Mapping The CIA Nonclassified Network
jeffy124 writes "A security firm Matta Security in London has mapped the CIA non-classified network. Using only legal and open sources, the company mapped the topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among items they found were emails and phone numbers of sys admins and other employees. Amazingly, they did all this in two days."
a way to slip out of their offices. Expect a knock on the door.
According to the Pentagon News Herald
TCD004
Last I checked, Portscanning was legal?
It doesn't look like the information they gathered alone is really anything remarkable, but what they have is probably more than enough to obtain access to classified information via social hacking. It seems that some of the smartest hacks (and viruses too) have played on the shortcomings of people rather than breaking security systems.
-Sou|cuttr
I would tend to think that the sites they mapped were in areas considered "DMZ" or De-Militarized Zone. It's basic systems administration... I think these Brits aren't giving our spooks enough credit.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Always nice to know if the spooks are checking up on me. (Not that I would give them any reason to)
Reality has a liberal bias
They don't claim to have found any private or restricted information. Everything they found was specifically put on the web to be found.
Simply knowing the names and e-mail addresses that Matta turned up would be enough for some social engineers to get the rest of the information necessary to mount an attack
Sorry, I don't buy that. "Hi, this is chuck, the webmaster. Can I have the names of our russian agents please?"
Post the article again when someone breaks in or actually finds classified info.
I wouldn't say that they mapped the CIA's network. Sure, they found some machine names that route mail. Big deal. I'll bet more than half of the slashdotters here could have gotten the same (or more) information. I don't see how knowing what machines route mail poses any security threat. Anyone outside the network could just look at their mail headers and see what internal machines were used to forward the mail.
If someone can get classified information from CIA via social engineering, I'd say someone needs to be retrained. These guys should be on the lookout for that at all times.
Personally, I think this is great. Anytime a private corporation can extract any kind of information on the government and their organizations, it makes the government that much more accessible to the average citizen. The fact that it's entirely legal is even better. It's quite refreshing to hear about a legal and tolerated computer activity compared to all the "bad news" that gets reported on all the time.
-S.Trooper
As for the email addresses and sysadmin names, I really don't think that's a big deal.
Guess we better stop posting our email addresses and names! And, god forbid, get rid of your business cards! And don't forget your whois information!!!!
If that's really an avenue to social engineering, then we're all in trouble.
Yet another story concerning Google. What's this? 4 in a week? (I'm too lazy to actually go count...)
Monday is a horrible way to spend 1/7 of your life.
If you submit a freedom of information act request to the CIA, you can probably get back pages and pages of blacked out text.
in the same page as the network map is
Related Stories: Report warns of al-Qaeda's potential cybercapabilities
don't you just love when we do half the terrorists jobs for them then wonder how they pull off elaborate attacks?
nslookup -q=mx www.cia.gov
- m4tt4 s3cur1ty 1337 h4x0r
big deal who cares. the information was publicly available. in fact all over the world there is this gradual trend towards openness, post cold war. even china (!) but get close to the really secret stuff and you'll have a couple of large visitors, heh.
I got the SysAdmins #'s right here in my Langley phone book. OHHHHH
A link that has some good info on the legality of port scanning is: Journal of Technology Law and Policy
If you take the time to read it, there is a bunch of interesting stuff in it. Just do a page search for "port" and you'll get to the cool stuff.
Exactly. It is the typical information that any sysadmin can get from the outside. The graphic diagramming the networking layout shows nothing remarkable.
You can see the original report in PDF format here, with _all_ of the juicy details.
Which is funny, because the link is not directly accessible from the main site.
talk about security.
"It is a greater offense to steal men's labor, than their clothes"
I hope that cisco 4000 is out of sight of the data-spying via LED guys, 8^)
A few weeks ago I was in an IRC-room when someone asked what sort of results people were getting for "traceroute (some IP I've forgotten)". whois said it was the CIA's IP-range, and the traceroute never reached that IP.
Taking the numbers from the diagram in the article, whois says:
Hewlett-Packard Company (NETBLK-HP19)
3000 Hanover Street
Palo Alto, CA 94304
US
Netname: HP19
Netblock: 192.81.0.0 - 192.81.255.255
Maintainer: HP
Hmm the CIA has 162.45.*.* assigned to them, I guess they aren't using it.
I hope the MiBs don't come knocking on my door now.
What time is it/will be over there? Check with my iPhone app!
One of their Sun boxes is running sendmail 8.8.8. Isn't that a bit out-of-date/insecure?
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
that now they know who the sysadmins are they can start squeezing their heads until they cough up some useful info...
Just because I AM paranoid doesn't mean they're NOT out to get me.
They call themselves the "Matta Attack and Penetration Team."
Haha, they said 'penetration'.
Maybe these guys can help us find the terrorists.
And I'm not even kidding. This morning three bombs were found in a morgue in my hometown (Memphis TN), and I didn't bother to check the local news today so I never even knew about it. There are ATF agents, dogs, cops and whatever else all over the place, and everything is blocked off.
governments are big, slow moving elephants. overworked bureaucrats grappling with small budgets and bosses who don't understand or care to understand what they do.
a constituency that howls about privacy one second and howls about security the next. how could the cia/ fbi have ever let september 11th happen! what a massive failure of intelligence. how dare the government propose a national id card/ that security guard frisk me/ have a shadow government in bunkers up and running. it's a conspiracy to rob us of our bill of rights i tell you!
plane hijacker mohammed atta getting his ins paperwork approved 6 months after september 11th. conflicting mission statements. layers and layers of legislation like legal sediment conflicting and overlapping and obfuscating the directives for an office. look at the org chart that tom ridge now oversees as part of the new homeland security office. it resembles a circuit board.
computer security is a flavor-of-the-month affair... savvy smurfing DoS exploits one month, code red worms the next... nimbleness, dexterity, and flexibility being the name of the game here.
so let's have a packet collision here between the nature of these two beasts. i think the government is screwed, basically. so how do you change the nature of big slow-moving government?
i'm not trying to be pessimistic. because i think after september 11th there is a lot of will to fix things. president bush said as much today when he commented that mohammed atta's paperwork coming through a few days ago is completely inexcusable on the part of the ins.
i'm just wondering how you change the nature of this beast, because it will, it has to, change.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
That's cause none of the really "good" security people really want to work for a government or government-wannabes like Microsoft.
version 5.0.6a
Why you may ask?
Because Lotus Notes and Lotus Domino is the only mail product that gives email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who's on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it -- meaning someone has to steal a copy of the database itself off of the file system, in order to have a chance at decryption.
I hope those guys like pr0n and are looking for a good mortgage rate.
You know what?
Last I checked, air gaps (to the extent of TEMPEST shielding to avoid crosstalk between nets) were still in use to physically separate classified and unclassified networks.
Of course, if someone was stupid enough to physically transfer data from classified to unclassified nets, like what that dude at Lawrence Livermore (I think?) did, by accident, that is a problem. And of course, social engineering. But HOW MANY TIMES MUST IT BE SAID, YOU CAN'T HACK INTO THE REAL SECRET STUFF VIA THE INTERNET!!!
There's 10 types of people in this world, those who understand binary and those who don't.
If you read the .pdf file available on Trustmatta's web site they even say "The information is probably not entirely correct, as we are not authorised to perform network scanning and probing to verify the existence and accessibility of specific hosts and networks..."
Also, after reading the article, I just don't see how they have done anything short of simple nslookups and email address searching... Hardly revolutionary or eye opening!
Gravity!... It's not just a good idea... It's the Law!
"Sorry, I don't buy that. "Hi, this is chuck, the webmaster. Can I have the names of our russian agents please?""
I always find it amusing when people try to make the CIA/FBI/NSA out to be bumbling idiots. They're not perfect, but they are really f'ing good.
In fact, if someone brought that weak 'social engineering' their way, it wouldn't surprise me if they were logged, traced, then given a visit by a couple really solemn-looking men in bad suits and dark sunglasses that smelled like pistachios.
I dare even one of the cynical know-it-all people that read this board to try it. Be sure to post your results so we can laugh at your cornholing.
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
Not a great example of detective work. I saw this on the politech list and it was made to seem like they got a lot more info. This was just basic network enumeration. Any kiddie could have done this after reading the first few chapters of Hacking Exposed
Douglas Calvert
They exist.
They work in buildings.
They have barbed wire around their compound.
Humans go in and out at various times during the day.
Using this valuable information and the logic of this silly article, I *could* mount a tactical strike against CIA headquarters!
Maybe I could run into a CIA employee at the butcher's and make friends and learn his home phone number. Shit! I've just *hacked in* to the CIA. Ph34r my skillz.
Ash OS durbatulk, ash OS gimbatul, ash OS thrakatulk, agh burzum-ishi krimpatul! Uzg-MS-ishi amal fauthut burgulli.
lol, communism. [sarcasm]now theres a social system that works well.[/sarcasm]
tried and tried, proven again and again... to fail.
I'm sure they have systems that aren't connected to the internet in any way however remotely, but also seeing as the CIA snoops on the internet, they obviously have some machines connected to the internet that they would be upset if you hacked into (not that hacking into any of them would be very wise).
> YOU CAN'T HACK INTO THE REAL SECRET STUFF VIA THE INTERNET!!!
That's just what they want you to think.
They also don't want me to get past the lameness filter. Blah Blah.
Don't become a regular here -- you will become retarded.
It's quite possible they've broken the law here; as unreasonable as it seems. As an example, if somebody gave you their telephone number, that's probably not classified. On the other hand, if someone hands you their telephone book, that's probably classified. So, reverse engineering their telephone book somehow would mean you have classified information; and that may be illegal. IANAL.
Whether their IP address list is classified, I cannot say... probably not, but I wouldn't like to bet.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Surely this top secret terrorism buster logo was meant to be classified; there is no way the CIA would be stupid enough to let this information out into the public arena, where it would expose them to ridicule!
Government types are morons....
Funny thing is, if I left my real name, phone number, and email address in my .plan, I'm sure it wouldn't make the /. home page.
So are a lot of other people.
I'm sure I'll get modded down for this, but someone please explain to me how this is newsworthy. This type of target profiling happens every hour of every day. And yes, it happens to government networks also (more so than non-govt. networks). The only difference is, most of the people doing this type of thing don't make press-releases about it.
Move on, nothing to see here.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
i have a hat and t-shirt that says "CIA" on the front. have i hacked into the secret underworld?
this is so lame. the tools used here are no more upscale than what i use to trace down the occasional spammer.
Slashdot has disabled the use of javascript in the User Space area.
Pity they can't get off their useless asses and disable page widening.
C'mon, why even bother with finding this information? I mean, its not even classified... and *EVERYBODY* knows how easy it is to get into the top-secret classified CIA files, just watch the movies! You dial to 555-1311 (CIA1) with your little 2400 baud modem, up pops the CIA logo with a login box, you type "BOSSHOG", password "SECRET" and in you go.. finding out all about those undercover operatives. Oh, and as an added side-effect (must be some super duper CIA classified image compression/encryption thing), JPG images that would take 30 seconds on your 56K modem from any normal site download in under a second!
Who cares about the damn operatives?! Get that compression algorithm and we could make a GPL version and everyone could drop broadband and go back to 56K dialup (at the *speed* of broadband!).
As a sysadmin, it's important to know what information you make public or leak out. All of the information presented here are things that normally are known. If you don't know my DNS, web, and email servers why do I bother setting them up?
This sounds dangerous to people not in the know, and may make a good article to read but I don't see an issue here. Some of it is very questionable. How do you really know they are running Solaris? That wouldn't be hard to mask.
Gimme a break. Some guys decided to do a whois on every CIA computer registered on the public internet. And gained "the names, e-mail addresses and telephone numbers of more than three dozen CIA network administrators and other officials" NO KIDDING you mean that they listed an admin contact in their DNS entries. OMG call the FBI before the terrorists learn how to use dig.
Walking through the jungles of the net I found one mil site. I think navy or something. After some social engineering I found an internal FAQ where they list their network names, ip's and user names, server names, proxy ip's... etc. Everything was done through IE :)) and no port scanning was ever performed. So I knew all. I didn't do anything. I just felt sorry :!)
Your hands will be so far into the honey pots it won't even be funny...
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
It happens all the time, idiots copy emails from the class net and then send it off to people on the unclass. "uh because they don't have a class email address..."
Also ILOVEYOU was found on the class system, that BTW runs MS lookout and exchange 5.5
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
The least they could do is have the outbound mailserver strip the internal mail headers from the message before sending it out. It's easy to do with postfix and that's what we do. Why give out any more information than needed? I noticed that they were able to get what CIDR block they use for internal IP's from the mailserver.
Jesus I don't run a covert espionage agency and I at least do that at our company. Hell I even proxy requests to private servers from an apache server in the DMZ.
Isn't this just basic network security?
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Here, get this CD/Video set, it's free! Learn how to secure Windows NT/UNIX to goverment standards! Order now!
http://iase.disa.mil/eta/index.html
Not a whiff of Microsoft on their accessible networks, which makes me sleep easier at night, knowing their external Net presence has some semblance of stability and security.
I want to delete my account but Slashdot doesn't allow it.
Sooo.... What's new? Did someone expect public information not to be really public when it comes to the CIA? Secret stuff is probably already run from sources that can't be easily found.
the poor sap of an airman was lured by a kraut bimbo in a dive bar to a lonely back road at 0200 and shot in the head by her waiting accomplices.
they used his dd2af card to get on base where they left the car bomb by ramstein ab hq, after it blew and killed those people they mailed the dd2af card back to the base and said they didn't need it anymore...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
I have a feeling this made news just because of its affiliation with the CIA -- the all powerful super secret spy agency of the US government. I sure wish I could generate news stories by doing recursive whois reports and DNS queries.
What's next? I would think that if you were not able to map the CIA's unclassified public network then they must have some sort of major DNS problem.
There is absolutely no significance to this news story other than organizations who maintain a publicly accessible web site with such services as e-mail and a web site must have a logical network structure to deliver said services. The CIA is no exception.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
$ host -v -a -l cia.gov I think that about covers it.
I'm in Memphis also (and posting AC, since I know this will get modded off topic). The general consensus seems to be that the bombs they found in the morgue have nothing to do with terrorism. They were more likely intended to get rid of evidence, for example the body or autopsy report of a recent murder victim.
An interview with someone from the county medical examiner's office said that they don't keep evidence around for long. Notwithstanding the fact that the bombs were discovered, it's unlikely that they would have destroyed the target evidence even if they'd had the chance to detonate. The devices were given a controlled detonation by the MPD, and are en route to ATF labs in Atlanta - not to the FBI.
(I always wondered how many Echelon keywords I could fit into a legitimate post...)
(Is there a site/whatever where people with ideas suggest what software is missing and people with time may choose to implement them?)
What I want is a kernel module to defeat port scanning. Whenever a remote tries to connect to a port that isn't bound, the module kicks in, accepts the connections, and doesn't do anything, or echos the incoming data, or sends random data, or behaves like a web/ftp/etc server, or a combination of the above.
If most computers used this, wouldn't port scanning become impractical?
Would there by any harm in it?
The CIA's actual network defenses never even came into play. Because of the CIA's reputation, the security firm didn't dare portscan, or test the numbers, names, and addresses they got. Obviously the CIA are the ones who really employed social engineering in this case.
you seem to be granting the military a lot of intelligence (pun intended). a .mil environment would be old and unknown systems on the network that should be better protected and are not.
I hate to break it to you but they are just Human and humans make mistakes.
I think the most likely one in the
And going back to your everything is protected by hand scanners and fancy whatnots, so you can not get in via the front door, there is always a back door (not necessarily just in software) and there are always people who want in the back door, and will pay for the privilege.
Sarg: "So how did they get past the butt-scanners(tm) and know the once millisecondarly generated keyphrase?"
grunt: "I have no idea sir, but do you like my new Xbox?"
(readin Xbox is VERY expensive)
ERR 411[Max number of witty sigs reached]
Since when isn't Google a hacker tool ?
It's a script kiddies first port of call.
Easiest way to find someone with a fresh installation of your least favourite OS.
Some people change the headers to report different software, version and/or OS. This way you could get Johnny. S. Pionage to find the latest, greatest (wrong) script from the net and give himself away.
...the No Such Agency
Wow. They mapped the DMZ! Should I be afraid now? It must take balls of solid steel to post the IP address of the publicly accessible web servers..
And *gasp*, phone numbers? Email addresses? Dare I say it - contact information for real live CIA employees?!
OOH! Servers not accessible to the public!!
And I really liked the random link at the far upper left, pointing to the unidentified private IP range used by CIA boxes. How nice of them to add it in, given that they have zero information about it; they've got IPs of the NAT machine on the outside. wow. shocker.
Sorry for being so cynical, but this kind of tripe cracks me up. I work in the belly of the Pentagon, doing systems work now, and if the CIA's unclassified network is anything like ours, I doubt they have to worry.
Why is this significant? Well, as was recently pointed out the 4000 series line cards contain a class III LED transmit/receive status indicator, which makes it possible to sniff traffic off of the interface optically from a distance. Hope the CIA has some extra black tape handy.
The Economics of Website Security
Is that what they now call 'The ping of death ?'
(at the time it was a simple "ping -t -l 66000"
The IP stack would go crazy as you are forcing 66000 bytes in a 65500 bytes buffer, crashing the system => ping of death ! Easiest DOS for Years 8)
Anyhow, come and get me, I got a full frag team ready for you 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
"Here's a clue for you:
The Nixons spied. They deserved to die.
A few years ago an independent US historian was given access to the 'secret archives' in the White House to write a biography of Nixon. Most of the worst rumors about what an evil fuck he was have now been corroborated."
So, pack it up and have a break.
BTW, the first who comes out and says "We are better" is an asshole. You are just as corrupt. Just more expensive whores on your parliament.
And the day you can give me a real difference between Dems & Reps, maybe I'll care enough and go vote...
Til then, good luck.
It's pretty apparent that not only have you never been within the walls of which you speak but that you don't know anyone who has either. This post is pure crap. You try to impress by giving the impression that you've been there - you haven't.
You can simply copy the database locally and use a freely distributed tool to edit the ACL to add yourself or modify -Default-. That will NOT get you past encrypted mail using Public keys tho'. On disk encrypted dBs will also not be affected by this. Doesn't appear in the ACL log either of course. If the person hasn't set User Types you can also create a Group with the user's name and put yourself in it.
;-)
On top of that at least two folks have created code that's supposed to unlock the ID file. One by substituting the hash that's compared by the password dialog in memory with one that's created by a separate application. That code isn't distributed despite promises to release. The second piece of code is a bit shakier but is supposed to be able to backdoor the ID. These two groups are speaking to one another but as of yet I've not seen any results. http://www.falling-dominos.com/ was one of the sites that was working this but refuses to release code for fear of the DMCA. I want this code if anyone has it..
Lastly, there's code out there to dictionary attack the ID file. Some work would no doubt yield brute force code but source hasn't been released for this tool. I might know how it works though
Overall though - Notes is damned secure compared to the MSFT crap that's out there. R6 is looking pretty good and the RC1 beta has been running on my server\workstation for several months now rock solid. Lotus came up with a workable PKI long before X509 seemed to have caught on. Port encryption and all sorts of nice goodies too. I happen to like the client and it's dirt easy to build simple apps. Even workflow apps aren't hard to build and publishing to the WEB is no biggie unless you get really tricky. My home server is running Notes and except for the mile long URLs I find it pretty friendly...
Build it, Drive it, Improve it! Hybridz.org
It sure as hell isn't the CIA's running Exchange. They had a speaker at Lotusphere FROM the CIA who made it quite plain that Lotus Notes was what they were using. Very entertaining little guy too - loved it when the phone rang on the podium and he answered it. Wrong number (lol)!
Anyway, from what he said Exchange was NOT welcomed. Why would they bother to tell people that, present on it, run Notes on their Unclass server, and then run Exchange inside? You must be talking about another network....
Build it, Drive it, Improve it! Hybridz.org
They didn't just scarf info from Google - they also did reverse DNS lookups and a ZoneTransfer. At least one college kid has had his door kicked in for having done a ZoneTransfer to a domain that had recently been hacked. (sigh) Port scanning is no biggie IMO but it seems to me a ZoneTransfer might be a little more "aggressive". Still, if their country doesn't care.....
Before his company got attached to the net, they were using an address of '11.*' for their internal computers, which included a number of Sun workstations -- some doing double duty as routers. For those of you who don't know, RFC 1918 officially designates 3 network ranges for this sort of work -- 192.168.*, 10.* and 172.16.0.0/12. 11.0 obviously doesn't fit in that range.
When they got their network attached to the 'net, they had to do a good deal of work to renumber all of their computers to have 'proper' IP addresses (either in their assigned block, or in an RFC1918 non-routing block).
Within an hour of connecting their box to the 'net, they got a rather brusque call from an intelligence agency official demanding to know why they were stealing his packets. They had to disconnect from the network and root around their network until they found (and removed) the errant subnet stub. It turns out that they had managed to miss one SUN with a second ethernet card that was no longer attached to an active subnet (but still routing to the stub subnet). This was back at a time when any SUN with two ethernet cards routed by default, and every machine ran routed(8) as a matter of course (much easier than having to do manual routing all the time!). It turns out that the route to the stub network had leaked out to the larger internet and poisoned the routing for a huge pool of machines.
When I teach networking, I use it as an example of why you should always use the proper non-routing addresses for internal networks.
(I just did a whois, and 11.0/8 is actually owned by the Defence Intelligence Agency, not the CIA. Not like there's a big difference for us civvies.)
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
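As an added example (not from the page or either poster, and assuming constructed headers under example.gov/example.net), here is a Python check that spots Received: headers exposing RFC 1918 addresses, the leak the Postfix comment above describes, and strips them the way an outbound gateway should; the same RFC 1918 test also shows why the '11.*' block in the routing-leak story is not a private range.

```python
import ipaddress
import re

# RFC 1918 private ranges, exactly the three blocks the comment above lists.
# Anything else (such as the 11.0.0.0/8 block in that story) is publicly
# routable and will leak or collide if used internally.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rfc1918(addr: str) -> bool:
    """True only for addresses inside one of the three RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def unfold_headers(header_block: str) -> list:
    """Join RFC 822 continuation lines (leading space/tab) onto their header."""
    headers = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def leaked_internal_hops(raw_message: str) -> list:
    """Return the Received: headers whose trace contains an RFC 1918 address,
    i.e. the hops that reveal internal relays and the private CIDR in use."""
    header_block = raw_message.split("\n\n", 1)[0]
    leaks = []
    for header in unfold_headers(header_block):
        if not header.lower().startswith("received:"):
            continue
        if any(is_rfc1918(a) for a in IPV4_RE.findall(header)):
            leaks.append(header)
    return leaks


def strip_internal_hops(raw_message: str) -> str:
    """Drop the leaking Received: headers and return the rewritten message.
    Header order is preserved; the body is passed through untouched."""
    header_block, sep, body = raw_message.partition("\n\n")
    leaks = set(leaked_internal_hops(raw_message))
    kept = [h for h in unfold_headers(header_block) if h not in leaks]
    return "\n".join(kept) + sep + body


# Constructed sample: one hop seen at the outside gateway (192.0.2.10 is a
# documentation address, not RFC 1918) and two internal hops that should never
# have left the organisation.
SAMPLE_MESSAGE = """\
Received: from mailgw.example.gov (mailgw.example.gov [192.0.2.10])
\tby mx.example.net with ESMTP id AAA111
Received: from relay1.corp.example.gov (unknown [10.20.30.40])
\tby mailgw.example.gov with ESMTP id BBB222
Received: from ws1234.corp.example.gov ([172.16.5.9])
\tby relay1.corp.example.gov with SMTP id CCC333
From: admin@example.gov
To: someone@example.net
Subject: constructed sample

(body)
"""

if __name__ == "__main__":
    for hop in leaked_internal_hops(SAMPLE_MESSAGE):
        print("LEAK:", hop)
    print(strip_internal_hops(SAMPLE_MESSAGE))
```

In Postfix itself the stripping is done with a `header_checks` regexp table whose matching rule ends in IGNORE; this script is the audit you run over outbound mail to confirm that table actually catches every internal hop.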
Simply modify the Server's ACL entry such that the User Type is "server" and this problem is solved. While you're at it set the option for "enforce consistent ACLs" and watch what happens when the Admin tries to get in. :-) You can set on-disk encryption to make things harder and for REAL fun have the User Record in the address book set so that all of the email is encrypted using the user's Public key. Whoops - the admin can't get in without the ID now huh?
;-)
Admin keeping copies of your ID? No problem, change your password and then create a private encryption key. Encrypt that which you find too sensitive to share and smile. The admin is now locked out without breaking your ID's password or using a tool to circumvent the ID's password. Those tools aren't publicly available..
Done right it's quite possible to have privacy using Notes. Oh, use port encryption too
The Notes server does NOT "have" to be listed in the ACL unless Agents are being run. Mail delivery is done differently and bypasses the ACLs. You could even setup the server as "No Access" and it would still deliver mail....
Notes security is one of the areas I work for my company - most of what I dumped there isn't the sort of thing they document in many books. Just sharing some of what I've learned - no flames.
I hate the orphaned processes it leaves running too. R5 is also slower :-( R6 will have portions rewritten for speed (@Function engine) and is supposed to be multi-threaded but for what I've seen they have a ways to go on that part of it (ahem).
You are just as corrupt. Just more expensive whores on your parliament.
And in other news, rumours are that bears actually do shit in the woods.
And the day you can give me a real difference between Dems & Reps, maybe I'll care enough and go vote...
A career politician is exactly that. Someone who's doing politics as a career move. They're not there for the betterment of the state/county/country/city/world they're there because they make a living that way. And that means getting paid, and getting re-elected.
CIA?!?!?! - lame stuff. Check out these:
199.208.192.0 - 199.208.192.255
207.132.36.0 - 207.132.36.255