www.nsa.gov/ia/index.cfm
... personally, I've always used the term "heavy" iron (right or wrong, it was what I called the things). I cut my teeth on some monster thing in a clean room in 1977 (8? I forgot), and I always joke that my "first computer" was a PDP 11-44 -- which was by definition neither big nor heavy nor much in the way of iron ... it was really among the first genuinely practical "minicomputers" - I remember that to "mount a disk" you actually "mounted" a disk... that is, you opened a big compartment and pulled out this thing that looked like a cake tray, with the lid and all... and put the disk in the computer, mounted it, and enjoyed the wild thrill of ten megs or more of limitless storage on one platter!!! WOW! That was the early 80's... we also had an IBM 360 in the back room... but I wouldn't go near that dog to save my life. Punch cards were so... so retro-seventies. Excuse me while I freshen up... my bottle of Geritol is showing 
When I worked for Congress, I had another 11-44. Damned popular computer, back then. Actually, two. They were a redundant system, that performed clerical functions for the department. The disk drive units dwarfed the computers, by the way... things looked like small, skinny deep freezers. It was the 80's, and security, aside from user authentication and logging, was virtually non-existent... or, more aptly, we had them LAN'ed, but they were utterly inaccessible outside of the complex. Not that any sane person who didn't have to would actually want to look at the mind-numbing administrative stuff we had on that machine.
PS - by the way... I forgot... I actually used this thing before the monster, in the mid 70's, in school, that you had to give binary instructions to. It wasn't much, but it was a true computer, by definition, and cost a small fortune. Those PDP's had computing power on the order of a 386/486, and cost as much as a new Mercedes does... today... you want to talk quantum leaps, the history of computing's fascinating. -- Semper Eadem
-"Tewdor Thunder"- | |  ghost16825 Use security metrics Premium join:2003-08-26 | reply to mapics NSALinux *ducks* | |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
1 edit | reply to mapics Excellent posts, Gwion; I'm shooting for some more general answers for the OP, however.
In general, for day to day operations at 90% of the government organizations, they use Windows. I am quite sure this isn't the case for the systems with higher security requirements at the NSA and similar organizations. It's my guess that those systems are running a custom-written OS that only exists at the NSA and select other organizations. I wouldn't be surprised if some of the levels in between run an NSA-bastardized Linux with the SELinux enhancements.
As far as firewalls go, I do know that only relatively low security systems can be protected by foreign-owned products. Check Point, for example, cannot be used to protect the most secure networks at the DoD -- simply because Check Point is an Israeli company. My understanding is that some very proprietary, seldom-seen, home-grown firewall technologies are used to protect those networks. -- dmiessler.com - grep understanding knowledge | |   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
| reply to mapics Well, I do know this... the Pentagon was refitted around 1999 by Fore Systems, later Marconi, and employs a pure ATM over fiber LAN - which was a huge project, something akin to wiring a major city. I genuinely don't think their "undernet" is accessible to or from the internet, at all, on a very great scale. I also know that Fortezza, licensed by NSA, is the standard for encryption. That's public information. Now, I'm quite sure there are non-public standards and things we can have no idea of, too, for certain applications.
I'm guessing a lot of the security apps are internal NSA productions, honestly. I know Fortezza was an NSA production, originally. That's what the PCMCIA smartcards are for.
Firewalls and so forth I really have no idea, but I know Tiny used to be a component that was released to the public that was from the "CMDS" (centrally managed desktop security) suite that Tiny used to sell to the Air Force and Navy. The way it worked, essentially, was you had the packet filter, a sandbox, an IDS and some other components, all connecting back to a security server, that ran on an SQL or Oracle backend, and actually controlled and logged everything from the one central point. They could shut down a client machine, rewrite all the rules, -- anything... from the server, with full automation capability, based on what was going on and reporting back, in real time, and it could be done locally, over the internet or via VPN. It could also deny access automatically if it detected tampering or any sort of "mismatch" with the stored profile at login.
I went over a lot of that in the old days of Tiny, but my mind's a little foggy, now. It's all somewhere, I guess, in the ancient pages of BBR - then - DSLR... what they use, now, I couldn't say... -- Semper Eadem
-"Tewdor Thunder"- | |   Heshup Are Those For Me? Premium join:2001-06-20 From hell
| reply to mapics Not going to say what part of the government my girl friend works with, but she did some classes in Jan. & Feb. this year and all the computers and they be the same as she works on with her job has Win 95 & 98. I could not understand how this could be so far behind time. Don't think for one minute because it has government on it, that it be secure.
If one believes that they would let the mainstream know how many times the government systems has been breached, then you would believe any thing.
On the computers that I have seen at her work place's, I have never seen any Security programs and to top it off they on the most part use Dial up to get to the net.
Not saying by any means that they all be like that, cause I know they not be, but................ you figure out just how far this trend would be.
-- Last words are for fools who haven't said enough. | |   Deajl
@algx.net
| reply to mapics It's quite simple. The secured computers are not connected to the WWW. Period.
There are designated hardware firewalled machines, without any resident sensitive/secret data storage, for linking to the Web.
Data is transferred by manual methods, removable media, between the Web computers and the offline, secured, machines. No hardwire links between the two systems.
Doesn't get anymore secure than that.
| |   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
| reply to mapics Right... so long as the media are verified and scanned every time they leave a WAN connected machine and before they're mounted on a segregated, secure machine...  -- Semper Eadem
-"Tewdor Thunder"- | |   Sfer34
@algx.net | Yes - well, of course. That goes without saying.  | |   Spanner intheWorks
@as9105.com
| reply to mapics Hi, On my quest for info in Rootkit Detection Treasure Trove, I found the following interesting articles -
Interview with Rootkit Hunter author Michael Boelen - JK: What do you see for the future of rkhunter? With the advent of SElinux will there still be a need for rkhunter and its kind? - »lwn.net/Articles/104380/ -
Further info on the continuing research project by the National Security Agency's SElinux adventures - »www.nsa.gov/selinux/ - »selinux.sourceforge.net/ -
So yes they do use XP, and IE as well, but the above shows where they might be heading !
Spanner