Slashdot Mirror


Significant Russian Attack On US Military Networks

killmofasta notes an LA Times story on a severe and widespread attack on US military computers that may have originated in Russia. Turns out the military's recent ban on flash drives was a precursor to this attack, which was significant enough that the President and the Defense Secretary were briefed on it. "The 'malware' strike, thought to be from inside Russia, hit combat zone computers and the US Central Command overseeing Iraq and Afghanistan. The attack underscores concerns about computer warfare. 'This one was significant; this one got our attention,' said one defense official, speaking on condition of anonymity when discussing internal assessments. Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary. ... [A defense official said] 'We have taken a number of corrective measures, but I would be overstating it if I said we were through this.'"

74 of 270 comments

  1. Surely the US military is dumb enough.. by Viol8 · · Score: 5, Funny

    ... to have sensitive systems directly connected to the internet?

    Oh, wait...

    1. Re:Surely the US military is dumb enough.. by OeLeWaPpErKe · · Score: 3, Insightful

      Ban on flash drives ... doesn't seem they came in through the internet.

      (btw : of course the military has computers connected directly to the internet. They created the internet. The remaining systems are only sensitive in the economic sense of the word though)

      just my 2c

    2. Re:Surely the US military is dumb enough.. by theaveng · · Score: 3, Insightful

      How do we know this attack even happened?

      Supreme Commander/General Eisenhower warned us to be wary of the military-industrial complex's desire to create wars just to keep themselves in business, and we already caught them in a recent lie (WMDs in Iraq that never existed). How do we know this "computer war" happened and is not just another made-up story to try to get trillions more dollars & keep the military-industrial companies employed?

      I work for these people, and frankly I don't trust them. I'd personally be happy to give up my job in order to bring the Congressional budget into the black & reduce taxpayer burdens, but I know many of my colleagues would not. They want to keep their jobs regardless of cost (or lies).

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    3. Re:Surely the US military is dumb enough.. by zappepcs · · Score: 5, Insightful

      The other side of the coin is like this:

      How do we know that it's not retaliation for an attack on Russian computers that originated from US military networks?

      When we start hearing news stories about computer attacks from Latvia, Peru, or some small country in the far east perhaps they can be believed. Right now the news is all about attacks from people that the current administration would like to demonize. That makes the believability of these reports a little less than zero IMO. It sounds like pure propaganda at this point. If it is real, it's probably part of a cat/mouse game that we've been playing with them all along. Anyone who has been in the US military knows that we play war games all the time with Russia. Look up news on the USS Augusta, search for news about submarines a week before and after, you'll see that it hit a Russian sub in a bad game of chicken. Why would computer networks be any different? I bet there are teams of IT people that set up honey pot networks just for this kind of war game. It would be stupid to believe otherwise.

    4. Re:Surely the US military is dumb enough.. by Nursie · · Score: 4, Insightful

      No.

      Sorry. No.

      That's so wrong it's funny. The whole world didn't believe shit about WMDs. Your government made shit up and then our government (UK) got involved because they thought it was politically expedient.

      And the Syria thing? Please. Bullshit to justify US actions in light of the complete clusterfuck that the Iraq thing became.

    5. Re:Surely the US military is dumb enough.. by Deadplant · · Score: 4, Insightful

      But the whole world believed that Iraq had WMDs

      That is so ludicrously wrong you must have been watching american news.
      The vast majority of the world did NOT believe that WMD nonsense.

    6. Re:Surely the US military is dumb enough.. by Nursie · · Score: 4, Insightful

      "So 17 UN resolutions referencing WMDs represents what to you, moron?"

      History. The Iraqi gov't weren't cooperating, but Blix was not convinced they had any WMD when he was pulled out.

      "Put the propaganda UK rags down, get some better medications, and go back to middle school and learn something before further poisoning the internet with your ignorance."

      Lol. Republitard.

    7. Re:Surely the US military is dumb enough.. by Deadplant · · Score: 4, Insightful

      So 17 UN resolutions referencing WMDs represents what to you, moron?

      That is the result of the dysfunctional and undemocratic security council where the USA has a veto.
      Don't confuse security council resolutions for something representing world opinion.
      It is the general assembly that is democratic and representative, the security council is a private club.

    8. Re:Surely the US military is dumb enough.. by El+Torico · · Score: 4, Insightful

      I work for these people, and frankly I don't trust them. I'd personally be happy to give up my job in order to bring the Congressional budget into the black & reduce taxpayer burdens, but I know many of my colleagues would not. They want to keep their jobs regardless of cost (or lies).

      I don't trust any upper-level manager in any industry, but especially not in DoD contracting, and I certainly don't trust DoD civilians to be honest or competent.
      This is taking place during the transition between Administrations, so someone at the DoD hierarchy wants to make a show about how they are "protecting America" when everyone in the commercial sector dealt with the agent.btz trojan quietly months ago.

      --
      In the land of the blind, the one-eyed man is usually crucified.
    9. Re:Surely the US military is dumb enough.. by Hal_Porter · · Score: 3, Insightful

      That is the result of the dysfunctional and undemocratic security council where the USA has a veto.
      Don't confuse security council resolutions for something representing world opinion.

      Except when they agree with you presumably, like just before the war.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    10. Re:Surely the US military is dumb enough.. by jambox · · Score: 4, Insightful

      You must live in a parallel universe!

      There are so many mainstream sources around UNSCOM and the IAEA that have come forward since the Iraq war that the truth is no longer in question. It goes like this:

      Firstly, the Iraqi military and economy had been smashed by the first gulf war and subsequent sanctions.

      Secondly, Hussein and the rest weren't stupid and clearly knew the US government, public and media were all baying for war.

      Thirdly, the UNSCOM inspections were very thorough and even well funded and equipped (largely by the US taxpayer) and had a great deal of success in pressurizing the Iraqi regime into getting rid of what it had left, which in any case wasn't much because it was all so old. Dozens of Iraqi army officers defected through Syria or Jordan and confirmed the story.

      Because of all this, successive administrations tried and failed to find a pretext to war. Parent is entirely correct - it's the defense industry wanting cash and the government finding any excuse to pump tax dollars to their well-to-do pals. It's good for the economy, according to the politicians.

      What helped most of all to tip the balance in favour of war was when someone or other (probably the CIA) forged a now infamous document purporting to show the sale of yellow-cake uranium by Niger to Iraq. It was by all accounts a hilariously bad forgery and contained many, many obvious errors that clearly showed it could not be genuine. However, the White House released it to the media as genuine, who immediately, without checking it, presented it as casus belli to the trusting public. By the time the IAEA's Mohammed El Baradei announced a couple of days later that it was utterly false, it was too late. Not that the same, supposedly liberal media made a big deal of that.

      That, my friend, is how rich, powerful people can manipulate the public into doing whatever they see as necessary, even when it calls for the deaths of hundreds of thousands of normal, working class people on all sides.

      --
      You thought you could break the laws of physics without paying the PRICE?
    11. Re:Surely the US military is dumb enough.. by Hognoxious · · Score: 3, Insightful

      The whole point of the inspections was to make positively sure that Saddam didn't have any. I'm assuming you agree that's better than thinking he probably-maybe-not-sure doesn't then finding out that you're wrong, in the form of a big fireball over some city?

      Answer this, if he didn't have any and wasn't in the process of making any, why was he so keen to get rid of the inspectors?

      Everybody who says he didn't have WMD (on the basis of what we know now) is just a Monday morning quarterback. Hindsight is always 20-20.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:Surely the US military is dumb enough.. by hesaigo999ca · · Score: 3, Informative

      Easy to keep the military systems safe, don't plug them into the internet...that way people all the way from Russia won't be able to hack them if there is no access....it would only be something from within, and this we already have a budget for, no need for more money for it as a separate expenditure

    13. Re:Surely the US military is dumb enough.. by peragrin · · Score: 3, Insightful

      well the simplest solution is to look at non US news sources. frequently the BBC posts stories about US military hours before american news outlets do. Pull your head out of your arse, and look at someone else's news for a while. France, while a somewhat ally, will publish news that American news outlets won't as they are considered "sensitive" or not newsworthy (read latest actress scandal is more important).

      --
      i thought once I was found, but it was only a dream.
    14. Re:Surely the US military is dumb enough.. by gwait · · Score: 5, Informative

      Bullshit.
      Those of us outside the feverish and patriotic US Propaganda machine could see that machine heavily at work.

      Yes it was entirely plausible that Saddam had WMD,
      so yes it was expedient to send in inspectors.
      When said inspectors turned up absolutely nothing,
      that wasn't the answer America wanted to hear, since "Something had to be done about 911!".

      The best summary of the Iraq war propaganda machine at work is here:

      http://www.pbs.org/moyers/journal/btw/watch.html

      Why should you care? America is now worse than broke, and you spend trillions blowing up a country for no benefit to that country or to the average US citizen.

      --
      Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
    15. Re:Surely the US military is dumb enough.. by Sloppy · · Score: 4, Interesting

      How do we know that it's not retaliation for an attack on Russian computers that originated from US military networks?

      I'm not sure it matters. Whether US military computers were choosing to load and execute foreign code as a result of a foreign first strike, or a foreign counter-attack, we still have the situation that US military computers are loading and executing untrusted code, and apparently unsandboxed, so that it ended up mattering.

      I don't care why it happened at the political level; I care about why it's happening at the computer or operator level. People using "important" computers shouldn't be doing that, nor should their computers be making it easy for them to do that.

      No matter why the military computers were attacked, the fact that the attack worked proves incompetence.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    16. Re:Surely the US military is dumb enough.. by lysergic.acid · · Score: 4, Interesting

      while i don't doubt that electronic warfare is being actively developed by other nations (i'm sure the U.S. armed forces aren't the only military interested in, or actively developing, electronic warfare tactics), i wouldn't put it past the MIC to exaggerate the risk of electronic attacks in order to manipulate the public. it certainly wouldn't be the first time the public was misled about our nation's defense in order to funnel tax dollars into unnecessary defense projects. and now with war logistics being more lucrative than ever through the Logistics Civil Augmentation Program (LOGCAP) and its cost-plus award-fee contracts, even more private sector companies have a vested interest in seeing a renewed Cold-War-type international tension and corresponding military spending.

      it's just too bad Americans never heeded Eisenhower's farewell address. of course, if more people working in the defense industry were truly patriotic, they'd all be as morally enlightened as you, and the MIC wouldn't exist.

    17. Re:Surely the US military is dumb enough.. by OeLeWaPpErKe · · Score: 4, Informative

      *sigh* this is just so stupid it's hard to decide where to begin, but I'll try :

      When you see an American article, in English, you always see "AP", "AFP" under it. There is a third agency, but its name escapes me for now.

      AP stands for associated press, which is not American
      AFP stands for "agence france-presse" which is french.

      They cooperate with one another, hardly ever making double coverage, so in practice an article with AP under it might have come from AFP. They both translate those articles in over 30 languages, and give their clients, like cnn, the right to copy them verbatim.

      So 1/3rd (in theory, in practice more) of all the news you see has been collected by French reporters, or at least reporters paid by french people.

      You will find nearly all news duplicated across the atlantic in practice. Everybody agrees having a singular entity collect all news is a terrible idea. Everybody also agrees that it's cheaper, so it wasn't a contest at all.

      Also keep in mind that e.g. during the Israel-Lebanon (or rather Israel vs Lebanese terrorists that Lebanon couldn't (and can't) deal with, who are therefore in massive violation of just about every international treaty by their existence alone), AFP hired a Hezbollah "kolonel" to collect news for them (he had very good access to the battlefield, you see, and he didn't tell AFP about his position). This is then passed off as "impartial" information.

      But the sad reality is, there isn't any alternative to them.

    18. Re:Surely the US military is dumb enough.. by Xelios · · Score: 3, Informative

      I think Stephen Colbert did a great job of summarizing the propaganda machine behind the Iraq war. You can watch the bit I'm talking about here:

      http://www.youtube.com/watch?v=diEdNgnzR3g

      --
      Murphey's fighting Occam, and we're in the stands.
    19. Re:Surely the US military is dumb enough.. by adam.dorsey · · Score: 3, Insightful

      When you see an American article, in English, you always see "AP", "AFP" under it. There is a third agency, but its name escapes me for now.

      Reuters

      --
      You are still innocent until proven guilty. What's changed is what they do to innocent people. - notnAP, #26891325
    20. Re:Surely the US military is dumb enough.. by Pros_n_Cons · · Score: 3, Insightful

      Yes let's forget about Russia's recent aggression into Georgia
      Let's also pretend Russia isn't going to finish building Iran's first nuclear plant in 2009
      Let's not acknowledge that Medvedev just signed a nuclear deal with Venezuela
      Let's forget all the recent _obvious_ Russian aggression against the United States and just skip to the part where you make up facts out of thin air about the US attacking Russian computers. Then let's take this big steamy pile of B.s. and mod it plus 5 'cause it's anti-american and on slashdot.

      It's obvious Russia wants war. They are doing everything they can to provoke the united states in hopes the US will be seen as the aggressor. The world doesn't seem to care Russia is trying to provoke a world war. You can say the US provoked the war with Iraq i suppose but it's a little late for that and has nothing to do with Russia. Iraq and the US have already reached an agreement and they seem fine. It's too late to jump in on their behalf talking of an unjust war when they're signing agreements saying when it's okay to be there, and when it's time to leave. So I say this Russia thing is a separate issue. they're on a hunt for power and they see the US as weak right now. Now is the time for them to assert themselves. We all know this is what's happening I'm just concerned why nobody in the world has a problem with another cold war. I guess hate for the US is so high they'd like to see it.
      It's good to be skeptical of the US's claims on attacks but you gotta admit if you're a logical person this fits right in line with what Russia has been doing the last several months.

      --

      -- "of course thats just my opinion, I could be wrong." --Dennis Miller
    21. Re:Surely the US military is dumb enough.. by chrb · · Score: 2, Informative

      AP stands for associated press, which is not American
      AFP stands for "agence france-presse" which is french....
       

      So 1/3rd (in theory, in practice more) of all the news you see has been collected by French reporters, or at least reporters paid by french people.

      Do you really believe that this is true? For a start, the world's largest broadcasting news gathering organisation is the BBC, which is British. Secondly, I was under the impression that U.S. news broadcasters mostly ignore international issues and focus on domestic issues instead. It is unlikely that more than one third of U.S. domestic news is gathered by French men. You may also be interested to learn that the Associated Press (AP) is an American news agency and Reuters Group Limited is a British based news service.

      As a non-U.S. citizen, the idea that over 1/3rd of U.S. news content is written by the French is an amusing idea - kind of on the same intellectual level as ranting about Freedom Fries and Surrender Monkeys.

    22. Re:Surely the US military is dumb enough.. by zappepcs · · Score: 2, Insightful

      Well, since your handle is 'Pros_n_Cons' perhaps we should revisit the news:

      Georgia started the strife with Russia - not the other way around.
      Russia has been trying to get in on Iranian nuclear power to sell them stuff for a long time. The politics of the middle east is complex enough that no slashdot post will explain it all. Russia still needs warm water ports. Iran is a strategically valid place for them. Russia actually offered to help settle the sabre rattling over nuclear power in Iran by assisting with running the program. If you were to sit and look at America the way that the rest of the world has to, what Russia has done is not all that out of line.

      One reason that people found a fondness for the cold war between Russia and the US is because it managed to keep a lid on the nuclear arms problem. With too many wild cards in the game, the game gets that much more difficult to play without losing.

      ....They are doing everything they can to provoke the united states in hopes the US will be seen as the aggressor.

      uhmmmm, yeah, Iraq had to work pretty hard at that, didn't they?

      Demonizing Russia or any other country is nothing more than propaganda. period. Propaganda that the world, specifically the US, does not need now, or ever.

    23. Re:Surely the US military is dumb enough.. by peragrin · · Score: 2, Insightful

      a few years back when the american Sub hit a japanese fishing trawler, I heard about it from the BBC 3 hours earlier than CNN, FOX, or NBC began to air what happened.

      the AP had it but it wasn't news worthy for hours afterwards. I didn't say other news sources wouldn't be biased as well, but if you want to know what is happening in the USA try an external news source first.

      Another point the hotel shooting in India. the USA news sources are focusing 90% of their coverage on the 3 americans inside, more or less ignoring the other hundreds of people wounded.

      I am smart enough to understand that french and british news are also biased towards their own people. You can learn quite a bit by keeping an open mind.

      --
      i thought once I was found, but it was only a dream.
  2. Oblig Windows jab by mrbcs · · Score: 3, Funny

    So umm, how's that Vista working out for you? What'd they use for the attack? Solitaire?

    --
    I'm not anti-social, I'm anti-idiot.
    1. Re:Oblig Windows jab by pubjames · · Score: 5, Funny

      Actually it was britneynude.exe

    2. Re:Oblig Windows jab by oldspewey · · Score: 3, Funny

      britneynude.exe

      *shudder*

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Oblig Windows jab by Anonymous Coward · · Score: 2, Funny

      I bet the infection is having trouble spreading because every time it tries to install it crashes out with the error "Please exit the following programs: US Government Trojan before attempting to install Russian Government Trojan."

    4. Re:Oblig Windows jab by orielbean · · Score: 5, Funny

      Pre or post exploitation?

  3. I offer my services by MadMidnightBomber · · Score: 4, Funny

    $100/hour to install air-gap firewalls on sensitive/classified networks. (Includes rental of scissors.)

    --
    "It doesn't cost enough, and it makes too much sense."
    1. Re:I offer my services by onkelonkel · · Score: 5, Funny

      You work for cheap. Ask for $225/hr and then offer a "preferred services provider" agreement where they can get you for $195 if they guarantee a minimum of 1000 hours.

      --
      None of them can see the clouds; The polished wings don't care.
  4. Originating in Russian != Russian National by UltraAyla · · Score: 4, Insightful

    Just remember that just because it originated in Russia does not mean that this was a Russian Government attack (though it could have been known about and ignored by them if it wasn't) - it just happens to have been in Russia - the headline is a little misleading in that sense.

    1. Re:Originating in Russian != Russian National by Midnight+Thunder · · Score: 4, Funny

      Just remember that just because it originated in Russia does not mean that this was a Russian Government attack (though it could have been known about and ignored by them if it wasn't) - it just happens to have been in Russia - the headline is a little misleading in that sense.

      But surely there are just evil dudes and dragons beyond our borders jealous about our freedoms (ignore DRM, unwarranted phone snooping, etc for this argument)? I know for sure that there are ice dragons and Igloo dwellers to the north. To the east there is meant to be an old continent, but I am yet to be convinced of its existence. ;)

      --
      Jumpstart the tartan drive.
    2. Re:Originating in Russian != Russian National by Detritus · · Score: 4, Insightful

      It would be equally silly to ignore the fact that China, Russia and certain other countries have well-funded technical and military intelligence collection programs that have been running for many decades, and explicitly target the United States.

      --
      Mea navis aericumbens anguillis abundat
    3. Re:Originating in Russian != Russian National by UltraAyla · · Score: 2, Insightful

      You're absolutely right and I completely agree - I'm not saying that this wasn't sponsored by or carried out by a foreign nation, but that we should not conclude that this is the case. It is very likely that this attack was from a foreign nation, and if it wasn't, there will be others.

    4. Re:Originating in Russian != Russian National by blhack · · Score: 3, Informative

      I'm not sure how things work in Russia (if the state owns the networks or not) but wouldn't it be the ISP or bandwidth provider ignoring this?

      I know, I know, ISPs can't (and shouldn't) be held responsible for this sort of thing, but just jumping at the Russian government because technically the copper(or fiber, or whatever) exists in Russian territory is a little bit silly IMHO.

      Really the only way that we could hold a foreign government responsible for the actions of their citizens on the Internet would be to expect government oversight on all the packets floating around on the networks that exist within their territories. I highly doubt that there are many people on slashdot that would advocate that.
      Really, the Internet needs to exist separately from real-world governments. I know that some are in favor of having no regulatory body of any kind on the networks, but I think things are starting to get out of hand. A government that exists for the internet only is starting to make sense, especially since people who have studied traditional, physical-world-based law generally don't know head from ass when it comes to computer networks.

      --
      NewslilySocial News. No lolcats allowed.
    5. Re:Originating in Russian != Russian National by methamorph · · Score: 2, Interesting

      It doesn't even mean that the ones behind the attack are russian nationals. For all we know it could be americans using 0wned computers in Russia.

    6. Re:Originating in Russian != Russian National by keithjr · · Score: 2

      The global ramifications of this stance are more nuanced than that. It would be a sign of good faith if the Russian government were to prosecute the parties responsible for an attack on a foreign military body. Conversely, it is a sign of complacence if they do not.

      Basically, the problems that the network can create are too many and too serious for the governments of the world to ignore. This doesn't mean 'Net Neutrality is impossible, but it means security reform is going to have to happen sooner than later. Otherwise, the government will see no other option but to own the tubes.

    7. Re:Originating in Russian != Russian National by Omestes · · Score: 2, Interesting

      Yes, there are countries worse than us, much worse. But, there are also countries better than us. I find it odd that we went from claiming "We're the bastion to freedom" to claiming "We're not as bad as random Muslim theocracies, and some African anarchies, and perhaps China!". We should be striving to be the most free country in the world again, and not just mediocre.

      As for all of our other metrics, we're failing. Sure, we're better than Congo, but who isn't (besides the Congo)? It's like murdering someone and saying "at least I didn't rape her!".

      I do find it odd that we count DRM in here, DRM is not a government mandate, it's a stupid mandate from the free market. No one is forcing anyone to use DRM media, sell DRM media, or anything else like that. Companies decided to do so, we decide to buy their products. Isn't the free market grand?

      This is why my idea of striving to be the freest country in the world doesn't equate with many other people's idea of freedom. I don't think corporations fall into the list of priorities, only people as individuals. Free corporations have done their share in destroying America. I'm getting sick of having to spend energy on thinking of reasons to be proud of my own country.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    8. Re:Originating in Russian != Russian National by Venik · · Score: 2, Insightful

      In this case one should also remember that the US has similar programs that explicitly target Russia and China. And so, perhaps, it would make sense to better protect one's own networks than to blame the Russians and the Chinese for every security breach. Even if they are responsible. Especially if they are responsible. This way the Pentagon may only appear vulnerable, as opposed to vulnerable AND incompetent.

  5. KGB or Spotty Teenagers? by threeturn · · Score: 4, Insightful

    I love the way these things are always spun as if they are significant military attacks coordinated by the foreign government or their agents. Is there any evidence that it isn't just a few bored teenagers who happen to live in Russia and think it would be fun to try and hack the US DOD?

    1. Re:KGB or Spotty Teenagers? by Steauengeglase · · Score: 3, Informative

      After all that went down in Georgia, I think it proves that there really isn't that much of a difference between the two.

    2. Re:KGB or Spotty Teenagers? by pubjames · · Score: 3, Insightful

      It probably is some windows worm or something written by a script-kiddie. But to admit that would be too embarrassing, so they make it out to be a big deal.

      Like that poor Brit who was looking for info. about UFOs.

    3. Re:KGB or Spotty Teenagers? by Xest · · Score: 4, Interesting

      To be fair, it's not like when the US reports these attacks to China/Russia they do anything about them to suggest you might be right though.

      It's the same with the whole Litvinenko thing here in the UK, we know where the Polonium came from (a Russian lab) we even pretty much know Lugovoi did it but as they won't help whatsoever to put him to trial and have instead put him into their parliament in a position of power it's kind of hard to give them the benefit of the doubt.

      Maybe if they actually helped bring these perpetrators to justice we could give them the benefit of the doubt as you suggest, but when they instead protect the almost certainly guilty with no real trial or investigation then it only adds to the idea that the governments of these nations themselves are in fact responsible.

      If a bunch of Canadians crossed the US border and attacked the US and then made it back to Canada safely and the Canadian government did nothing about it or even went as far as giving these people places in government as per the Lugovoi/Litvinenko affair then yeah I think most people would still say the Canadian government deserves a lot of the blame.

      Don't get me wrong however, I do feel these "cyber attacks" are a little overstated, I hate to say it but it's becoming so common when I read about them I can't help but think "Who cares, stop moaning and either return the favour or learn from it and stop it happening again". As is pointed out here on Slashdot often though, they don't seem to learn from their mistakes and instead simply repeat them over and over. I'm not sure what the US government is trying to achieve with these cries? Trying to make us hate Russia/China? Don't worry their human rights record means a lot of us already do. Trying to get sympathy? Well what for? You're the military, you're the ones who are meant to be dealing with it and so on.

      Or in other words, to put it simply- they're all just as bad as each other.

    4. Re:KGB or Spotty Teenagers? by Kent+Recal · · Score: 5, Interesting

      It probably is some Windows worm or something written by a script-kiddie. But to admit that would be too embarrassing, so they make it out to be a big deal.

      It is exactly this vain "cover-my-ass" attitude that makes situations escalate, sometimes up to the point of war. I understand that a bunch of old farts in DoD feel a strong need to justify (or increase) their Cyberwarfare budgets but pointing fingers at an allied country (relations with which are not always easy) in public over a non-issue like this is, imho, going way too far.

      Network security by isolation of the critical parts is possible and this whole "cyberwarfare"-bullshit is just driving tears into the eyes of anyone who knows a bit about the subject.
      Yes, an attacker could overload and DoS less important/perimeter networks and yes an attacker may be able to overtake various individual machines or department networks, e.g. by sneaking trojans onto employees' computers, phishing etc.

      If any of that worries you in a national-security kind of way then do your fucking homework and implement appropriate security layers and airgaps already!
      A flash trojan is a non-issue because a critical system won't run flash. In fact, a critical system won't even interface with a system that could be taken over in such a way.

    5. Re:KGB or Spotty Teenagers? by Dramacrat · · Score: 2, Insightful

      Yeah, it defended itself from an invasion just as it did in 1941. You're right, nothing has changed, nor should it.

      --
      There are over 36 million lines of COBOL code in the world, and they are all raping children.
    6. Re:KGB or Spotty Teenagers? by Rinkhals · · Score: 2, Insightful

      I agree.

      If this is the cutting edge of cyber-warfare, then it's quite frankly piss-poor.

      And if the DoD defences against this attack are weak enough to be breached then the last thing they should be doing is bleating on about it and drawing attention to the fact.

      --
      "I'm a snake if we disagree"-Jethro Tull, Bungle in the Jungle
    7. Re:KGB or Spotty Teenagers? by Hal_Porter · · Score: 2, Funny

      Like that poor Brit who was looking for info. about UFOs.

      That Brit was a Red. He gave an interview to the Guardian.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    8. Re:KGB or Spotty Teenagers? by Erikderzweite · · Score: 4, Insightful

      And what do you think has happened in Georgia? To tell the long story short -- Russia has stopped a Georgian assault on its citizens (most people in South Ossetia have Russian citizenship) and made Georgia return to negotiations with South Ossetia.

      The propaganda machine is working very well though. Next you'll tell that the Russians have violated Germany's sovereignty in 1945 and made their democratically elected leader commit suicide.

  6. It isn't just targeting the US. by Anonymous Coward · · Score: 5, Interesting

    Anonymous coward here, for a reason etc.

    I work with the USAF in a very official capacity in IT and got wind of the flash media ban a while back.

    I've been asked to keep quiet about this, but since it isn't classified, and nobody takes slashdot seriously, take this for what it is worth:

    We stopped using all flash media on all networks because we can no longer be confident that they do not come from the factory with payloads attached. I've seen entire boxes of flash media from the "amnesty boxes" set up inside USAF buildings sent off to NSA and FBI for investigation.

    There are some who think that manufacturers have been infiltrated with the sole purpose of loading malware onto drives. And it isn't that it's specifically an attack on US Gov. computers - it's just that Gov. networks tend to be pretty incestuous, and flash drives are often moved back and forth between multiple computers daily by most users due to the flakiness of CAC (common access card) infrastructure.

    So beware.

    1. Re:It isn't just targeting the US. by jimicus · · Score: 2, Informative

      What's the point of putting malware if it won't be run? Or did I miss something, and "autorun" actually works on UMS devices in Windows?

      You did, it does.

    2. Re:It isn't just targeting the US. by soulsteal · · Score: 2, Informative

      The ban on flash media was to stop the propagation of a Win32 worm that "spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file."

      It was just one of many steps taken to triage infected systems and protect uninfected systems.

      It's possible it was an attempt to breach the DoD networks, but it's just as likely and more plausible that it's just another botnet being created.

    3. Re:It isn't just targeting the US. by ptbarnett · · Score: 2, Informative

      What's the point of putting malware if it won't be run? Or did I miss something, and "autorun" actually works on UMS devices in Windows?

      Yes, it does. But, it's relatively easy to disable.

      Use a Microsoft "PowerToys" application to simply disable all drives: Tweak UI. It's only available for XP, at least from Microsoft. There is reportedly a version for Vista from a third-party developer.
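The two replies above describe a worm that writes an AUTORUN.INF pointing at a DLL in each drive root, and note that AutoRun can be switched off. The following is an added example for triaging a drive, not code from the thread or from any vendor: it parses an AUTORUN.INF and flags launch directives, and decodes which drive types still have AutoRun enabled under a given value of the Windows `NoDriveTypeAutoRun` policy (the registry value is not named in the thread; the sample file and the helper names are constructed for illustration).

```python
import re

# Constructed sample of a drive-root AUTORUN.INF (not taken from real malware).
SAMPLE = """\
; constructed sample
[AutoRun]
label=Backup
Open=RUNDLL32.EXE .\\example.dll,Start
shell\\open\\command=rundll32.exe .\\example.dll,Start
icon=folder.ico
"""

# Keys in the [autorun] section that make Windows launch something.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Bits of the NoDriveTypeAutoRun policy value; a set bit disables AutoRun
# for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "removable": 0x04, "fixed": 0x08,
    "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(text):
    """List (key, value, reason) for every directive that launches code."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS and not SHELL_VERB_RE.match(key):
            continue  # label=, icon= and similar do not execute anything
        lowered = value.lower()
        if "rundll32" in lowered or re.search(r"\.dll\b", lowered):
            findings.append((key, value, "loads a DLL"))
        else:
            findings.append((key, value, "launches a program"))
    return findings


def autorun_enabled_types(policy_value):
    """Drive types for which the given policy value leaves AutoRun on."""
    return sorted(n for n, bit in DRIVE_TYPE_BITS.items()
                  if not policy_value & bit)


if __name__ == "__main__":
    for key, value, reason in triage(SAMPLE):
        print(f"{key}: {value} ({reason})")
    print("AutoRun still enabled for:", autorun_enabled_types(0x91))
```

A value of `0xFF` leaves no drive type with AutoRun enabled; any value without bit `0x04` set leaves removable drives exposed.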

    4. Re:It isn't just targeting the US. by flyingfsck · · Score: 2, Interesting

      Well, yeah. The problem is that flash drives are commonly used to bridge air gaps. The air gaps are there to isolate networks and force manual transfer of data, but if the manual transfer method cannot be trusted then something needs to be done about it. Banning flash drives may help, but it still leaves CDROMs and DVDs as a medium to bridge air gaps, so banning flash drives is just a temporary knee-jerk reaction really. The only long term solution is to stop using Mickey Mouse operating systems on secure networks.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:It isn't just targeting the US. by will_die · · Score: 2, Interesting

      The bad thing about this was that all major malware/virus software has had protection against it since June.
      So what had to have happened is some office with a high ranking official was not keeping their protection software up to date or disabled it, both against existing regulations.
      They then ran into a problem and it spread across their network and they spread the alarm. At that point it got high enough that you got the new requirements.

  7. Re:My god. solution is stupidly simple by uxbn_kuribo · · Score: 2, Funny

    Yeah, we all know what happens when you connect military computers to the internet. Mostly because we all saw War Games.

    --
    No portion of this post may be rebroadcast without the express, written consent of Major League Baseball.
  8. Re:My god. solution is stupidly simple by wiredog · · Score: 3, Insightful

    Almost as stupidly simple as reading the freakin' article. Which mentions that flash drives were banned in order to keep the attack off of SIPRNet computers.

    And almost as stupidly simple as banning soldiers from e-mailing and blogging on the public internet that, ummm, their families are on and, ummm, OK, maybe we need publicly accessible DoD computers.

  9. Re:My god. solution is stupidly simple by Endo13 · · Score: 2, Insightful

    RTFA maybe? This infection is specifically designed to put itself on flash drives. I'll leave you to figure out the rest for yourself, since you think you're so smart.

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
  10. Good old federal government... by Anonymous Coward · · Score: 5, Insightful

    The federal government is finally starting to see the fruits of its trifecta of asinine spending policies:

    1) Lowest bidder (God forbid we get the best value for the tax dollar, not the cheapest).
    2) Standard pay rates that don't take into serious consideration the skills and experience of employees. God forbid we adopt private sector pay policies because that might make us look like we're discriminating if some employees get paid a lot less than others.
    3) The fact that it often takes an act of Congress to fire a federal employee.

    Like most Northern Virginia-based software engineers, I've worked a federal contract here and there. I've been exposed to incompetence from federal employees that would not be tolerated by almost any corporation. My company actually brought a formal business case for why our government program manager was wrong and her decisions would be a disastrous waste of taxpayer money to her bosses. We *pleaded* with them to override her and let our senior engineer do the architecture since she had no idea how to do it.

    Guess what? They told us to shut up and get back in line.

    There's this myth that the outsourcing of government has ruined the federal government. That's bullshit. Government contractors are often the only people who actually get shit done! We're the ones who actually do much of the heavy lifting because the civil service for so long was allowed to deteriorate into a combination of an affirmative action program and a welfare program for stupid white men.

    There are real pockets of genuine competence and intelligence in the federal government, but unfortunately, they're so isolated by the prevailing culture and leadership that it would take a real Leviathan-wrangler at least 2 presidential terms to get any meaningful culling done.

    1. Re:Good old federal government... by Jeff+Hornby · · Score: 2, Insightful

      Standard pay rates that don't take into serious consideration the skills and experience of employees. God forbid we adopt private sector pay policies because that might make us look like we're discriminating if some employees get paid a lot less than others.

      Private sector pay policies? As someone who works in the private sector, I can pretty much guarantee that private sector companies also use standard pay grades. Why is it that everybody thinks that private sector is a bastion of efficiency? I've worked for both private sector companies and government and the truth is that the private sector is just as screwed up as the government.

      --
      Why doesn't Slashdot ever get slashdotted?
    2. Re:Good old federal government... by Bios_Hakr · · Score: 2, Insightful

      The US Military does not always choose the lowest bidder. The military is, in effect, a huge welfare program. Many times, we choose the vendor that provides the best social benefit. For instance, the GSA program gives additional weight to women-owned or minority-owned businesses.

      As for pay, the military takes teenagers off the street and puts them in charge of some of the most complex systems in the world. When IBM hires a 19yo high-school grad and puts him in charge of corporate email servers, then US military people can complain about pay inequality.

      Once you have been in for a while, you start to see how well the pay stacks up. You get free housing, tax-free shopping, free medical and dental, very cheap insurance, free travel, etc. Most base paychecks can easily be worth twice the advertised amount due to benefits.

      Your final point is also not entirely valid. In most cases, an enlisted person or officer can be fired with 6 months of consistently bad reports. Civilian contractors can be easily dropped. GS and WG employees can be fired with 9 months of bad reports. SAS employees are usually asked to resign if they flub more than one major project.

      The problem is that most people don't document performance issues properly. Without documentation, you can't fire anyone.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
  11. It's ALL PROPAGANDA by Jeremiah+Cornelius · · Score: 4, Insightful

    These are professional liars, folks! This is a part of the Military disinformation effort - so publicly trumpeted right here on Slashdot - not so long ago.

    If there had been any such REAL significance to this 'attack', do you think that it would be published and publicly acknowledged? There are very minor cold-war-era incidents and slip-ups that are still highly-classified, and never acknowledged.

    I suppose this to be a non-event of ordinary malware, that is being used to:
    1) Shape public opinion and generate suspicion
    2) Justify restrictions on the Internet access/speech of military personnel
    3) Profit!

    Remember: In Soviet America, Military Network Attacks YOU!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  12. Russian hackers by Geoffrey.landis · · Score: 2, Interesting

    "may have originated in Russia" is not the same as "originated with the Russian government," of course.

    My guess, the attacks are an attempt to turn the vast power of military computer systems into one giant spam-bot.

    And, also, just think of all the new Nigerian scam letters that they could pull off with military connections... the "your son was wounded in Iraq and is being airlifted to a hospital in Germany, please send $10,000 to pay for a private room for him" scam will be much more powerful if it issues from a military computer (and, for that matter, much more convincing if the scammer knows the actual name, rank, and next-of-kin of the 'son').

    --
    http://www.geoffreylandis.com
  13. The Americans Should Learn From The Brits by Anonymous Coward · · Score: 5, Funny

    The British Intelligence have learnt how to avoid infecting their systems with infected flash drives. They leave them on the train where they can't do any harm.

  14. Preparing for the new propaganda by Bullfish · · Score: 3, Funny

    If these attacks are successful, they will replace the old practice of dropping leaflets on enemy soldiers... Now when the modern soldier opens his e-mail, he will be greeted with "Feeling ashamed of your small willy, we can help" etc etc

  15. they "think" it's from Russia by Mishotaki · · Score: 2, Insightful

    So, the other day, I thought that my girlfriend would like the present I gave her... God was I wrong...

    Now they think that the attack comes from Russia... That means they're not sure about it at all, they just got a hunch that the attack is from the Russians, they don't say they got proof or anything, they just say they think it's from there...

    However, suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.

    Just because the relations with the Russians aren't that good doesn't automatically mean they'll attack you in Iraq...

    For all we know, it could be Iraqis who would attack the Americans... Well that would rather be "the Iraqis defend themselves by trying to bring the Americans' computers down"

  16. Re:tag MICROSOFT + WINDOWS... again n/t by malevolentjelly · · Score: 4, Informative

    They don't use a lot of Windows on internal systems in the DoD. As I'm to understand, they run a lot more Linux and Solaris. In the interests of national security, though, all these systems are too close to make a big difference security-wise.

    They may have different levels of attackability for circumstances relating to casual attacks and casual computer use (this is where we say "is the default Linux installation in X version of Linux more or less secure than the default Windows installation in Y version of Windows?") But when these systems have proper internal security policies set up, it doesn't make a huge difference-- when they are well configured, they're functionally the same.

    DoD systems are generally set up so that one is connected to the internal network and one to the external network-- when you want to move a file, you simply use a flash drive. The chances are very good that these are running different operating systems, anyway.

    For a coordinated and advanced attack on our DoD network infrastructure it has less to do with what operating systems we are running, which is really just a question of usability and administration time, but more so broader questions of security policy-- such as where do you get your flash drives?

    In short, if one OS was the issue here, this attack couldn't have gotten anywhere. An OS really doesn't mean much when you compare it to the overall security model for the network infrastructure, especially with the physical network restrictions used by the DoD.

    The biggest difference for the operating systems for their purposes would be more on features like TPM-enabled drive encryption, etc-- things that would make it more difficult to hack a stolen laptop-- stuff like that.

  17. Not News by jmyers · · Score: 3, Insightful

    Reading the article, which has almost no details, I think the LA Times is trying to make news out of nothing. The "senior military leaders" are basically like "senior business executives" who probably have no clue about any actual "attacks". They are just trying to hype up anything they can to increase their budgets.

    The actual details they are dealing with is the same as any organization that uses computers and employs people.

  18. What about what the US does? by warGod3 · · Score: 2, Insightful

    That is the odd thing... you never hear about the huge attacks on the Chinese, Russian, North Korean, etc. But then again, the USG would never do anything unethical or underhanded or hypocritical or .

    --
    "Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
  19. "We have always been at war with East Asia" by leoofborg · · Score: 5, Interesting

    Sorry, couldn't resist.

    Also, the CBC [Canadians] are running sensationalist crud on their TV.

    Most irritating soundbite from a DHS 'expert':

    "Digital Pearl Harbor"

    I think they must have run the same quote 3-4 times.

    Me? I think the military / DoD is begging for $$$ as usual. What? We didn't bail out the military? Shame!

    --
    --- See you at the Tannhäuser Gate.
  20. They Aren't. by maz2331 · · Score: 2, Insightful

    The US military is not stupid, and does take systems security very seriously. What would look like ultra-paranoid behavior to a civilian may well be fully justified in the military world.

    The reason is simple: any breach, leak, or DoS can result in somebody being killed, operations foiled, or even wars lost.

    Security people have to guard against known threats and techniques, which are very challenging, plus unknown ones that nobody has even thought to consider. Being able to trust the technology that they are using is a very important element in managing that security.

    All systems are somewhat sensitive, given that even non-sensitive tidbits of information can be assembled together to give a pretty good picture of very sensitive activities if enough of them are available.

    For example, a point of sale system in a military base's dining facility could be tapped to give a count of meals served per day. If an adversary sees a sudden drop or increase, they know that SOMETHING is going on. Combine that with changes at other bases and a picture of force distribution begins to emerge that then guides the adversary where to plan to deploy their forces to defend or attack.

    I can see why there is a need to avoid the use of any removable media, even on non-sensitive systems. Just a few pieces of malware or compromised hardware can result in leaking enough unclassified "factoids" to compromise the secrecy and security of important operations.

    Hardware is especially troublesome from a security standpoint. It does not need operating system permission to access memory, and can sit silently in place until activated. One innocuous-looking IC can easily contain a hidden microcontroller that has full DMA capabilities, and there's no way - short of physically mapping out every transistor in every chip in the device - to even know whether or not they exist.

    I'd be paranoid too if military systems security was part of my job.

  21. sigh by Deadplant · · Score: 4, Insightful

    ...experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.

    Classic propaganda.
    Shame on Julian Barnes of the LA Times and the unnamed senior military leaders.

  22. Re:So we are attacked and we do what? by cptnapalm · · Score: 2, Interesting

    I think that, right now, no one is really sure what to do. I don't think that it is a cause for war (traditionally speaking), but it is a violation of sovereignty. I'm not sure what we can do about it at this point aside from defense and counter-offense.

  23. Re:OS X, or a UNIX? by gatkinso · · Score: 2, Informative

    On a classified system, the entire computer, and anything that touches it (be it media, monitor, printer, or network) is also classified. There can be no instance of one window being classified and the other not: they are both classified at the same level regardless of content.

    You can have an unclassified system running right next to a classified one, but they cannot interact with each other at all.

    --
    I am very small, utmostly microscopic.