
DoD Takes Criticism From Security Experts On Cyberwar Incident

wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
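The mitigation the summary mentions, disabling autorun, comes down to a registry policy bitmask and to what an autorun.inf on the inserted drive asks Windows to launch. The following is an added example, not code from the submitter, Sophos or Symantec: it interprets the NoDriveTypeAutoRun policy value and parses a constructed autorun.inf to show whether a host in that state would run code on insertion. Reading the registry value itself is assumed to be done separately (e.g. with reg query or Get-ItemProperty).

```python
# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.
# A set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB flash drives, the vector described in the summary
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
DISABLE_ALL = 0xFF      # the hardened value
XP_DEFAULT = 0x91       # Windows XP default: removable drives still autorun

def autorun_enabled_types(policy_value):
    """Return the drive types on which AutoRun is still enabled for this policy value."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not policy_value & bit]

def parse_autorun_inf(text):
    """Minimal INI-style parser for autorun.inf; junk lines are ignored, as Windows ignores them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text):
    """Return the (key, value) entries in [autorun] that launch a program on insertion or AutoPlay."""
    entries = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]

def assess(policy_value, inf_text):
    """Combine both checks: removable AutoRun still on AND the drive asks to run something."""
    enabled = autorun_enabled_types(policy_value)
    targets = launch_targets(inf_text)
    return {"autorun_enabled_on": enabled, "launch_targets": targets,
            "exposed": "removable" in enabled and bool(targets)}

# Constructed sample in the style of autorun-spreading worms; not a real agent.btz file.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; icon entries are harmless, the open/shell entries are what runs code
icon=drive.ico
open=setup.exe
shell\open\command=setup.exe
shell\explore\command=setup.exe
"""
```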
  • lulz (Score:1, Insightful)

    by Anonymous Coward on Saturday September 04, 2010 @07:05PM (#33477982)

    Military runs Windows without disabling autorun. Now that's egg on your face...

  • by HungryHobo ( 1314109 ) on Saturday September 04, 2010 @07:16PM (#33478022)

    on military systems.

    And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.

    They went with the latter.

  • by antifoidulus ( 807088 ) on Saturday September 04, 2010 @07:32PM (#33478090) Homepage Journal
    How about just getting rid of the main attack vector (Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are. And yet Windows is the most attacked (even if you scale the # of attacks to its market share), most easily defeated OS out there. Hell, even Google banned Windows after it got hacked (via Windows, what else!).
  • by notjustchalk ( 1743368 ) on Saturday September 04, 2010 @07:37PM (#33478106)

    Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any governmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the bogeyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.

    In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?

    PS. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc.), which have been frequent fear mongers themselves, are calling the military on fear mongering.

  • Say It Ain't So (Score:5, Insightful)

    by SilverHatHacker ( 1381259 ) on Saturday September 04, 2010 @07:41PM (#33478132)
    Wait, are you saying a government agency might have lied, appealing to the general public's lack of knowledge in the area of computers and using a buzzword-filled report to justify an application of force? I find that hard to believe.
  • by gilesjuk ( 604902 ) <<giles.jones> <at> <zen.co.uk>> on Saturday September 04, 2010 @07:51PM (#33478166)

    Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.

    I think the US military are hinting along these lines.

  • by sampas ( 256178 ) on Saturday September 04, 2010 @07:55PM (#33478186)
    This is another yellowcake [wikipedia.org] tale -- ginned up to scare Congress into giving DoD the Internet "kill switch" in case of "national emergency" -- like Wikileaks. Most of this is in response to the less-than-credible story in Foreign Affairs: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain [foreignaffairs.com]. Now our own government wishes they could do what China and Iran can -- shut down the Internet at will when there's something on there that they don't like. Does the military even read the Constitution they swear to uphold?
  • by icebike ( 68054 ) on Saturday September 04, 2010 @07:56PM (#33478190)

    You assume they fucked up.

    Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.

    How you administer an injection matters a lot less than what was in the syringe.

    Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run. To simply state that some minor setting in Windows would have prevented this is naive.

    The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.

  • Go figure (Score:3, Insightful)

    by ralphdaugherty ( 225648 ) <ralph@ee.net> on Saturday September 04, 2010 @08:02PM (#33478230) Homepage

    I would be surprised if the secret forensics information is anything more than the malware has Russian roots.

    Just because malware is written by Russian crackers doesn't make it a Russian government attack.

    rd

  • by hedwards ( 940851 ) on Saturday September 04, 2010 @08:21PM (#33478318)
    Unfortunately, rather than fixing the problem, I fear that's the "fix" we're going to get. There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice, however none of them are as easy or practical as simply restricting the kill switch to separating the military and emergency infrastructure from the net. Although the stupid thing there is that they probably shouldn't be directly on the internet in the first place.

    The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.
  • by antifoidulus ( 807088 ) on Saturday September 04, 2010 @08:33PM (#33478400) Homepage Journal
    And yet it gets hacked. It crashes constantly, it constantly needs virus updates etc. And yet there are HUGE security holes (before 2008 or so you couldn't actually totally disable autorun in Microsoft) but they are just given a pass. The scrutiny applied to Windows is nothing compared to the amount applied to Linux because, and this is DoD policy, "Linux is open source and thus 'untrusted'". The level of logging required for Linux is insane and yet they really don't require the same level from Windows because you CANNOT log that much in Windows. Hosts.deny is required for Linux but no equivalent for Windows. nosuid has to be applied to every non-root drive for Linux, again nothing even close for Windows because Windows is simply incapable of such security. They allow NTLMv2 despite the fact that it is a proprietary protocol and thus incredibly insecure. Why? Because it's really difficult to get Windows (esp. XP, which is still allowed) to authenticate with open, cryptographically secure protocols. They allow local and network users a lot more privileges on machines because it's impossible to actually get Windows operating smoothly without those privileges. The list goes on.

    Quite simply put, Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings, the DoD just brushes Windows' shortcomings aside (largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD? I'm not. If I was I would be cheering their use of Windows. If there is a cyber-war, I want my country to win, which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.
  • by Lord_Frederick ( 642312 ) on Saturday September 04, 2010 @08:36PM (#33478408)

    DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured doesn't mean it gets configured that way in the field. Military IT is just like social issues: the only area not being neglected and starved of resources is the last area to have a major shitstorm.

  • by davester666 ( 731373 ) on Saturday September 04, 2010 @09:35PM (#33478784) Journal

    By 'fucked up', he meant that they had installed Windows (any version) on pretty much all their computers.

  • by drolli ( 522659 ) on Saturday September 04, 2010 @09:49PM (#33478868) Journal

    Virus writers update their viruses 100 times faster than the military its rules. I would not wonder if the rules effective at that moment were 10 years old (or just minor revisions - like fixing security holes already being exploited). I work in a very large company, and each time I try to report a security problem I observe, I am being told the IT department is responsible and it's not my job - and nothing changes. I assume in the military it's the same problem but worse; maybe you even go to jail because you figured something out.

  • by icebike ( 68054 ) on Saturday September 04, 2010 @10:15PM (#33479012)

    You made that up.

    That fact is not in evidence. It's not in the stories linked to this article. It's merely speculation by people here so they can thump their chests and sound like they know something.

  • by codepunk ( 167897 ) on Sunday September 05, 2010 @12:28AM (#33479618)

    I have been out of the military for quite some time but I don't see how your suggestions would help the matter anyhow. Sure there are some talented enlisted people that would be more than capable of handling the situation, but the military command structure is not designed for that. Anyone worth a squat is not going to be doing anything more meaningful than cleaning a tank with a toothbrush. DOD contractors are no better; they work for the govt because no one else wants them.

  • by Anonymous Coward on Sunday September 05, 2010 @02:30AM (#33480014)

    They're not exaggerating either the sophistication or the impact; that's just the thing. They fully admit it was a bullshit vector they should have been prepared for, and they fully admit it took them over a year to manage a response. Read the quotes in the article, they sound downright embarrassed. Shamefaced, in fact. The general saying it took months just to get a count of computers? They're not trying to avoid looking like fools, they're shouting, "What fools we were!"

    I find your explanation entirely reasonable. In fact, it's precisely what I believe happened. But the fact that it was a simple autorun exploit which administrative incompetence let spread hither and yon doesn't mean the payload wasn't trying to funnel data to someone. Most malware does nowadays, after all. It's pretty clear the Pentagon thinks--or at least wants us to believe--that whatever this virus sent home went to a foreign power. If they wanted to save face, they'd never admit that.

    I'm not giving the Pentagon credit, per se. (I do give them credit for admitting such a colossal fuckup, though.) I'm saying that their story is entirely believable and that the detraction of the security experts boils down to, "But foreign spies would never stoop to that!"

  • by quanticle ( 843097 ) on Sunday September 05, 2010 @12:28PM (#33481834) Homepage

    What damage? What stolen files? The military has said nothing about files being stolen. From the article:

        The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.

        But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

    No mention of any files stolen. All the article says is that it took the military 14 months to clean the worm off its network. Given the size of the military's network, the level of bureaucracy involved in administrating it, and the incompetence of said bureaucrats, I don't find this to be a surprising figure at all. It doesn't speak to the sophistication of the attack. It highlights the lack of sophistication in the military's network administration skills.
