Slashdot Mirror


DoD and Net Attacks

Chernyakov writes "The Washington Post has an article about attacks on DoD systems. According to the article, the Pentagon's chief information officer said 'The Defense Department suffered more than 22,000 electronic attacks on its computer systems in 1999 and about 14,000 in the first seven months of this year.' " Those numbers apparently count port scans too, but the article is interest, talking about many things, including the fact that they don't run any commercial software on their most classified systems for fear of backdoors. I imagine the DoD's sysadmins are a scary bunch.


  1. Re:Port Scan's by bellings · · Score: 4
    I'm afraid I don't understand what people are calling a "port scan." If I type
    $ telnet foo.bar.com 25
    does it count as a port scan in your book? Because that's the exact equivalent of what anyone checking for mail relays is going to do -- there is no reason to check any port other than the mail port if you're looking for a mail relay. But, if you've got an MX record screwed up somewhere, you're going to get exactly the same thing if someone tries to send you mail. How do you distinguish between someone checking for mail relays, and someone trying to send you mail?

    Another poster comments "how much of an "attack" is it to scan to see if FTP is open?" What kind of "scan" would anyone do to see if FTP is open? The user checks to see if port 21 is open, and that's it.

    I remember reading once on slashdot how an @Home nameserver was "port scanning" some guy's machine, because it responded to his machine's DNS requests. Come on -- that's not a scan.

    If checking one port is a "scan", then I'm afraid I probably scan hundreds, or even thousands, of machines a day. I'm such a 'leet hacker. Most of our webservers get tens of thousands of "scans" a day (generally, by people "scanning" port 80), from people all over the world. The mail servers get thousands of scans, too. What are you guys talking about?
    --
    Slashdot is jumping the shark. I'm just driving the boat.
  2. Re:Open Source Software security by jlg · · Score: 3
    Keep in mind that OpenBSD isn't really very old. These classified sites have been around for a while and it seems unlikely that OpenBSD could become better than what they had before in just a few years.

    Fundamentally, OpenBSD is still UNIX. Remember the Orange Book codes? You don't see many UNIX systems past C2 because they really weren't designed for it. The A's and high B's belong to operating systems designed with security in mind from the start. Not insecure OSes that have been patched up.

    Not to say OpenBSD isn't secure, it's just not at the right level of paranoia.

  3. Re:Port Scan's by bellings · · Score: 3
    from a security point of view, someone who is only trying to use a service they already know you have isn't scanning you; someone is scanning you to find something out they didn't already know, which is something you should be aware of

    So... if I type http://www.monkey.com/ into the address bar of my web browser, just to see what comes up, I'm doing a "port scan" on that server? Should the administrator of www.monkey.com be aware that I'm trying to hack into the site?

    If I decide I want to download the latest version of NetBSD, and I just randomly guess
    $ ncftp ftp.netbsd.org
    am I doing something the administrator of the domain should be aware of? (In fact, last night I did exactly this. I had no idea where to download NetBSD -- that was just my first guess. I had no idea if there really was a machine named ftp.netbsd.org, or what services it may provide. By trying to connect, I really was trying to discover something I didn't already know.)

    The only thing I'd call a real "port scan" is the kind of thing you can do with a program like nmap -- scanning dozens or hundreds of ports at once, just to see which are open. It shouldn't be a surprise to anyone that those "port scans" are easy to log, but next to worthless to break into the machine.
    --
    Slashdot is jumping the shark. I'm just driving the boat.
  4. DoD Computer Systems, OSs, and Commercial Software by thewiz · · Score: 3

    Understand that most attacks that are launched on DoD computer networks are against UNCLASSIFIED networks. They can contain sensitive information but the really CLASSIFIED stuff is housed on machines that aren't even connected to the Internet (think the original Mission Impossible movie). The sensitive machines that are connected to the Internet can't be found by any script kiddy or leet haxors. For those of you who think you're the hottest cracker around, think again. If the NSA or DoD hasn't approached you to join, you're not nearly as good as you think you are.

    To address a few issues that others have brought up:
    Attacking a military system with more than a port scan or mild probing WILL earn you a visit from some very terse (but polite) gentlemen.

    At the facility I work at we use Solaris, AIX, Windows NT, Windows 98, OS/390, MVS, and even Linux on an S/390. I'm sure there is a project somewhere that uses OpenBSD.

    Backdoors in commercial software are a VERY big issue, especially when the system is connected to the Internet. We DO use software like Emacs, and other Open Source software on our systems. Having the source code available for perusal by a programmer is EXACTLY the reason we use OSS. There is nothing hidden in OSS like there is in proprietary packages. Ever tried asking Microsoft for their code for any of their products so you could verify C2 compliance?

    The DoD does NOT engage in monitoring the public on the Internet (that's the FBI's job ;) ). You will be monitored while accessing a DoD site (and we post BIG warning messages about that) or if you attempt to do anything that is deemed an attack against DoD systems (the same kind of acts that would get you monitored by a commercial site).

    As for programmers putting backdoors into software that the DoD creates, that chance is nearly 0%. When a mission critical software package is written, it is done by more than one person, often by more than one team of people. The code is then subjected to multiple peer reviews. Everything that is done by the program is questioned and re-evaluated at each step of the development cycle. Why else do you think that the government is still using computers from the 70's and 80's? We haven't finished the code reviews yet! ;)

    Trusting foreigners - Well, you can't even get a clearance if you were not born in the U.S. (at least that's the way they say it's supposed to work).

    The DoD is NOT stupid or careless; unfortunately, there are times when people make mistakes and accidentally compromise classified information. This happens through laziness and cockiness on the part of users AND Admins; the same reasons that commercial sites get cracked.

    And, yes, many of us are not in this job for the pay, rather out of a sense of duty toward our country.

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  5. Port Scan's by holos · · Score: 4

    Is it really fair to count port scans as an attack? I can see classing it if it comes from a 192/10/172/169 address but normal scans are part of life, or they are at least for my boxes and me. With portsentry on them I usually get 5 a week from sources all around the world, usually they just check for mail relay and script kiddy tools but sometimes I'll catch the same IP scanning many machines, then they get monitored.

    1. Re:Port Scan's by Falsch+Freiheit · · Score: 3

      Yes.

      If you are intent on breaking into a machine to which you have no access, a port scan is the first step.

      For any kind of attack (whether with guns or with computers), reconnaissance is the first step.

      If you're not the DoD, though, I wouldn't worry about portscans. I don't count them as attacks just because they're so common. Besides, if I have a machine that runs several websites (some of which have files available for download), how much of an "attack" is it to scan to see if FTP is open? It could just be somebody who got a partial file download and wants to see if they can finish the download.

      Also, with most of your machines, there is *some* kind of legitimate access the public has to it. The SMTP port or HTTP or something like that. For many DoD machines, there is *no* legitimate access for most of the public.

      Only 5 a *week*? Wow. That's low. I think the main machine I do any admin for gets that many in an hour.
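
The distinction argued in the comments above (a single connection to one service, versus an nmap-style sweep of many ports, versus the same IP touching many machines) can be written as a breadth count per source. This is an added example, not code from any poster; the log tuple format, the thresholds and the addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, dest_ip, dest_port).
# Addresses are documentation ranges, not real traffic.
SAMPLE_LOG = (
    # one source delivering mail to one server, 15 minutes apart
    [(t, "198.51.100.7", "192.0.2.10", 25) for t in (0, 900, 1800)]
    # one source trying 15 different ports on one host within 15 seconds
    + [(100 + i, "203.0.113.5", "192.0.2.10", 20 + i) for i in range(15)]
    # one source trying port 25 on six different hosts within 6 seconds
    + [(200 + i, "203.0.113.9", f"192.0.2.{i + 1}", 25) for i in range(6)]
    # one visitor using HTTP and then FTP on the same server
    + [(300, "198.51.100.20", "192.0.2.10", 80),
       (320, "198.51.100.20", "192.0.2.10", 21)]
)

def classify_sources(events, window=60, port_threshold=10, host_threshold=5):
    """Label each source by how broadly it probed inside any sliding window.

    vertical-scan:    >= port_threshold distinct ports on one host
    horizontal-sweep: >= host_threshold distinct hosts on one port
    ordinary:         neither (e.g. a single connection to a service)
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))

    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        verdict, start = "ordinary", 0
        for end in range(len(rows)):
            # shrink the window so it spans at most `window` seconds
            while rows[end][0] - rows[start][0] > window:
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, port in rows[start:end + 1]:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if max(len(p) for p in ports_per_host.values()) >= port_threshold:
                verdict = "vertical-scan"
                break
            if max(len(h) for h in hosts_per_port.values()) >= host_threshold:
                verdict = "horizontal-sweep"
        verdicts[src] = verdict
    return verdicts
```

A counter that treats every inbound connection as an "attack" would flag all four sources here; counting breadth flags only two.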

  6. Re:2000 Mission Critical Computers? by slickwillie · · Score: 4

    Are you kidding? Real defense weenies don't play solitaire, they play minesweeper.

  7. slashdotting .mil servers by Anonymous Coward · · Score: 3

    is slashdot organizing a DoS attack on US .mil servers by posting a link on the front page?

  8. Quality of DoD sysadmins by dkusters · · Score: 5

    Working for a DoD contractor who supplies software to the DoD, I can attest to the general lack of quality among their sysadmins. There are some amazingly good admins out there, but they are few and far between.

    The DoD has tens of thousands of computers at thousands of locations. They have over 10,000 different software applications that they have had written for them. I'm not exaggerating. Organizations as large as the DoD need a lot of admins. But, the admins are, for the most part, civil servants. They fit into the standard scale of civil servants' jobs and wages. In other words, they don't get paid very well.

    Let's say you're a good admin. Would you work for $70K at a computer company or for $40K for the DoD and have a BGen. screaming at you for not allowing him to receive his granddaughter's cute animation in the mail even though you've explained that the latest DoD mandate forbade ActiveX in emails? Simple choice. Industry pays better and has a better working environment.

    So, what are you left with? One of the admins we deal with (let's call her Betty) was a typist in the secretarial pool (yes, the DoD still has those). She was promoted to an admin. Why? Because of her vast knowledge of networking? Because of her ability to troubleshoot hardware? No. Because she could type fast. This is a real story. Only the name has been changed.

    There are good DoD admins out there. They do it not for the environment or the money, but for the sense of pride out of helping the country. On average, the quality of the DoD admins is very low.

    Dave.

    P.S., this post does not reflect the opinions of my employer.

  9. Re:What OS's do they use? by superid · · Score: 3
    Oh for crying out glayvin...."we" use everything that you do. Everything...NT, 2000, 98, 95, DOS, Linux, solaris, Irix, AIX, HP-UX and that's all within sight of my office!

    What makes you think we're any different than a very large corporation? We are not one giant monolithic organization. We have well run firewalled networks...we have isolated networks...we have public webservers and database servers. Some I don't doubt will be defaced, others I have confidence that they are basically impenetrable.

    We have smart users that can set up their own systems, and we have some of the stupidest users you've ever seen (I got 3 trouble calls from one person for the same printer in 10 minutes... out of paper, offline, and then he printed to a printer 10 feet away and couldn't find the printout)

  10. the article is interest? by divide_by_0 · · Score: 3
    Those numbers apparently count port scans too, but the article is interest, talking about many things....

    what kind of interest does this article get? I would hope it would get at least 5% compound interest annually.

    --
    -| My other ride is your mom |-
  11. I'll confess, by Shoeboy · · Score: 3

    I have been responsible for some of this. I can't help it - it's so rewarding.
    You scan a DoD computer and several large men come over to talk to you.
    They humiliate and scold you.
    If you're lucky, you get a cavity search!
    My favorite is a guy called Agent Wesley, he's got reaaaly long fingers.
    Anyway, just wanted you guys to understand my script kiddie motivations.
    --Shoeboy