Mike Levine and Justin Fishel report yet more vulnerabilities in government databases in “Security Gaps Found in Massive Visa Database.”
From the post:
Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter -- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added.
That sounds serious so I was doing due diligence, ho-humming through the report when I ran across this explanation for why this isn’t serious:
…
CCD allows authorized users to submit notes and recommendations directly into applicants’ files. But to alter visa applications or other visa-related information, hackers would have to obtain “the right level of permissions” within the system -- no easy task, according to State Department officials.
…
Hmmmm, ‘…”the right level of permissions” within the system…’
I’m sorry, do they mean like root? 😉
Levine and Fishel aren’t specific about the vulnerabilities, but there are public reports to point you in the right direction:
Audit of Department of State Information Security Program
November 2012 https://oig.state.gov/system/files/202261.pdf
November 2013 https://oig.state.gov/system/files/220933.pdf
October 2014 https://oig.state.gov/system/files/aud-it-15-17.pdf
November 2015 https://oig.state.gov/system/files/aud-it-16-16.pdf
Management Assistance Report: Department of State Incident Response and Reporting Program
February 2016 https://oig.state.gov/system/files/aud-it-16-26.pdf
Because the reports are redacted, you will have to work backwards from FISMA, OMB, and NIST requirements and from vulnerabilities discovered in other governmental systems.
The sort of mosaic work at which topic maps excel.
As far as ISIS hacking the visa system, you can imagine the conversation at ISIS HQ:
Speaker 1: I want to volunteer for mission X in the United States.
Speaker 2: Do you have a valid US Visa?
Speaker 1: No, it was denied.
Speaker 2: Sorry, this mission is for holders of valid US visas only. Apply for another mission.
Right. Speaker 1 is volunteering for a mission that may result in the deaths of hundreds, possibly even themselves, but they are stopped from visiting the US for lack of a valid visa.
Does that strike you as an odd juxtaposition of concerns?
If you can’t think of non-visa controlled ways to enter the United States, you are too dumb to be a jihadist or to be defending against them.