Worm Attack Prompts DoD To Ban Use of External Media
An anonymous reader writes "The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs [...] The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks."
be careful where you stick in the USB stick.. :)
This sounds like common sense. Seriously. Several years ago, a military bud of mine said that the worst threat to their security is the USB flash drive.
... external media bans DOD!
Tsunami -- You can't bring a good wave down!
Sounds like someone forgot to disable auto-run.
"DO YOU WANT TO PLAY A GAME?"
I'll be over in the bomb shelter quivering....CYA...
Microsoft Windows.
Chuck Windows, and adopt Unix. I realize there are some possible implications of using Linux because of the GPL, but then use BSD. There are bright Comp Sci guys in the military and DOD. Customize a military Unix, and use it throughout all the services. In fact, I think it's long past time DOD did this. With the computerization of everything from planes to ships, now's a smart time to do it. There's no way Windows should be running a ship of war.
Life is hard, and the world is cruel
Maybe they can use one of their $20,000 screwdrivers to remove the USB jacks. Or better yet have the manufacturers disable them in the hardware or remove them when they are purchased.
Banning media doesn't work, you have to break the method for using it. You're just going to get some guy who thinks he's good with computers and he's immune to viruses because he's "a tech" and when he plugs his flash drive in the same thing's going to happen.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
Do you ever think about the potentially catastrophically apocalyptic events that could be heralded by the phrase, "The Pentagon has suffered from a cyber attack"? I shudder to think of various blue screens of death and then the weapons systems hijacked by Obvious Trolls and turned on X. Suddenly the internet becomes "serious business".
Because a virus can come from there as well. Along with web access, usenet access, ftp access.... might just as well unplug the network cable just to be safe.
Or they could install an OS that wasn't insecure by design.
Sounds like a tactic the RIAA would use.. Find a way to penetrate, and make portable drives look evil. Everyone knows external drives = piracy, so what better way than to get it banned by the Pentagon. Slowly it will be illegal to even make them!
Ohh RIAA, when will you be crushed? What next, banning torrenting at the Pentagon? Sheesh!
It looks like you're trying to blow up that building. Would you like to use:
1) Grenade
2) An RPG
3) Airstrike
ftfa: "Due to the presence of commercial malware.."
So.. this was malware someone purchased?
boycott slashdot February 10th - 17th check out: altSlashdot.org
I'm very surprised it hasn't been already. It probably will have been by the time this gets posted though. "This wouldn't be happening if they were using Linux!"
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
Dave Richards, the administrator of the Largo, Florida computer network, came up against this problem. He made the system mount USB disks as FTP shares, and made the file browser hide any executable files on the share so they couldn't be transferred. http://davelargo.blogspot.com/2008/02/hp-thin-clients-and-usb-access-for.html
I'm not surprised the DoD just completely shut the door on these things, but I think that for most admins, a solution like Dave's would be a really good compromise.
Well now I know why my thumb drive wasn't working, and all this time I was blaming it on Vista.
make war
Mark my words, it is because of Windows. If Linux or BSD based systems were predominant in the Pentagon, this would not be an issue.
The world, the U.S.A. is so screwed up. We all know what the problems are, but we can't address them because no one in position of power will discuss them.
U.S. Intelligence Agencies have been doing this for years. No cell phones, CDs, flash drives, or any other digital media. This is odd that the DoD is just now starting to do this since the other agencies are part of the Central Intelligence Services which is under the umbrella of the DoD.
This had better not include the overseas forces. What would our poor soldiers do when they have downtime? Isn't their quality of life bad enough? Now they can't even watch videos of their families waving at them and showing them homemade delicious cake. Believe me, those vids get previewed at the DOD before they get shipped over, so now there is either a greater risk to the stuff arriving in the field, or there is another big problem on the horizon to do with morale.
The dangers of knowledge trigger emotional distress in human beings.
Yesterday, a terrorist attack on the NHS brought three London hospitals to a halt.
The terrorists, representing an organisation calling itself "Microsoft," apparently used insecure third-party contractors to put a virus-running platform called "Windows" into critical systems in the hospitals, in order to extort money from them on an annual basis.
It is understood that a large percentage of all businesses are infected with the virus, wasting up to 25% of employees' working time and opening the companies to further attacks from related criminal organisations demanding to see all their licenses.
The virus in question, W32.SHILL/ZDNET, takes over the host's IT systems, leading to aches, pains, nausea, vomiting, pumping out prodigious quantities of faeces and a terrible compulsion to spread the infection to others. The patient also walks with a shuddering stumble and asks for their hospital meal to include tasty, tasty brains. Recovery has commenced when they have an overwhelming urge to throw their computer out of the window. "Getting this stuff out of the system makes MRSA look like a walk in the park," said one cleaner, waving his shit-encrusted hands about for emphasis.
When the infection became known, ambulances were diverted to other hospitals. "We have maintained a safe environment for our patients throughout the incident," said a spokesman for Barts NHS Trust, "keeping them in the Clostridium difficile culturing lab rather than risking exposing them to 'Windows.'"
http://rocknerd.co.uk
Only it was with people bringing in docx files and expecting to use them with OpenOffice and blaming the IT department when it wouldn't work. So I followed some guides and wrote a script, threw it up in a GPO and now only Admins can use USB storage.
The procedure is a HUGE pain in the ass (you need to modify ACLs on registry keys and the whole 9 to cover all angles) but scripted it was as simple as "USBStorage.exe </enable|/disable>" in a logon script.
I think it took all of two hours.
Boot Windows, Linux, and ESX over the network for free.
Skynet became self-aware at 2:14am EDT. By the time Skynet became self-aware, it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms, everywhere. It was software in cyberspace. There was no system core. It could not be shut down.
Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network?
When you try to protect a secret by putting it in a locked box, do you put it in a steel box with a good combination lock? Or do you put it in a cheap transparent plastic box with a lock that can be picked by a safety pin and hundreds of holes and little doors that can be opened even more easily?
Yes Linux, MacOS, and even OpenBSD aren't absolutely impregnable. But Windows has a decades long track record of holes (some unfixable) and a multibillion dollar malware industry built on exploiting them. The fewer holes you start with the easier it is to close them.
Essentially ANY military function is a security issue. For a person with any level of IT expertise to put such functions on Windows platforms is, IMHO, either a level of incompetence suitable for dishonorable discharge or of malice meeting the definition of treason.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'm in ur base, haxoring ur computerz!!!
The V.A.--at least the healthcare part of it-- banned these months ago to prevent data from wandering away..
Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows. There are several options, and none of them (and even all of them combined) will disable AutoRun and AutoPlay features in their entirety. In fact, up until recently, Windows Vista had the logic reversed for one of the AutoRun features! i.e., if you take the effort to disable the AutoRun feature, you actually put yourself at more risk. More details here:
http://www.kb.cert.org/vuls/id/889747
But luckily, there is a single registry value that can disable AutoRun at its core. Once this change is made, Windows will not interpret the Autorun.inf file on any device, effectively disabling AutoRun for all devices, including USB drives, network shares, and more. Get the scoop here:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
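To make the two settings discussed in this thread concrete, here is an added PowerShell audit-and-apply script. It is not from the thread or from the CERT posts linked above; the registry paths and value names are the documented ones (NoDriveTypeAutoRun from the .reg snippet earlier in the thread, and the Autorun.inf IniFileMapping redirection that the CERT advisory describes as the setting that stops Windows parsing Autorun.inf at all), while the function names are my own. It must run from an elevated prompt.

```powershell
# Added example, not code from the thread: audit and then apply the AutoRun
# hardening settings discussed above. Run from an elevated PowerShell prompt.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunState {
    # Report the current state of both settings without changing anything.
    $noDrive = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $mapping = $null
    if (Test-Path $mappingKey) {
        $mapping = (Get-Item $mappingKey).GetValue('')   # the key's (default) value
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun          = if ($null -eq $noDrive) { 'not set' } else { '0x{0:X2}' -f $noDrive }
        AutorunInfMapping           = if ($null -eq $mapping) { 'not set' } else { $mapping }
        AutoRunDisabledForAllDrives = ($noDrive -eq 0xFF)
        AutorunInfIgnored           = ($mapping -eq '@SYS:DoesNotExist')
    }
}

function Disable-AutoRun {
    # 1. NoDriveTypeAutoRun = 0xFF sets every drive-type bit, so AutoRun is
    #    disabled for removable, fixed, network, CD-ROM and RAM disks alike.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null

    # 2. Map Autorun.inf to a section that does not exist, so Explorer never
    #    honours the file on any device (the approach CERT documented).
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

Get-AutoRunState    # before: typically 'not set' / False
Disable-AutoRun
Get-AutoRunState    # after: both booleans should read True
```

Checking the state before and after is the point of the audit function: the thread's comment that AutoRun is "quite non-intuitive" to disable is exactly why a machine should be verified rather than assumed hardened, and Get-AutoRunState can be run on its own across a fleet without changing anything.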
DoD needs a security nazi ( soup nazi style ).
Since I am the 2nd most paranoid person on earth I hereby nominate myself.
Semper Fi, carry on.
I work as an IT contractor for the USAF and what it boils down to is muddied interpretations and lack of discipline. They already have regulations stating what you can and cannot do with data coming in and out of the work place. No, you're not allowed to bring a floppy in from home. No, you're not allowed to take a government floppy home with you. The same regulations should, by default, extend to CD/DVD/USB/any and all media but since they're not specifically written that way, people could quote the AFI back and say it was allowed. This new ban is merely a clarification to close the loophole.
Did they swat a fly with a nuclear bomb? Sure.
Has it worked? So far.
I think "All your bases are belong to us" just got a little more frightening.
The DoD issued a policy that disables USB devices such as cameras, flash drives, SD cards, etc. DVD-Rom discs and other optical media are still usable. Additionally I haven't actually seen any official memo regarding the matter. Just a notice from the local sysadmins that it had happened.
Get real. Security all comes down to the person whose task it is to implement it.
Years ago, I was on a DoD facility where scheduling was being done on a UNIX box. Everyone there used the console for their work, everyone used the root account to do their work, and the password was written in on the first page of the book marked "Procedures" that was beside the console.
Why, without your clothes, you're naked, Miss Dudley!
Since when is fox news a Credible source !!!!
The SMTP standard used for sending email does not support anything but plain text. What you see as binary attachments are actually encoded as plain text.
The problem with email executable attachments is not in the email itself, but in the piss-poor operating system most people use, which runs with superuser rights most of the time. In a superior OS, like Linux for instance, a virus in an email attachment wouldn't have privileges to infect anything but the user's own directory.
Why isn't the federal government using an operating system that refuses to load or execute any programs that do not have an authorized digital signature from an agency security officer? Anything that hasn't been tested and approved, no matter where it came from, never gets the chance to run.
Mea navis aericumbens anguillis abundat
Iran !
I hope this helps.
Cordially as always,
Kilgore Trout
Did they not learn from Transformers?
I worked for a NASA contractor in 1993. We had standards around outside electronic media being brought into the office. You couldn't.
No floppy disks.
No CDRoms.
No tape media.
No cameras.
What's happened since then? Did we get stupid or just believe that anti-virus software was enough protection like idiots?
Ban Windows in DOD !
Slashdot bans vague sensationalist stories from Wired and Fox.
There is nothing about this story that is really news. Viruses and the like are always a problem. Bad user behavior is always a problem. And this "unprecedented ban" is nonsense. Now, maybe actually enforcing it for the Army may be news, but external media on government networks has been a big nono for a long time unless it was purchased by the government for government use. That whole bring your own crap from home has always been something you weren't supposed to do. The DoD has had the deal for government employees to get free anti-virus software for ages to help curb these types of problems.
God I hate Wired stories about the military. I am convinced that the first time Wired actually has a story relating to military networks that has more than a 10% basis in reality without all of their typical bullshit hand waving the 7th seal of hell will open and demons will come to devour the Earth. I am also a little surprised to see a link to Fox news on front page slashdot. Remember people, these are the same assholes that had hackers making van's explode. Now suddenly they are worthy of front page links on a geek news page?
The only change I can believe in is what I find in my couch cushions.
...secretly, I still use USB drives. Don't tell anyone. It's easier than emailing myself everything.
Google: "All your data are belong to us."
We banned external devices in increments over the last two years at the Dept. of Veterans Affairs. No floppies, no USB drives, no CD or DVD burners. Makes perfect sense if your network infrastructure is sound.
Shouldn't the virus scanner have caught this?
Government should make use of sandboxes mandatory for all computing. Furthermore, I wonder if the military could get Intel or AMD to manufacture their processors with customized instruction sets? Seems like the most secure way to go. Then create a linux os on top of that with the new instruction set and customize gcc or something. That way all applications would need to be compiled for the "military" only processor. Just an idea :). Military stuff wouldn't run correctly on non military processors and vice versa.
Trying to install linux on my microwave, but keep getting a kernel panic...
Really this is another example of the DoD running scared from technology instead of learning to use it and embrace it. There are dozens of solutions already mentioned that solve this problem while still allowing the use of a fantastic technology.
This mindset invades everything the DoD does in IT and pushes them further behind their competitors.
The corridors of DoD workplaces are festooned with posters saying things like Never Give Out Your Password, so when I sought to raise consciousness about the IA risk from thumb drives I submitted a slogan and poster to DISA:
Don't Plug It In If You Don't Know Where It's Been
Never heard back from them.
With this all-out ban, even on DOD-owned devices, there are many missions that cannot have devices networked, so USB media was a life saver. At this point, we are going to be hurting in accomplishing the mission.
The ban on even DOD items came a few days after the scan requirement. The DOD is having all users turn their USB media devices in. Forget the issue with using personal USB, the DOD ban on their own stuff is going to cause issues. Curse windows.
This has been the standard practice for years, and this is also on the non-classified network. The difference is now they are placing a hammer in the hands of I.T. who catch lazy officers breaking the rules.
With the built in Windows tools you can disable the use of USB thumb drives while still allowing USB keyboards and etc. You just have to know how to use Group Policy and a small handful of Registry settings.
In Windows XP you simply go into RegEdit and go to this registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
Next, make a new key called StorageDevicePolicies. In there make a DWORD called WriteProtect and give it a value of 1. Now you can allow people USB keys but they can't write to them. Want to disable reading as well? Just add the appropriate DWORD.
For a non-built in method I hear good things from a friend that has used this in the past.
Why do I have the feeling this could be easily Google'd?
I have seen a number of military networks that are flat networks with all the same version of windows with all the same software behind a heavily locked down firewall (only port 80 and 443, typically). These are attack disasters waiting to happen - crunchy on the outside, sweet and chewy on the inside. If one machine gets infected, it's a good bet that all will be.
I bet they don't even know what the attack vector is.
I work at an AF base and have seen the directives. I keep seeing in the news that DVDs are included in this ban, but I haven't seen that come across from our Comm people. So far, the only things we're not using right now are thumb drives and external HD type hardware.
If you want news from today, you have to come back tomorrow.
And I say that as a former Acting Security Officer for a regional command.
Was then.
Is now.
Wake me after the Chinese invade, will you?
"All your base are belong to Beijing"
-- Tigger warning: This post may contain tiggers! --
I assume the virus brings up a helpful countdown timer on all the infected machines. Surely the aliens have picked up enough SF movies on their way here that they understand that's part of the protocol.
Squirrel!
This is already standard procedure in the Air Force. They are not banning ALL use of the drives, they are simply requiring a scan of the drive first to ensure that it is clean.
"cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware"
Also:
"Eventually, some government-approved drives will be allowed back under certain "mission-critical," but unclassified, circumstances. "Personally owned or non-authorized devices" are "prohibited" from here on out. "
this has been standard in the Air Force for a long time. We only use NIPR or SIPR approved (and purchased by the organization) thumb drives. Always with encryption or at least a password required to mount the drive.
Seriously, even windows does not automatically run every program put on a thumb drive the second it is inserted into the machine.
The drives are scanned, takes about 30 seconds, and then it is allowed onto the network.
Both the NIPR and SIPR are considered to be their own little sandbox into which other things are not allowed.
This is stupid. I know the army gets away with a ton more stupidity in regard to computer security and networking than the air force, but this cannot truly be considered noteworthy news nationwide.
--and I back that slam against the army with the following:
-- allowing known crackable WEP wireless networks on their branch of the NIPR.
-- allowing untrained people to work with SIPR, and usually screw it up by connecting SIPR/NIPR interchangeably between the same computer...
-- etc etc
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
God, where are my modpoints when I need them most!
My roommate when I was working in DC over the summer worked at the DoJ, and they weren't allowed any sort of media. Seems to me the DoD was kind of asleep at the wheel.
No, they wanted to disable execution. Disabling writes is not going to stop you from executing something nasty (though it could help to stop more disks being infected), and disabling reads is overkill..
which is totally what she said
reading and writing is not the issue. It's cake on pretty much any platform to outright disable thumb drives on a machine. (which is probably what should be done here anyway, but I digress)
The issue at this point in the thread is with execute access. What's the magic HKEY for that they need to know?
I work for the Department of Redundancy Department.
I'm going to bookmark this for the next time someone claims that classified DoD systems are secure and can't be reached from the Interweb. Where there's a will, there's a way. And years after espionage via USB thumb drives had made it into the mainstream media, only now the DoD thinks of banning them.
Have gnu, will travel.
When you have got the source code of the entire OS there is nothing that you can't do, at least such a silly thing can be done, I dare you to convince me otherwise.
That having said, what do you pay me if I make your Linux computer automatically run code by inserting a USB flash drive? Apart from the fact that it might very well already run code automatically by inserting a USB flash drive, I assume I can even make it run executables contained on that very USB flash drive.
And yes, I do know, I am being pedantic but we are on /. here and are discussing what Linux might or might not be capable of, okay? :-)
When I worked on DoD projects years ago, things were obviously different. NO computer inside was ever able to communicate with the Internet.
If you brought floppies, CDs or hard drives into the facility, that's where they remained. No Media Was Ever Allowed out. None. Never. Nada.
When I worked nuclear power plants -- pretty much the same thing. Drug test and FBI check daily. No media that came in could leave. No systems could reach the Internet.
At the company facility, any DoD drives were removed at the end of your shift and locked in a safe until you checked them out the next time you needed them. They couldn't even remain in a computer if you weren't using it -- even for lunch breaks.
So, I'm surprised that as hacking attempts increase security actually decreased. Somebody really let the ball slip on this one. And, please explain how a Pentagon internal database had to have access to the Internet. That one just doesn't make any sense at all.
Banjo - The more I know about Windoze, the more I love *nix
Many DoD installations use Sun Rays, a server-based computing solution. Although the desktop unit has USB ports, policy can be set on the server about who can use what types of USB devices. Mass storage devices can be disabled altogether, if desired, and there's nothing the user can do to override that.
Sounds like the Pentagon should have a look at an installation, maybe JICPAC. Combined with Trusted Solaris, it's about the most secure environment you can come up with. You can't even copy/paste between apps running in different zones.
But even using Sun Rays with linux servers would be a huge leap.
It's actually quite a bit easier to do than that. Just disable usbstor.sys with GPO. done. Keyboards still work. Mice still work. Just mass storage devices. And whoever said you can't prevent execute on windows systems is ignorant. You've been able to deny "Read & Execute" via NTFS permissions since NT 3. Note: Read is a separate right. Since you have to be able to read it to execute it, it's just included in the permission description. Semantics. Here's something that may help you understand it. It's not that complicated. In reading the doc it will talk about share permissions and individual permissions, group permissions, and NTFS permissions all separately, and what wins in what scenario, and will talk about scenarios that no administrator that is worth his salt would ever implement. When done correctly it's actually very simple. However it does have the flexibility to be as complex as one needs it to be. http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html So there.
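The built-in controls that several comments in this thread describe (the StorageDevicePolicies WriteProtect value, disabling usbstor.sys, and denying Execute through NTFS permissions in answer to the "what's the magic HKEY for execute" question) fit in one script. This is an added PowerShell example, not code posted by anyone in the thread: the registry paths, value names and the Users SID are the documented ones, the function names and the Allow/ReadOnly/Block modes are my own, and it must run elevated. It also checks the volume's file system before touching ACLs, since NTFS permissions cannot be applied to a FAT-formatted thumb drive at all.

```powershell
# Added example, not code from the thread: audit and set the Windows USB
# mass-storage controls discussed above. Run from an elevated prompt; deploy
# through a startup script or GPO so the settings are re-applied after rebuilds.
$usbstorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policiesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStorageState {
    # Read both values without changing anything; Start 3 = load on demand, 4 = disabled.
    $start = (Get-ItemProperty -Path $usbstorKey  -Name 'Start'        -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $policiesKey -Name 'WriteProtect' -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        UsbstorStart          = $start
        UsbMassStorageBlocked = ($start -eq 4)
        WriteProtect          = $wp
        RemovableWriteBlocked = ($wp -eq 1)
    }
}

function Set-UsbStoragePolicy {
    param([ValidateSet('Allow', 'ReadOnly', 'Block')] [string] $Mode)
    switch ($Mode) {
        'Allow' {
            Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 3 -Type DWord
            if (Test-Path $policiesKey) {
                Remove-ItemProperty -Path $policiesKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
            }
        }
        'ReadOnly' {
            # usbstor.sys still loads, but writes to removable disks are refused.
            Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 3 -Type DWord
            if (-not (Test-Path $policiesKey)) { New-Item -Path $policiesKey -Force | Out-Null }
            New-ItemProperty -Path $policiesKey -Name 'WriteProtect' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'Block' {
            # Start = 4 keeps the USB mass-storage driver from loading at all;
            # keyboards and mice use other drivers and keep working.
            Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4 -Type DWord
        }
    }
}

function Deny-ExecuteOnVolume {
    # Deny the Execute right to BUILTIN\Users (S-1-5-32-545) on an NTFS volume,
    # inherited by sub-folders (CI) and files (OI); reads stay allowed.
    param([string] $DriveLetter)   # e.g. 'E'
    $info = New-Object System.IO.DriveInfo $DriveLetter
    if ($info.DriveFormat -ne 'NTFS') {
        throw "$DriveLetter`: is $($info.DriveFormat); NTFS permissions need NTFS. Use Block or ReadOnly instead."
    }
    icacls "$DriveLetter`:\" /deny "*S-1-5-32-545:(OI)(CI)(X)"
}

Get-UsbStorageState               # before
Set-UsbStoragePolicy -Mode ReadOnly
Get-UsbStorageState               # after: RemovableWriteBlocked should read True
```

ReadOnly is the mode that matches the "allow people USB keys but they can't write to them" suggestion earlier in the thread; Block is the usbstor.sys approach from this comment. Neither stops a program on a readable drive from running, which is what Deny-ExecuteOnVolume is for, and the file-system check is there because the thumb drives in the field are almost always FAT and carry no ACLs to set.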
... what did you expect, something profound?
When I said "Windows does NOT run a ship of war", I referred to active ships. The USS Yorktown (CG 48) was decommissioned, and therefore is no longer an active ship of war. We evolved past using NT4.0.
The new Gerald Ford class aircraft carriers will be controlled by a variant of Windows Server 2003. And Windows OS's are creeping into other weapons projects as well. I have a friend that does work on the clusterfsck that is the Marine's new EFV, and he tells me that it's also run on a variant of W2K3. The military is standardizing on Windows for everything from vehicle control to C3 systems. And that's very bad news.
And BTW, I used to be a sailor, waayyy back in the day.
Life is hard, and the world is cruel
Removable storage has been banned from classified networks for years.
Why ban what is already banned, the "double-secret" ban?
I am the unwilling control for my Origin.
To set the record straight I don't live in the US and have never worked for any US government agency.
As a security consultant for over 12 years I can say that if DoD still allow USB throughout the network, especially their secure networks then they are behind the times.
I was gluing up USB ports, disabling BIOS settings, implementing custom software to disable floppy/CD/USB drives for about 7 years...
The slashdot crowd love to throw technology (preferably *nix) at a problem but the truth is, security is much more than just technology. It requires additional controls that take into consideration people and process.
To protect against threats on the workstation require much more than just applying security on the workstation. Proper network segregation is paramount.
Also I do doubt DoD would have lax controls in place in their secure zones that would put the rest of their network at risk.
Most environments have security challenges. DoD is no different.
When I was in, there were several applications we used for various mapping tasks that required us to insert CD-ROMs full of the map data.
We only had CDs for roughly half the region we were concerned with, and this totalled a couple hundred CDs.
While hard drive space and bandwidth has gone up tremendously since then, it's a safe assumption that the amount of data involved has also grown tremendously.
Unless this order has some exceptions, this could be a serious blow to the effectiveness of some units and duty sections, that would outweigh pretty much any benefit that could plausibly come of this order. Doesn't matter how secure you are if you can't do your job in the first place.
Yes, you can use NTFS permissions. But we talk about USB drives here. Every thumb drive that I've met was FAT formatted. Just like it came from factory. If you format it NTFS, then "well known SIDs" would work. But if you use some user specific permissions ... well perhaps with well managed AD forest it might work. I still consider Linux solution more elegant.
What was the real story here?
I have it on inadequate authority that autorun was already disabled, removable storage was already banned, SEP 11 antivirus software was already required. Yet we are led to believe that an old worm that spreads by creating autorun files on removable media spread through the DoD.
Something stinks about this story.