DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
lulz (Score:1, Insightful)
Military runs Windows without disabling autorun. Now that's egg on your face...
Re: (Score:1, Funny)
Clearly they need to create a new command structure and several brave new cyberwarfighter divisions to hold shift while inserting media. Higher ranking officers can take tech support calls or power cycle the nuke fire control on schedule.
Re:lulz (Score:4, Interesting)
Where I work, someone inadvertently emailed a spreadsheet of the 3000+ employees' social security numbers, addresses, salaries, and dates of birth.
Their solution was to disable access to our personal email so that no one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.
The funny part is that I just plugged in my usb drive and windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.
And I work at a "HIPAA compliant" medical equipment company.
Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.
Re: (Score:3, Informative)
Citation
http://www.mysanantonio.com/business/local/kci_working_to_contain_employee_data_breach_102106769.html [mysanantonio.com]
Re: (Score:2)
Re: (Score:1)
I think you confused two parts of the article...
“We were able to move swiftly,” Izbrand said. “We are offering credit monitoring and identity-theft protection and any other assistance our employees want.” The credit and identity-theft services are being provided by an independent company, he said.
KCI is a publicly traded company that designs, markets and services products involved in the healing process and treatment of wounds. Its products include hospital beds and mattress replacements.
I disagree that the problem isn't that someone sent this spreadsheet to the entire company. It's not unreasonable for someone in HR to create something like that for a specific task, but it should be guarded closely. Maybe you meant it shouldn't have been so easily accessible that it could accidentally be emailed to the entire company, but that's not what you stated. That so-called bigwig should be reprimanded harshly if there's anyone above him.
Excel: scourge of IT (Score:3, Interesting)
That's the result of having a tool that allows computer-illiterate people to process data.
When the printing press was invented people started learning to read and write. They learned spelling and grammar.
When the GUI was invented people started forgetting how to read and write. They want to click on icons because they don't want to learn the spelling a
Re: (Score:1)
They fucked up something really really basic (Score:5, Insightful)
on military systems.
And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.
they went with the latter.
Re:They fucked up something really really basic (Score:4, Insightful)
You assume they fucked up.
Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.
How you administer an injection matters a lot less than what was in the syringe.
Disabling auto-run might have stopped this worm, but turning it off did not become standard practice till the Vista roll-out, and the military may have had reason to use auto-run. To simply state that some minor setting in Windows would have prevented this is naive.
The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.
Re: (Score:2)
oh come on, autorun has been spreading USB viruses for years.
Turning it off was basic common sense before vista ever hit the shelves.
Re: (Score:3, Informative)
But you are assuming facts not yet proven.
1) that it was in fact the commonly found version of this worm that was used rather than a specially crafted one
2) that it required auto-run to do what it was designed to do.
3) that auto-run was in fact still on in the subject machine
Re: (Score:1, Insightful)
By 'fucked up', he meant that they had installed Windows (any version) on pretty much all their computers.
Re: (Score:2)
4) Everyone in the military uses common sense.
Re: (Score:2)
They hardly ever get punished for it, so why would they stop trying?
Re: (Score:2)
"that it was in fact the commonly found version of this worm that was used rather than a specially crafted one"
Which makes no sense.
If a competent organisation is going to mount a serious, well-funded attack, you don't use code which is already in virus signature databases.
You have one of your coders knock up something vaguely similar but with totally different code which will slip by AV software.
And as long as it avoids acting too obviously it will never be picked up by the AV software because it's rare for
Re: (Score:2)
Re: (Score:2)
The damning portion of this experience isn't that a worm got on to military networks. The damage comes from the fact that this was an autorun worm. These worms are dependent entirely on human intervention to spread, and therefore spread much more slowly than automated worms targeting operating system vulnerabilities. Yet the military was unable to defend itself against this inept attack. If they have trouble defeating an autorun worm (something that a reasonably competent IT department can handle) how a
Re: (Score:2)
You've hit upon a key aspect of the event here, but I'm not sure you've interpreted it correctly.
See, that is the part of the story that doesn't hold water, and it's why I think the military may have more knowledge of this than the naive attention-seeking critics.
This worm would be a really poor way to spread an intrusion, because of the need for human assistance to get started, and because it is essentially harmless and low risk and easily detected by anti-virus software both then and now.
Further, if you wer
Re: (Score:2)
Someone brought an infected USB stick from home. I'm sorry, but that's the most likely scenario, and certainly far
Re: (Score:2)
If you think that is the likely explanation then you haven't read a single word about the extent of the damage and the amount of files stolen in this incident.
Re: (Score:3, Insightful)
What damage? What stolen files? The military has said nothing about files being stolen. From the article:
The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.
But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.
No mention of any files stolen. All the article says is that it took the military 14 months to clean the worm off its network. Given the size of the military's network, the level of bureaucracy involved in administrating it, and the incompetence of said bureaucrats, I don't find this to be a surprising figure at all. It doesn't speak to the sophistication of the attack. It highlights the lack of s
Re: (Score:2)
"and easily detected by anti-virus software both then and now."
And this is the simple reason why no sophisticated attacker would use an already known virus.
Viruses are not that hard to write, I'm only a moderately skilled programmer and I've written a couple for the sake of proving I could (never released though).
If you use a known virus that's already infected grandmas computer then the AV companies will know it.
If you write your own with code unknown to the AV companies, even a fairly trivial virus that a
Re: (Score:2)
In military grade security, there is no legitimate reason to enable autorun, since you can always just manually start the program if you really want to start it.
Re: (Score:1)
How you administer an injection matters a lot less than what was in the syringe
Thats what she said.
Re: (Score:2)
Seriously? Is that all you got?
No one even knows if auto-run was involved, and you have convicted them in the court of ignorance without even a glance at the facts.
Re: (Score:2)
Autorun is the only infection vector of Agent.btz, through thumbdrives or through network drives.
If it was not agent.btz then they're being convicted in the court of ignorance by their own claims.
If it really was agent.btz then they deserve the accusations of incompetence.
Re: (Score:2)
You need to check your facts.
First autorun is NOT the only vector for Agent.btz.
Second they never said it was agent.btz, rather they said it was based on that.
Re: (Score:2)
Please, show me the other vectors that agent.btz uses then.
The link you provided only lists vectors which rely totally on autorun.
And if you're a foreign intelligence service there is no reason to use code already in the AV companies' signature databases as a base for your attack; that just jeopardizes the attack since any civilian AV scanner will pick it up.
Rolling your own virus is not hard.
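The vector argued over in the exchange above is the autorun.inf file on the stick: every AutoRun-based infection, whatever the payload, needs one. As an added example that is not part of the thread, here is a small PowerShell triage of such a file. The sample autorun.inf is constructed for the example (it is not agent.btz's or any real worm's file), and the function names, severity labels and the launcher pattern are this example's own.

```powershell
# Added example (not from the thread): static triage of an autorun.inf.
# Runs on any Windows PowerShell 3+ / PowerShell 7 host; no registry access needed.
function Get-AutorunInfFindings {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Source = '<inline>'
    )
    # Keys that run a program when the volume is inserted (AutoRun) or opened (AutoPlay default).
    $execKeys = 'open', 'shellexecute'
    # Keys that only dress up the AutoPlay dialog, e.g. to mimic "Open folder to view files".
    $spoofKeys = 'label', 'icon', 'action'
    # Interpreters and loaders that have no business on a data stick (example's own list).
    $launcherPattern = 'rundll32|regsvr32|cmd\.exe|wscript|cscript|powershell|mshta'

    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }              # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLowerInvariant(); continue }
        if ($section -ne 'autorun') { continue }                               # only [autorun] matters
        if (-not ($line -match '^([^=]+)=(.*)$')) { continue }                 # key=value lines only
        $key = $Matches[1].Trim().ToLowerInvariant()
        $val = $Matches[2].Trim()

        $severity = 'Info'; $reason = 'benign or unknown key'
        if ($key -in $execKeys) {
            $severity = 'High'; $reason = "'$key' launches a program on insert or as the default AutoPlay action"
        } elseif ($key -match '^shell\\[^\\]+\\command$') {
            $severity = 'High'; $reason = 'context-menu verb redirected to a program (double-click / right-click hijack)'
        } elseif ($key -eq 'shell') {
            $severity = 'Medium'; $reason = "default verb changed to '$val'; inspect its shell\$val\command entry"
        } elseif ($key -in $spoofKeys) {
            $severity = 'Medium'; $reason = 'customises the AutoPlay dialog; used to impersonate the folder-open choice'
        }
        if ($val -match $launcherPattern) { $severity = 'High'; $reason += '; value invokes a script/DLL loader' }

        [pscustomobject]@{ Source = $Source; Key = $key; Value = $val; Severity = $severity; Reason = $reason }
    }
}

# Convenience wrapper for a mounted volume, e.g. Test-AutorunInfVolume -Root 'E:\'
function Test-AutorunInfVolume {
    param([Parameter(Mandatory)][string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    Get-AutorunInfFindings -Lines (Get-Content -LiteralPath $inf) -Source $inf
}

# Constructed sample in the style of USB autorun worms; not a real-world file.
$sample = @'
[autorun]
open=RECYCLER\setup.exe
shellexecute=rundll32.exe loader.dll,Install
shell\open\command=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
'@ -split "`r?`n"

$findings = Get-AutorunInfFindings -Lines $sample -Source 'sample'
$findings | Format-Table Key, Severity, Reason -AutoSize
if ($findings.Severity -contains 'High') { 'VERDICT: do not open this volume; image it and hand it to IR' }
```

On the constructed sample the three execution keys come back High and the dialog-spoofing keys Medium, which is the pattern a practitioner should recognise: the payload may be trivial, but the "Open folder to view files" impersonation is what gets a user to double-click even when insertion itself no longer runs anything.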
easily defeated, only if you disable the vector (Score:5, Informative)
But in 2007, that wasn't the case. Autorun was usually on, and thumb drives were not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.
Re: (Score:3, Insightful)
Re:easily defeated, only if you disable the vector (Score:4, Informative)
How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.
[citation needed]
Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.
You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.
But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.
Re:easily defeated, only if you disable the vector (Score:5, Informative)
But beyond that because most of the individuals with knowledge of securing computer systems are younger and lower in rank, it can be kind of a toughy actually getting proper orders and resources to secure things. Or at least I assume that's what happened, it's the only explanation I can think of that's even halfway plausible that doesn't involve outright treason.
was that a trap system? old systems that where not (Score:2)
was that a trap system? old systems that were not updated but still were sitting on part of the network?
Or did he point out how bad their systems are and they just tried to cover it up and threw the book at him?
Re:easily defeated, only if you disable the vector (Score:5, Insightful)
Quite simply put Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings the DoD just brushes Windows' shortcomings aside(largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD, I'm not. If I was I would be cheering their use of windows. If there is a cyber-war, I want my country to win which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.
Re: (Score:2)
That's kind of like saying "We trust the contents of this closed shipping crate because we were told what's in it. But we don't trust the contents of that open shipping crate, even though we can see for ourselves what's in it."
Sometimes my government makes me embarrassed to be an American.
Re:easily defeated, only if you disable the vector (Score:5, Informative)
Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.
See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf [disa.mil] (search for Linux) for examples.
Re:easily defeated, only if you disable the vector (Score:4, Informative)
(1) There are positive aspects of OSS that should be considered when conducting market research on software for DoD use, such as:
(i) The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.
(ii) The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.
(iii) Reliance on a particular software developer or vendor due to proprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.
(iv) Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.
(v) Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance.
(vi) By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., GOTS).
(vii) OSS is particularly suitable for rapid prototyping and experimentation, where the ability to "test drive" the software with minimal costs and administrative delays can be important.
(2) While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.
. .
Re: (Score:2)
Well, considering general natures of government and military today, I was willing to believe...
Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!
Re: (Score:2)
Re: (Score:2)
Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!
Oh come on now that's not fair... as I allude to in my reply to Jane Q., there are those even *inside* the DoD community who have the same preconceptions about FOSS "being insecure"....
Re: (Score:2)
Well, considering general natures of government and military today, I was willing to believe...
Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!
He was willing, but he looked it up. That makes it people not like him.
rd
Re: (Score:2)
Yup... and when the subject has been brought up by those spreading FUD at work about FOSS (I'm employed by DoD) I have busted out that very same memo and quoted from it :)
Re: (Score:1)
While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.
Bingo. The military used to use Unix and Solaris. I was in during the final years of its general use. Only specialized systems are still using Solaris and some use Linux. My last deployment, we had a Mac media server. In the end, you use what your users are used to using, not what you as the admin/tech want. It is the same in any corporation. You can make all the sense in the world but in the end the boss gets what he/she wants.
Re: (Score:1)
You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS.
China already has their own military operating system Kylin [schneier.com]. As far as anyone can tell, it's just BSD with some mods.
Another major factor you are missing is that the DoD has billions of dollars in specialized software that was designed for Windows, business practices are built around Windows, employees are trained on Windows, etc. It is not a simple matter of switching to *nix, *BSD, or whatever else when you have several hundred thousand employees who know nothing else. Look at the fact that the avera
Re:easily defeated, only if you disable the vector (Score:4, Insightful)
DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured, doesn't mean it gets configured that way in the field. Military IT is just like social issues; The only area not being neglected and starved of resources is the last area to have a major shitstorm.
Re: (Score:2)
This story deals with computers in a war zone during 2008.
We are not talking about some receptionist in a recruiting office in Kansas.
Re: (Score:2)
Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.
Ha! Good one! Unless, of course, by "special build" you really mean "a burned ISO downloaded from the Pirate Bay - then you're spot on. And don't give me a [citation needed] either because [i was the guy doing those installs and know that damn near every other unit did it the same way]
Re: (Score:1, Informative)
Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.
You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.
But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.
Most of the time it's a standard version of Windows that's been locked down according to the STIG (Secure Technical Implementation Guide). There are STIGs for UNIX, web servers, network devices, etc. There is no magic "custom install of windows...special build" blah blah blah ... because if there were, we would be using it at our office.
Re: (Score:1)
You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.
I know that's exactly what I would be asking. No, not really, actually I would demand *more* scrutiny if Windows is used (and my demand for not using it for anything that important would not work). That can of course be translated (by small evil minds) to mean that I would allow some other system "without same level of scrutiny (than windows)".
I would never support windows (nor OS X but actually I just know too little about it and would only go for system that I know I can trust) in that or any other "seri
Re: (Score:3, Insightful)
You made that up.
That fact is not in evidence. It's not in the stories linked to this article. It's merely speculation by people here so they can thump their chests and sound like they know something.
Re: (Score:2)
Wait, you are still on this Auto-run thing?
No where in any of the linked articles does it say that auto run was the source of insertion, or that auto run was on, or that the USB ports were free of epoxy.
That auto run was the source of infection is an INVENTION of this thread. There is simply no evidence of this.
The worm engine used was based on an auto run worm, but if that was all there was to it it would have been caught by virus scanners of that era.
Re: (Score:2)
Re: (Score:2)
Sure. The complexity of moving a million users/desktops/servers + govt overhead is trivial. Is next Tuesday soon enough for you?
Re: (Score:2)
i work for an agency under DoD... (Score:5, Informative)
...and was actually discussing the switch from Windows to Linux with a couple of friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.
I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.
Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.
I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.
Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)
They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.
DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch [wirelessautoswitch.com] that'll do the job and it's dirt cheap, though.
But I digress.
Re: (Score:2)
Does that really help security that much?
Many banks over here have basic network isolation - certain PCs and networks have zero Internet or other outside connectivity, yes it does affect productivity. There's a bank where people have to leave their PCs and go to another PC for googling or other internet access. That sucks in many ways, but I'm sure the DoD can afford more PCs per person and a better setup, if they s
Re:easily defeated, only if you disable the vector (Score:4, Interesting)
But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned.
And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.
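The post above is about the gap between what the NoDriveTypeAutoRun policy was supposed to do and what it actually did before Microsoft's update. As an added example that is not part of the thread, this PowerShell script audits (and with -Enforce, applies) the three settings that together close that gap: the 0xFF policy value, the HonorAutorunSetting marker that Microsoft's KB967715 update writes once the policy is honoured correctly, and the US-CERT TA09-020A workaround of mapping Autorun.inf lookups to a non-existent registry key. It assumes an elevated PowerShell session on Windows; the function names and the -Enforce switch are this example's own.

```powershell
# Added example (not from the thread): audit, and optionally enforce, AutoRun hardening.
# Registry locations and values are those documented in Microsoft KB967715 and US-CERT TA09-020A.
[CmdletBinding()]
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent rather than throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AutorunHardening {
    $checks = @(
        [pscustomobject]@{
            Name     = 'NoDriveTypeAutoRun = 0xFF (AutoRun off for every drive type)'
            Actual   = Get-RegValue $PolicyKey 'NoDriveTypeAutoRun'
            Expected = 0xFF
        },
        [pscustomobject]@{
            # Marker written by the KB967715 update. Without the update, 0xFF was only partially
            # honoured on XP/2003/Vista/2008 and autorun.inf entries were still parsed and cached.
            Name     = 'HonorAutorunSetting = 1 (KB967715 update present)'
            Actual   = Get-RegValue $PolicyKey 'HonorAutorunSetting'
            Expected = 1
        },
        [pscustomobject]@{
            # US-CERT workaround: redirect every autorun.inf lookup to a registry key that does not
            # exist, so the file is never read regardless of the policy value or patch level.
            Name     = 'IniFileMapping\Autorun.inf -> @SYS:DoesNotExist'
            Actual   = Get-RegValue $IniMapKey '(default)'
            Expected = '@SYS:DoesNotExist'
        }
    )
    foreach ($c in $checks) {
        $c | Add-Member -NotePropertyName Pass -NotePropertyValue ($c.Actual -eq $c.Expected) -PassThru
    }
}

function Set-AutorunHardening {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    New-Item -Path $IniMapKey -Force | Out-Null
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
    # HonorAutorunSetting is deliberately not written here: it is the update's marker, not a control.
    # If that check fails, install the update rather than forging the value.
}

if ($Enforce) { Set-AutorunHardening }
$results = Test-AutorunHardening
$results | Format-Table Name, Expected, Actual, Pass -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'AutoRun is not fully hardened on this host.' }
```

Run it without arguments to get a pass/fail table, or with -Enforce from an administrative prompt to set the two controllable values. The IniFileMapping entry is the check worth keeping even on modern Windows, where removable-drive AutoRun is off by default: it removes the autorun.inf parse entirely instead of relying on the policy being honoured.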
The Article Doesn't Make a Good Case (Score:2, Interesting)
The only thing the article really provides to dispute the Pentagon's account is that the worm is simple and common.
But then it goes on to mention that while common, its payload is configurable. And the soldier quoted at the end of the article point blank says that it was the outsized effect (14 months of cleanup and lost data) compared to the simplicity of the vector that freaked them out so badly.
Shit, all the military really needs is some logs showing where the thing was sending data and it gets a pretty
Re: (Score:1, Interesting)
Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.
The implication was that it was a sophisticated attack. The attack vector was autorun. Consider this, my first computer was a Win95 box bought second hand when someone upgraded to 98. I used to buy computer magazines and use the included disks, which would use autorun to change my browser home page, so I learned to disable autorun.
So if I as a computer newb with no training can work out how to disable this attack vector 10 years before it was used to attack pentagon systems, then the pentagon can not have p
Re: (Score:2)
No the external security analysts (Sophos, the seller of antivirus software) says: with a good antivirus *cough*buy Sophos AV*/cough* and centrally managed policies *cough*buy Sophos Enterprise*/cough* you can't have this simple attack entering your Windows workstations. They are probably right.
The DoD says, somebody put a USB stick in his computer and this was the result. They are probably also right.
What you can conclude out of those passages is that the DoD probably doesn't have Sophos Antivirus ;-) What
Re: (Score:3, Interesting)
Your explanation gives the Pentagon a lot of benefit. In my view, it's equally likely that these government officials are exaggerating the impact and sophistication of the attack to keep from looking like fools when the inevitable congressional hearing on this subject arises. You'll get a lot more sympathy from the senator on the other side of the hearing room if you say you were hacked by a foreign intelligence agency as opposed to some 16 year old Chinese kid. Given how hard it is to trace the origin of
Re: (Score:2, Insightful)
They're not exaggerating either the sophistication or the impact; that's just the thing. They fully admit it was a bullshit vector they should have been prepared for, and they fully admit it took them over a year to manage a response. Read the quotes in the article, they sound downright embarrassed. Shamefaced, in fact. The general saying it took months just to get a count of computers? They're not trying to avoid looking like fools, they're shouting, "What fools we were!"
I find your explanation entire
Was the threat real? (Score:4, Interesting)
As the Security Week article suggests, this sounds like the lies the military told about the Gulf of Tonkin Incident [fair.org].
Falcon
Re: (Score:1)
or the MiG-25 [wikipedia.org]. Oversell the threat so you get a nice big budget for your toys/projects.
Re:Was the threat real? (Score:5, Insightful)
Re:Was the threat real? (Score:4, Insightful)
The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.
Re: (Score:1, Flamebait)
There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice,
There are no legitimate reasons to disconnect the nation from the internet. It's all about censorship or fear of the unknown.
Falcon
Re: (Score:2)
I can't help but think '... PUNCH!' at the end of your posts, and imagine you striking down those who disagree with you.
I can't help but think (Score:2)
'... PUNCH!' at the end of your posts, and imagine you striking down those who disagree with you.
Nope, I'm non-violent like Henry David Thoreau [wikipedia.org], who wrote Civil Disobedience [wikipedia.org], and Mohandas Karamchand Gandhi [wikipedia.org]. Where I differ is that if it came to it, such as with the Nazis, I would not hesitate to bear and use firearms.
There are four boxes of liberty: soapbox, ballot box, jury box, and ammo box. Use in that order.
Falcon
Re: (Score:2)
From a humanitarian point of view, it's not ideal. But we let these people drop cluster bombs on cities, so that's really besides the point.
Re: (Score:2)
Knocking a country off the internet in the case of war could be a quite potent weapon.
ie there are no legitimate reasons to consider a "kill switch" which will do the same thing, knock the country off the net.
Falcon
And without considering the obvious: decentralize (Score:2)
It is interesting how any government solution to their own screw-up always involves giving them more power. The obvious solution to an "asymmetrical" cyber-security threat to our national infrastructure, from their point-of-view, is more centralization of authority and a big "cybersecurity command" that gets more budget dollars.
Just another vector for funding... (Score:5, Insightful)
Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any governmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the bogeyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.
In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?
ps. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc), which have been frequent fear mongerers themselves, are calling the military on fear mongering.
Say It Ain't So (Score:5, Insightful)
Re: (Score:2)
What we'd heard... (Score:5, Informative)
Where I am, it's a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.
Two vectors were talked about.
Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.
Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.
Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.
The next doomsday weapon (Score:4, Insightful)
Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.
I think the US military are hinting along these lines.
Another patch in the submarine's screen doors (Score:2, Interesting)
Re: (Score:2, Interesting)
Re: (Score:1)
Go figure (Score:3, Insightful)
I would be surprised if the secret forensics information is anything more than the malware has Russian roots.
Just because malware is written by Russian crackers doesn't make it a Russian government attack.
rd
Two words: Bradley Manning (Score:5, Interesting)
Instead, we get this implausible thumb drive scenario. And guess what, instead of applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...
-- Loaurnkoz
Re: (Score:3, Funny)
To be fair this incident happened two years ago. Which means they should be getting around to resolving the Bradley Manning issue and review some time in 2012...
Re: (Score:2)
You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised... Instead, we get this implausible thumb drive scenario.
Who said they are not doing that as well?
I don't see how one thing contradicts the other.
None of us know if that was him (Score:2)
...chatting with Lamo. No one has been able to speak to Manning and that chat log seems to be the only thing pointing to him.
The Problem behind: (Score:4, Insightful)
Virus writers update their viruses 100 times faster than the military its rules. I would not wonder if the rules effective at that moment were 10 years old (or just minor revisions - like fixing security holes already being exploited). I work in a very large company, and each time I try to report a security problem I observe, I am being told the IT department is responsible and it's not my job - and nothing changes. I assume in the military it's the same problem but worse; maybe you even go to jail because you figured something out.
A Sysadmin's Lamentation... (Score:5, Informative)
I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors), computers operated by Cyberzone (a commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)
Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.
The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.
Many people did both their office work and home use on the same computers, as the situation demanded.
While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.
We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers.
We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.
Things that would help defend against this in the future:
Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.
If you have a computer while downrange, you should be required to make sure that its security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.
NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)
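The two posts above ("What we'd heard..." and "A Sysadmin's Lamentation...") both describe the same mechanics: SillyFDC and agent.btz ride along on a flash drive and rely on Windows honouring the drive's autorun.inf, and the workaround was to disable autorun and run every drive through a dedicated scanning box. Below is an added example of what that scanning step can look like, written for this thread rather than taken from any of the posters or from any AV product. It parses the standard autorun.inf format and flags the entries that would cause code to run on insertion. The two sample autorun.inf texts are constructed for the demonstration; the folder and file names in them are made up and are not indicators from the incident.

```python
import configparser
import os
import tempfile

# Constructed sample: the shape of an autorun.inf a USB worm leaves at a drive
# root. Only the key names are the real Windows autorun.inf format; the file
# names and folder names are invented for this example.
SAMPLE_WORM_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\svchost.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501\\svchost.exe
"""

# Constructed sample: a harmless autorun.inf that only sets an icon and label.
SAMPLE_BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Keys that make Explorer execute something when autorun is honoured.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Parse autorun.inf text into a dict of lower-cased key -> value from [autorun].

    Returns {} for text that is not a valid INI file or has no [autorun] section.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def autorun_findings(entries):
    """Return human-readable reasons why these entries look like a worm's autorun.inf."""
    findings = []
    # Direct execution keys.
    for key in EXEC_KEYS:
        if key in entries:
            findings.append(f"{key}= launches {entries[key]}")
    # Context-menu verbs (shell\<verb>\command=) that hijack "Open"/"Explore".
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= launches {value}")
    # Payloads tucked into folders users never browse into.
    targets = [v for k, v in entries.items() if k in EXEC_KEYS or k.endswith("\\command")]
    for target in targets:
        low = target.lower()
        if "recycler" in low or "system volume information" in low:
            findings.append(f"target hidden in system folder: {target}")
    # A fake "Open folder to view files" action makes the worm's entry look like
    # the normal Explorer prompt mentioned earlier in this thread.
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append("action= mimics the Explorer 'Open folder to view files' prompt")
    return findings


def scan_removable_root(root):
    """Check a mounted drive root for autorun.inf.

    Returns (present, findings). The file is read regardless of its hidden or
    system attributes, so it is seen even when Explorer would hide it.
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return False, []
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return True, autorun_findings(entries)


def demo():
    """Write both samples into temporary 'drive roots' and scan them."""
    results = {}
    for name, text in (("worm", SAMPLE_WORM_AUTORUN), ("benign", SAMPLE_BENIGN_AUTORUN)):
        with tempfile.TemporaryDirectory() as drive_root:
            with open(os.path.join(drive_root, "autorun.inf"), "w", encoding="utf-8") as fh:
                fh.write(text)
            results[name] = scan_removable_root(drive_root)
    return results


if __name__ == "__main__":
    for name, (present, findings) in demo().items():
        print(name, "autorun.inf present:", present)
        for line in findings:
            print("  -", line)
```

On a real scanning box you would point `scan_removable_root` at the drive letter (`E:\`) instead of a temp directory. The scan only tells you what the drive would do if autorun were honoured; the policy fix the posters describe, turning autorun off on the host, is the part that stops the worm from ever getting that chance.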
Re: (Score:2)
Re: (Score:1)
NIPRNET, not like my mangled spelling.
It's the DOD network for unclassified but sensitive data.
http://en.wikipedia.org/wiki/NIPRNet [wikipedia.org]
http://everything2.com/title/NIPRNET [everything2.com]
Re: (Score:3, Insightful)
I have been out of the military for quite some time but I don't see how your suggestions would help the matter anyhow. Sure there are some talented enlisted people that would more than be capable of handling the situation but the military command structure is not designed for that. Anyone worth a squat is not going to be doing anything more meaningful than cleaning a tank with a toothbrush. DOD contractors are no better; they work for the govt because no one else wants them.
Re:A Sysadmin's Lamentation... (Score:4, Informative)
Actually the solution to this is training your enlisted troops how to handle this. I was in Iraq when this went down, as a network admin for a grunt unit. The problem went away when we burned 10 CD's with AV that cleaned it (the most recent definitions from Symantec did NOT do this until almost 4 months later, making government computers completely open) and training 2 Marines per company on how to help their users. Within a week we had controlled the issue.
Re: (Score:1)
I was there in 2005/2006. So far you have given the best informed description of the situation that led to the bad practices.
I still lament over the loss of being able to use a thumb drive. The things were darn useful when used IAW Thumb Drive policy and IMHO could still be used if policies were enforced. Now I often use my personal laptop as opposed to a NIPPER and keep large documents such as FMs and TMs there.
Re: (Score:1)
In other news.... (Score:1, Offtopic)
Bait (Score:2)