Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pentagon Hid Magnitude of Data Loss From Recent Breach

Posted by Soulskill on from the it's-just-a-flash-wound dept.

blueton tips us to a brief story about recent revelations from the Pentagon which indicate that the attack on their computer network in June 2007 was more serious than they originally claimed. A DoD official recently remarked that the hackers were able to obtain an "amazing amount" of data. We previously discussed rumors that the Chinese People's Liberation Army was behind the attack. CNN has an article about Chinese hackers who claim to have successfully stolen information from the Pentagon. Quoting Ars Technica: "The intrusion was first detected during an IT restructuring that was underway at the time. By the time it was detected, malicious code had been in the system for at least two months, and was propagating via a known Windows exploit. The bug spread itself by e-mailing malicious payloads from one system on the network to another."

21 of 218 comments (clear)

  1. Windows strikes again. by urcreepyneighbor · · Score: 4, Informative

    was propagating via a known Windows exploit. DARPA may want to rethink funding OpenBSD. :)

    The DoD doesn't need Windows, we need bunkers.
    --
    "The fight for freedom has only just begun." - Geert Wilders
    1. Re:Windows strikes again. by SethJohnson · · Score: 5, Interesting



      2) Decent firewall alerting you to connections to chinese IP space,

      Duhh.. these guys weren't amateurs. They wouldn't have been communicating directly with the compromised hosts. There'd be like three or more hops of compromised boxes between them and the Pentagon. Not to mention that the intrusion might have originally been thanks to a viral botnet where the controllers recognized some interesting IPs within their herd. Then used the command-control structure to issue specific commands to those boxes to further infiltrate the Pentagon. Probably was always outbound connections uploading data and grabbing new marching orders (encrypted in both cases).

      Seth

      --
      $5 / month hosted VPS on linux = awesome!
    2. Re:Windows strikes again. by Hemogoblin · · Score: 5, Interesting

      Speaking as someone who has worked as an Immigration Officer with the Canada Border Services Agency, I can say that our immigration laws are quite fine, thank you. In addition, our antiterrorism laws are quite robust, and I would argue that the United States' laws are needlessly draconian. Thank you for your time.

  2. Hmm... by calebt3 · · Score: 4, Funny

    So they snuck in through broken Windows?

    1. Re:Hmm... by Walt+Dismal · · Score: 4, Funny

      Well, it was more like a Chink in the Windows...

  3. Is this supposed to be some sort of scandal? by unassimilatible · · Score: 4, Insightful
    I guess the standard and proper response to espionage would be to publicly confirm the value of the intelligence to the Chinese?

    What is it with you people? Is there no such thing as a state secret anymore? Should the Pentagon just list all its secrets on its Web site and get it over with? Let's just post all the targeting information, launch codes, encryption keys, advanced weapons and defense systems. etc. Let's just post it all on .mil in the interest of openness.

    Not everything is a scandal folks! Nothing to see here, move along.

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
    1. Re:Is this supposed to be some sort of scandal? by Mork29 · · Score: 4, Informative

      No "state secrets" were lost. If something is "secret", then it's "classified". If it's classified, then it isn't being stored on a system that has access to the internet, directly or indirectly. According to the article, (yes, I read it...) there was some sensative information lost. This is not going to be launch codes or anything that's even remotely that valuable. I'm not saying it's no big deal, I'm saying that it's not nearly as big a deal as you're trying to make it out to be.

  4. Not stolen! by Subm · · Score: 5, Funny

    This is Slashdot. The data wasn't stolen. It was copyright infringed.

    When will everyone learn the difference?

    The solution is obvious: sic the Mafiaa on the attackers.

  5. Here Is A Fun April Fools Joke for the Chinese by NeverVotedBush · · Score: 4, Funny

    OK, all you government workers - especially those in the military, CIA, or NSA that are running Windows on open networks.

    Compose a few Microsoft Word documents about a planned nuclear attack on Beijing on the opening day of their olympics. Make it sound nice and juicy, say a few things about ICBMs, nuclear submarines just off their coastline. Mention the proposed megatons and expected damage. Talk about a free Taiwan

    Let them chew on that.

  6. army net security is indeed ridiculous. by r00t · · Score: 5, Interesting

    Sysadmins must apply patches IF AND ONLY IF they are army approved.

    Sounds decent so far, hmmm?

    The army has some committee that regularly decides which patches to approve.

    Still not too bad, hmmm?

    The committee approves patches for things that are being actively exploited.

    Ponder that one for a moment. It means that every security hole will be exploitable on the army networks. Every security hole gets a chance, since "not exploited yet" means "not a problem".

  7. Poem by Anonymous Coward · · Score: 5, Funny

    Me Chinese,
    Exploit SOCKS
    Me Put Malware
    On Your Box

    Me Chinese,
    Go To Town,
    Me Pull Fast,
    Your Data Down

    Me Chinese,
    Make Cheap Shoe
    Take You Secrets
    Laugh At You

    Me Chinese
    Let You Think
    Here You Go
    Bring You Drink

    Me Chinese,
    Me Play Joke
    Me Put Pee-Pee
    In Your Coke

  8. Additional information by Profane+MuthaFucka · · Score: 5, Funny

    It's not the Chinese People's Liberation Army. It's the People's Liberation Army of China. The Chinese People's Liberation Army is a bunch of wankers.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  9. Re:$TRILLIONS for Insecurity by Adambomb · · Score: 4, Informative

    While i agree with your overall point, those are relatively poor metrics to base it on.

    The vietnam war cost 600B$USD considering 1968 USD.

    If you consider inflation based on the first inflation calculator google link that I clicked, plugging in 600B$ from 1968 yields:

    What cost $600000000000 in 1968 would cost $3688102617038.20 in 2007.

    thats 3.68 trillion in north american terms no?

    --
    Ice Cream has no bones.
  10. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  11. M$CROSOFT SUCKS by EdIII · · Score: 5, Insightful

    Here's the thing.... even putting the hyperbole in the title aside, Microsoft really does suck , and at so many many many levels.

    I am in my 30's and I have been using Microsoft all my life, since I was about 9 years old (I started using computers when I was 7). I build their machines, I repair them, I even program them too. I also attempt to provide security on them as well. So I have been involved with Microsoft about as long as some people have been married. So I believe that I am entitled to get drunk occasionally and rant about the "Ex" for awhile. I earned it, so to speak.

    Have people noticed that Microsoft is like a little sickly Boy in the Bubble? You have to protect him at all times.

    You have to put up a router and a firewall at a minimum to protect your little herd of MS machines. Keep them safe from the big bad wolves and all that. Of course, these days you also need to have some really good routers with IDS, gateway anti-virus, etc. to do it even better. But that is not enough. Those little guys can get into trouble just "looking" out on the Internet. So you need anti-virus, anti-phishing, anti-spam, anti-spyware, anti-malware, etc.

    When the Internet first started coming out, I remember telling people it would be cold day in hell before I hook my computer up to an unknown network in which anybody could send packets to my machines. Obviously, I had to get over that "shyness" and learn to adapt or die. However, since then, I have had to invest enormous amounts of time and energy and cold hard cash into preventative measures to keep my own Microsoft OS's from being hijacked by any asshat on the Internet.

    There is billions being made, that's with a B folks, in 3rd party solution providers that specialize in providing the security solutions just to cover the fact that Microsoft can't code security if their "life depended on it".

    Now that the Pentagon is using them, it would seem that in a roundabout way, Microsoft's life IS depending on it.

    We can bash Microsoft all we want, and talk and talk and talk about it. What it really comes down to though, is that Microsoft just may not be a secure enough environment for our National Security apparatuses to be using. If we have to work that hard at it, with that many vendors, and have that many points in which someone can screw up and leave machines vulnerable, then we need another solution .

    On another side note, where the HELL are those super secured networks I keep hearing about that my tax dollars paid for huh? Apparently, the Pentagon's networks must be in really bad shape too. You would think that trillions of dollars could provide some pretty secure networks, communication infrastructures, and operating systems.

    All that "bashing" on my part aside, Microsoft may make a decent OS for the little guy. The mom and pops at home with their families. Let's face it, it is easier to use then Linux, otherwise Linux would have a greater market share. Let's just not use it inside the Pentagon OK?

  12. Hitting us where we're centralized by NetSettler · · Score: 5, Insightful

    It reminds me of the Doonesbury comic years ago about Reagan's SDI shield, that was going to protect us from Soviet missiles by a single, always-perfect shield of protective devices. The comic was drawn in crayon, as I recall, with the voice of a little girl explaining that the world was beautiful because SDI was protecting us. Then in the last frame it said something abrupt to the effect of "Oops, one got through. Bye."

    What makes this story so scary isn't just that something got broken into, it's the thing in the back of all our minds that says "my goodness, is that the place where All Knowledge of Everything is centrally stored?" Bad enough when someone breaks into your computer and gets all your bank accounts or passwords, but when someone breaks into The Government and gets all knowledge of launch codes, defensive systems, registries of guns in the US, files on who sympathizes with who, files on who calls who, etc. ... well, that info collected with the intent of defending us might suddenly be a liability.

    That's why things like the telecom phone tapping, national IDs, etc. are so troublesome. The mere centralization of information at all for any reason is a risk that the Bush administration has been ignoring, working instead (for all we know, none of this being auditable) to pile all of everything in one fragile place. The founding fathers kept trying to decentralize things and minimize what in modern computer terms we'd call "single point of failure". They distributed power in a way that made it hard to just break in and take control, right down to making sure there was not a single head of government. It's too bad that in all the puffery we hear spouted about Constitutional original intent, the modern Republican leaders don't show more care about that kind of original intent.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

  13. Re:What known exploit was used? by causality · · Score: 4, Insightful

    The 'open source attitude' is supposed to be about choice and sharing, not about elitism.

    Choice alone isn't very useful unless you make an effort to make good choices.

    ............

    Sure, the default settings on Linux are more secure than on Windows. Linux is also not designed with the common man in mind. You shouldn't be surprised, especially IT guys, with how much of the problems with Windows are because of the marketing department rather than the actual coders.

    To the attacker trying to break into your systems, it really doesn't matter whether the security weaknesses were caused by marketing, the coders, or whatever, so I am not sure what your point is. What I can say is that what it looks like is a weak apology for Microsoft's poor security history. At any rate, as you indicated, marketing departments do not security make. You just gave a good reason why Windows would be a poor choice in a context where, presumably, security really matters. Therefore, the two are not on equal ground in this case. It is certainly not "elitist" to say that Linux would have been a superior choice (though probably OpenBSD would have been better still). Especially not when professional IT staff are not the "common man".

    Even if the client machines must use Windows, the servers hosting the sensitive data certainly do not need to use it. The wrong tool was used for the job; there is nothing "elitist" about it.
    --
    It is a miracle that curiosity survives formal education. - Einstein
  14. Re:Safe? by thatskinnyguy · · Score: 5, Insightful

    We are supposed to protect ourselves except we all kinda forget that part of the Constitution.

    --
    The game.
  15. Honey pot. by dsmatthews · · Score: 4, Interesting

    It would not be the first time that a government has gone to great length to convince others that the stolen data they have is real, when really it is not, rather it is carefully crafted misinformation designed to fubar any project or plans it is used in.

  16. Re:$TRILLIONS for Insecurity by Doc+Ruby · · Score: 4, Informative

    No, you're wrong.

    The Vietnam cost of $600B is in 2005 dollars. Using your calculator, that's already over $653B.

    Iraq alone has already cost more than that, well over $700B.

    And if you're interested in using a calculator, look into the fact that at least 80% of Iraq's cost is borrowed money, which (at typical 30 year Treasury bond rates) costs 155%. So that's already going to cost well over $1 TRILLION. And that's just Iraq, which has made us a lot more threatened.

    Feel safer?

    --

    --
    make install -not war

  17. Re:$TRILLIONS for Insecurity by dbIII · · Score: 4, Funny

    Bah! Have 300 Euros. That should about cover it next week.