Slashdot Mirror


Mapping The CIA Nonclassified Network

jeffy124 writes "A security firm Matta Security in London has mapped the CIA non-classified network. Using only legal and open sources, the company mapped topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among items they found were emails and phone numbers of sys admins and other employees. Amazingly, they did all this in two days."

4 of 242 comments

  1. Re:Portscanning? by Monkelectric · Score: 5, Interesting
    I'm a sysadmin for a major university, and I can tell you first hand that even pinging will get you a letter from the agency you pinged.

    One of my users decided to ping a DOD (Department of Defense) computer ... he pinged it, and a few days later we got an email from them asking us (A) if we had been compromised and (B) if we hadn't, please don't do it again. The letter was very courteous, and explained that they understand that pinging in itself is not illegal, or even unusual; the real point was to inform us that we may have been compromised (prolly a good idea). A buddy of mine who works for the Air Force claims that if you ping an Air Force server, armed FBI agents will appear at your door quickly ... Obviously I am unwilling to test this :)

    --

    Religion is a gateway psychosis. -- Dave Foley

  2. Anyone else notice the Lotus Domino Server by Anonymous Coward · Score: 5, Interesting

    version 5.0.6a

    Why you may ask?

    Because Lotus Notes and Lotus Domino are the only mail products that give email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who is on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it, meaning someone has to steal a copy of the database itself off of the file system in order to have a chance at decrypting it.

  3. Re:Portscanning? by technos · Score: 4, Interesting

    Apparently they've become more paranoid. I remember portscanning .mil subnets as recently as '97-'98, though that was from a badly implemented net sampling tool and not through malice. (The line read scan(n_ipb,n_ipc,n_ipa,n_ipd); it should have been in alphabetical order.) For years and years, I used to set the system clock on my CMOS-battery-impaired DOS box from the clock on an Air Force server I found by manually trolling hosts. It didn't respond to ping, but telnet got me the time.

    I don't recall ever hearing from anyone about it. I even tried to send an explanation of the port scan, but the published email address I had bounced.

    --
    .sig: Now legally binding!
  4. Never re-route CIA packets... by darkonc · Score: 4, Interesting
    A friend of mine once described a run-in that his company had with 'the CIA' a number of years ago.

    Before his company got attached to the net, they were using addresses in '11.*' for their internal computers, which included a number of Sun workstations, some doing double duty as routers. For those of you who don't know, RFC 1918 officially designates 3 network ranges for this sort of work: 192.168.*, 10.* and 172.16.0.0/12. 11.0 obviously doesn't fit in any of those ranges.

    When they got their network attached to the 'net, they had to do a good deal of work to renumber all of their computers to have 'proper' IP addresses (either in their assigned block, or in an RFC1918 non-routing block).

    Within an hour of connecting their box to the 'net, they got a rather brusque call from an intelligence agency official demanding to know why they were stealing his packets. They had to disconnect from the network and root around their network until they found (and removed) the errant subnet stub. It turns out that they had managed to miss one Sun with a second Ethernet card that was no longer attached to an active subnet (but still routing to the stub subnet). This was back at a time when any Sun with two Ethernet cards routed by default, and every machine ran routed(8) as a matter of course (much easier than having to do manual routing all the time!). It turns out that the route to the stub network had leaked out to the larger Internet and poisoned the routing for a huge pool of machines.

    When I teach networking, I use it as an example of why you should always use the proper non-routing addresses for internal networks.

    (I just did a whois, and 11.0/8 is actually owned by the Defence Intelligence Agency, not the CIA. Not like there's a big difference for us civvies.)

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
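
An added illustration of the lesson in the comment above (this is editor-supplied example code, not part of darkonc's post): a small Python check that walks a routing table and flags any route whose destination is neither RFC 1918 space nor the organisation's own assigned block. A route like the 11/8 stub in the story would show up here before `routed(8)` ever got a chance to redistribute it. The netstat-style table below is constructed for the example; the interface names (`le0`, `le1`), the gateway addresses and the "assigned" block `203.0.113.0/24` (a documentation range) are all assumptions, not details from the post.

```python
import ipaddress

# The three RFC 1918 private ranges the comment refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a BSD/SunOS-style "netstat -rn" table (hypothetical;
# not taken from the post). Columns: destination, gateway, flags, interface.
# 11.0.0.0/8 on le1 is the leftover stub subnet from the story.
SAMPLE_ROUTES = """\
Destination     Gateway          Flags  Interface
default         203.0.113.1      UG     le0
203.0.113.0/24  203.0.113.10     U      le0
10.1.0.0/16     10.1.0.1         U      le1
11.0.0.0/8      11.0.0.1         U      le1
127.0.0.1       127.0.0.1        UH     lo0
"""


def parse_routes(text):
    """Parse the table into (network, gateway, flags, interface) tuples.

    The header line and the default route are skipped: the default route
    covers everything and is not a prefix the host itself would announce.
    """
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, iface = parts[:4]
        if dest == "default":
            continue
        # A bare host address becomes a /32 network.
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def leaky_internal_routes(routes, assigned=()):
    """Return (destination, interface) pairs that should never be routed
    locally: destinations outside RFC 1918 space and outside the
    organisation's assigned public block(s).

    Any such prefix is someone else's address space; if a dual-homed host
    running a routing daemon redistributes it, traffic for the real owner
    is pulled into the local network, which is exactly the failure the
    comment describes.
    """
    assigned = [ipaddress.ip_network(a) for a in assigned]
    suspicious = []
    for net, _gateway, _flags, iface in routes:
        if net.is_loopback:
            continue
        if any(net.subnet_of(private) for private in RFC1918):
            continue
        if any(net.subnet_of(block) for block in assigned):
            continue
        suspicious.append((str(net), iface))
    return suspicious


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for dest, iface in leaky_internal_routes(routes, assigned=["203.0.113.0/24"]):
        print(f"route to {dest} via {iface} is outside RFC 1918 and outside our assigned block")
```

Run against the sample table, the check reports only the 11.0.0.0/8 route on `le1`; the 10.1.0.0/16 route passes because it is RFC 1918, and 203.0.113.0/24 passes because it is listed as the assigned block. The same check is worth running on every dual-homed host before enabling a routing daemon on it.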