Slashdot Mirror
Significant Russian Attack On US Military Networks
killmofasta notes an LA Times story on a severe and widespread attack on US military computers that may have originated in Russia. Turns out the military's recent ban on flash drives was a precursor to this attack, which was significant enough that the President and the Defense Secretary were briefed on it. "The 'malware' strike, thought to be from inside Russia, hit combat zone computers and the US Central Command overseeing Iraq and Afghanistan. The attack underscores concerns about computer warfare. 'This one was significant; this one got our attention,' said one defense official, speaking on condition of anonymity when discussing internal assessments. Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary. ... [A defense official said] 'We have taken a number of corrective measures, but I would be overstating it if I said we were through this.'"
... to have sensitive systems directly connected to the internet?
Oh , wait...
So umm, how's that Vista working out for you? What'd they use for the attack? Solitaire?
I'm not anti-social, I'm anti-idiot.
$100/hour to install air-gap firewalls on sensitive/classified networks. (Includes rental of scissors.)
"It doesn't cost enough, and it makes too much sense."
Just remember that just because it originated in Russia does not mean that this was a Russian Government attack (though it could have been known about and ignored by them if it wasn't) - it just happens to have been in Russia - the headline is a little misleading in that sense.
I love the way these things are always spun as if they are significant military attacks coordinate by the foreign government or their agents. Is there any evidence that it isn't just a few bored teenagers who happen to live in Russia and think it would be fun to try and hack the US DOD?
Anonymous coward here, for a reason etc.
I work with the USAF in a very official capacity in IT and got wind of the flash media ban a while back.
I've been asked to keep quiet about this, but since it isn't classified, and nobody takes slashdot seriously, take this for what it is worth:
We stopped using all flash media on all networks because we can no longer be confident that they do not come from the factory with payloads attached. I've seen entire boxes of flash media from the "amnesty boxes" set up inside USAF buildings sent off to NSA and FBI for investigation.
There are some who think that manufacturers have been infiltrated with the sole purpose of loading malware onto drives. And it isn't that it's specifically an attack on US Gov. computers - it's just that Gov. networks tend to be pretty incestuous, and flash drives are often moved back and forth between multiple computers daily by most users due to the flakiness of CAC (common access card) infrastructure.
So beware.
DO NOT connect military affiliated computers to internet, EVER.
dont you already have your on military-net ? run them only on that network.
Read radical news here
So, let's send the attacks back to them. If they want to play that game, let's crash their communications/economy/country/way-of-life.
The federal government is finally starting to see the fruits of its trifecta of asinine spending policies:
1) Lowest bidder (God forbid we get the best value for the tax dollar, not the cheapest).
2) Standard pay rates that don't take into serious consideration the skills and experience of employees. God forbid we adopt private sector pay policies because that might make us look like we're discriminating if some employees get paid a lot less than others.
3) The fact that it often takes an act of Congress to fire a federal employee.
Like most Northern Virginia-based software engineers, I've worked a federal contract here and there. I've been exposed to incompetence from federal employees that would not be tolerated by almost any corporation. My company actually brought a formal business case for why our government program manager was wrong and her decisions would be a disastrous waste of tax payer money to her bosses. We **pleaded* with them to override her and let our senior engineer do the architecture since she had no idea how to do it.
Guess what? They told us to shut up and get back in line.
There's this myth that the outsourcing of government has ruined the federal government. That's bullshit. Government contractors are often the only people who actually get shit done! We're the ones who actually do much of the heavy lifting because the civil service for so long was allowed to deteriorate into a combination of an affirmative action program and a welfare program for stupid white men.
There are real pockets of genuine competence and intelligence in the federal government, but unfortunately, they're so isolated by the prevailing culture and leadership that it would take a real Leviathan-wrangler at least 2 presidential terms to get any meaningful culling done.
But that was before every wannabe script kiddy used it. I would have thought they'd have had a seperate disconnected military network of their own by now.
When will people learn...
you had me at #!
These are professional liars, folks! This is a part of the Military disinformation effort - so publicly trumpeted right here on Slashdot - not so long ago.
If there had been any such REAL significance to this 'attack', do you think that it would be published and publicly acknowledged? There are very minor cold-war-era incidents and slip-ups that are still highly-classified, and never acknowledged.
I suppose this to be a non-event of ordinary malware, that is being used to:
1) Shape public opinion and generate suspicion
2) Justify restrictions on the Internet access/speech of military personnel
3) Profit!
Remember: In Soviet America, Military Network Attacks YOU!
"Flyin' in just a sweet place,
Never been known to fail..."
"may have originated in Russia" is not the same as "originated with the Russian government," of course.
My guess, the attacks are an attempt to turn the vast power of military computer systems into one giant spam-bot.
And, also, just think of all the new Nigerian scam letters that they could pull off with military connections... the "your son was wounded in Iraq and is being airlifted to a hospital in Germany, please send $10,000 to pay for a private room for him" scam will be much more powerful if it issues from a military computer (and, for that matter, much more convincing if the scammer knows the actual name, rank, and next-of-kin of the 'son').
http://www.geoffreylandis.com
The British Intelligence have learnt how to avoid infecting their systems with infected flash drives. They leave them on the train where they can't do any harm.
If thse attacks are successful, they will replace the old practice of dropping leaflets on enemy soldiers... Now when the modern soldier opens his e-mail, he will be greeted with "Feeling ashamed of your small willy, we can help" etc etc
So, the other day, i thought that my girlfriend would like the present i gave her... God was i wrong...
Now they think that the attack comes from Russia... That means they're not sure about it at all, they just got a hunch that the attack is from the Russians, they don't say they got proof or anything, they just say they think it's from there...
However, suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.
Just because the relations with the Russians aren't that good doesn't automatically mean they'll attack you in Irak...
For all we know, it could be Irakians who would attack the Americans... Well that would rather be "the Irakians defend themselves by trying to bring the American's computers down"
Reading the article, which has almost no details, I think the LA Times is trying to make news out of nothing. The "senior military leaders" are basically like "senior business executives" who probably have no clue about any actual "attacks". They are just trying to hype up anything they can to increase their budgets.
The actual details they are dealing with is the same as any organization that uses computers and employs people.
Better luck next time, Slugheads!
That is the odd thing... you never hear about the huge attacks on the Chinese, Russian, North Korean, etc. But then again, the USG would never do anything unethical or underhanded or hypocritical or .
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
Why not have all these genius Slashdotters run the entire network? They seem know so much more about these systems, their funding limitations, and functional requirements than the admins.
Or, we can question and challenge the government to do better without arrogantly pretending we're so much smarter than *everyone*.
Sorry, couldn't resist.
Also, the CBC [Canadians] are running sensationalist crud on their TV.
Most irritating soundbite from a DHS 'expert':
"Digital Pearl Harbor"
I think they must have run the same quote 3-4 times.
Me? I think the military / DoD is begging for $$$ as usual. What? We didn't bail out the military? Shame!
--- See you at the Tannhäuser Gate.
The US military is not stupid, and does take systems security very seriously. What would look like ultra-paranoid behavior to a civilian may well be fully justified in the military world.
The reason is simple: any breach, leak, or DoS can result in somebody being killed, operations foiled, or even wars lost.
Security people have to guard against known threats and techniques, which are very challenging, plus unknown ones that nobody has even thought to consider. Being able to trust the technology that they are using is a very important element in managing that security.
All systems are somewhat sensitive, given that even non-sensitive tidbits of information can be assembled together to give a pretty good picture of very sensitive activities if enough of them are available.
For example, a point of sale system in a military base's dining facility could be tapped to give a count of meals served per day. If an adversary sees a sudden drop or increase, they know that SOMETHING is going on. Combine that with changes at other bases and a picture of force distribution begins to emerge that then guides the adversary where to plan to deploy their forces to defend or attack.
I can see why there is a need to avoid the use of any removable media, even on non-sensitive systems. Just a few pieces of malware or compromised hardware can result in leaking enough unclassified "factoids" to compromise the secrecy and security of important operations.
Hardware is especially troublesome from a security standpoint. It does not need operating system permission to access memory, and can sit silently in place until activated. One innocuous-looking IC can easily contain a hidden microcontroller that has full DMA capabilities, and there's no way - short of physically mapping out every transistor in every chip in the device - to even know whether or not they exist.
I'd be paranoid too if military systems security was part of my job.
that's the second time in this thread i've seen the non-word "spreaded."
you have failured.
the united states is a nation of laws; badly written and randomly enforced -- frank zappa
...experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.
Classic propoganda.
Shame on Julian Barnes of the LA Times and the unnamed senior military leaders.
I would have expected that on a military level, all software and operating systems used should be compiled from source, the source checked and risky features locked down. That would exclude proprietary operating systems like windows and mac OX and even prepackaged open source systems. Its probably not cheaper but cases like this should be wake up calls.
Maybe DARPA shouldn't have pulled funding for OpenBSD research a few years ago. I knew that was going to come back to bite the US DoD in the ass sooner or later.
Threatening but ultimately harmless attacks are carried about by scary foreign militaries, and devastating wide-scale attacks are carried out by bored spotty teenagers. What don't you watch TV!?!?
"When information is power, privacy is freedom" - Jah-Wren Ryel
Honeypots are gnu ... er, new? I recall encountering a honeypot site shortly after Gulf War One, "Endearing Sandstorm," or whatever that was. It had photos of the first predator reconnaissance flyer, but nothing to indicate scale except plastic bonding details. It sucked you in to a mysterious set of graphics which seemed to suggest that GPS was "fuzzy" for everyone but the military. I didn't linger. The ratio of effort to detail was set way too high, for something so obviously exposed.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Oh fuck, I missed:
"We have taken a number of corrective measures, but I would be overstating it if I said we were through this."
=
We can't protect ourself from things like this.
you want to start a thermonuclear war because of a DDOS attempt?
get real.
DRM-free indie games for the PC and Mac: Positech Games
Do not even use a standard linux !
Use a SE linux or a BSD-like. Computer security is serious business in a few domains. In hospitals and military operations, authorizing a closed-source OS with the biggest malware and virus repository on the planet should be charged with felony or criminal negligence.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
"The news of my death have been greatly exaggerated."
It's funny how blind politically correct idiots can be. Nobody, not even Saddam himself, disputes that Saddam's army, under the direction of "Chemical Ali", FIRED WMD's AT DEFENSELESS CIVILIANS.
But of course it's politically expedient to claim he didn't have them.
It's a sad joke that people can be so stupid. It's like agreeing that a convicted murderer, who shot 10 people on live television, then bragged about it to the whole wold "never touched a gun". It's beyond stupid.
I'm just curious: Presuming all these things were real events, not made up, over exagerated, etc... At what point do you consider an attempt at hacking into government or military systems by another country to be an act of war? Are there levels of it? It's okay to break into some minor functionaries system, but we draw the line when you get into command and control systems that are passing sensitive data?
Or, is it just accepted that countries will be hacking one another's systems and that's okay?
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
That "Russian" attack on Estonia turned out to be Estonian in the end. The there was another "Russian" attack on USA, which turned out the be Chinese. Now we have a "Russian" attack again... These, combined with recent silly PR campaign "warning" the US citizens of the dangers of visiting Russian and ex-USSR domains, is obviously staged in order to prepare the US population for the forthcoming internet censorship measures in the US. Apparently, the emergence of Russian sources presenting information in English does not sit well with federal US brainwashing/propaganda structures. Expect this PR campaign to continue. I wonder what BS will they put out next.
In Soviet Russia, the US Military Networks attack YOU! Now, wait...
ROFL!! Boy are YOU ever the dupe. The majority of all the nations represented in the security council are tyrannies of one form or another. Most of the nations in Asia, most of the nations in Africa, and most of the nations in South America are either dictatorships or oligarchies, and that's just for starters. In the middle east everyone but Israel (and now Iraq) is, and in Europe you still find some undemocratic nations as well (Serbia, Bulgaria, Russia, etc). So the body you claim is "democratic" and "representative of world opinion" is actually a body largely controlled by the small subset of the world population that are dictators, and is only representative of their interests.
At least in the security council a larger proportion of the permanent council members are democratic regimes. Yes, you have China and Russia, but at least you have some veto wielding democracies in the mix to strike down all the tyranny friendly policies that originate in the rest of the UN. One of the reasons America as a nation is great is that all of our states are democracies, and they joined to form a regional democratic government that IS representative of us. In the farce that is the UN that is not the case, and it turns into a massively ineffectual body that tends to reward corruption and legitimize dictators.
I think if we learn anything from the UN, it is that a government made up of anything other than democratic states is worthless, and will fail completely.
Beware of bugs in the above code; I have only proved it correct, not tried it.
I think that, right now, no one is really sure what to do. I don't think that it is a cause for war (traditionally speaking), but it is a violation of sovereignty. I'm not sure what we can do about it at this point aside from defense and counter-offense.
On a classified system, the entire computer, and anything that touches it (be it media, monitor, printer, or network) is also classified. There can be no instance of one window being classified and the other not: they are both classified at the same level regardless of content.
You can have an unclassified system running right next to a classified one, but they cannot interact with each other at all.
I am very small, utmostly microscopic.
This just proves that mission critical operations and life-or-death reliance should not co-exist with networking.
Truth, Just Us, And Hatred For All Mankind!
Security through obscurity = bad. Peer verification of architecture = good. Old news, but it's all on my blog.
-- haaz.
They don't use a lot of Windows on internal systems in the DoD. As I'm to understand, they run a lot more Linux and Solaris.
Please clarify the source of your understanding. It's wrong. I know people who do DoD CnC work and they're MCSE's. But that's not a problem itself - the question is one of access controls. In some of the more secure TLA's you can't do file transfers between networks of different security levels, only formatted and validated data can do that.
But I suspect people with classified documents on their computers regularly access the IntarWeb, and that's a weakness, and, golly gee, our enemies are trying to exploit our weaknesses. Personally I have no problem giving a General two desktop computers so he can buy movie tickets from work, but that may not be 'streamlined'.
Now if you want to talk about military hardware, then just read linuxdevices.com for a few months and you'll get a good feel for what's in there.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
it is the encryption of the LAN/MAN/WAN that matters
Not just encryption, but how information is allowed to flow between systems with varying security classifications. We know how to do this right, but fail to do the right thing in the name of convenience and cost.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
All you have to do is go on Myspace pretending to be a girl, phishing for "Honeywell" employees, etc. I'm not particularly interested in that, but history tells us that in Russia and China they have all their engineers locked in a cage somewhere but I'm willing to guess it isn't like that anymore if you can get past the language barrier..
I often ask for him to be fired.
By your previous statement that it is career limiting (of the above statement), wouldn't this limit your career?
But I see both sides. I'm a younger guy and started working for a larger company and have eyed the government for some time. However, from what I understand its near impossible in some situations to get a job with the government and takes a billion years to actually finish the process.
Not only this but I hear stories from various family members that the government is so bureaucratic that half the crap that needs to get done doesn't because of all the BS red tape. Then most of the things that are done are done without any brains behind it. Granted these stories don't deal with the area of IT, but at least gives me a jilted picture of what goes on.
When I was a younger kid I'd go with one of my parents to hang out and watch them work for a day. Whenever we'd walk by offices with open doors I'd usually see nobody (probably in a meeting), or see someone but not really doing work. Granted I was like 9 or 10 and who knows what they were doing. But I did get games from several people (Commander Keen being one of them) so you knew they weren't always working, but screwing around with a game.
My parents didn't do that as far as I know. My mom might have done something as mundane as solitaire on her lunch hour, but I doubt it. Both of my parents instilled in me a sense of pride in my work which they both have...regardless of how crappy everyone else may work. So as an adult I'm astounded by how much people will screw around or even find ways not to do work. Even if I web browse at work I'm always attempting to further my knowledge in computer systems...even if it means reading /. ;)
Its funny that contractors are brought up...seeing as some online learning that I've been reading states that one great feature of contractors are the taxes for the company that is asking for the contractor. Not only that, but the company asking for the contractor normally doesn't have to worry about benefits or long term health care. So that is a huge trade off imo. One which I thought was sort of screwy. There is a lot of leeway in there to screw over independent contractors....Sorry meant to say "independent contractors" as contractors working from another business are dealt with differently I believe.
Heck, I have a friend who works for a contractor, that I think contracts for the government, and he gets screwed with overtime all the time. He ends having to work weekends just to get some projects finished, not by his part but due to others. And he's not getting much more than I am and I don't even have a degree (yet..I'm still working on mine, but I've got a full time IT job atm to at least get my career started).
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
Administration says one thing... reality is likely the other.
Haven't we learned yet?
I'm not believing a damn thing those people say. Chances are the attack is coming from within their own network.
Right, Americans didn't suffer during World War II, either. Pull your head out. The entire world felt that war and that's why we've tried so hard to avoid any major conflicts.
SWM seeks new sig for a brief fling
Your absolutly right. The Russians do not want a war, any more then we wanted a war with Iraq, but the GOVERNMENT went ahead, fabricated lies about WMDs and poof! Pissed away BILLIONS of dollars. You think Medelev woudnt do the same?
I did some research into the losses Russia sustained during WWII. 30 Million killed in the Siege on Stalingrad alone. I think that the figure of 67 million total dead is also conservative.
(btw, it is a good oberservation anyway, good point! )
Yes, and it is the general assembly that contains such shining stars of freedom and prosperity that allow socialist authoritarian despotic hellholes like Zimbabwe to chair the Council on Sustainable Development (what's their inflation rate up to? One million percent? Gotta love shelling out a few hundred kilograms of paper for a beer.). The U.N., an international body with no internal corruption-busting mechanism (a prosecutor, if you will), has also allowed LIBYA to chair the Human Rights Commission. Hell, while they're at it, they should let Sudan chair something squishy feely-goody and human-rightsy too. You can obviously see the conflict of interest when Human Rights Watch makes a recommendation to the U.N. Group on Arbitrary Detentions to go into Libya. I'm no Bush supporter by any means... he trashed conservatism to the point where it became impossible for a true American hero to win the election, but I will always give credit where credit is due, and sending John Bolton to the U.N. was absolutely a good decision. After all, the U.N. is such a bang-up organization that they can funnel tens of billions of dollars through the oil for food "programme" (I love that spelling... makes it seem so... European), and not a single person is prosecuted and imprisoned for it. If there were a corrupt governmental bureaucracy studies field in universities, the U.N. would be the textbook example.
Most of the freaks and geeks (not that there's anything wrong with that) on /. are not military veterans, and as such, display the typical kind of juvenile disconnect from what really happens inside the terrible "military-industrial complex." I was part of the initial invasion, and sure as you're born, we had serious reason to believe that Chemical Ali would dump all sorts of nasty chicken-dance vapors on us, hence the entire first assault being performed at full MOPP protection in 110 degree heat. What else were we to believe? Surrendering Iraqi officers were telling our officers that they had chemical weapons at their disposal. As a commander, you HAVE to take such information as valid for the safety of your troops. As it turns out, it was merely a weak attempt to slow U.S. forces... because let me assure you, spending twelve hours straight in a chemical protection suit in the Iraqi heat sucks... a lot. No, really, it was about as fun as having your teeth drilled.
Invading Iraq was not about getting the WMDs, it was about removing a regime after it simply would not abide by the rules of the international community. Irregardless of how few weapons Hans Blix (what a raging wimp if I ever saw one) believed were in Iraq, the real issue was Saddam's constant manhandling of U.N. inspection teams that would often times be held at gunpoint for hours at road checkpoints and given access to sensitive and suspect sights only several hours or days after an attempted surprise inspection. As a comparison, if a police officer has every reason to believe is armed, because the guy is hiding something in his hand and says is a weapon, and when the suspect gestures it toward the officer the suspect gets killed, that officer acted in accordance with a proper escalation of force.
But, hey, I'm just a dumb Marine who remembers sitting in a cold squadbay out in the boonies of Camp Lejeune in February of 2003, and being with fifty other Marines huddled around a small radio, and listening to the news reports of Iraq's defiance of inspection demands and knowing that tomorrow we were heading over to supply to get issued most every piece of gear we rated. All those liberals out there who feel that Iraq "was about oil" or "was Bush's conspiracy" simply don't get it. They weren't the ones who helped civilian forensics teams load bodies onto the back of trucks as they were removed from mass graves, sweating their asses off in chemical protection suits, or geting intel reports from the S-2 NCO about the likelihood of nerve agents making you funky chicken dance in the sand.
The reason this virus spreads around is that Microsoft in its infinite wisdom decided that if certain files existed on a drive, they would get executed immediately when the drive is detected. While this is convenient for loading extensions that enhance the drives function, like encryption/decryption features, it is also obviously a problem when it loads malware. In the old days (DOS days) the user looked for a setup.exe file or install.exe and ran that if they wanted to install the software. These days when you stick in the CD, suddenly the installer is already running. This is either brilliant, or the most stupid idea ever. Microsoft probably created this feature of Windows primarily so there application software would be easier to install. The old way was never much of a barrier to getting software installed as long as the use knew about the "DIR" command. Of course the use of command line and commands like DIR or CD require basic knowledge, and Microsoft prefers, Plug and Play where installing and running software is no more difficult than inserting a DVD and having the movie start right away.
The entire world felt that war and that's why we've tried so hard to avoid any major conflicts.
...by outspending most of the world on offensive military technology and conducting offensive military campaigns against small, defenceless countries every few years....
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
cold war is over. bodily fluids...intact.
war room, still no room for brawling.
Good people go to bed earlier.