Pentagon Hid Magnitude of Data Loss From Recent Breach
blueton tips us to a brief story about recent revelations from the Pentagon which indicate that the attack on their computer network in June 2007 was more serious than they originally claimed. A DoD official recently remarked that the hackers were able to obtain an "amazing amount" of data. We previously discussed rumors that the Chinese People's Liberation Army was behind the attack. CNN has an article about Chinese hackers who claim to have successfully stolen information from the Pentagon. Quoting Ars Technica:
"The intrusion was first detected during an IT restructuring that was underway at the time. By the time it was detected, malicious code had been in the system for at least two months, and was propagating via a known Windows exploit. The bug spread itself by e-mailing malicious payloads from one system on the network to another."
Sysadmins must apply patches IF AND ONLY IF they are army approved.
Sounds decent so far, hmmm?
The army has some committee that regularly decides which patches to approve.
Still not too bad, hmmm?
The committee approves patches for things that are being actively exploited.
Ponder that one for a moment. It means that every security hole will be exploitable on the army networks. Every security hole gets a chance, since "not exploited yet" means "not a problem".
The fact that the Pentagon attempted to secure data using off-the-shelf equipment demonstrates that they a) aren't very serious about security or b) were not actually breached and are banging the drums for some other reason. I know which way I'm leaning (damn you Microsoft! just kidding).
Woosh!!
Mafiaa == RIAA + MPAA
Sorry. Missed the extra "a". (Should have been all-caps, though.)
Mafiaa != Mafia
Where'd you get that idea? I was under the impression that the RIAA is a direct descendant of the jukebox protection racket / Crosby organization. (That's what makes the "MAFIAA" coinage so poignant.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
2) Decent firewall alerting you to connections to Chinese IP space,
Duhh... these guys weren't amateurs. They wouldn't have been communicating directly with the compromised hosts. There'd be like three or more hops of compromised boxes between them and the Pentagon. Not to mention that the intrusion might have originally been thanks to a viral botnet where the controllers recognized some interesting IPs within their herd. Then they used the command-and-control structure to issue specific commands to those boxes to further infiltrate the Pentagon. It probably was always outbound connections uploading data and grabbing new marching orders (encrypted in both cases).
Seth
$5 / month hosted VPS on linux = awesome!
Twenty thousand people work in the Pentagon, the bulk of them secretaries, flunkies, gophers, paper pushers and form filers. They have, naturally, a plain old typical big business e-mail system for sending memos back and forth about whether the proper signatures have been affixed to form eight six four nine nine stroke seven aitch. This is what got hacked. To the extent "sensitive" data was compromised, it would be stuff like the Assistant Associate Deputy Secretary's daily conference call schedule, which is "sensitive" in the sense that in the remote chance that someone wants to assassinate him they'd find such data mildly useful.
There is of course also a serious network of computers at the Pentagon which handles serious military secrets. It doesn't run Windows. It isn't physically connected to the Internet. The Chinese can't touch it.
This is a silly FUD nonstory. There's no reason for the Pentagon to treat random secretarial computers with the same attention to security as they give classified computers. It would be very expensive, and my taxes are high enough already, thank you.
Speaking as someone who has worked as an Immigration Officer with the Canada Border Services Agency, I can say that our immigration laws are quite fine, thank you. In addition, our antiterrorism laws are quite robust, and I would argue that the United States' laws are needlessly draconian. Thank you for your time.
If they let their security be compromised via a KNOWN exploit, I don't see that they'll have much luck with systems other than Windows, either...
It would not be the first time that a government has gone to great lengths to convince others that the stolen data they have is real, when really it is not; rather, it is carefully crafted misinformation designed to fubar any project or plans it is used in.
When did these things start coming with Windows? Not even server editions of Windows come with that stuff. However, I can think of a competing OS that does ship with these wonderful things.
Sure thing. I'm not going to say heads shouldn't have already rolled over there at the DOD IT Department Department. Heck, even the idiotic users should be slapped around a bit. But--deep breath--what if MS servers DID come with nice IDS and Firewall software? Maybe graduates of the "I'm a Windows administrator" class would know a few more things to double-click. Maybe.
If it's so well established that these things are necessary, why doesn't Microsoft include them? Call me a troll. Yeah, I blame Microsoft as well for not including powerful network security tools.
I think we're done here.
I want this account deleted.
Aren't WE the the Chinese People's Liberation Army?
You mean the people that have been using them their whole lives?
The people who have been contracted by companies to design, implement, and maintain solutions based on M$ products?
The people who have spent money to become certified?
The people who just don't speak out of their ass about Microsoft security flaws, and their failures to address them?
Yeah, those people cannot possibly have an educated, non-biased opinion about Microsoft as a whole.
I spell Microsoft with the $ since they care more about money than they do about properly designing a product before they bring it to market, and then after they do they make the customer suffer while they try to figure out this whole "security" and "intarnet" thingy everybody is talking about.
No offense, and I don't mean to generalize and marginalize your opinion, but I hear from a lot of people just like you too... those who think that any negative opinion about Microsoft is not objective.
Ohhh, and name one more software company that makes such horrific products (based on my experience and the experiences of my clients) and yet still seems to make so much money and hold on to such a large market share. Perhaps it is also because of the $$, and that Microsoft can outright purchase influence, acquire competitors, and engage in unfair business practices.
I guess all those lawsuits from various states, agencies, countries, and the EU are just from other people "like me" who are not objective?
Maybe I did not spell it out enough in my earlier post, I have been using them for over 20 YEARS. I don't have "stock" in any other companies, or any hidden agenda in "bashing" them.
Many of these systems would be communications between DOD and weapons builders. No doubt there was more than just idiot chit-chat in the email. It would include a number of details of our new weapons. Now, it may not include full specs, but in parts it speaks about various aspects of them. Once that is spoken about, it allows others to try and guess. They will try to guess how to duplicate AND how to defend against it. Worse, it may speak of known weaknesses that we have. Perhaps China finds out that the ABL has a certain frequency of laser, as well as the length of time that it runs. That would enable them to build shielding (mirrors of a certain thickness) against it. Perhaps in these emails, data about China is mentioned. Now, they may put 5 and 5 together and figure out where the pigeon is. All in all, information IS power. And it is ALL valuable.
I prefer the "u" in honour as it seems to be missing these days.
With the exception of the firewall, Windows does come with the IDS you are referring to. Network monitoring is deeply ingrained and has no trouble reporting to a syslog server. The problem is the effort it takes to set up a proper IDS so that it doesn't overwhelm you with false positives, which is really the same with any IDS package. Microsoft likes the basic approach that comes with Windows and then the advanced approach they get through their Operations Manager software. Of course now it's being rolled up and merged with SMS, so patching should become simpler as well.
The problem is either incompetent administrators or overworked admins. I've seen both lead to those kinds of issues. The other problem is that the data was on the computers to begin with. In this day and age, with centralized storage from NetApp, EMC, Hitachi, etc., there is no need for workstations to even have hard drives, especially in a security-conscious organization. Security isn't easy, that's for sure, but it's certainly not impossible with what Microsoft gives you out of the box. If you really want to, you can always turn on TCP/IP filtering and disable port 25 on ingress and/or egress. Of course that's only a patch, as a proper botnet client would call home and find a new port to send on through a proxy. Of course email should be blocked at the firewall as well, doing deep packet inspection on any port.
So in short, Microsoft does provide some powerful network security tools. A lot of them are even free, even if they don't come on the Windows CD. The Baseline Security Analyzer is free, for instance, and makes securing Windows boxes en masse a pretty simple task.
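Two of the comments above make concrete detection suggestions: the quoted "firewall alerting you to connections to Chinese IP space" (with the reply's caveat that a competent operator relays through several hops, so the peer the firewall sees is usually not in the watched range, and the traffic is outbound beaconing), and the later post's point that a worm spreading by e-mail can be caught by refusing direct SMTP from anything but the mail relay. The script below is an added example, not code from the original thread or from any Microsoft or DoD tool. It runs three checks over a constructed firewall log: direct outbound SMTP from a non-relay host, any flow whose outside peer falls in a watched address block, and an internal host that keeps calling the same outside address even when that address is in no watched block. The log format, the site ranges (10.20.30.0/24), the relay address, and the use of RFC 5737 documentation ranges as stand-ins for "foreign" and "Internet" space are all assumptions made for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed firewall log (not from any real device). Assumed one record per line:
#   <timestamp> <action> <proto> <src_ip> <dst_ip> <src_port> <dst_port> <IN|OUT>
SAMPLE_LOG = """\
# constructed sample; RFC 5737 documentation addresses stand in for the Internet
2007-06-12T10:01:05 ALLOW TCP 10.20.30.41 10.20.30.5 51022 25 OUT
2007-06-12T10:01:07 ALLOW TCP 10.20.30.41 203.0.113.9 51023 25 OUT
2007-06-12T10:01:09 ALLOW TCP 10.20.30.5 198.51.100.20 44010 25 OUT
2007-06-12T10:02:11 ALLOW TCP 10.20.30.77 192.0.2.44 49212 443 OUT
2007-06-12T10:02:30 ALLOW TCP 10.20.30.77 192.0.2.44 49213 443 OUT
2007-06-12T10:03:00 ALLOW TCP 192.0.2.44 10.20.30.77 3389 49300 IN
2007-06-12T10:05:00 ALLOW TCP 10.20.30.88 198.51.100.77 50100 443 OUT
2007-06-12T10:10:00 ALLOW TCP 10.20.30.88 198.51.100.77 50101 443 OUT
2007-06-12T10:15:00 ALLOW TCP 10.20.30.88 198.51.100.77 50102 443 OUT
"""

INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]   # assumed site range
MAIL_RELAYS = {ipaddress.ip_address("10.20.30.5")}        # only host allowed to send SMTP outward
WATCHED_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # stand-in for "foreign IP space"
REPEAT_THRESHOLD = 3                                       # outbound hits to one peer before we care


@dataclass
class Record:
    ts: str
    action: str
    proto: str
    src: object
    dst: object
    sport: int
    dport: int
    direction: str


def parse_line(line):
    ts, action, proto, src, dst, sport, dport, direction = line.split()
    return Record(ts, action, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  int(sport), int(dport), direction)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def in_watched(addr):
    return any(addr in net for net in WATCHED_NETS)


def external_peer(rec):
    """The non-local end of the flow, chosen by direction rather than by address."""
    return rec.dst if rec.direction == "OUT" else rec.src


def check_record(rec):
    """Per-flow rules: direct SMTP from a non-relay, and any flow touching a watched range."""
    alerts = []
    if (rec.direction == "OUT" and rec.proto == "TCP" and rec.dport == 25
            and not is_internal(rec.dst) and rec.src not in MAIL_RELAYS):
        alerts.append(("direct-smtp", str(rec.src), str(rec.dst)))
    if in_watched(external_peer(rec)):
        alerts.append(("watched-range", str(rec.src), str(rec.dst)))
    return alerts


def analyze(log_text):
    """Return (alerts, repeat_peers). repeat_peers lists internal hosts that keep
    calling the same outside address; a relayed C2 channel looks like this even
    when the address sits in no watched range, which is the caveat raised above."""
    alerts = []
    pair_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        alerts.extend(check_record(rec))
        if rec.direction == "OUT" and not is_internal(rec.dst):
            pair_counts[(str(rec.src), str(rec.dst))] += 1
    repeat_peers = [(src, dst, n) for (src, dst), n in pair_counts.items()
                    if n >= REPEAT_THRESHOLD]
    return alerts, repeat_peers


if __name__ == "__main__":
    found, repeats = analyze(SAMPLE_LOG)
    for a in found:
        print("ALERT", *a)
    for src, dst, n in repeats:
        print("REPEAT", src, "->", dst, n, "outbound connections")
```

On the sample, the relay's own SMTP traffic and the workstation's hand-off to the relay pass, the workstation that talks SMTP straight to the Internet is flagged, every flow touching 192.0.2.44 is flagged regardless of direction, and 10.20.30.88 is reported for its three calls to 198.51.100.77 even though that address is in no watched block. A real deployment would replace the watched list with a geo or ASN feed and tune REPEAT_THRESHOLD against a baseline, since ordinary software update checks also beacon.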
That's OK. It gave me a reason to do the math on the actual Vietnam inflation, which is even worse. And the actual Iraq debt, which puts it over $1T.
In fact, the actual numbers of each wars are certainly higher. The reports on which they're based are purposely smaller, and there is lots of covert budget not reported.
For kicks, imagine what the US could have done with either of those budgets if we'd invested them constructively. For example, there were about 25M Iraqis when we invaded (we've killed hundreds of thousands, and driven off millions now). If we'd given each and every Iraqi $25,000 (including children and old people, in every family), we'd have spent as much, and certainly gotten more. Hell, we could have gotten practically all of them to do whatever we wanted for $5000 per person, and look to everyone like the best friends in the world. They'd have let American oil corps have whatever deal we want.
Imagine if we just left Iraq alone, and invested that $1T in Americans. That's about $10K per family. If we'd invested it in just tech workers, that's probably $100K per. In scientists, probably a quarter-million each. Squandering it in Iraq was about the stupidest way we could have possibly spent it. No wonder the Pentagon is hiding so much.
--
make install -not war