DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, SillyFDC was rated as Risk Level 1: Very Low, by security firm Symantec."
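The two mitigations the summary names (turn off AutoRun, or ban thumb drives altogether) are both a single registry policy on Windows. The script below is an added example, not code from the article or from anyone in this thread; it applies both controls on one host and then reads them back to confirm. The registry paths and values are the documented ones: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, and setting the USBSTOR service's Start value to 4 keeps the USB mass-storage driver from loading. The function names are my own.

```powershell
# Added example (not from the article or the Slashdot thread): harden a Windows host
# against the removable-media AutoRun vector, then verify the settings took effect.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-AutoRun {
    # The policy key does not exist on a fresh install; create it before writing.
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    # 0xFF = bit set for every drive type, so no drive gets AutoRun.
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Disable-UsbStorage {
    # Start = 4 (SERVICE_DISABLED): the USB mass-storage driver never loads,
    # so thumb drives are not mounted at all. Keyboards and mice are unaffected.
    Set-ItemProperty -Path $UsbStor -Name 'Start' -Value 4 -Type DWord
}

function Test-AutoRunHardening {
    # Read both values back; a missing value comes out as $null, which fails the check.
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usb     = (Get-ItemProperty -Path $UsbStor -Name 'Start' -ErrorAction SilentlyContinue).Start
    [PSCustomObject]@{
        NoDriveTypeAutoRun = $autorun
        UsbStorStart       = $usb
        Hardened           = ($autorun -eq 0xFF) -and ($usb -eq 4)
    }
}

Disable-AutoRun
Disable-UsbStorage
Test-AutoRunHardening
```

Two caveats worth knowing when reading the 2008 story: on Windows XP and Server 2003 the NoDriveTypeAutoRun value was not reliably honoured until the update described in Microsoft KB967715 was installed, so a host could carry the "right" policy and still run autorun.inf; and on a domain-joined machine a Group Policy refresh will overwrite whatever the script wrote, so the setting belongs in the domain policy, with this script used only to verify it landed.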
lulz (Score:1, Insightful)
Military runs Windows without disabling autorun. Now that's egg on your face...
They fucked up something really really basic (Score:5, Insightful)
on military systems.
And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.
They went with the latter.
Re:easily defeated, only if you disable the vector (Score:3, Insightful)
Just another vector for funding... (Score:5, Insightful)
Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any governmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the bogeyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.
In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?
PS. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc.), which have been frequent fearmongers themselves, are calling the military on fearmongering.
Say It Ain't So (Score:5, Insightful)
The next doomsday weapon (Score:4, Insightful)
Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.
I think the US military are hinting along these lines.
Re:Was the threat real? (Score:5, Insightful)
Re:They fucked up something really really basic (Score:4, Insightful)
You assume they fucked up.
Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.
How you administer an injection matters a lot less than what was in the syringe.
Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run. To simply state that some minor setting in windows would have prevented this is naive.
The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.
Go figure (Score:3, Insightful)
I would be surprised if the secret forensics information is anything more than the malware has Russian roots.
Just because malware is written by Russian crackers doesn't make it a Russian government attack.
Re:Was the threat real? (Score:4, Insightful)
The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.
Re:easily defeated, only if you disable the vector (Score:5, Insightful)
Quite simply put, Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings, the DoD just brushes Windows' shortcomings aside (largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows, and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD; I'm not. If I were, I would be cheering their use of Windows. If there is a cyber-war, I want my country to win, which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.
Re:easily defeated, only if you disable the vector (Score:4, Insightful)
DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured doesn't mean it gets configured that way in the field. Military IT is just like social issues: the only area not being neglected and starved of resources is the last area to have a major shitstorm.
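The gap this comment describes, a published configuration guide versus what the fleet actually runs, is a measurable thing: read each prescribed value off the host and compare it with the guide. The script below is an added example, not from the thread or from any NSA or DoD guide; the three-entry baseline is constructed for illustration (the AutoRun, USBSTOR and LimitBlankPasswordUse values are real registry settings, but a real baseline would be lifted from the organisation's own guide), and the function name is my own.

```powershell
# Added example (not from the thread): audit a host against a configuration baseline
# and report drift. Each entry says where the value lives and what it should be.
# The baseline below is constructed for this example.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';    Expected = 0xFF }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR';                  Name = 'Start';                 Expected = 4 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LimitBlankPasswordUse'; Expected = 1 }
)

function Get-ConfigDrift {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        # $null means the key or value is absent, which counts as non-compliant.
        $actual = $null
        if (Test-Path $item.Path) {
            $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($item.Name) }
        }
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Setting      = "$($item.Path)\$($item.Name)"
            Expected     = $item.Expected
            Actual       = $actual
            Compliant    = ($actual -eq $item.Expected)
        }
    }
}

# Show only the settings that drifted; an empty table means the host matches the guide.
Get-ConfigDrift -Baseline $Baseline |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Run locally it answers the question for one box; wrapped in Invoke-Command -ComputerName against a list of hosts it gives the per-machine count this comment says nobody had, and a scheduled run that exits non-zero when drift is found turns a one-off audit into a standing check.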
Re:They fucked up something really really basic (Score:1, Insightful)
By 'fucked up', he meant that they had installed Windows (any version) on pretty much all their computers.
The Problem behind: (Score:4, Insightful)
Virus writers update their viruses 100 times faster than the military updates its rules. I would not be surprised if the rules in effect at that moment were 10 years old (or just minor revisions, like fixing security holes already being exploited). I work in a very large company, and each time I try to report a security problem I observe, I am told the IT department is responsible and it's not my job, and nothing changes. I assume in the military it's the same problem but worse; maybe you even go to jail because you figured something out.
Re:easily defeated, only if you disable the vector (Score:3, Insightful)
You made that up.
That fact is not in evidence. It's not in the stories linked to this article. It's merely speculation by people here so they can thump their chests and sound like they know something.
Re:A Sysadmin's Lamentation... (Score:3, Insightful)
I have been out of the military for quite some time, but I don't see how your suggestions would help the matter anyhow. Sure, there are some talented enlisted people that would be more than capable of handling the situation, but the military command structure is not designed for that. Anyone worth a squat is not going to be doing anything more meaningful than cleaning a tank with a toothbrush. DOD contractors are no better; they work for the govt because no one else wants them.
Re:The Article Doesn't Make a Good Case (Score:2, Insightful)
They're not exaggerating either the sophistication or the impact; that's just the thing. They fully admit it was a bullshit vector they should have been prepared for, and they fully admit it took them over a year to manage a response. Read the quotes in the article, they sound downright embarrassed. Shamefaced, in fact. The general saying it took months just to get a count of computers? They're not trying to avoid looking like fools, they're shouting, "What fools we were!"
I find your explanation entirely reasonable. In fact, it's precisely what I believe happened. But the fact that it was a simple autorun exploit which administrative incompetence let spread hither and yon doesn't mean the payload wasn't trying to funnel data to someone. Most malware does nowadays, after all. It's pretty clear the Pentagon thinks--or at least wants us to believe--that whatever this virus sent home went to a foreign power. If they wanted to save face, they'd never admit that.
I'm not giving the Pentagon credit, per se. (I do give them credit for admitting such a colossal fuckup, though.) I'm saying that their story is entirely believable and that the detraction of the security experts boils down to, "But foreign spies would never stoop to that!"
Re:They fucked up something really really basic (Score:3, Insightful)
What damage? What stolen files? The military has said nothing about files being stolen. From the article:
The worm, dubbed agent.btz, caused the military's network administrators major headaches. It took the Pentagon nearly 14 months of stop-and-go effort to clean out the worm, a process the military called "Operation Buckshot Yankee." The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces' information defenses, including the creation of the military's new Cyber Command.
But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government, despite ongoing talk that the Russians were behind it.
No mention of any files stolen. All the article says is that it took the military 14 months to clean the worm off its network. Given the size of the military's network, the level of bureaucracy involved in administrating it, and the incompetence of said bureaucrats, I don't find this to be a surprising figure at all. It doesn't speak to the sophistication of the attack. It highlights the lack of sophistication in the military's network administration skills.