
Porn-loving US official spreads malware to government network - denzil_correa
https://www.bbc.com/news/technology-46030242
======
jaxtellerSoA
Is this supposed to be shocking to us?

I find it more disgraceful that the Sys Admins of said Federal Agency aren't
using GPOs to block unauthorized USB devices than the fact that an employee
was looking at porn.

------
empath75
I did desktop support for a fed agency in the early 2000s and this was so
absurdly common that it was barely worth remarking about when it happened. I
probably spent half of my day removing malware from people who went to porn
and gambling sites.

The other half was from people who opened email attachments from pretty much
anyone.

~~~
14
Can I ask how you became aware the machine was infected? Does not most
malware hide itself? The way you describe it, it seems like it was easy for you
to know. I consider myself pretty tech savvy but am not sure how I would be aware
if I had malware other than obvious things like page hijacking. Thanks

~~~
mschuster91
> Does not most malware hide itself?

The "cryptolockers" don't, and what also regularly happened in the IE heyday
was that suddenly there were a dozen toolbars in IE and every click anywhere
would trigger another popup window with ads.

~~~
14
Oh man, being old enough to remember those times, I do not miss them. I do not
miss dial-up speeds either.

~~~
mschuster91
At least the toolbars were easy enough to remove...

------
qubax
9000 porn sites? I can understand that if his job involved researching porn.
Otherwise, who has time to visit that many websites at their job? Where does
he find the time to do actual work with his busy porn-viewing schedule?

And most importantly, why is there no mention of termination of employment?
How can someone spend all day at work browsing porn and jeopardize the network
with malware/viruses and still be employed?

~~~
jihadjihad
> How can someone spend all day at work browsing porn and jeopardize the
> network with malware/viruses and still be employed?

After doing some government consulting work, this does not surprise me in the
slightest.

~~~
PopePompous
Actually, when I was a Fed worker, I was told that browsing porn sites was one
of the very few things that could lead to immediate termination, without the
usual Civil Service procedures (which take years to play out).

~~~
lamarpye
The operative word here is "could".

------
hendzen
Ironic that he (or she) worked on a project called Eros.

------
stephengillie
Is the USGS too small to require firewalls that block obviously NSFW websites?
At my workplace, going to such sites brings up a page saying the request was
blocked before it left the corporate network.

~~~
badrabbit
No, you can even do that for your house. Porn is not hard to block.

~~~
yjftsjthsd-h
It is not hard to block _in the trivial case_ ; after that you're playing cat
& mouse and dealing with false positives.

~~~
badrabbit
Not in the trivial case. I meant most porn sites. All you have to do is use a
reputation service and block uncategorized sites. Cisco OpenDNS actually
offers a free DNS resolver that filters out most porn sites.

Also, surprised at the amount of responses on HN today that presume details....

~~~
yjftsjthsd-h
> use a reputation service and block uncategorized sites

This is what I was thinking of when I said "dealing with false positives";
those services make mistakes, and haven't hit every site.

~~~
badrabbit
I don't think anyone aims for perfection but a 90%+ true blocks and less than
5% false would be a high standard.
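
Added example, not from the article or the thread: the reputation-resolver approach badrabbit describes, on a Windows fleet. It points a client (or the AD DNS server's forwarders) at Cisco OpenDNS FamilyShield, the free adult-category filtering resolver, and then checks that the filter is really in the resolution path by comparing answers with an unfiltered resolver; the same check, run over a sample of sites in a pilot, is how you would measure the true-block and false-positive rates discussed above. Assumptions, marked in the code: the interface alias, and `exampleadultsite.com` as OpenDNS's adult-category test name.

```powershell
# Added example (not from the article or the thread). Marked items are
# assumptions. Requires the DnsClient module (Windows 8 / Server 2012 or later).

$FamilyShield = @('208.67.222.123', '208.67.220.123')   # OpenDNS FamilyShield resolvers
$Unfiltered   = '1.1.1.1'                               # comparison resolver, no category filtering
$AdultTest    = 'exampleadultsite.com'   # assumed: OpenDNS's adult-category test name (hosts no content)
$Control      = 'example.com'            # must resolve identically through both resolvers

function Get-ARecords {
    # -DnsOnly skips the hosts file and the local cache so we see the resolver's answer.
    param([string]$Name, [string]$Server)
    $q = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $q.Server = $Server }   # omitted: use the client's configured resolver chain
    try {
        @(Resolve-DnsName @q | Where-Object Type -eq 'A' | ForEach-Object IPAddress | Sort-Object)
    } catch {
        @()   # NXDOMAIN, SERVFAIL or timeout: no answer
    }
}

function Test-DnsFilter {
    # FamilyShield answers a blocked name with its own block-page address, so a
    # non-empty answer that differs from the unfiltered resolver's means "filtered".
    param([string]$Name, [string]$Resolver = $FamilyShield[0])
    $f = Get-ARecords -Name $Name -Server $Resolver
    $u = Get-ARecords -Name $Name -Server $Unfiltered
    $label = if ($Resolver) { $Resolver } else { '(client default)' }
    [pscustomobject]@{
        Name       = $Name
        Resolver   = $label
        Filtered   = ($f -join ',')
        Unfiltered = ($u -join ',')
        Blocked    = ($f.Count -gt 0) -and (($f -join ',') -ne ($u -join ','))
    }
}

# 1. Sanity check straight against the resolver: control must not be blocked, test name must.
Test-DnsFilter -Name $Control
Test-DnsFilter -Name $AdultTest

# 2. Put the resolver in path.
#    Standalone client (interface alias is an assumption):
#      Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $FamilyShield
#    Domain-joined fleet: clients must keep using the AD DNS servers, so set the
#    forwarders on the DNS server role instead (DnsServer module, run on the DC):
#      Set-DnsServerForwarder -IPAddress $FamilyShield -UseRootHint $false

# 3. Re-check end to end through the client's own resolver chain (empty -Resolver).
Test-DnsFilter -Name $AdultTest -Resolver ''
```

Two caveats a practitioner would add: FamilyShield filters fixed categories only, so the "block uncategorized sites" policy needs the dashboard-managed OpenDNS/Umbrella service, where you also see the false positives as users report them; and the check above only proves the sanctioned resolver answers correctly, not that it is the only one reachable, so egress to other port-53 resolvers and browser DNS-over-HTTPS must be blocked separately or the cat-and-mouse round starts at once.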

------
ergothus
What is the reasonable defense against this?

Intercepting firewalls like Bluecoat are notoriously overbroad (and arguably
open up MITM attacks on HTTPS). Desktop/laptop malware scanners notoriously
use up CPU at Murphically inconvenient moments.

Educating users is great, but attacks are getting sophisticated and it only
takes one mistake.

Absent great intrusion detection, which I assume is not trivial, once that
mistake is made, you have big problems. What is a realistic approach?

~~~
totony
https://en.wikipedia.org/wiki/Principle_of_least_privilege

- Using a good OS (e.g. Linux w/ SELinux)

- Not giving admin access

- Block non-authorized peripherals

- Lock down network

You don't have to educate users if they can't make mistakes.
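
Added example, not part of the thread: a read-only audit of the three Windows-applicable items in the list above (no admin access, blocked peripherals, locked-down network) for one workstation, returning findings as objects so it can feed a fleet-wide report. The expected-admins list is an assumption to adjust per site; the SELinux item is Linux-side and not covered here.

```powershell
# Added example (not from the article or the thread). Run elevated.
# Requires the LocalAccounts and NetSecurity modules (Windows 10 / Server 2016+).

function Get-LeastPrivilegeFindings {
    param(
        # Principals that may sit in the local Administrators group (assumed list).
        [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
    }

    # 1. "Not giving admin access": who is actually in the local Administrators group?
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { ($_.Name -split '\\')[-1] })   # strip DOMAIN\ or HOST\ prefix
    $extra = @($admins | Where-Object { $_ -notin $ExpectedAdmins })
    if ($extra.Count) { Add-Finding 'Local admin rights' 'FAIL' ('Unexpected members: ' + ($extra -join ', ')) }
    else              { Add-Finding 'Local admin rights' 'PASS' ('Members: ' + ($admins -join ', ')) }

    # 2. "Block non-authorized peripherals": the Removable Storage Access policy values a
    #    GPO writes. The GUID is the Removable Disks device setup class.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $disk    = "$policy\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    $denyAll = (Get-ItemProperty -Path $policy -Name Deny_All     -ErrorAction SilentlyContinue).Deny_All
    $denyExe = (Get-ItemProperty -Path $disk   -Name Deny_Execute -ErrorAction SilentlyContinue).Deny_Execute
    $denyWr  = (Get-ItemProperty -Path $disk   -Name Deny_Write   -ErrorAction SilentlyContinue).Deny_Write
    if ($denyAll -eq 1)     { Add-Finding 'Removable storage' 'PASS' 'All removable storage classes denied' }
    elseif ($denyExe -eq 1) { Add-Finding 'Removable storage' 'PASS' ('Execute denied on removable disks; write denied: ' + ($denyWr -eq 1)) }
    else                    { Add-Finding 'Removable storage' 'FAIL' 'No Removable Storage Access policy in effect' }

    # 3. "Lock down network": host firewall on for every profile, no inbound default Allow.
    $weak = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' })
    if ($weak.Count) { Add-Finding 'Host firewall' 'FAIL' ('Weak profiles: ' + (($weak | ForEach-Object Name) -join ', ')) }
    else             { Add-Finding 'Host firewall' 'PASS' 'Enabled on all profiles, inbound default not Allow' }

    return $findings
}

# Usage: print the report; in a config-management hook, fail the run on any FAIL.
$report = Get-LeastPrivilegeFindings
$report | Format-Table -AutoSize
# if ($report | Where-Object Status -eq 'FAIL') { exit 1 }
```

The audit deliberately reads the policy registry values rather than trusting `gpresult`: a value that is missing on the endpoint is missing whatever the GPO report says, which is exactly the gap the thread is complaining about.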

------
Bucephalus355
What would be the solution to this in the future? As cybersecurity gets more
and more serious, should we be essentially putting what would have been
considered a decent corporate server in terms of speed/power 7 years before in
front of every user?

Maybe Desktop-as-a-Service like with AWS Workspaces?

Or locked down, highly controlled devices like Chromebooks or a yet to be
released Windowsbook?

------
badrabbit
"An IT policy that prevents USB use should be implemented, the US Department
of the Interior suggested."

...seriously? They want to make life harder for people that have legitimate
USB mass storage needs because of this?

Do they have a DLP solution? DLP software can restrict what gets copied to and
from a drive. Software restriction policies can be pushed to prevent execution
from removable drives. Mind you, they said an "IT policy" meaning a rule that
punishes anyone who uses a USB drive. This is the equivalent of your house
getting broken into and your response is to have a rule that punishes people
for leaving the door unlocked instead of getting a home security system.

Also, why is this a bbc news story?
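
Added example, not from the article or the thread: the granular controls badrabbit describes above, as one configurable policy. Part 1 is the Removable Storage Access policy a GPO carries (read-only, no-execute, blanket deny, or allow for the departments that must accept media), written to the local policy hive here; in a domain the same values go into a GPO with `Set-GPRegistryValue`. Part 2 uses AppLocker in place of classic Software Restriction Policies, which have no removable-media path variable, to deny running executables from USB and optical media. Rule GUIDs are generated, the temp file name is an assumption, and the whole thing must run elevated.

```powershell
# Added example (not from the article or the thread). Run elevated; needs the
# AppLocker module (Windows Enterprise/Education or Server for enforcement).

$Policy        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisk = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class: Removable Disks

function Set-RemovableDiskPolicy {
    # DenyAll  : every removable storage class blocked (the blanket ban)
    # ReadOnly : read allowed, write and execute denied (DLP-style: nothing leaves, nothing runs)
    # NoExecute: read/write allowed, execute denied (the minimum against the article's scenario)
    # Allow    : clear the policy for departments that must accept media from outsiders
    param([ValidateSet('DenyAll', 'ReadOnly', 'NoExecute', 'Allow')][string]$Mode)

    foreach ($key in $Policy, "$Policy\$RemovableDisk") {
        if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    }
    # Clear previous values so that modes do not accumulate.
    Remove-ItemProperty -Path $Policy -Name Deny_All -ErrorAction SilentlyContinue
    foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Remove-ItemProperty -Path "$Policy\$RemovableDisk" -Name $v -ErrorAction SilentlyContinue
    }
    switch ($Mode) {
        'DenyAll'   { Set-ItemProperty -Path $Policy -Name Deny_All -Type DWord -Value 1 }
        'ReadOnly'  { foreach ($v in 'Deny_Write', 'Deny_Execute') {
                          Set-ItemProperty -Path "$Policy\$RemovableDisk" -Name $v -Type DWord -Value 1 } }
        'NoExecute' { Set-ItemProperty -Path "$Policy\$RemovableDisk" -Name Deny_Execute -Type DWord -Value 1 }
        'Allow'     { }
    }
}

function New-UsbExecDenyPolicy {
    # AppLocker Exe collection: deny everyone running executables from hot-pluggable
    # media (%HOT%, e.g. USB sticks) and removable media (%REMOVABLE%, e.g. DVD), plus
    # the standard allow rules, because a collection with any rule in it denies
    # everything not explicitly allowed. Deny rules win over allow rules, so the
    # administrators' allow-all does not undo the media deny.
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Enforcement = 'AuditOnly')
    $everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Enforcement">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny exe on hot-pluggable media" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%HOT%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny exe on removable media" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%REMOVABLE%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everywhere" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Apply. Start in AuditOnly and read the "AppLocker/EXE and DLL" event log for a
# week before switching to Enabled; that is where the business impact shows up.
$xmlPath = Join-Path $env:TEMP 'removable-media-applocker.xml'   # assumed temp location
New-UsbExecDenyPolicy -Enforcement AuditOnly | Set-Content -Path $xmlPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
sc.exe config appidsvc start= auto      # Application Identity service must run for AppLocker
sc.exe start appidsvc
Set-RemovableDiskPolicy -Mode ReadOnly  # read allowed, nothing written, nothing executed
gpupdate.exe /force
```

Before enforcing, `Test-AppLockerPolicy -XmlPolicy $xmlPath -Path <file on a mounted stick> -User Everyone` shows the decision for a real file. Note the side effect of the allow rules: a standard user who copies the executable off the stick into their profile is still blocked, since nothing under `%OSDRIVE%\Users` is allowed, which is the part plain "deny execute on removable disks" cannot give you.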

~~~
totony
For most enterprises, removable storage is a liability, e.g. IP theft, IP
mismanagement, loss, security

There are better ways to handle file sharing than removable storage if an
employee needs it

~~~
badrabbit
And it's the security team's job to assess the security needs of the business
and apply policies. If the entire business has a data loss risk then sure a
blanket ban makes sense.

I disagree with what you said in that I believe "most businesses" need
granular security policies that should be applied for specific departments.

There may be better ways of handling files but say you're a news corp and
sources give you data over USB or a fashion company that has freelancers walk
into your locations in person to hand in photoshoots and large CAD files. The
restriction would have an impact both to users and to the business.

For example, I worked at a company where specific departments were not
restricted from accessing any website due to the possible business impact of
them not being able to reach a required site.

------
igotsideas
Who saves porn on a usb in 2018 tho

~~~
dsfyu404ed
People who hate waiting for their 1080p video to buffer every time they want
to skip around?

~~~
igotsideas
good point. The story said they were saving photos. Maybe the site of choice
didn’t optimize their photos for performance?

