DoD Takes Criticism From Security Experts On Cyberwar Incident 116
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
easily defeated, only if you disable the vector (Score:5, Informative)
But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.
What we'd heard... (Score:5, Informative)
Where I am, is a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.
Two vectors were talked about.
Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.
Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.
Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.
Re:easily defeated, only if you disable the vector (Score:4, Informative)
How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.
[citation needed]
Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.
You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.
But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.
Re:easily defeated, only if you disable the vector (Score:5, Informative)
But beyond that because most of the individuals with knowledge of securing computer systems are younger and lower in rank, it can be kind of a toughy actually getting proper orders and resources to secure things. Or at least I assume that's what happened, it's the only explanation I can think of that's even halfway plausible that doesn't involve outright treason.
Re:They fucked up something really really basic (Score:3, Informative)
But you are assuming facts not yet proven.
1) that it was in fact the commonly found version of this worm that was used rather than a specially crafted one
2) that it required auto-run to do what it was designed to do.
3) that auto-run was in fact still on in the subject machine
It's not a pretty picture (Score:0, Informative)
Firstly, I have direct exposure and knowledge of the state of IA affairs in the DoD/IC world. Very direct. At an extremely senior level. This is a world of dysfunction that you cannot, I promise you, imagine. A world where the Gov hires contractors for insurance (so that they have someone to blame) and is unable to even so much as make a decision without pushing it all the way to the top of the agency/directorate/branch. A world where every vendor that peddles any product with "Cyber" or "Cloud" in the name can rest assured that they'll sell an enterprise license. A world where best practices are forever short-circuited in the name of 'emergent mission need'. There is an almost underworld movement amongst those technologists that understand this whereby Open Source solutions are being sneaked in the back door in the name of "research lab product". The USB problem is already solved (see HBSS Device Control) and the real issue was already solvable (via both a registry hack to disable USB storage devices and the auto-play disabling) but the retards at the top couldn't make a decision to move forward with it because, "What if it disables a keyboard, mouse or CAC reader". Idiots. The Government breeds them internally. No one worth their salt wants to be a Govvie. The pay sucks, the politics is unbearable and the future is bleak. Because of this it attracts dimwits who hire others like them, only dumber so that they don't threaten their 'stature'. The net result is Agencies full of semi-retarded morons who never leave, never get fired and keep getting promoted because the system's wired that way. We're doomed, I assure you.
A Sysadmin's Lamentation... (Score:5, Informative)
I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)
Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.
The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.
Many people did both their office work and home use on the same computers, as the situation demanded.
While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.
We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.
We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.
Things that would help defend against this in the future:
Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.
If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.
NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)
Re:easily defeated, only if you disable the vector (Score:5, Informative)
Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.
See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf [disa.mil] (search for Linux) for examples.
Re:lulz (Score:3, Informative)
Citation
http://www.mysanantonio.com/business/local/kci_working_to_contain_employee_data_breach_102106769.html [mysanantonio.com]
Re:easily defeated, only if you disable the vector (Score:1, Informative)
Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.
You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.
But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.
Most of the time it's a standard version of Windows that's been locked down according to the STIG (Secure Technical Implementation Guide). There are STIGs for UNIX, web servers, network devices, etc. There is no magic "custom install of windows...special build" blah blah blah ... because if there were, we would be using it at our office.
Re:easily defeated, only if you disable the vector (Score:4, Informative)
(1) There are positive aspects of OSS that should be considered when conducting market research on software for DoD use, such as:
(i) The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.
(ii) The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.
(iii) Relianceonaparticularsoftwaredeveloperorvendorduetoproprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.
(iv) Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.
(v) Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance. (vi) By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., GOTS). (vii) OSS is particularly suitable for rapid prototyping and experimentation, where the ability to "test drive" the software with minimal costs and administrative delays can be important.
(2) While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.
. .
Re:A Sysadmin's Lamentation... (Score:4, Informative)
Actually the solution to this is training your enlisted troops how to handle this. I was in Iraq when this went down, as a network admin for a grunt unit. The problem went away when we burned 10 CD's with AV that cleaned it (the most recent definitions from Symantec did NOT do this until almost 4 months later, making government computers completely open) and training 2 Marines per company on how to help their users. Within a week we had controlled the issue.
i work for an agency under DoD... (Score:5, Informative)
...and was actually discussing the switch from Windows to Linux with couple friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.
I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.
Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.
I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.
Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)
They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.
DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch [wirelessautoswitch.com] that'll do the job and it's dirt cheap, though.
But I digress.