Forgot your password?
typodupeerror
Government Security Your Rights Online

DoD Takes Criticism From Security Experts On Cyberwar Incident 116

Posted by Soulskill
from the no-mr-bond-i-expect-you-to-torrent dept.
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
This discussion has been archived. No new comments can be posted.

DoD Takes Criticism From Security Experts On Cyberwar Incident

Comments Filter:
  • lulz (Score:1, Insightful)

    by Anonymous Coward

    Millitary runs windows without disabling autorun. Now that's egg on your face...

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Clearly they need to create a new command structure and several brave new cyberwarfighter divisions to hold shift while inserting media. Higher ranking officers can take tech support calls or power cycle the nuke fire control on schedule.

    • Re:lulz (Score:4, Interesting)

      by JackieBrown (987087) <dbroome@gmail.com> on Saturday September 04, 2010 @11:02PM (#33479222)

      Where I work, someone inadvertently emailed emailed a spreadsheet of the 3000+ employees social security numbers, addresses, salaries, and our date of births.

      Their solution was to disable access to our personal email so that one one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.

      The funny part is that I just plugged in my usb drive and windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.

      And I work at a "hippa complainant" medical equipment company.

      Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.

        • by Venik (915777)
          This is hilarious. A company specializing in identity theft prevention could not safeguard personal data of its own employees. The problem, of course, is not that some bigwig mistakenly sent a spreadsheet with names and SSNs. The problem is that such a spreadsheet existed in the first place and how it was released is really a secondary issue. I assume the guy just downloaded this information from HR database and put it in a spreadsheet for his personal managerial convenience. Probably so he can make pretty
          • I think you confused two parts of the article...

            “We were able to move swiftly,” Izbrand said. “We are offering credit monitoring and identity-theft protection and any other assistance our employees want.” The credit and identity-theft services are being provided by an independent company, he said.

            KCI is a publicly traded company that designs, markets and services products involved in the healing process and treatment of wounds. Its products include hospital beds and mattress replacements.

            I disagree that the problem isn't that someone sent this spreadsheet to the entire company. It's not unreasonable for someone in HR to create something like that for a specific task, but it should be guarded closely. Maybe you meant it shouldn't have been so easily accessible that it could accidentally be emailed to the entire company, but that's not what you stated. That so-called bigwig should be reprimanded harshly if there's anyone above him.

      • Excel: scourge of IT (Score:3, Interesting)

        by mangu (126918)

        Where I work, someone inadvertently emailed emailed a spreadsheet of the 3000+ employees social security numbers, addresses, salaries, and our date of births.

        That's the result of having a tool that allows computer-illiterate people to process data.

        When the printing press was invented people started learning to read and write. They learned spelling and grammar.

        When the GUI was invented people started forgetting how to read and write. They want to click on icons because they don't want to learn the spelling a

    • Actually, you're wrong. Google DISA STIG, search the stuff for autorun and you will find that the DoD/military is required to disable autorun. USB Policy has also changed in the last 2 years. So if the claim is as described, the policies were put in place as a response to it. The STIG regarding disabling USB ports for mass storage came out in 2008.
  • by HungryHobo (1314109) on Saturday September 04, 2010 @07:16PM (#33478022)

    on military systems.

    And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.

    they went with the latter.

    • by icebike (68054) on Saturday September 04, 2010 @07:56PM (#33478190)

      You assume the fucked up.

      Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.

      How you administer an injection matters a lot less than what was in the syringe.

      Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run. To simply state that some minor setting in windows would have prevented this is naive.

      The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.

      • oh come on, autorun has been spreading USB viruses for years.
        Turning it off was basic common sense before vista ever hit the shelves.

        • Re: (Score:3, Informative)

          by icebike (68054)

          But you are assuming facts not yet proven.
          1) that it was in fact the commonly found version of this worm that was used rather than a specially crafted one
          2) that it required auto-run to do what it was designed to do.
          3) that auto-run was in fact still on in the subject machine

          • Re: (Score:1, Insightful)

            by davester666 (731373)

            By 'fucked up', he meant that they had installed Windows (any version) on pretty much all their computers.

          • He's also assuming that
            4) Everyone in the military uses common sense.
            • by TheLink (130905)
              I on the other hand assume the US DoD was just making another lame attempt at getting more public money.

              They hardly ever get punished for it, so why would they stop trying?
          • "that it was in fact the commonly found version of this worm that was used rather than a specially crafted one"

            Which makes no sense.
            If a competent organisation is going to mount a serious well funded attack you don't use code which is already in virus signature databases.
            You have one of your coders knock up something vaguely similar but with totally different code which will slip by AV software.

            And as long as it avoids acting too obviously it will never be picked up by the AV software because it's rare for

      • "Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run." Sorry - but auto-run is a known security risk, and it has been known for a lot longer than Vista has been in existence. This is the MILITARY we are talking about. The MILITARY is supposed to be more security conscious than Joe Blow who has nothing more important on his hard drives than some illegal porn.
      • by quanticle (843097)

        The damning portion of this experience isn't that a worm got on to military networks. The damage comes from the fact that this was an autorun worm. These worms are dependent entirely on human intervention to spread, and therefore spread much more slowly than automated worms targeting operating system vulnerabilities. Yet the military was unable to defend itself against this inept attack. If they have trouble defeating an autorun worm (something that a reasonably competent IT department can handle) how a

        • by icebike (68054)

          You've hit upon a key aspect of the event here, but I'n not sure you've interpreted it correctly.

          See that is the part of the story that doesn't hold water, and its why I think the military may have more knowledge of this than the naive attention seeking critics.

          This worm would be a really poor way to spread an intrusion, because of the need for human assistance to get started, and because it is essentially harmless and low risk and easily detected by anti-virus software both then and now.

          Further, if you wer

          • by ultranova (717540)

            See that is the part of the story that doesn't hold water, and its why I think the military may have more knowledge of this than the naive attention seeking critics.

            This worm would be a really poor way to spread an intrusion, because of the need for human assistance to get started, and because it is essentially harmless and low risk and easily detected by anti-virus software both then and now.

            Someone brought an infected USB stick from home. I'm sorry, but that's the most likely scenario, and certainly far

            • by icebike (68054)

              If you think that is the likely explanation then you haven't read a single word about the extent of the damage and the amount of files stolen in this incident.

              • Re: (Score:3, Insightful)

                by quanticle (843097)

                What damage? What stolen files? The military has said nothing about files being stolen. From the article:

                The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.

                But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

                No mention of any files stolen. All the article says is that it took the military 14 months to clean the worm off its network. Given the size of the military's network, the level of bureaucracy involved in administrating it, and the incompetence of said bureaucrats, I don't find this to be a surprising figure at all. It doesn't speak to the sophistication of the attack. It highlights the lack of s

          • "and easily detected by anti-virus software both then and now."

            And this is the simple reason why no sophisticated attacker would use an already known virus.
            Viruses are not that hard to write, I'm only a moderately skilled programmer and I've written a couple for the sake of proving I could (never released though).

            If you use a known virus that's already infected grandmas computer then the AV companies will know it.

            If you write your own with code unknown to the AV companies, even a fairly trivial virus that a

      • In military grade security, there is no legitimate reason to enable autorun, since you can always just manually start the program if you really want to start it.

      • How you administer an injection matters a lot less than what was in the syringe

        Thats what she said.

  • by YrWrstNtmr (564987) on Saturday September 04, 2010 @07:19PM (#33478036)
    A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives.

    But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.
    • Re: (Score:3, Insightful)

      by antifoidulus (807088)
      How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are. And yet Windows is the most attacked(even if you scale the # of attacks to it's market share), most easily defeated OS out there. Hell even Google banned Windows after
      • by icebike (68054) on Saturday September 04, 2010 @08:00PM (#33478220)

        How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.

        [citation needed]

        Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

        You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

        But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.

        • by hedwards (940851) on Saturday September 04, 2010 @08:16PM (#33478276)
          Yeah, the DoD is really known for being secure. Remind me again how it was that Gary McKinnon managed to get into all those military computers? Oh, right, they had no password or a default password and no firewall which anybody could've accessed had they the stones or the poor judgment to try. But beyond that, even in its default state BSD is more secure than Windows is in that respect because you can't mount anything by default without having root. Now, there is an exception on most computers by booting into single user mode, but there's ways of handling that which can greatly reduce the likelihood of being haxxored. Unless I'm mistaken you can do that with Linux and Mac OSX, although generally not by default.

          But beyond that because most of the individuals with knowledge of securing computer systems are younger and lower in rank, it can be kind of a toughy actually getting proper orders and resources to secure things. Or at least I assume that's what happened, it's the only explanation I can think of that's even halfway plausible that doesn't involve outright treason.
        • by antifoidulus (807088) on Saturday September 04, 2010 @08:33PM (#33478400) Homepage Journal
          And yet it gets hacked. It crashes constantly, it constantly needs virus updates etc. And yet there are a HUGE(before 2008 or so you couldn't actually totally disable autorun in Microsoft) security holes but they are just given a pass. The scrutiny applied to Windows is nothing compared to the amount applied to Linux because, and this is DoD policy, "Linux is open source and thus 'untrusted'". The level of logging required for Linux is insane and yet they really don't require the same level from Windows because you CANNOT log that much in Windows. Hosts.deny is required for Linux but no equivalent for Windows. nosuid has to be applied to every non-root drive for Linux, again nothing even close for Windows because Windows is simply incapable of such security. They allow NTLMv2 despite the fact that it is a proprietary protocol and thus incredibly insecure. Why, because it's really difficult to get Windows(esp. XP, which is still allowed) to authenticate with open, cryptographically secure protocols. They allow local and network users a lot more privileges on machines because it's impossible to actually get Windows operating smoothly without those privileges. The list goes on.

          Quite simply put Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings the DoD just brushes Windows' shortcomings aside(largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD, I'm not. If I was I would be cheering their use of windows. If there is a cyber-war, I want my country to win which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.
          • The mere fact that DoD calls software "untrusted" because it's open source reveals a lot about the level of their collective knowledge/intelligence.

            That's kind of like saying "We trust the contents of this closed shipping crate because we were told what's in it. But we don't trust the contents of that open shipping crate, even though we can see for ourselves what's in it."

            Sometimes my government makes me embarrassed to be an American.
            • by flydpnkrtn (114575) on Saturday September 04, 2010 @10:38PM (#33479090)

              Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.

              See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf [disa.mil] (search for Linux) for examples.

              • by Jane Q. Public (1010737) on Sunday September 05, 2010 @12:12AM (#33479542)
                Well, considering general natures of government and military today, I was willing to believe that Open Source was indeed "untrusted". But since you brought it up, I did some looking and found that there was an official DoD memorandum approving of Open Source back in 2003, updated in 2009. The 2009 document says, in part:

                (1) There are positive aspects of OSS that should be considered when conducting market research on software for DoD use, such as:

                (i) The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.

                (ii) The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.

                (iii) Relianceonaparticularsoftwaredeveloperorvendorduetoproprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.

                (iv) Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.

                (v) Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance. (vi) By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., GOTS). (vii) OSS is particularly suitable for rapid prototyping and experimentation, where the ability to "test drive" the software with minimal costs and administrative delays can be important.

                (2) While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.

                . . .
                • Well, considering general natures of government and military today, I was willing to believe...

                  Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

                  • Why yes, they do! But obviously you are one of the rare exceptions.
                  • Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

                    Oh come on now that's not fair... as I allude to in my reply to Jane Q., there are those even *inside* the DoD community who have the same preconceptions about FOSS "being insecure"....

                  • Well, considering general natures of government and military today, I was willing to believe...

                    Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

                          He was willing, but he looked it up. That makes it people not like him.

                      rd

                • Yup... and when the subject has been brought up by those spreading FUD at work about FOSS (I'm employed by DoD) I have busted out that very same memo and quoted from it :)

                • While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.

                  Bingo. The military used to use Unix and Solaris. I was in during the final years of it's general use. Only specialized systems are still using Solaris and some use Linix. My last deployment, we had a Mac media server. In the end, you use what your users are used to using, not what you as the admin/tech want. It is the same in any corporation. You can make all the sense in the world but in the end the boss gets what he/she wants.

          • You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS.

            China already has their own military operating system Kylin [schneier.com]. As far as anyone can tell, it's just BSD with some mods.

            Another major factor you are missing is that the DoD has billions of dollars in specialized software that was designed for Windows, business practices are built around Windows, employees are trained on Windows, etc. It is not a simple matter of switching to *nix, *BSD, or whatever else when you have several hundred thousand employees who know nothing else. Look at the fact that the avera

        • by Lord_Frederick (642312) on Saturday September 04, 2010 @08:36PM (#33478408)

          DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured, doesn't mean it gets configured that way in the field. Military IT is just like social issues; The only area not being neglected and starved of resources is the last area to have a major shitstorm.

          • by icebike (68054)

            This story deals with computers in a war zone during 2008.

            We are not talking about some receptionist in a recruiting office in Kansas.

        • Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

          Ha! Good one! Unless, of course, by "special build" you really mean "a burned ISO downloaded from the Pirate Bay - then you're spot on. And don't give me a [citation needed] either because [i was the guy doing those installs and know that damn near every other unit did it the same way]

        • Re: (Score:1, Informative)

          by Anonymous Coward

          Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

          You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

          But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.

          Most of the time it's a standard version of Windows that's been locked down according to the STIG (Secure Technical Implementation Guide). There are STIGs for UNIX, web servers, network devices, etc. There is no magic "custom install of windows...special build" blah blah blah ... because if there were, we would be using it at our office.

        • by robsku (1381635)

          You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

          I know that's exactly what I would be asking. No, not really, actually I would demand *more* scrutiny if Windows is used (and my demand for not using it for anything that important would not work). That can of course be translated (by small evil minds) to mean that I would allow some other system "without same level of scrutiny (than windows)".
          I would never support windows (nor OS X but actually I just know too little about it and would only go for system that I know I can trust) in that or any other "seri

      • WAITAMINUTE! You left the US because of the emphasis the culture puts on driving? Wow... I can think of a lot of reasons to leave here, but because you have a thin skin about not being able to drive? Incredible. That's about the stupidest... mumble mumble...
      • How about just getting rid of the main attack vector(Windows) altogether?

        Sure. The complexity of moving a million users/desktops/servers + govt overhead is trivial. Is next Tuesday soon enough for you?
        • That's the point, if autorun is enabled it is trivial, just take a bunch of automated linux installers on USB sticks, mark them "porn" and scatter them liberally around DC and a selection of military bases, it won't take long at all...
      • by pointbeing (701902) on Sunday September 05, 2010 @06:22AM (#33480654)

        ...and was actually discussing the switch from Windows to Linux with couple friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.

        I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.

        Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.

        I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.

        Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)

        They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.

        DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch [wirelessautoswitch.com] that'll do the job and it's dirt cheap, though.

        But I digress.

        • by TheLink (130905)
          > DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time

          Does that really help security that much?

          Many banks over here have basic network isolation - certain PCs and networks have zero Internet or other outside connectivity, yes it does affect productivity. There's a bank where people have to leave their PCs and go to another PC for googling or other internet access. That sucks in many ways, but I'm sure the DoD can afford more PCs per person and a better setup, if they s
    • by Culture20 (968837) on Saturday September 04, 2010 @09:10PM (#33478616)

      But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned.

      And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.

  • by Anonymous Coward

    The only thing the article really provides to dispute the Pentagon's account is that the worm is simple and common.

    But then it goes on to mention that while common, its payload is configurable. And the soldier quoted at the end of the article point blank says that it was the outsized effect (14 months of cleanup and lost data) compared to the simplicity of the vector that freaked them out so badly.

    Shit, all the military really needs is some logs showing where the thing was sending data and it gets a pretty

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.

      The implication was that it was a sophisticated attack. The attack vector was autorun. Consider this, my first computer was a Win95 box bought second hand when someone upgraded to 98. I used to buy computer magazines and use the included disks, which would use autorun to change my browser home page, so I learned to disable autorun.

      So if I as a computer newb with no training can work out how to disable this attack vector 10 years before it was used to attack pentagon systems, then the pentagon can not have p

    • by guruevi (827432)

      No the external security analysts (Sophos, the seller of antivirus software) says: with a good antivirus *cough*buy Sophos AV*/cough* and centrally managed policies *cough*buy Sophos Enterprise*/cough* you can't have this simple attack entering your Windows workstations. They are probably right.

      The DoD says, somebody put a USB stick in his computer and this was the result. They are probably also right.

      What you can conclude out of those passages is that the DoD probably doesn't have Sophos Antivirus ;-) What

    • Re: (Score:3, Interesting)

      by quanticle (843097)

      Your explanation gives the Pentagon a lot of benefit. In my view, its equally likely that these government officials are exaggerating the impact and sophistication of the attack to keep from looking like fools when the inevitable congressional hearing on this subject arises. You'll get a lot more sympathy from the senator on the other side of the hearing room if you say you were hacked by a foreign intelligence agency as opposed to some 16 year old Chinese kid. Given how hard it is to trace the origin of

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        They're not exaggerating either the sophistication or the impact; that's just the thing. They fully admit it was a bullshit vector they should have been prepared for, and they fully admit it took them over a year to manage a response. Read the quotes in the article, they sound downright embarrassed. Shamefaced, in fact. The general saying it took months just to get a count of computers? They're not trying to avoid looking like fools, they're shouting, "What fools we were!"

        I find your explanation entire

  • Was the threat real? (Score:4, Interesting)

    by falconwolf (725481) <falconsoaring_2000 AT yahoo DOT com> on Saturday September 04, 2010 @07:31PM (#33478076)

    As the Security Week article suggests this sounds like the lying the military told about the Gulf of Tonkin Incident [fair.org].

    Falcon

    • by Anonymous Coward

      or the MiG-25 [wikipedia.org]. Oversell the threat so you get a nice big budget for your toys/projects.

    • by sampas (256178) on Saturday September 04, 2010 @07:55PM (#33478186)
      Thisis another yellowcake [wikipedia.org] tale -- ginned up to scare Congress into giving DoD the Internet "kill switch" in case of "national emergency" -- like Wikileaks. Most of this is in response to the less-than-credible story in Foreign Affairs: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain [foreignaffairs.com]. Now our own government wishes they could do what China and Iran can -- shut down the Internet at will when there's something on there that they don't like. Does the military even read the Constitution they swear to uphold?
      • by hedwards (940851) on Saturday September 04, 2010 @08:21PM (#33478318)
        Unfortunately, rather than fixing the problem, I fear that's the "fix" we're going to get. There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice, however none of them are as easy or practical as simply restricting the kill switch to separating the military and emergency infrastructure from the net. Although the stupid thing there is that they probably shouldn't be directly on the internet in the first place.

        The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.
        • Re: (Score:1, Flamebait)

          by falconwolf (725481)

          There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice,

          There are no legitimate reasons to disconnect the nation from the internet. It's all about censorship or fear of the unknown.

          Falcon

          • by Thiez (1281866)

            I can't help but think '... PUNCH!' at the end of your posts, and imagine you striking down those who disagree with you.

          • by DavidShor (928926)
            Sure there is. Knocking a country of the internet in the case of war could be a quite potent weapon. In the short term, it'd do a lot to disrupt internal communication.

            From a humanitarian point of view, it's not ideal. But we let these people drop cluster bombs on cities, so that's really besides the point.

            • Knocking a country of the internet in the case of war could be a quite potent weapon.

              ie there are no legitimate reasons to consider a "kill switch" which will do the same thing, knock the country off the net.

              Falcon

      • It is interesting how any government solution to their own screw-up always involves giving them more power. The obvious solution to an "asymmetrical" cyber-security threat to our national infrastructure, from their point-of-view, is more centralization of authority and a big "cybersecurity command" that gets more budget dollars.

        %0

  • by notjustchalk (1743368) on Saturday September 04, 2010 @07:37PM (#33478106)

    Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any govenrmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the boogyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.

    In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?

    ps. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc), which have been frequent fear mongerers themselves, are calling the military on fear mongering.

  • Say It Ain't So (Score:5, Insightful)

    by SilverHatHacker (1381259) on Saturday September 04, 2010 @07:41PM (#33478132)
    Wait, are you saying a government agency might have lied, appealing to the general public's lack of knowledge in the area of computers and using a buzzword-filled report to justify an application of force? I find that hard to believe.
    • How can you say such a thing? Government agencies never lie. Don't you realize that viruses are weapons of mass annoyance? The only way to be sure is to kill the Internet. With a switch. Located in a room deep underground in the basement of the Pentagon. You know the room I'm talking about, it's got a candybar dispenser in it and a pinball machine. The hackers will never think of searching for it there.
  • What we'd heard... (Score:5, Informative)

    by NecroPuppy (222648) on Saturday September 04, 2010 @07:49PM (#33478158) Homepage

    Where I am, is a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.

    Two vectors were talked about.

    Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.

    Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.

    Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.

  • by gilesjuk (604902) <giles.jones@nOspam.zen.co.uk> on Saturday September 04, 2010 @07:51PM (#33478166)

    Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.

    I think the US military are hinting along these lines.

  • seeing as they're, you know, the pentagon, I highly doubt there are any real 'killer apps' they must have that they don't have the source code to. That said: why use windows? Its not designed to be a secure operating system in the same way that... say.. openBSD is, and while they may have the windows source code (I believe that large and gov't organizations are allowed to see it) they're not allowed to modify it. I'm just saying that in an environment like that, a very secure operating system, closed source
    • Re: (Score:2, Interesting)

      by Arker (91948)
      And even if they do have the source code, do you really think an organisation that couldnt figure out they needed to turn off 'auto-run' in their install images has done a thorough audit of all those millions of lines of spaghetti?
      • by Lanteran (1883836)
        heh, true enough. They want better security? Stop putting kids off of hacking, look at what china's doing...
  • Go figure (Score:3, Insightful)

    by ralphdaugherty (225648) <ralph@ee.net> on Saturday September 04, 2010 @08:02PM (#33478230) Homepage

          I would be surprised if the secret forensics information is anything more than the malware has Russian roots.

          Just because malware is written by Russia crackers doesn't make it a Russian government attack.

      rd

  • by louarnkoz (805588) on Saturday September 04, 2010 @08:23PM (#33478330)
    The Army just suffered one of the largest leaks in military history, thanks to Pfc Bradley Manning and Wikileaks. You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised, and perhaps review procedures so a lowly private does not have access to 100,000 secret documents that are only remotely linked to his mission.

    Instead, we get this implausible thumb drive scenario. And guess what, instead dof applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...

    -- Loaurnkoz

    • Re: (Score:3, Funny)

      by Lifyre (960576)

      To be fair this incident happened two years ago. Which means they should be getting around to resolving the Bradley Manning issue and review some time in 2012...

    • by MK_CSGuy (953563)

      You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised... Instead, we get this implausible thumb drive scenario.

      Who said they are not doing that as well?
      I don't see how one thing contradicts the other.

    • ...chatting with Lamo. No one has been able to speak to Manning and that chat log seems to be the only thing pointing to him.

  • by drolli (522659) on Saturday September 04, 2010 @09:49PM (#33478868) Journal

    Virus writers update their viruses 100 times faster than the military its rules. I would not wonder if the rules effective at that moment were 10 years old (or just minor revisions - like fixing security holes already being exploited). I work in a very large company, and each time i try to report a security problem i observe, i am being told the IT department is responsible and its not my job - and nothing changes. I assume in the military its the same problem but worse; maybe you even go in jail because you figured sth out.

  • by MacroMegaMan (819087) * on Saturday September 04, 2010 @10:25PM (#33479036)

    I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)

    Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.

    The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.

    Many people did both their office work and home use on the same computers, as the situation demanded.

    While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.

    We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.

    We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.

    Things that would help defend against this in the future:

    Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.

    If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.

    NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)

    • by Simulant (528590)
      WTF is NIPER? http://en.wikipedia.org/wiki/NIPRNet/ [wikipedia.org]
    • Re: (Score:3, Insightful)

      by codepunk (167897)

      I have been out of the military for quite some time but I don't see how your suggestions would help the matter anyhow. Sure there are some talented enlisted people that would more than be capable of handling the situation but the military command structure is no designed for that. Anyone worth a squat is not going to be doing anything more meaningful than cleaning a tank with a toothbrush. DOD contractors are no better they work for the govt because no one else want's them.

      • by Lifyre (960576) on Sunday September 05, 2010 @01:48AM (#33479922)

        Actually the solution to this is training your enlisted troops how to handle this. I was in Iraq when this went down, as a network admin for a grunt unit. The problem went away when we burned 10 CD's with AV that cleaned it (the most recent definitions from Symantec did NOT do this until almost 4 months later, making government computers completely open) and training 2 Marines per company on how to help their users. Within a week we had controlled the issue.

    • by basotl (808388)
      Mod parent up.

      I was there in 2005/2006. So far you have given the best informed description of the situation that lead to the bad practices.

      I still lament over the loss of being able to use a thumb drive. The things were darn useful when used IAW Thumb Drive policy and IMHO could still be used if policies were enforced. Now I often use my personal laptop as opposed a NIPPER and keep large documents such as FM's and TM's there.
    • I have never seen a S-6 shop that didnt have at least local admin rights to the computers they were responsible for.
  • by Simulant (528590)
    ...Iraq didn't really have WMD.
  • by Joebert (946227)
    I think all of these stories of military oopsies sound a lot like the story of the woman who "accidentally" dropped her bag and waits for some guy to pick it up. Except, in this case the guy gets tagged like an animal and watched like a hawk for the next 30 years.

I judge a religion as being good or bad based on whether its adherents become better people as a result of practicing it. - Joe Mullally, computer salesman

Working...