Mapping The CIA Nonclassified Network

jeffy124 writes "A security firm Matta Security in London has mapped the CIA non-classified network. Using only legal and open sources, the company mapped topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among items they found were emails and phone numbers of sys admins and other employees. Amazingly, they did all this in two days."

Mapping was a planned leak!

[tcd004]

According to the Pentagon News Herald

TCD004

Portscanning?

[LWolenczak]

Last I checked, Portscanning was legal?

Re:Portscanning?

[Telastyn]

Legal, though it's also likely to draw attention. Listening to traffic is a little more suripticious.

Re:Portscanning?

[CodeMonky]

legal but highly frowned upon when used on machines you aren't responsible for.

Re:Portscanning?

[Monkelectric]

Im a sysadmin for a major university, and I can tell you first hand that even pinging will get you a letter from the agency you pinged.

One of my users decided to ping a DOD (department of defense) computer ... he pinged it, and a few days later we got an email from them asking us A: if we have been compromised B: if we hadn't please dont do it again. The letter was very courtious, and explained they understand that pinging in itself is not illegal or not even unusual, the real point was to inform us that we may have been compromised (prolly a good idea). A buddy of mine who works for the air force claims if you ping an air-force server, armed FBI agents will appear at your door quickly ... Obviously I am unwilling to test this :)

Re:Portscanning?

[LWolenczak]

they said they did it w/o "illegal" portscanning.

Read the Article!

Re:Portscanning?

[Baca]

Question is if you ping them and they show up, do they respond with "pong?"

Re:Portscanning?

[matthewn]

Well, would someone who's feeling lucky today ping an Air Force server and report back? ;)

(Hell no! I'm not gonna do it! You do it! --No way, man! I ain't gonna do it! You do it!)

Re:Portscanning?

[LWolenczak]

You know, somebody really should be watching the watchers.....

Re:Portscanning?

[CodeMonky]

it may be illegal in other countries.

Re:Portscanning?

[brer_rabbit]

what's the worse that could happen?

% ping hidden.airforce.mil
PING hidden.airforce.mil from 192.168.1.4 : 56(84) bytes of data.
64 bytes from hidden.airforce.mil: icmp_seq=0 ttl=57 time=20.871 msec fbi_agents_in=10
64 bytes from hidden.airforce.mil: icmp_seq=1 ttl=57 time=19.560 msec fbi_agents_in=9
64 bytes from hidden.airforce.mil: icmp_seq=2 ttl=57 time=20.497 msec fbi_agents_in=8
64 bytes from hidden.airforce.mil: icmp_seq=3 ttl=57 time=20.820 msec fbi_agents_in=7
64 bytes from hidden.airforce.mil: icmp_seq=4 ttl=57 time=19.732 msec fbi_agents_in=6
64 bytes from hidden.airforce.mil: icmp_seq=5 ttl=57 time=20.805 msec fbi_agents_in=5
64 bytes from hidden.airforce.mil: icmp_seq=6 ttl=57 time=19.830 msec fbi_agents_in=4
64 bytes from hidden.airforce.mil: icmp_seq=7 ttl=57 time=20.770 msec fbi_agents_in=3
64 bytes from hidden.airforce.mil: icmp_seq=8 ttl=57 time=19.781 msec fbi_agents_in=2
64 bytes from hidden.airforce.mil: icmp_seq=9 ttl=57 time=20.790 msec fbi_agents_in=1

--- hidden.airforce.mil ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss, 100% user loss
round-trip min/avg/max/mdev = 19.560/20.345/20.871/0.541 ms

Re:Portscanning?

[AnalogBoy]

Pentagon (AP)

A massive, national mobilization of FBI agents was reported today by sources speaking on condition of anonymity. While officially the situation is classified, the source said there was a massive DOS attack of every major government site.

"We don't believe this to be the work of ametures." said the source, "The attack was highly organized - thousands of users, from all over the globe, using a special form of denial of service attack called the 'Slashdot Effect'."

The government has been keeping an eye on the hacker portal "Slashdot", at http://slashdot.org/, for quite some time, stating that it is always the best place to find out what the next big illegal thing is, whether it be irritating the MPAA, RIAA, or disrupting critical government networks.

President Bush is quoted as saying something inconsequental, ignorant, and stupid, as usual.

Re:Portscanning?

[SpinyNorman]

Maybe ... legal until you're accused of hacking into the syetem you portscanned, then it'll be used against you as evidence of hacker intent.

This has already been done.

Re:Portscanning?

[CoreyG]

A friend of mine at VT strobed (portscanned) some .mil machine his freshman year(96-97). A few days later he was called into a meeting with the Dean of the A&S college and some G-Men. They then went back to his dorm room and got copies of every h4X0r1ng tool he had on his linux machine.

Re:Portscanning?

[technos]

Apparantly they've become more paranoid.. I remember portscanning .mil subnets as recently as 97-98, though that was from a badly implemented net sampling tool and not through malice. (Line read scan(n_ipb,n_ipc,n_ipa,n_ipd), should have been alphabetic order) For years and years, I used to set the system clock on my CMOS-battery impaired DOS box from the clock on a Air Force server I found manually trolling hosts. Didn't respond to ping, but telnet got me the time..

Don't recall ever hearing from anyone about it. I even tried to send an explaination of the port-scan, but the published email I had bounced.

Re:Portscanning?

[CodeMonky]

You are welcome to be completely ignorant of other countries laws if you plan on never leaving the us. However if you are gonna ever travel abroad you may wish to keep track of what is and isn't legal elsewhere when it comes to computers. It would be a shame for you to portscan a computer while on a trip to china and be put to death.

Re:Portscanning?

[Darth_Burrito]

whew, I'm just glad the ttl isn't counting down as well.

Re:Portscanning?

[mallie_mcg]

64 bytes from hidden.airforce.mil: icmp_seq=5 ttl=57 time=20.805 msec fbi_agents_in=5

I think you have the wrong domain name. (Well i know www is not hidden., but ill look into it for you!! :p~

PING www.af.mil (131.84.1.31) from 192.168.83.206 : 56(84) bytes of data.
From h1-0.dtic.bbnplanet.net (4.1.1.254): Packet filtered
From h1-0.dtic.bbnplanet.net (4.1.1.254): Packet filtered
From h1-0.dtic.bbnplanet.net (4.1.1.254): Packet filtered
From h1-0.dtic.bbnplanet.net (4.1.1.254): Packet filtered

Yes actuall results. I wonder when i will get the email. (Yes i am an Admin on the domain, yes i am bored), or failing that visits from people in really bad suits. (Im lonely too, it will be nice to have someone to talk to!!) --- www.af.mil ping statistics --- 27 packets transmitted, 0 packets received, +4 errors, 100% packet loss

Re:Portscanning?

[cloudmaster]

I ran a quick "nmap -O" on a few air force servers just a few weeks ago, because they were mirrorring one of our web sites very aggressively (many requests per second) and I wanted to get some information on exactly what the machine was that was pulling stuff down that hard. I've yet to be visited by anyone, in person or via email.

Then, the site being mirrored was one that we'd developed for the air force, so I assume that they must've figured it was ok or maybe realized that it's bad form to monopolize most of our T1 for several minutes at a time and not felt like pushing the issue... :)

I'm pretty sure that individual bases or however they're grouped each are alowed some leeway in their security implemntations, so they probably don't all track connection information down to each individual ping...

Re:Portscanning?

[ByteHog]

just one ping? damn.. wonder what'll happen if we slashdot them.. do we get to see the black helicopters? :)

Re:Portscanning?

[Cally]

> Im a sysadmin for a major university, and I can
>tell you first hand that even pinging will get you a
>letter from the agency you pinged.

I can assure you that this is NOT the case for us outside the US. I've been known to use www.af.mil as a test of connectivity / UDP / ICMP, and I've not seen a letter, an email or indeed any MIB.

Re:Portscanning?

[gfreeman]

[Russian/Connery accent] Vasily, verify number of hops to our target - one ping only ...

--
Graham

Re:Portscanning?

[Sabalon]

No no no...

ping uss-dallas -one-ping-only

It's DMZ data I'm sure...

[bergeron76]

I would tend to think that the sites they mapped were in areas considered "DMZ" or De-Militarized-Zone. It's basic System's Administration... I think these Brits aren't giving our spooks enough credit.

Re:It's DMZ data I'm sure...

[global_diffusion]

Here's another funny thing:

Among items they found were emails and phone numbers of sys admins and other employees

This sounds really stupid of the CIA at the first glance, but if you think about it, the sys-admins were probably "email the webmaster!" links and the 'other employees' were probably officials that displayed their office numbers so the public could contact them. What a joke.

Web Logs

[CokeBear]

Checking all my logs now for any access from 198.81.x.x

Always nice to know if the spooks are checking up on me. (Not that I would give them any reason to)

Re:Web Logs

[Kalak]

The CIA doesn't have the whole 198.81.xxx.xxx class. 198.81.23.39 is an AOL proxy server, and I sincerely hope the CIA isn't using AOL.

"You've got a mail bomb"

Re:Web Logs

[BlueUnderwear]

Yes, and 198.81.209.16 is at IBM ( yktgi01e0-s1.watson.ibm.com). So, don't panic if you see any 198.81 in your webserver logs.

So what?

[oni]

It don't claim to have found any private or restricted information. Everything they found was specifically put on the web to be found.

Simply knowing the names and e-mail addresses that Matta turned up would be enough for some social engineers to get the rest of the information necessary to mount an attack

Sorry, I don't buy that. "Hi, this is chuck, the webmaster. Can I have the names of our russian agents please?"

Post the article again when someone breaks in or actually finds classified info.

Re:So what?

[kafka93]

Social engineering is probably *the most* dangerous form of attack, as well as the most often overlooked from a defensive standpoint. Although the webmaster may not directly have details of russian agents, to use your example, he may have access to information that might compromise the security of the entire system. From my admittedly limited experience, the military and other "important" organisations are often little better prepared for attacks than the average web startup: even where great care and attention has been given to firewalls and the like, there will still exist employees who will disclose information, and there is still always the capacity for human error.

Besides, addressing this kind of issue "when someone breaks in" is too late. And it's important that the civilian be aware of and take an interest in problems in its government, police force, legal system, etc.

Re:So what?

[gartogg]

Do you really think that there are privates manning the phones at the pentagon that will give out anything other then their name to someone that has no real reason to call?

Of all organisations that might be vulnerable to social engineering, I am least worried about the military.

In any case, if people only hire intelligent software engineers, no one will be able to social engineer anything. It's a concern, but real hackers who recognize the phrase "social engineersing" don't bother with crap companies, and the script kiddies who can do damage don't have voices deep enough to pass for an adult.

Re:So what?

[dvdeug]

Of all organisations that might be vulnerable to social engineering, I am least worried about the military.

A small team of men managed to literally roll an airplane out the back gate of an Air Force base, primarily using social engineering tactics. This team, hired by the military, found that military security wasn't all that it was cracked up to be.

if people only hire intelligent software engineers, no one will be able to social engineer anything.

How does *that* follow? Many social engineering attacks get the user to hand over username and password, and if you can't check IP (think mobile users) then you've just lost. At best you can contain it to that user's files, but that still may be a severe security leak.

Re:So what?

[monkeydo]

First, anyone who answers the phone at the CIA is trained not to tell you anything. For that matter, they don't know anything. Everything os compartmentalized, computer systems, intelegence, even people. Social engineering on the scale you mention usually doesn't happen in the wild. Social engineer as a hacker technique is popular because of the low risk exposure. If you are a team hired by the AF to try and steal a plane you have zero risk no matter what you try, so you'll do some things no one would do in real life.

Second, do you really think the CIA uses username/password authentication for *anything*? Think smartcards, one time key generators, palm scanners, etc. I guarantee there isn't a single secure system you can get into without at least a token and a passphrase. The most secure systems require multiple authentications. Hello, we're are talking about the largest *inteligence* agency in world.

Re:So what?

Hi, this is chuck, the webmaster

Actually it's "Dave":

Central Intelligence Agency (CIA-DOM)
Information Services Infrastructure
Washington, DC 20505

Domain Name: CIA.GOV
Status: ACTIVE
Domain Type: Federal

Technical Contact, Administrative Contact, Billing Contact:
Wheelock, David E. (DEW1)
(703) 613-9840
DAVIDW@UCIA.GOV

Domain servers in listed order:

RELAY1.UCIA.GOV 198.81.129.193
AUTH100.NS.UU.NET 198.6.1.202

Record last updated on 31-Oct-01.

Dave?
Dave's not here, man.
No, it's me, Dave - let me in.
Dave's not here!

Re:So what?

[kruczkowski]

Rhein-Main Air Base, Germany 1985. Don't know the exact story but a lady slept with some airman and stole his id, drove onbase with a bomb in the car and blew it. 3 people died.

Re:So what?

[Darth_Burrito]

One of the companies I used to work for gave us secureid keychains with 7 or 8 digit numbers on them that changed every 60 seconds. Whenever we logged in to our company account, we had to supply the code in addition to our username and password. A very popular scam was to email people a message with a link to a fake login page. Sometimes they would fake an internal memo: Eg. New company policy regarding X, log in here and read it. Your order for $120 sunglasses has been processed, to view your order login here. A virus is propagating through the company network, login here to download the patch, etc. Some of these messegaes would be very convincing. Often the only way to tell them apart from real company mail was to examine the link's url which was usually obsficated. I'm sure many people, especially new hires, periodicly fell for this stuff. What I'm trying to say is, social engineering can be very effective. It only takes a couple of uninformed folks to make a mistake and when you are more or less constantly under attack, a few slip ups are bound to happen.

Re:So what?

[oni]

terrorist group targets Chuck and his SysAdmin pals before launching some kind of attack.

I should have made this clear in my last post, and this is based on my experience in the military: The web-page flozies typically work in the public affairs departments. They could be abducted by aliens and no one would care much. The real IT people have nothing to do with "administering" web sites.

Maybe the CIA does things differently - but I doubt it.

Re:So what?

[overunderunderdone]

Social engineering is probably *the most* dangerous form of attack, as well as the most often overlooked from a defensive standpoint.

This is good advise to most businesses who don't think about it that much.

BUT, to be fair to the CIA they are one institution that is fully aware of and as far as humanly possible takes into account "social engineering" (or "humint") After all that is what they DO - it is EXACTLY how they gather information themselves and it is exactly how they expect their rivals to gather information on them. Yes, they are still human and as humans WILL still make errors that will disclose information, but then again it is the one institution in the world where you might never be sure whether what you got was real information or disinformation.

Not that impressive

[fiber_halo]

I wouldn't say that they mapped the CIA's network. Sure, they found some machine names that route mail. Big deal. I'll bet more that half of the slashdotters here could have gotten the same (or more) information. I don't see how knowing what machines route mail pose any security threat. Anyone outside the network could just look at their mail headers and see what internal machines were used to forward the mail.

If someone can get classified information from CIA via social engineering, I'd say someone needs to be retrained. These guys should be on the lookout for that at all times.

Re:Not that impressive

[paiute]

Social engineering is by far the most cost-effective way to run an intelligence agency. I'll let you spend billions on fancy software and hardware. I'll spend a grand on a hooker to wink at one of your sysadmins - and I've got all the access I want.

Re:Not that impressive

[Happy+go+Lucky]

Social engineering is by far the most cost-effective way to run an intelligence agency. I'll let you spend billions on fancy software and hardware. I'll spend a grand on a hooker to wink at one of your sysadmins - and I've got all the access I want.

A few years ago, Archer-Daniels Midland actually did try to hire a few hookers to get some market information from a competitor. The plan got scrapped when nobody could keep a straight face at the thought of some lady of the evening moaning "f--- me! F--- me! Harder! What's your method for removing impurities from lysine? Oh, god, harder!"

But I agree with paiute. It's people who have information, and getting information means getting it from people. Sending them hookers who then blackmail them is one option-a US Marine assigned to our embassy in Moscow fell for that back in the 80's.

And a lot of people will talk just because. Rajid at the 7-11 (not flamebait-that's really his name), a half-dozen homeless guys, and a handful of "undocumented workers" who are just as happy that the gringo cop speaks Spanish and doesn't know INS' phone number like to talk about what goes on in one particular neighborhood, and that includes talking to cops who want to buy coffee at 3AM (mainly me) and as a result I know pretty much everything that happens within two blocks of that 7-11.

It's all about people, and knowing how to listen to them. If the CIA had the good sense to hire street cops, semi-experienced newspaper reporters, multilingual cabdrivers, and a very few really good clinical psychologists to send overseas, they'd be able to tell us what kind of lube Osama bin Laden uses when he has relations with his goats, whether Jiang Zemin really is a pedophile or if that's just office gossip, if there's another reason why Vladimir Putin is cranky this week, and where the communist guerillas in Colombia buy their cigarettes. The really REALLY good information-gatherers know that they need to talk to people instead of wasting money on techno-toys.

Re:Not that impressive

[Cally]

>I wouldn't say that they mapped the CIA's network.
>Sure, they found some machine names that route mail.
>Big deal.

Ah, you've never done any pen-testing I see... the first stage of which is always information gathering. It's not unknown to be able to pick out the most vulnerable point of entry without a single packet passing from between yourself and the target.

Re:Not that impressive

[bluGill]

If the CIA had the good sense to hire street cops, semi-experienced newspaper reporters, multilingual cabdrivers, and a very few really good clinical psychologists...

They do. There are problems with this. I'll talk to my local cop, but most of the cops I know will NOT talk to the KGB, MI6 (or is it MI5?), or any other overseas spi agency knowingly. some will, but most will not. I have relatives in the military who tell me sensitive (unclassified) information that foreign goverments would like to know. I don't go repeating that information to just anyone.

Accually reporters are the easiest target, just buy a subscription to the local newpaper and read it.

The other problem is money. Getting the information is easy. However sortting out "John and Mary smith are proud to anouce their son's engagement..." from interesting stories takes trained men. (and that is before we get into stenography where the announcement is a coded message that looks legitmate) Sortting though all of it takes money. The computers the CIA plays with are expensive, (and congress loves it because it brings jobs to some community that builds the stuff), but once technology is bought you can use it for years at the cost of only electrisity. Compare that to the cost of paying someone every year to read newspapers, and spy reports, and it doesn't take long for a computer to pay for itself in the volumn of data it can process compared to what the person can. Of course a person sorting through the paper is probably better than a computer, but there are many newspapers, and most of the time none of the have anything of interest.

Big deal!

[shyster]

Big deal! So they managed to map their public space and their mail servers on the inside. All of this is pretty easy to find out and is hardly supposed to be a secret.

As for the email addresses and sysadmin names, I really don't think that's a big deal.

"Simply knowing the names and e-mail addresses that Matta turned up would be enough for some social engineers to get the rest of the information necessary to mount an attack,"

Guess we better stop posting our email addresses and names! And, god forbid, get rid of your business cards! And don't forget your whois information!!!!

If that's really an avenue to social engineering, then we're all in trouble.

Re:Big deal!

[shyster]

I notice you're no longer posting your email address in your comments.

Only because of spammers and trolls. My email address is publicly available, well posted on Usenet and mailing lists, and evidently available on mnay spam lists. Of course, that is my spam trap email address.

My business email address is available via whois information, as well as PR records on the DNS servers that I set up/maintain. And, of course, on our website.

My personal email address that I wish to not receive spam on, alas, is priveleged knowledge, and is only known to a select few. Of course, it is available as the email address of the administrator of my subdomain, and is aliased to postmaster@my.subdomain.com. So there are ways of finding it. And it doesn't take an 3l33t h4ck0r, or the CIA, to do it.

It doesn't have to be a large organization

[Sarcasmooo!]

If you submit a freedom of information act request to the CIA, you can probably get back pages and pages of blacked out text.

wonderful

[crystalplague]

in the same page as the network map is

Related Stories: Report warns of al-Qaeda's potential cybercapabilities
don't you just love when we do half the terrorists jobs for them then wonder how they pull off elaborate attacks?

Re:wonderful

[gad_zuki!]

Related Stories: Report warns of al-Qaeda's potential cybercapabilities
don't you just love when we do half the terrorists jobs for them then wonder how they pull off elaborate attacks?

Yeah, they sure are helping the enemy.

The terrorists have connected to port 25, I repeat the terrorists have connected to port 25!!!!

PH34R MY SK1LLZ

[spoonist]

h3y d00dz!

nslookup -q=mx www.cia.gov

- m4tt4 s3cur1ty 1337 h4x0r

good link on legality of port scanning

[zkosky]

A link that has some good info on the legality of port scanning is: Journal of Technology Law and Policy
If you take the time to read it, there is a bunch of interesting stuff in it. Just do a page search for "port" and you'll get to the cool stuff.

Original PDF Report

[Alien54]

It doesn't look like the information they gathered alone is really anything remarkable

Exactly. It is the typical information that any sysadmin from the outside. The graphic diagramming the networking layout shows nothing remarkable.

You can seen the original report in PDF format here, with _all_ of the juicy details.

Which is funny, because the link is not directly accessable from the main site.

talk about security.

Meme...

[netsharc]

A few weeks ago I was in an IRC-room when someone asked what sort of results people were getting for "traceroute (some IP I've forgotten)". whois said it was the CIA's IP-range, and the traceroute never reached that IP.
Taking the numbers from the diagram in the article, whois says:

Hewlett-Packard Company (NETBLK-HP19)
3000 Hanover Street
Palo Alto, CA 94304
US

Netname: HP19
Netblock: 192.81.0.0 - 192.81.255.255
Maintainer: HP
.
Hmm the CIA has 162.45.*.* assigned to them, I guess they aren't using it.
I hope the MiBs don't come knocking on my door now.

sendmail 8.8.8?

[teridon]

One of their Sun boxes is running sendmail 8.8.8. Isn't that a bit out-of-date/insecure?

Re:sendmail 8.8.8?

[EricKrout.com]

Well, they're using Solaris 2.5.1, which initially came with SMI-8.6.

They have upgraded since that original version, however.

The latest Sendmail version for Solaris 2.5.1 was 8.8.8 plus a Sun patch, so hopefully they got rid of any and all potential problems.

MONOLINUX :: Imagine There's No Windows. It's Easy If You Try.

Re:sendmail 8.8.8?

[Soko]

One of their Sun boxes is running sendmail 8.8.8. Isn't that a bit out-of-date/insecure?


Hmmmm....Can you say honeypot ?

Soko

governments and computer security

[circletimessquare]

governments are big, slow moving elephants. overworked bureaucrats grappling with small budgets and bosses who don't understand or care to understand what they do.

a constituency that howls about privacy one second and howls about security the next. how could the cia/ fbi have ever let september 11th happen! what a massive failure of intelligence. how dare the government propose a national id card/ that security guard frisk me/ have a shadow government in bunkers up and running. it's a conspiracy to rob us of our bill of rights i tell you!

plane hijacker mohammed atta getting his ins paperwork approved 6 months after september 11th. conflicting mission statements. layers and layers of legislation like legal sediment conflicting and overlapping and obfuscating the directives for an office. look at the org chart that tom ridge now oversees as part of the new homeland security office. it resembles a circuit board.

computer security is a flavor-of-the-month affair... savvy smurfing DoS exploits one month, code red worms the next... nimbleness, dexderity, and flexibility being the name of the game here.

so let's have a packet collision here between the nature of these two beasts. i think the government is screwed, basically. so how do you change the nature of big slow-moving government?

i'm not trying to be pessimistic. because i think after september 11th there is a lot of will to fix things. president bush said as much today when he commented that mohammed atta's paerwork coming through a few days ago is completely inexcuseable on the part of the ins.

i'm just wondering how you change the nature of this beast, because it will, it has to, change.

Anyone else notice the Lotus Domino Server

version 5.0.6a

Why you may ask?

Because Lotus Notes and Lotus Domino is the only mail product that gives email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who's on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it -- meaning someone has to steal a copy of the database itself off of the file system, in order to have a chance at decryption.

Re:Anyone else notice the Lotus Domino Server

[Cedric+C.+Girouard]

Because Lotus Notes and Lotus Domino is the only mail product that gives email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who's on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it -- meaning someone has to steal a copy of the database itself off of the file system, in order to have a chance at decryption.

Little known fact: The password entry box you get when logging in to a domino client/server setup with the 4 little hieroglyphs, is a CIA-requested add-on. That and the random amount of X's you get when you punch in the password.

Also, stealing a copy of the database will not help you if persistent ACL's were set up.

Other nice features of Domino is that you can have multiple level of access within each documents, meaning that group XYZ would have read access to the entire document, while group XY would only get 2/3rd of the forms in it, and group X would get only 1/3rd of the forms within the document.

Reasons why they're not using Exchange ? Well... Exchange did never get its security clearance...

Re:Anyone else notice the Lotus Domino Server

[DavittJPotter]

Except: as an administrator, if you *really* want to read someone's mail, you can re-register and re-certify that person, thereby generating a new ID file, which will match the entry in the .nsf's ACL. You then Switch ID to that user, and open their database. The ACL reads Davitt J Potter/CIA/GOV/US, and... well, you're in. Why do I know this? :) Users forget passwords, and this is how we recovered passwords. Granted, this is not the most secure implementation, but it is the default for a Domino installation.

You *can* disable this, however, by setting up password recovery within Domino, which I recommend that ALL Domino admins do. Then it requires anywhere from 2 to (I think) 4 different ID's to enter a recovery password, which will then recover the user's password.

Domino/Notes also is interesting in that your password is never sent over the wire, encrypted or otherwise. Your machine gets a copy of about a 2K $user.id file, which contains your authentication certificate to the Domino server. Your password identifies to your certificate that "I am Davitt J Potter/CIA/GOV/US." The Notes client then sends the certificate info to Domino, which then checks to make sure that certificate was generated by the Domino server, and is still a valid certificate. (Domino servers can set certificate expirations, so even if your password is valid, your certificate may be expired.)

I found Domino to be a really nice enterprise level email solution; I only wonder why it isn't used more?

Re:Anyone else notice the Lotus Domino Server

[dillon_rinker]

I found Domino to be a really nice enterprise level email solution; I only wonder why it isn't used more?

Marketing.

Re:Anyone else notice the Lotus Domino Server

[twinpot]

Except: as an administrator, if you *really* want to read someone's mail, you can re-register and re-certify that person, thereby generating a new ID file, which will match the entry in the .nsf's ACL. You then Switch ID to that user, and open their database. The ACL reads Davitt J Potter/CIA/GOV/US, and... well, you're in.

This won't work if the mail is encrypted, because if you create another ID with the same name, the public/private key combo is different. Therefor the only thing you may be able to read is the subject line. The message body will have been encrytped (you can encrypt the DB itself, and you can specify that all emails you receive are encrypted too).

Re:Anyone else notice the Lotus Domino Server

[Cedric+C.+Girouard]

Interestingly enough, the military uses Exchange for most of their non-secure email traffic (which is part of the reason the Air Force is getting on MS's case about security). Hmm.

Keywords here are : AIR FORCE and NON-SECURE.

Air Force and CIA, last time I checked were two very different branch... One being Army, the other one being government intel. (but then again, I'm a canuck, so what do I know.).

I'm pretty sure that for secure comms, Air force probably uses some weird mainframe based home-brewed system, and stays far far far away from Ms Exchange... I would not even be surprised that they still use some kind of point to point paper based teletype for all the really important stuff. I would not trust nuclear launch orders to a computer transmission... I guess they would not either...

Re:Anyone else notice the Lotus Domino Server

[bob_dinosaur]

I found Domino to be a really nice enterprise level email solution; I only wonder why it isn't used more?

Have you ever tried to use the client? That's why.

Version 5.0 of the client still can't handle Daylight Savings Time! If it crashes (and it does) you've got to manually kill the process nlhdeamon.exe to restart. You do not want your helpdesk handing out instructions like that...

got their emails, huh?

[switcha]

Matta's study also uncovered the names, e-mail addresses and telephone numbers of more than three dozen CIA network administrators and other officials.

I hope those guys like pr0n and are looking for a good mortgage rate.

Fuckin' A!

[Knunov]

"Sorry, I don't buy that. "Hi, this is chuck, the webmaster. Can I have the names of our russian agents please?""

I always find it amusing when people try to make the CIA/FBI/NSA out to be bumbling idiots. They're not perfect, but they are really f'ing good.

In fact, if someone brought that weak 'social engineering' their way, it wouldn't surprise me if they were logged, traced, then given a visit by a couple really solemn-looking men in bad suits and dark sunglasses that smelled like pistachios.

I dare even one of the cynical know-it-all people that read this board to try it. Be sure to post your results so we can laugh at your cornholing.

Knunov

Re:Fuckin' A!

[Knunov]

"Why, pray tell, would they smell of pistachios?"

What else would you eat during a stakeout?

Knunov

Re:Fuckin' A!

[dillon_rinker]

In fact, if someone brought that weak 'social engineering' their way, it wouldn't surprise me if they were logged, traced, then given a visit by a couple really solemn-looking men in bad suits and dark sunglasses that smelled like pistachios.

I don't have to worry about this. Everybody knows I'm a respectable programmer. I even help my landlady take out the garbage. Besides, I know my rights.

Re:Fuckin' A!

[Andy_R]

Steak! Mmmmm....

Re:Fuckin' A!

[revscat]

...men in bad suits and dark sunglasses that smelled like pistachios.

This, class, is a perfect example of a "dangling participle." The numerous comments that follow it are themselves perfect examples of what paleontologists call "easy humor". Note how the monkeys almost instinctivly jump at the opportunity to mock the original poster's error, despire the fact that other such comments have already been made. It's almost as if they can't help themselves. But spring is approaching, so displays such as this are more common: even the lowly geek desires a mate. He therefore displays his prowess in the only way he knows how, specifically by ridiculing the intelligence of others, and, by contrast, promoting his own apparent intelligence.

- Rev.

basic network enumeration...

[dfelznic]

Not a great example of detective work. I saw this on the politech list and it was made to seem like they got a lot more info. This was just basic network enumeration. Any kiddie could have done this after reading the first few chapters of Hacking Exposed

Re:basic network enumeration...

[Reziac]

BTW, while you're buying HACKING EXPOSED (a marvelous book) be sure to pick up a copy of the companion piece, HACKING LINUX EXPOSED. (Yes, it's a real book.)

Morons

[Hagmonk]

Hey I just drove past the CIA headquarters and now I have the following valuable facts:

They exist.

They work in buildings.

They have barbed wire around their compound.

Humans go in and out at various times during the day.

Using this valuable information and the logic of this silly article, I *could* mount a tactical strike against CIA headquarters!

Maybe I could run into a CIA employee at the butcher's and make friends and learn his home phone number. Shit! I've just *hacked in* to the CIA. Ph34r my skillz.

Re:Makes for interesting headlines, but not much e

[SpinyNorman]

I'm sure they have systems that arn't connected to the internet in any way however remotely, but also seeing as the CIA snoops on the internet, they obviously have some machines connected to the internet that they would be upset if you hacked into (not that hacking into any of them would be very wise).

Using legal tools != legal

[WolfWithoutAClause]

It's quite possible they've broken the law here; as unreasonable as it seems. As an example, if somebody gave you their telephone number, that's probably not classified. On the other hand, if someone hands you their telephone book, that's probably classified. So, reverse engineering their telephone book somehow would mean you have classified information; and that may be illegal. IANAL.

Whether their IP address list is classified, I cannot say... probably not, but I wouldn't like to bet.

Re:Using legal tools != legal

[WolfWithoutAClause]

> They may have broken the law? In what jurisdiction?

> We laugh at the CIA in a country that has real things to fear -

Skylarov probably laughed the same way...

Re:Google's in the news

[PHAEDRU5]

Do a google search.

Yes, ;^)

I found something classified!

[commodoresloat]

Surely this top secret terrorism buster logo was meant to be classified; there is no way the CIA would be stupid enough to let this information out into the public arena, where it would expose them to ridicule!

Uhm...K.

[NetJunkie]

As a sysadmin, it's important to know what information you make public or leak out. All of the information presented here are things that normally are known. If you don't know my DNS, web, and email servers why do I bother setting them up?

This sounds dangerous to people not in the know, and may make a good article to read but I don't see an issue here. Some of it is very questionable. How do you really know they are running Solaris? That wouldn't be hard to mask.

Re:Hah.

[CokeBear]

Thats not the point!

The point is, that anyone in the USA should be allowed to discuss the merits of any social/political system. For a long time, that discussion was cut off, and people who held a particular viewpoint (however absurd it might seem to us rational people) were fired from their jobs, spied on, and even imprisoned.

Hackers tools

[The+Monster]

Who needs portscans. The article says:

"The fact that this information was gathered through a search on Google.com, which is hardly considered by most people to be a hacker's tool, is especially interesting,"

Absolutely true, if you think about it. Google is most definitely a hacker's tool, but not a tool for doing what most people consider to be 'hacking', nor for that matter do most people consider google itself.

Re:Makes for interesting headlines, but not much e

[kruczkowski]

It happens all the time, idiots copy emails from the class net and then send it off to people on the unclass. "uh becouse they don't have a class email address..."

Also ILOVEYOU was found on the class system, that BTW runns MS lookout and exchange 5.5

Ever heard of stripping headers?

[tweek]

The least they could do is have the outbound mailserver strip the internal mail headers from the message before sending it out. It's easy to do with postfix and that's what we do. Why give out anymore information than needed? I noticed that they were able to get what CIDR block they use for internal IP's from the mailserver.

Jesus I don't run a covert espionage agency and I at least do that at our company. Hell I even proxy requests to private servers from an apache server in the DMZ.

Isn't this just basic network security?

Re:Ever heard of stripping headers?

[Reziac]

Someone says, "Hell I even proxy requests to private servers from an apache server in the DMZ."

Would that be in the Demilitarized Zone??

:)

Wana know more?

[kruczkowski]

Here, get this CD/Video set, it's free! Learn how to secure Windows NT/UNIX to goverment standards! Order now!

http://iase.disa.mil/eta/index.html

Nice to see Unix

[Gothmolly]

Not a whiff of Microsoft on their accessible networks, which makes me sleep easier at night, knowing their external Net presence has some semblance of stability and security.

Significance?

[hyrdra]

I have a feeling this made news just because of it's affiliation with the CIA -- the all powerful super secret spy agency of the US government. I sure wish I could generate news stories by doing recursive whois reports and DNS queries.

What's next? I would think that if you were not able to map the CIA's unclassified public network than they must have some sort of major DNS problem.

There is absolutely no significane to this news story other than organizations who maintain a publically accessible web site with such services as e-mail and a web site must have a logical network structure to deliver said services. The CIA is no exception.

it's not that hard.

[hoyosa]

$ host -v -a -l cia.gov I think that about covers it.

Port scanning

[lightspawn]

(Is there a site/whatever where people with ideas suggest what software is missing and people with time may choose to implement them?)

What I want is a kernel module to defeat port scanning. Whenever a remote tries to connect to a port that isn't bound, the module kicks in, accepts the connections, and doesn't do anything, or echos the incoming data, or sends random data, or behaves like a web/ftp/etc server, or a combination of the above.

If most computers used this, wouldn't port scanning become impractical?

Would there by any harm in it?

Re:Port scanning

[Tony+Hoyle]

Why do you want a kernel module to do this? You could knock up a perl script to do it in a few minutes.

Who's Socially Engineering Whom?

The CIA's actual network defenses never even came
into play. Because of the CIA's reputation, the
security firm didn't dare portscan, or test the
numbers, names, and addresses they got.

Obviously the CIA are the ones who really employed
social engineering in this case.

Cisco 4000 Series Router

[regen]

Anyone else notice that they were using Cisco 4000 series routers (at least as the gateway router, but I bet in other parts of the network as well)?

Why is this significant? Well, as was recently pointed out the 4000 series line cards contain a class III led transmit/receive status indicator, which makes it possible to sniff traffic off of the interface optically from a distance. Hope the CIA has some extra black tape handy.

Easier than that...

[BLKMGK]

You can simply copy the database locally and use a freely distributed tool to edit the ACL to add yourself or modify -Default-. That will NOT get you past encrypted mail using Public keys tho'. On disk encrypted dBs will also not be effected by this. Doesn't appear in the ACL log either of course. If the person hasn't set User Types you can also create a Group with the user's name and put yourself in it.

On top of that at least two folks have created code that's supposed to unlock the ID file. One by substituting the hash that's compared by the password dialog in memory with one that's created by a seperate application. That code isn't distributed depsite promises to release. The second piece of code is a bit shakier but is supposed to be able to backdoor the ID. These two groups are speaking to one another but as of yet I've not seen any results. http://www.falling-dominos.com/ was one of the sites that was working this but refuses to release code for fear of the DMCA. I want this code if anyone has it..

Lastly, there's code out there to dictionary attack the ID file. Some work would no doubt yield brute force code but source hasn't been released for this tool. I might know how it works though ;-)

Overall though - Notes is damned secure compared to the MSFT crap that's out there. R6 is looking pretty good and the RC1 beta has been running on my server\workstation for several months now rock solid. Lotus came up witha workable PKI long before X509 seemed to have caught on. Port encryption and all sorts of nice goodies too. I happen to like the client and its dirt easy to build simple apps. Even workflow apps aren't hard to build and publishing to the WEB is no biggie unless you get really tricky. My home server is running Notes and except for the mile long URLs I find it pretty friendly...

What class system are YOU talking about?!

[BLKMGK]

It sure as hell isn't the CIA's running Exchange. They had a speaker at Lotusphere FROM the CIA who made it quite plain the Lotus Notes was what they were using. Very entertaining little guy too - loved it when the phone rang on the podium and he answered it. Wrong number(lol)!

Anyway, from what he said Exchange was NOT welcomed. Why would they bother to tell people that, present on it, run Notes on their Unclass server, and then run Exchange inside? You must be talking about another network....

I'd only question the Zone Transfer...

[BLKMGK]

They didn't just scarf info from Google - they also did reverse DNS lookups and a ZoneTransfer. At least one college kid has had his door kicked in for having done a ZoneTransfer to a domain that had recently been hacked. (sigh) Port scanning is no biggie IMO but it seems to me a ZoneTransfer might be a little more "aggressive". Still, if their country doesn't care.....

Never re-route CIA packets...

[darkonc]

A friend of mine once described a run-in that his company had with 'the CIA' a number of years ago.

Before his company got attached to the net, they were using an address of '11.*' for their internal computers, which included a number of Sun workstations -- some doing double duty as routers. For those of you who don't know, RFC 1918 officially designates 3 network ranges for this sort of work -- 192.168.*, 10.* and 172.16.0/12. 11.0 obviously doesn't fit in that range.

When they got their network attached to the 'net, they had to do a good deal of work to renumber all of their computers to have 'proper' IP addresses (either in their assigned block, or in an RFC1918 non-routing block).

Within an hour of connecting their box to the 'net, they got a rather brusque call from an intelligence agency official demanding to know why they were stealing his packets. They had to disconnect from the network and root around their network until they found (and removed) the errant subnet stub. It turns out that they had managed to miss one SUN with a second ethernet card that was no longer attached to an active subnet (but still routing to the stub subnet). This was back at a time when any SUN with two ethernet cards routed by default, and every machine ran routed(8) as a matter of course (much easier than having to do manual routing all the time!). It turns out that the route to the stub network had leaked out to the larger internet and poisoned the routing for a huge pool of machines.

When I teach networking, I use it as an example of why you should always use the proper non-routing addresses for internal networks.

(I just did a whois, and 11.0/8 is actually owned by the Defence Intelligence Agency, not the CIA. Not like there's a big difference for us civies.)

Actually Notes can prevent Admin snooping...

[BLKMGK]

Simply modify the Server's ACL entry such that the User Type is "server" and this problem is solved. While you're at it set the option for "enforce consistant ACLs" and watch what happens when the Admin tries to get in. :-) You can set on-disk encryption to make things harder and for REAL fun have the User Record in the address book set so that all of th email is encrypted using the user's Public key. Whoops - the admin can't get in without the ID now huh?

Admin keeping copies of your ID? No problem, change your password and the ncreate a private encryption key. Encrypt that which you find too sensitive to share and smile. The admin is now locked out without breaking your IDs password or using a tool to circumvent the IDs password. Those tools aren't publicly available..

Done right it's quite possble to have privacy using Notes. Oh, use port encryption too ;-)