Domain: disa.mil
Stories and comments across the archive that link to disa.mil.
Comments · 141
-
Re:From the Article
Not that I'm disagreeing with the advertising critique, but HPE has a pretty decent line of "local storage" called 3Par. They are one of the few DoD approved storage systems on the market.
-
Re:Yeah but in real life...
So, open source products never do any updates, change libraries, add new dependencies... your install of Debian is forever set in stone and is never updated? You personally vet every new dependency that comes up when you yum update, and go in and review all 50+ packages' code to make sure it's all compliant with the Application Security and Development Security Technical Implementation Guide? You can verify that absolutely none of the code violates V-70363? This requirement here is why Open Source isn't widely used in Federal systems, outside of very specific products and applications. If you can't call a toll-free line, open up a real support ticket (NOT just posting to a forum), etc., then it's "Remove or decommission all unsupported software products in the application". Any libraries that use cryptography need to be FIPS compliant, listing their module that can be verified.
How do you specify a secure baseline for your open-source applications?
-
Re: It's not the language, you stupid jackwagons..
So you want federally mandated software development standards that, because they don't know a damn thing, would require 100% unit and functional test coverage along with passing a State approved linter and vulnerability scanner?
Well, in some cases... those already exist.
Ahhh yes. DISAster, I remember working with them well. In 2008 I spent 6 months fighting with them to get approval to use SSH host key authentication for host automation rather than the already approved RLOGIN method. They are only "slightly" behind the times...
Yes they do have some very useful recommendations, but working in an environment where those recommendations actually have weight proves my point. They can at times be a major hindrance and getting changes or exceptions made is a nightmare task. This can range from having to rewrite already existing tools/packages (and all the associated bugs and support headaches) due to complications bringing in 3rd party (OSS) items or them simply being behind (sometimes by a decade or more) the power curve of modern standards.
My argument isn't that we don't need any regulation, just that regulation is not all it's cracked up to be.
-
Re:The question to ask..
The question to ask, as both a taxpayer and an IT guy is this: What's the "penalty" for failing to make the October deadline?
You have to manage a network using McAfee HBSS.
You joke, but that is, in fact, the approved DoD solution:
https://www.disa.mil/cybersecu...
-
Re:Idiot Contractor
If this information was truly classified, there is no question that he was not allowed to store it on his personal computer, and he would have been aware of this. This is covered in security clearance 101, even without a clearance it is covered in the annual Cyber Awareness training that all people with access to DoD and Intelligence networks must review (you can take it yourself if you want).
I agree it is not the main story by any means, likely some person or another is always doing this and most of the time it is never discovered.
-
Re: This is not Open Source..
... and that's already the rule. Almost all software developed under contract for the Federal Gov't, civilian agencies, or the DoD has an "unlimited use rights" clause incorporated. Providing a copy of the source for static analysis is also part of the approval process. It seems that what they're trying to do is make the sharing easier or to revive the multiple failures of intra-agency forge sites as a real common platform (think data.gov) http://www.disa.mil/about/lega...
-
Re:Actual DoD statement on the subject
http://iase.disa.mil/Pages/ind... has 3 relevant rules for Windows 10. It must be deployed by January 2017, Domain-joined systems must use Windows 10 Enterprise Edition, and Windows Telemetry must be configured to the lowest level.
It's right there. DISA is the DoD cyber rule maker, and you don't have to be military to read or use their guidance.
There is no special build. And apparently basic telemetry is fine.
-
Re:Not the same as the rest of us ..
There is also a Java based STIG Viewer. http://iasecontent.disa.mil/stigs/jar/STIGViewer_2.2.jar
-
Re:Not the same as the rest of us ..
They already have.
-
Wow, that's... amazing
I would LOVE to see what the DODI 8510.01 RMF C&A package for this deployment would look like. Hell, the Ports, Protocols, and Services mapping alone would be breathtaking. (And, frankly, very useful for us mortals to study to find the other privacy backdoors the geek press hasn't cottoned on to yet.)
Let me clarify that last. To gain certification and accreditation to deploy a new software or hardware technology to a DoD network, you have to fully disclose all long-haul network access, down to which ingress or egress ports (or service numbers) using what transport protocol. All of them. So Microsoft's "phone-home" bullshit would have to be completely, explicitly, and accurately mapped.
*happy dance*
Well, a geek can dream.
-
Re:Telemetry Free Version
Not necessary. They will apply their STIG, though, here from the DISA website, and firewall and additional security here from the DISA website. You will be amazed at what a basic trove of info you have in those, even for Chrome and some other known-to-phone-home things.
-
Re:Again, do you? I have decades of experience
menial monkeys
menials like YOU
YOU ARE HELPLESS
YOU are a rookie noob wannabe menial & "ne'er-do-well"
little "ne'er-do-well"
So, still all you can do is insult, while still not getting it. I see now what I am dealing with.
Used by thousands? lol
Perhaps you should peruse:
http://iase.disa.mil/stigs/Pag...
That is the definitive security guide. I'll bet nowhere in there it says to use a hosts file.
-
Re:One way to drum up business...
download the dod certs and suddenly, it will be trusted http://dodpki.c3pki.chamb.disa...
-
Re:Practical certs like GIAC help and hold value
If you are really serious about InfoSec, you should look to DoD 8570 baselines for certifications:
- Technical:
  - CISSP
  - CISA
  - CASP
  - GCED
  - GCIH
- Management:
  - CISSP
  - GSLC
  - CISM
- Defense:
  - CEH
  - GSNA
  - CSIH
Security is big business right now. It is hard to produce a secure system as shown by the successes in attacking actual secure interfaces (Heartbleed, Winshock, etc.). This is big business commercially, also.
-
Re:Wait -- *their* guidance?
The NSA is a deeply schizophrenic organization.
Not schizophrenic - they just have 2 conflicting missions. That would be signals intelligence (gather and decrypt) and information assurance (protect and defend).
It could be that a split and reorg would be good - say move the information assurance folks and merge them with DISA. Then clamp down on any out of control signals intelligence programs.
-
Re:[OT] A+ = F
A+ still satisfies the DoD 8570 baseline cert requirement for level 1 IA personnel (basically all DOD IT personnel, whether employed by the DOD or a contractor). Other government agencies and large corporations often have minimum certification requirements that include some of the entry-level CompTIA certs.
Saying "leave it off your resume" is silly. Lots of hiring is still done by non-technical managers who like to see the "letters and stuff" for certifications. Most technical people out there who are actually doing hiring, even those who (justifiably) don't have as much respect for the entry-level certs, won't penalize you for having one.
-
Good enough for Government...
Check out the "Security Technical Implementation Guides" (STIGs) put out by DISA at:
http://iase.disa.mil/stigs/
and the "Security Configuration Guides" put out by the NSA at:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml
While following them fully is probably overkill for you, they have a lot of good information on hardening systems and applications.
-
Re:Baseline and STIG hosting
Sorry, but no. The DISA STIGs are hosted here: http://iase.disa.mil/stigs/index.html
-
Use the NSA/DoD guide.
The US Department of Defense makes many of their security guides available free to the public. They're very good starting points for securing operating systems with some really good best practices baked in. Note that anything marked "FOUO" (For Official Use Only -- AKA "sensitive but unclassified") is not available to the public. It won't let you download those because you have to be a member of the DoD's extensive PKI system.
Many private companies use these "STIGs" as well, since they're also available for SCAP-compliant scanners.
They are available for free from the US government here.
-
Re:what about USB keyboards / mouses?
Comments like the parent and the grandparent irk me... Information Assurance is not the personification of "Mordak, the preventer of information services." Sometimes IA policies really do make sense.
I have worked in the world of DoD information assurance (really, I have, see http://www.linkedin.com/in/ericgearhart), and I completely disagree with what you're saying. Your example is built on the premise that the guys on this ship will be connecting to DoD information systems... that's simply not what the original poster is asking.
Think about what you're saying... you wanted to set up a "private wifi" in order to allow instructors to monitor simulations. Don't you think that's sensitive data? If someone brute forced or rainbow tabled that WiFi access point's WPA2 key (you're using WPA2 pre-shared keys, right?) and got onto that private wifi network, wouldn't the data they could siphon off be valuable?
Setting up a completely separate WiFi network *that does not have any DoD sensitive data flowing over it* and is only connected to via personal information systems (laptops, desktops, tablets, phones, whatever) is perfectly acceptable.
Even your original premise, that "wifi is the devil according to IA", is untrue - there are wireless STIGs (Security Technical Implementation Guides - basically they define how information systems are to be implemented on DoD networks) that cover a variety of wireless situations... never mind USB devices, there's even one that covers the use of wireless mice and keyboards!
http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
http://iase.disa.mil/stigs/net_perimeter/wireless/wireless_net.html
-
Re:or it is used as a tool
This doesn't bode well for the effectiveness of the Windows STIGs.
-
secure configuration guide for iOS on DoD networks
-
Web Application Firewall
ModSecurity (or any other WAF) can greatly decrease the number and kinds of attacks that actually make it through to your application. And like a good firewall it can alert you when you're under attack. If you do nothing else, put this in place.
You also want to make sure your app is solid, so head on over to DISA and see what the military recommends. They have Security Technical Implementation Guides (STIGs) for just about everything in your architecture: http://iase.disa.mil/stigs/app_security/index.html
Once you have things built, test! Use some of the open source penetration testing tools to see if there are any known vulnerabilities in your stack. Try it with and without your WAF in place.
Finally, if you really need to go the extra mile, it's time to shell out some cash for professional penetration testers. They'll have a tool belt full of open source and proprietary tools and the good ones will even do a static analysis of your code.
-
First Android Device NOT Certified For DoD
The Dell Streak with Android 2.2 is NOT certified for use by DoD personnel.
All that DISA has issued is an "Interim Security Configuration Guide" (see: http://iase.disa.mil/stigs/net_perimeter/wireless/u_android_2.2_dell_iscg_v1r1_20111020.zip), which is for "limited deployment, pilots and demonstrations" (see: http://iase.disa.mil/stigs/net_perimeter/wireless/u_android_iscg_release_memo.pdf). An approved device would have a "Security Technical Implementation Guide" (see: http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html), such as BlackBerry and Windows Mobile.
cetroyer
-
Re:iPhone anyone?
There is and an iPad as well. But thanks for playing.
http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
Now go cry to mommy and ask her for a cookie and a nice glass of milk.
-
Re:All kinds of smart phones
For a semi-complete list of smart phones that DISA is looking at, check here: http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html (A simple Google search takes you right there).
Interesting that their iPhone and iPad risk assessment document comes up as "access denied"... Maybe I need one of those Dell Streak thingys to see it?
-
All kinds of smart phones
For a semi-complete list of smart phones that DISA is looking at, check here: http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html (A simple Google search takes you right there).
That being said, IT infrastructure needs to expand and accommodate smart phones, both in the commercial and military world. You can only say NO for so long before everyone starts hearing "640K should be enough for anybody".
-
Re:One word: Windows
I would disagree, but not entirely. Yes, the US military is over-reliant on Windows. That said, Windows gets lots of scrutiny - much more than competing OS. The fact that Windows has an entirely broken security model is not lost on those responsible for CND (computer network defense) within the armed forces. Unfortunately, the means of fixing it is mostly via STIGs, "security and technical implementation guides" produced by NSA. This results in an OS which mostly won't run software and can't communicate over a network. This is why the STIG is supposed to be applied with consciousness of the impact on software, and with some delicacy to preserve capabilities. This does not stop those responsible for purported security scans and IA (information assurance) inspections from mandating the application of said STIGs across the board as a prerequisite for allowing your systems on the network, with the results you'd expect.
Getting an exception to the STIG requires getting a general officer* to sign off on a risk, which is a career-ending move if there is some kind of penetration attributable to the exception. So they aren't really interested in doing that much.
I suppose computers that don't work correctly are "secure", in the sense that it's hard to get data off a computer that isn't used as a resource, but rather a boat anchor. Still, this doesn't say much for the military ultimately achieving much in cyberwarfare or even CND by breaking their systems by default.
The root of the problem is that most people that go into IA or CND in the military are nontechnical or just incompetent. It's not the trade that you'd choose if you were savvy, and being surrounded by a good percentage of idiots can't be pleasant. There are some very, very smart people within the system but I wonder personally how any of them stand the general level of incompetence. I can't get a straight answer out of them except for "duty", which may be the real one.
That said, the whole infrastructure is on the wrong track to gaining true capability. Needs changing.
* Each agency has a "Designated Approving Authority" or DAA. It's usually the highest ranking person at said agency. That is who takes ownership of risk.
-
Re:These are the people who run our government
A lot of people don't really know what they are talking about. In my organization everyone is required to take annual training about these things, even if you aren't important. Here is the anti-phishing training: http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm
You have to complete that training and print a certificate annually or you lose access to the network. The government does take these things seriously. It's a small percentage of individuals who aren't paying attention to the training or don't care. Even a simple mind could listen to these directions and follow them.
-
Re:Regulations for classified information
These are what systems are required to do in the way of security measures, as defined by the Federal Information Processing Standards, the Orange Book and the Common Criteria.
A lot of the documentation can be found at the Information Assurance Support Environment website, Policy and Guidance
To summarize, information that is labelled "Secret" can only be stored on a machine that - in the Orange Book system - is classed as B3 or better. The use of security labeling and a mix of host-level and network-level mandatory access controls is supposed to ensure that this is actually mandated at the OS level on each machine and between machines. B3 is equal to the more modern Common Criteria EAL4.
(It is impossible, in theory, to transfer information that is classified at one level into a lower classification, on the same machine or by going through a series of machines. To be able to do so is a violation.)
To be given an EAL4 rating, that precise combination of hardware and software MUST be tested by an approved laboratory and shown to meet all of the criteria.
Further, as noted on the FIPS website: "With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS)."
- Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)
- Standards for Security Categorization of Federal Information and Information Systems (FIPS 199)
- Standard Security Label for Information Transfer (FIPS 188)
Mandated Criteria, Rainbow Series and Related
- Computer Security Requirements (CSC-STD-003-85)
- Security Requirements for Automated Information Systems (AISs)
- A Guide to Understanding Configuration Management in Trusted Systems (Orange Book, Rainbow Series)
Mandated Criteria, Common Criteria
- Common Criteria for Information Technology Security Evaluation, Part 1
- Common Criteria for Information Technology Security Evaluation, Part 2
- Common Criteria for Information Technology Security Evaluation, Part 3
- Common Methodology for Information Technology Security Evaluation
These are NOT optional. These are Federally-mandated requirements. If Manning's computer did not meet these standards, it was NOT authorized to be on the network and the machines that transferred classified information to it were NOT authorized to do so.
-
Re:Invalid Certificates
Hint: that issuer ain't Verisign. I don't know whether that's the official DoD cert or if that's one created by that particular organization, but I do know that it doesn't ship with any popular browser by default
No, it's not Verisign. And of course they aren't self-signed, that's retarded. The US military has the largest PKI deployment in the world, they know a thing or two about certs. The DOD has their own root certificates which don't ship by default with commercial browsers, since they aren't relevant for normal use (and theoretically, they would allow the DOD to MITM your SSL connections).
If you want, you can download and install them: http://dodpki.c3pki.chamb.disa.mil/rootca.html
-
Re:NT 7.0 or NT 8.0?
My facility would like to move to Windows 7, but there's still no official DoD hardening and approval process for it.
Yes, there is.
-
Re:NT 7.0 or NT 8.0?
-
Re:Someone didn't get the memo
The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op get latched onto those.
Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to these specs (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal. /P
-
Re:easily defeated, only if you disable the vector
Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.
See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf (search for Linux) for examples.
-
Re:This is silly
I'm with you on the security clearance stuff. I'm pretty sure there are sub-groups that cannot have blogs and social-site profiles. But I don't think it's a problem for Big Army, it's more of a problem for Special Forces and similar groups. Rangers are.. well, I won't assign them to either group because someone would be unhappy either way.
I should also say that all military personnel are trained to identify these types of things: http://iase.disa.mil/eta/ Though nothing is specific to social networks, much of the training is similar (like phishing awareness).
-
Re:ATTN: SWITCHEURS
Since you have devolved to name calling and apparently run out of facts, here's the refutation of the 2 things you said that are demonstrably wrong:
SharePoint? Give me a break. That's one morass of crap that still has to hit the fan. Is their version control still based on VSS?
What are you talking about? Nobody brought up Sharepoint but you, just now.
Or, as an alternative, are you so fucking ignorant of PowerPoint that you didn't know that, like all Office apps, it has integrated collaboration and version control? Of course, this utter ignorance doesn't stop you from posting about it as if you were some sort of expert. Looks like all the guesses I made in the last post were correct.
So you tout as collaboration the track changes functionality? You've got to be kidding me. That garbage hasn't worked correctly in the 10 years it's been out. I thought we were talking tech here, apparently with the equivalent of a brain damaged script kiddie. I should have known since you picked PowerPoint as your example, arguably one of the worst programs in existence for its stated purpose.
What does that even mean? It ships "as secure as possible." Fuck you can't even use a web browser on the damned thing without turning off half a dozen security features.
Ok, I'll admit that maybe there's something you can do to improve its default security configuration, but six months!? Please God tell me that was 3 days of actual work, and 5.9 months of browsing Fark.com, because that's the only way you don't come out being entirely incompetent.
You really think it's secure? You're an idiot who's probably been pwned after the first virus/trojan you came across. Here's a little reading to show you how you can harden various systems, although this still doesn't make them secure
Huh? I have no idea what you're trying to communicate here...
That's about the only sentence in your entire diatribe that's actually true. You have no idea, at all. And now you've figuratively opened your big mouth and let everyone else know too. I wish you'd stated this 2 posts ago and saved me some time.
-
Re:license
Give this place a shot man: http://www.onguardonline.gov/
We use http://iase.disa.mil/eta/index.html#onlinetraining and have to maintain the certs yearly.
-
Re:There are actually several kinds of "law"
White House photographer is a Government employee, as they are military. See WHCA http://www.disa.mil/whca/ Spent a good number of years at that command. President Clinton tried the same thing to hide Al Gore's fund raising, with illegal use of WHCA to film and photograph.
-
A Dichotomous Question?
How Can I Contribute To Open Source?
This question seems to be distinctly different from your paragraph. Your $10 here and there is something I've also done many times. And it's great to hear that I'm not alone. From buying Firefox swag to just realizing that FOSS Product A saved me (at least) three days of my time so the least I can do is paypal $20 to those in charge.
So if you'd like to contribute in other ways, pick a project that has something that you know a lot about or are passionate about and try to make small improvements submitted as patches. Good with embedded C? Try to help out the Firefox team in squeezing out cycles. Good with computer vision algorithms? Hit up OpenCV or even write some more script/extensions for the Gimp. What's your passion? The most important thing to remember is to not get discouraged when your patch gets rejected or deferred or sent back. Ask for feedback from the team and keep in mind you're there to support them. Firefox might be too closely knit of a project for you to break into but just perusing sourceforge or github will open up your eyes to who's out there looking for your help. A lot of these projects have wish lists.
But what I'm hearing from you is that you'd like to give FOSS more recognition than contributions. No one wants your management or taxpayer to feel obligated to fund open source. That flies directly in the face of what open source wants to do for you.
"I had the idea to put up a Web page stating that we 'use the following free software to save tax dollars,' as a way to help spread the word about open source software, but management calls this an 'endorsement.'"
Above all, respect your management. Were I in your place, I'd take a page from the DoD and on your page post side by side both the open source products you use and the proprietary products you use with a brief explanation. Get your management to approve this (pending security concerns) and whenever a change is made or an addition of open source product is used, put it up. I think you'll find that your page--if not from the get go--will slowly start to paint a common picture: the coexistence of open source products and proprietary products not only working side by side but also supporting each other.
I would not recommend trying to make a business case out of government funded changes to open source products unless you have someone high up in your pocket and on your side. Doing something like that could really make you look foolish if you have no clout to begin with and could injure your reputability. Just a thought, you're free to proceed as you see fit.
-
It's a GUIDE
"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,"
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
They're patting one another on the back because they worked on the guide before Windows 7 was released.
-
Different Worldviews
Current fears of government involvement/takeover of private businesses aside, given the reliance of the DoD on the Windows ecosystem, it is reasonable to expect they -- and other security organizations such as the NSA -- have some level of access to the code developers (not necessarily to the code itself). MS has a vested interest in their success because they couldn't afford the headline, "DoD drops Windows for Linux."
While there could be a backdoor, a more rational conclusion is that the involvement of these government agencies is to help ensure the O/S has the capability to be highly securable. Very few programmers outside of government have the same security worldview as the NSA/DoD, so MS needs that government expertise to assist them. http://iase.disa.mil/stigs/index.html
-
DISA Has online IA training
DISA has some simple and straightforward IA training available online. The DoD IA training includes interactive exercises. There is also a module on phishing. Check it out. http://iase.disa.mil/eta/index.html#onlinetraining For most techies it is far too basic, but based on your target audience, I would recommend it.
-
DISA training materials
The feds appear to have spent a lot of money developing nice Flash-based "Information Assurance" training materials complete with videos and voiceovers and nice little sub-plots and quizzes meant to be very accessible to their workers.
http://iase.disa.mil/eta/issv3/issv3/index.htm
Of course, not everything will be relevant to your family, but it's a good start.
-
Host-Based Detection