DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, SillyFDC was rated as Risk Level 1: Very Low, by security firm Symantec."
The Article Doesn't Make a Good Case (Score:2, Interesting)
The only thing the article really provides to dispute the Pentagon's account is that the worm is simple and common.
But then it goes on to mention that while common, its payload is configurable. And the soldier quoted at the end of the article point blank says that it was the outsized effect (14 months of cleanup and lost data) compared to the simplicity of the vector that freaked them out so badly.
Shit, all the military really needs is some logs showing where the thing was sending data and it gets a pretty solid idea of what's going on. And they hinted that there was something to the circumstances where the worm initially entered the system...
Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.
Was the threat real? (Score:4, Interesting)
As the SecurityWeek article suggests, this sounds like the lies the military told about the Gulf of Tonkin Incident [fair.org].
Falcon
Another patch in the submarine's screen doors (Score:2, Interesting)
Two words: Bradley Manning (Score:5, Interesting)
Instead, we get this implausible thumb drive scenario. And guess what, instead of applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...
-- Loaurnkoz
Re:Another patch in the submarine's screen doors (Score:2, Interesting)
Re:The Article Doesn't Make a Good Case (Score:1, Interesting)
Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.
The implication was that it was a sophisticated attack. The attack vector was autorun. Consider this, my first computer was a Win95 box bought second hand when someone upgraded to 98. I used to buy computer magazines and use the included disks, which would use autorun to change my browser home page, so I learned to disable autorun.
So if I, as a computer newb with no training, can work out how to disable this attack vector 10 years before it was used to attack Pentagon systems, then the Pentagon cannot have placed system security as any type of a priority at all. They haven't even thought about it. IMO there should be a lot of people fired over this and permanently banned from any government IT security work. There were people being paid to secure those systems and they were sleeping on the job. Such sloppy work done by combat personnel, if it didn't result in their deaths, would probably warrant a dishonourable discharge or prison time for being AWOL.
Re:easily defeated, only if you disable the vector (Score:4, Interesting)
But in 2007, that wasn't the case. Autorun was usually on, and thumb drives were not banned.
And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.
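An added audit script, not from the thread, that checks the two things this comment turns on: whether the NoDriveTypeAutoRun policy is set to cover every drive type, and whether the HonorAutorunSetting marker that Microsoft's AutoRun update (KB967715) writes is present, since without that update the policy value was not reliably honored. It assumes the Microsoft-documented registry paths and value names and an account that can read HKLM.

```powershell
# Added example (not from the thread): audit whether AutoRun is really off.
# Assumes the policy key paths and value names documented by Microsoft.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value absent
    }
}

function Test-AutoRunDisabled {
    $findings = @()

    # 0xFF disables AutoRun for every drive type, removable drives included.
    # The machine-wide (HKLM) policy takes precedence over the user's (HKCU).
    $hklm = Get-RegDword $policyPaths[0] 'NoDriveTypeAutoRun'
    $hkcu = Get-RegDword $policyPaths[1] 'NoDriveTypeAutoRun'
    $effective = if ($null -ne $hklm) { $hklm } else { $hkcu }
    if ($null -eq $effective) {
        $findings += 'NoDriveTypeAutoRun not set: AutoRun is at the OS default.'
    } elseif (($effective -band 0xFF) -ne 0xFF) {
        $findings += ('NoDriveTypeAutoRun=0x{0:X2}: some drive types still AutoRun.' -f $effective)
    }

    # Before the AutoRun update the policy value was not honored consistently;
    # the update records HonorAutorunSetting=1 under the HKLM policy key.
    $honor = Get-RegDword $policyPaths[0] 'HonorAutorunSetting'
    if ($honor -ne 1) {
        $findings += 'HonorAutorunSetting missing: AutoRun update not applied, policy may be ignored.'
    }

    if ($findings.Count -eq 0) { return 'PASS: AutoRun disabled and enforced.' }
    return $findings
}

Test-AutoRunDisabled
```

Run it as part of a baseline check across hosts; any line other than PASS means a removable drive can still launch code on insertion.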
Re:lulz (Score:4, Interesting)
Where I work, someone inadvertently emailed a spreadsheet of the 3000+ employees' social security numbers, addresses, salaries, and dates of birth.
Their solution was to disable access to our personal email so that no one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.
The funny part is that I just plugged in my USB drive and Windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.
And I work at a "HIPAA compliant" medical equipment company.
Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.
Re:The Article Doesn't Make a Good Case (Score:3, Interesting)
Your explanation gives the Pentagon a lot of benefit. In my view, it's equally likely that these government officials are exaggerating the impact and sophistication of the attack to keep from looking like fools when the inevitable congressional hearing on this subject arises. You'll get a lot more sympathy from the senator on the other side of the hearing room if you say you were hacked by a foreign intelligence agency as opposed to some 16 year old Chinese kid. Given how hard it is to trace the origin of these attacks, it's quite easy to twist the limited evidence available to support one hypothesis or the other.
My take on this? Some DoD employee brought a thumbdrive from home and infected his work PC. When others used their thumbdrives to copy information from this person's PC, they also got infected. Thanks to autorun and the relatively low profile this attack kept (e.g. it didn't do much to slow down infected computers) it took a long time for the IT department to find out about the infection. At that point the worm had become endemic to the network and many man-hours were spent rooting it out, hence the claim of "large expenses".
Even if you don't find my explanation entirely reasonable, you have to admit that the existing evidence doesn't exactly prove that the Pentagon was attacked by sophisticated and nefarious spies. Could they have been? Sure. But it's equally likely that they were attacked by a garden variety piece of malware for which they were unprepared.
Excel: scourge of IT (Score:3, Interesting)
That's the result of having a tool that allows computer-illiterate people to process data.
When the printing press was invented people started learning to read and write. They learned spelling and grammar.
When the GUI was invented people started forgetting how to read and write. They want to click on icons because they don't want to learn the spelling and grammar of the commands that control the computer.
In the computer world, Johannes Gutenberg invented the comic book.