Slashdot Mirror


Pentagon Confirms 2008 Computer Breach — 'Worst Ever'

jowifi writes "The New York Times reports that the Pentagon has confirmed that, in 2008, a foreign agent instigated 'the most significant breach of US military computers ever' using a USB flash drive. While the breach was previously reported on Wired and the LA Times, this is the first official confirmation of the attack that led to the banning of USB drives on government computers."

157 comments

  1. This is likely why MS has GPOs in W7 by mlts · · Score: 4, Insightful

    This is likely why Windows 7 has explicit GPOs to either set USB flash drives read-only, or deny them the ability to mount whatsoever. Other programs that have this functionality are PGP Universal, and Symantec Endpoint Protection.

    Now, if MS can put autoplay/autorun to rest six feet under with Clippy and Bob, that would be a good security advance.

    1. Re:This is likely why MS has GPOs in W7 by rikkards · · Score: 3, Interesting

      The thing that is stupid about it is that sure block exes from being run from a USB, then the user will copy it to the machine and run it there.
      BTW, GPOs from day one have had the ability to disable Autoplay and autorun.

    2. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      Now, if MS can put autoplay/autorun to rest six feet under with Clippy and Bob, that would be a good security advance.

      ...Already in W7.

    3. Re:This is likely why MS has GPOs in W7 by rickb928 · · Score: 3, Interesting

      I have this dim recollection that we could do this with GPOs in Win XP.

      And we could use ZenWorks to do it also. Much nicer editor, and volatile accounts are a blessing in school labs.

      Disabling removable media isn't new, just overlooked.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    4. Re:This is likely why MS has GPOs in W7 by Lehk228 · · Score: 4, Interesting

      there should be a way to restrict execution to only code signed by the owning organization's IT security.

      --
      Snowden and Manning are heroes.
    5. Re:This is likely why MS has GPOs in W7 by Ethanol-fueled · · Score: 4, Insightful

      There are ways to hide stuff like that from view on Windows. They magically show up when the USB device is plugged into a Linux box.

      Related note: A similar piece of malware and the ensuing hassle is what prompted me to switch to Linux for good.

    6. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      there should be a way to restrict execution to only code signed by the owning organization's IT security.

      You mean like AppLocker?

    7. Re:This is likely why MS has GPOs in W7 by Darth_brooks · · Score: 1

      XP has similar capabilities. We push GPO's that limit removable media to read only, so it's not a recent development.

      --
      There are some people that if they don't know, you can't tell 'em.
    8. Re:This is likely why MS has GPOs in W7 by dgatwood · · Score: 4, Insightful

      There should never have been a way to enable autorun in the first place. The very notion of automatically executing code or installers from a piece of media without the user explicitly taking any action is antithetical to proper security.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 2, Interesting

      Doesn't help the government NMCI machines, which are still running XP.

    10. Re:This is likely why MS has GPOs in W7 by Mr+44 · · Score: 3, Informative

      Like "Software Restriction Policies" in windows XP and AppLocker in Windows 7?

    11. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      Which wouldn't have stopped this breach as copying files would have to be in the allowed code.

    12. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      There is. It's called Software Restriction Policies.

    13. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      What you mean is:
        "is the antithesis of proper security."

    14. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 2, Interesting

      In 2008 any standard issue Army computer would have had autorun disabled. This was standard practice. In 2008 the Army was handing out commercially available encrypted USB drives and telling everyone to use them and nothing else. These drives had an unencrypted partition loaded with the software used to unlock and mount the encrypted partition, along with an autorun.bat script that would eliminate the extra steps needed to launch that encryption software, if you were to actually have autorun enabled.

      So my guess is that some influential user got an admin to enable autorun to save him a few extra steps each time he inserted his encrypted USB drive. From there it was just a matter of time for that to come back and bite him.

    15. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      Yet it could have also been prevented by having the Anti-virus software auto scan all media upon insertion. The capability was already in Norton, but was not active by default setting.

      Instead they over-reacted by banning all USB drives despite any impact to operations. Like losing the ability to access external drives with gigabytes of mapping data. The laptop I was working on at the time had an 80 gig internal drive, I needed regular access to a drive with over 500 gig of maps. "Tough luck soldier, do without, but we still expect the same quality of product from your team." was the response.

      How massive was the impact to operations in and out of the war zones, when all it would have taken was strict control of the auto-run (forbid its activation) and set the AV software to scan all new media.

    16. Re:This is likely why MS has GPOs in W7 by Ethanol-fueled · · Score: 0, Troll

      Oh boy, do I ever.

      He tells me, "I eatz da bananas, ja, den I shit on your chest!" Man, when after he's been eating those bananas, his feces are smoooth as silk. I smear them all over me and pretend it's a silk dress of chocolate while he fucks me in the ass.

      I tried to invite Theo de Raadt to join us for a threesome, but he declined, citing that he was a pedophile and only interested in Cheese Pizza parties at Chuck E. Cheese's.

    17. Re:This is likely why MS has GPOs in W7 by dgatwood · · Score: 1

      I see no apparent difference between those two statements in modern English usage.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    18. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      There should never have been a way to enable autorun in the first place. The very notion of automatically executing code or installers from a piece of media without the user explicitly taking any action is antithetical to proper security.

      What part of a user explicitly inserting the media doesn't count as taking action?

    19. Re:This is likely why MS has GPOs in W7 by rtb61 · · Score: 1

      As tech spy, meant be good with computer. Mouse unplug, USB drive insert, reboot, bios change, boot from USB, OS on USB, very special do what you need to do nothing more, be quite and hide on network (plenty gigs), get data leave virus in bios (much cool), reboot, plug in mouse, done. The worst thing about this, most bioses have back-door passwords, arghhh.

      --
      Chaos - everything, everywhere, everywhen
    20. Re:This is likely why MS has GPOs in W7 by JeffSpudrinski · · Score: 1

      Win7 Applocker is a great idea, but it's not very dynamic at this point. You have to add programs and file names specifically to a blacklist manually including path name and file name, although I think you can use other things like file hashes with a little more work in configuring it.

      As it was explained to me, there's pretty simple ways around it and it's not smart enough to recognize new versions of programs. An example of this would be a new version of Mozilla would run until it was explicitly blocked. Renaming executables could also be a way around it. As with everything else, the results you get from using it would be dependent upon the amount of work you're willing to put into configuring it. It's not just an "on switch" to make it happen.

      Your best bet is to find something that has a pre-built whitelist/blacklist of known applications, then watches other things for suspicious behavior. There are a lot of these out there, but we use Sophos Application Control. Their pre-made list of applications you can either block or allow was pretty extensive and gets updated all the time. Saves us a ton of work. The network management tool is also pretty intuitive. Beats the crap out of anything McAfee had to offer. I'm not sure how well Microsoft's MOM server works in this area...I've had very little experience with it. I'm sure there's tons of other applications of varying quality that do this same thing.

      Just my $0.02.

      -JJS

    21. Re:This is likely why MS has GPOs in W7 by dave420 · · Score: 1

      It's been possible to disable autorun using GPO since 2000.

    22. Re:This is likely why MS has GPOs in W7 by Svartalf · · Score: 1

      If they didn't intend for something to autoexecute, it's a problem. Much like Sony's infamous rootkit, you don't expect to insert a removable storage device and have something surreptitiously install a trojan onto your machine- and there's no interaction from the user past plugging in the device, you really don't know you've been had until well after the fact.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    23. Re:This is likely why MS has GPOs in W7 by Svartalf · · Score: 1

      You know... An Anti-virus program is like closing the barn door AFTER the horses have all went on walk-about. It only works on stuff that was identified by the anti-virus companies and they have some sort of signature data on the malware- which it's my understanding that they wouldn't have been any better protected in this case, no signatures or they'd have had a solid handle on it and not lost anywhere near as much operational intelligence.

      Placing your faith in a piece of software that protects against stuff after the fact is a bad idea. Much like placing your faith solely in antibiotics to keep you healthy instead of taking better health precautions.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    24. Re:This is likely why MS has GPOs in W7 by bleh-of-the-huns · · Score: 2, Interesting

      Disabling the ability to mount or mounting read only for USB mass storage devices would not have made a difference. Further, there is a fundamental flaw with USB...

      During Blackhat/Defcon (or was it B Sides), a guy, whose name completely escapes me right now, as I did not get a chance to attend the briefing/talk, took a USB thumb drive and added some keyboard hardware to it. When you plug it into the system, it registers as an HID device, not a USB Mass storage device...

      Guess what, every computer that is sold uses a USB keyboard and mouse. I am sure you can still find ps2 based keyboards, but not for places that require users to use a crypto card, or a CAC card (per HSPD-12), which generally drops into the keyboard, those are USB devices.

      A small script with some keystrokes embedded into the USB drive that identifies itself as a keyboard, and you can instruct it to do whatever....

      USB itself is flawed in that respect, so simply disabling USB Mass storage will not work.

      Now if only I could remember who gave the damn talk....

      --
      I came, I conquered, I coredumped
    25. Re:This is likely why MS has GPOs in W7 by Anonymous Coward · · Score: 0

      Except that the user explicitly took the action of putting the media in the machine, most likely with the intention of running the setup.exe.

    26. Re:This is likely why MS has GPOs in W7 by dgatwood · · Score: 1

      Wrong. The user put the media in the machine with the intent of doing something. Even with commercial CD-ROMs, quite often, the media contains other things besides the installer. It might contain documentation, it might contain installers for other tools, and so on. And in that case, auto-launching the installer is the wrong thing.

      And further, the disc is not always an install disc. Whether it's a USB stick, a movie DVD, an audio CD, or whatever, having Windows install some piece of software behind your back is undesirable. In this case, non-install discs are getting autorun installers added to them that infect people's systems. That's pretty clearly not something the user intended to do by inserting the media.

      Short of requiring autorun files to be signed by Microsoft, with Microsoft providing appropriate background checks, code auditing, and a properly designed CRL system, autorun is an inherently insecure concept. Even with code signing, it is completely unnecessary and presents a juicy target for malware exploitation. For example, somebody's malware might use a code signed installer to install something else.

      In short, it is a gaping hole by design that cannot feasibly be made secure.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    27. Re:This is likely why MS has GPOs in W7 by holiggan · · Score: 1

      there should be a way to restrict execution to only code signed by the owning organization's IT security.

      There is such a way: it's called "Software Restriction Policies". It's been around since Windows 2000 and it can be deployed by GPO... You can restrict by signature, by file name, by path, etc. It's part of Windows, it's "free", you just need to configure it.

      http://technet.microsoft.com/en-us/library/bb457006.aspx

      Oh, and you can block access to floppy, CD/DVD and USB drives as well. All with GPOs.

      I'm not addressing this specifically to you, but it gets on my nerves that people keep bashing MS, and they simply don't know squat about their products.

      And it seems that the FBI, that would greatly benefit from this sort of security features, quite likely didn't have it implemented... "Incompetence" springs to my mind... If this incident involved linux in some way, everyone would say "it was shoddy configured, shoddy admins!", etc, etc... Since it involves MS products, the first reaction is "MS sucks". Well, I bet that, in this case, it was "shoddy sysadmin" indeed.

      Just my 2 cents...

      --
      "A sysadmin is a cross between a detective, a police officer, a gardener, a doctor and a fireman"
    28. Re:This is likely why MS has GPOs in W7 by ukyoCE · · Score: 1

      No.

      We're not talking about gaming consoles here, we're talking about PCs. People more often put in a disc to peruse files on the disc than to run any executable at all. There is also no way to know if a disc has an executable on it before you put it in. Running one automatically is a truly terrible idea.

      It's right up there with "hide file extensions" as one of the most boneheaded things Windows does (BritneySpears.jpg.exe anyone?). And Microsoft steadfastly refuses to fix those flaws despite their constantly resulting in security vulnerabilities and serious user errors.

    29. Re:This is likely why MS has GPOs in W7 by Oxyde · · Score: 1

      Haha. I've seen a company try to implement this. They encountered a problem - hundreds of software developers couldn't run their own code.

    30. Re:This is likely why MS has GPOs in W7 by Lehk228 · · Score: 1

      compiler should have had a valid signing key

      --
      Snowden and Manning are heroes.
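
Several comments in the thread above turn on autorun from removable media, and one notes that content hidden on Windows shows up when the drive is mounted on a Linux box. As an added example (not part of the original thread), this Python script triages a mounted volume on such a box: it reads `autorun.inf`, the file Windows AutoRun consults, lists the entries that would start a program, and checks whether each target exists on the volume. The sample file contents and file names are constructed, and the tolerant parsing (junk lines skipped, names matched case-insensitively) is an assumption about what a padded file may look like.

```python
import os
import re
import tempfile

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command")

# Constructed sample: mixed-case names, junk padding, a second section.
SAMPLE = (
    b"; constructed sample, not taken from any real device\r\n"
    b"xk29s=junk padding line\r\n"
    b"[AutoRun]\r\n"
    b"LABEL=Secure Drive\r\n"
    b"oPeN=Tools\\Unlock.exe /start\r\n"
    b"\x01\x02\x03 padding\r\n"
    b"shell\\explore\\Command=\"hidden dir\\helper.exe\" -x\r\n"
    b"[other]\r\n"
    b"open=ignored.exe\r\n"
)


def decode_inf(data: bytes) -> str:
    """Decode ANSI or BOM-marked UTF-16; latin-1 never fails on junk bytes."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def parse_autorun(data: bytes) -> list:
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    pairs, in_section = [], False
    for raw in decode_inf(data).splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launch_entries(data: bytes) -> list:
    """Entries that start a program: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in parse_autorun(data)
            if k in LAUNCH_KEYS or SHELL_COMMAND.fullmatch(k)]


def command_target(value: str) -> str:
    """First token of a command line: the program path without its arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(None, 1)[0] if value else ""


def resolve_nocase(root: str, rel: str):
    """Resolve a Windows-style relative path under root, ignoring case."""
    parts = [p for p in re.split(r"[\\/]", rel) if p and p != "."]
    if not parts or ".." in parts:
        return None  # empty, or would leave the volume
    current = root
    for part in parts:
        try:
            names = os.listdir(current)
        except (NotADirectoryError, FileNotFoundError):
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def scan_volume(root: str) -> list:
    """Report each launch entry on a mounted volume and whether its target exists."""
    inf = resolve_nocase(root, "autorun.inf")
    if inf is None or not os.path.isfile(inf):
        return []
    with open(inf, "rb") as fh:
        data = fh.read()
    return [{"key": key, "command": value,
             "target_present": resolve_nocase(root, command_target(value)) is not None}
            for key, value in launch_entries(data)]


if __name__ == "__main__":
    # Build a throwaway directory standing in for a mounted drive.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tools"))
        open(os.path.join(root, "tools", "unlock.exe"), "wb").close()
        with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
            fh.write(SAMPLE)
        for row in scan_volume(root):
            print(row)
```
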
  2. Obligatory by Flea+of+Pain · · Score: 0

    Worst...Computer breach...Ever.

    --
    Do not argue with an idiot. He will drag you down to his level and beat you with experience.
    1. Re:Obligatory by Flea+of+Pain · · Score: 2, Funny

      Damn. Parsing got rid of my comic book guy html tags.

      --
      Do not argue with an idiot. He will drag you down to his level and beat you with experience.
    2. Re:Obligatory by idontgno · · Score: 2, Informative

      That's OK. Maybe some day Slashcode will actually render <comic book guy> and </comic book guy> tags. About the time they decide to implement more than 2% of the HTML entity set.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:Obligatory by Monkeedude1212 · · Score: 1

      With good reason

      </marquee>

    4. Re:Obligatory by xiong.chiamiov · · Score: 1

      That's OK. Maybe some day Slashcode will actually render <comic book guy> and </comic book guy> tags. About the time they decide to implement more than 2% of the HTML entity set.

      Of course, by that time, everyone else will have been using Markdown (or similar) for 10 years.

  3. The right reaction? by mangu · · Score: 4, Insightful

    the attack that led to the banning of USB drives on government computers.

    This reminds me of the joke of the man that, having learned that his wife was fucking other men in the couch in the living room, moved the couch to the garage.

    USB drives have a purpose for legal uses. Wouldn't it be better to improve their systems so that USB drives couldn't be used in harmful ways?

    1. Re:The right reaction? by Anonymous Coward · · Score: 2, Interesting

      I have heard that the ban has since been lifted. I inferred from this that it was a temporary measure allowing them to get a secure solution in place.

    2. Re:The right reaction? by Anonymous Coward · · Score: 0, Funny

      Hahaha! Unfortunately, that joke accurately depicts what the U.S. government does. Some retard tried to light his shoes on fire, so now everyone has to take their shoes off. Some retard tried to set his underwear on fire, so now Chertoff can sell his backscatter machines. Some retard is going to try a rectal bomb, and we can all predict what our government's brilliant response to that will be.

    3. Re:The right reaction? by H3xx · · Score: 0, Offtopic

      Problem: Guns kill people

      Solution: Revoke the 2nd Amendment and ban guns!

      Problem: Humans are the weakest link in computer security.

      Solution: Outlaw people.

      --
      "Ubuntu" - an African word meaning "Slackware is too hard for me."
    4. Re:The right reaction? by Dahamma · · Score: 4, Informative

      From TFA...

      In an early step, the Defense Department banned the use of portable flash drives with its computers, though it later modified the ban.

      Fixing the vulnerabilities takes time. It was just an emergency measure until they could investigate and come up with better policy.

    5. Re:The right reaction? by Beardo+the+Bearded · · Score: 5, Informative

      They have.

      Look, they have two completely separate computer networks. They've got a network that can access all the Classified Military Shit, and then they have the computers that can access Everything Bad in the Multiverse. (My terms, not theirs.) The two never meet. Never ever ever, and not even then.

      99% of the time, you work with the Unclassified stuff. It's a PITA to work with Classified documents. You've got to go to a secure room, you can't make a copy unless you've signed off a billion times, you have to work on a special computer, you have to have a buddy / guard / watcher, and you've got to go through a debriefing after you've goofed around with it.

      If your average worker / troop / contractor picked up a USB drive and put it into their EBitM network and it took over every machine in a billionth of a second and sent all the info on the EBitM network to China, Russia, and Zork the Evil, the risk to National Security would be zilch. Yeah, it would be a PITA to fix the compys, but it would be no worse than the same PITA you'd get in any large civilian network. The only difference is that it's a huge fucking PR nightmare. Think about how embarrassing it would be if Norton was taken down due to a worm. Now go up two orders of magnitude.

      The computers you see the troops using are almost always personal property used for emailing back home, watching movies, playing games, and otherwise fucking around. The work computers are usually tied into the EBitM network and they use them for work. Unless you are one of The Anointed Few, you haven't even seen a computer that's handled Classified information.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    6. Re:The right reaction? by hedwards · · Score: 2, Interesting

      If the two never meet, then how do you explain that data breach where they lost terabytes of information to the internet? I'm not sure why the classified DARPA stuff wouldn't be similarly secured.

    7. Re:The right reaction? by 0123456 · · Score: 1

      The most likely person to be killed with a firearm is the owner.

      Well, yes, if you want to commit suicide and happen to have a gun, that's probably what you'll use. Most of us don't regard suicide as a 'nefarious purpose', particularly as anyone who's willing to shoot themselves can find numerous other reliable methods of killing themselves even if they don't have a gun.

      I believe this is also the source of the infamous 'a cop is more likely to be killed with his own gun than kill a criminal', as cops have a high suicide rate and rarely kill criminals.

    8. Re:The right reaction? by Anonymous Coward · · Score: 0

      Are you running some daemon that scans slashdot for any mention of "guns", "second amendment", and so on? Because it seems like every time there's a thread on it, you show up with another misguided "regulated militia" post, despite being soundly refuted on several occasions.

      - T

    9. Re:The right reaction? by guruevi · · Score: 4, Insightful

      After actually having implemented such methods, it is noticed that nobody ever uses the classified network except for highly official stuff, when the project is done. It seems that all work in progress is just being saved on the non-classified network.

      Trust me, I have implemented just about any security method in a variety of settings (medical, financial, ...). The fact remains that people can't be bothered to lock their screens when they step out because it's "too difficult" and "too complicated" let alone click the button to encrypt their e-mail or their USB sticks.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    10. Re:The right reaction? by codepunk · · Score: 1

      The Supreme Court does not side with your theory.

      --


      Got Code?
    11. Re:The right reaction? by couchslug · · Score: 0, Flamebait

      "Some retard is going to try a rectal bomb,"

      Not absurd, been done, and thanks to the Internet we know concealing something the size of a hand grenade (spoon taped so it doesn't snag) is quite practical:

      http://www.strategypage.com/downloads/iedsrectalcavities.pdf (possibly NWS for pics of raghead who blew himself in half)

      http://www.cbsnews.com/stories/2009/09/28/eveningnews/main5347847.shtml

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    12. Re:The right reaction? by Anonymous Coward · · Score: 0

      These were on MS systems. ZERO chance to EVER lock them down.

    13. Re:The right reaction? by not_hylas(+) · · Score: 1

      @ 0123456

      "... as anyone who's willing to shoot themselves can find numerous other reliable methods of killing themselves even if they don't have a gun."

      http://games.adultswim.com/five-minutes-to-kill-yourself-adventure-online-game.html

      Please, everyone, feel free to explore these options and test your theories.

      --
      ~hylas
    14. Re:The right reaction? by shadowofwind · · Score: 1

      After actually having implemented such methods, it is noticed that nobody ever uses the classified network except for highly official stuff, when the project is done. It seems that all work in progress is just being saved on the non-classified network.

      I guess I shouldn't be surprised by anything, but I've never heard or seen any sign of people working with classified data on a non-classified network. Except for that Chinese guy who got charged for spying at Sandia.

    15. Re:The right reaction? by Anonymous Coward · · Score: 0

      Unless you are one of The Anointed Few, you haven't even seen a computer that's handled Classified information.

      Until the Air Force takes a publicity shot without checking that the area is sanitized and then throws it on their website.

    16. Re:The right reaction? by dwillden · · Score: 2, Interesting

      While I haven't seen any official statement about it being lifted, I have started seeing USB drives work more and more often.

      But then again maybe someone in the G6 (Army IT guys) just decided the ban was stupid when they were issuing out new computers and while USB was blocked, Firewire, eSATA and SD card port and slots were all active and working. My office went from everyone carrying USB drives in their pockets to everyone carrying SD cards.

      Now if the machine is off the mil network the USB works, if the USB drive is in the machine when I connect to the network it works, but if I pull the drive out and re-insert it or if I connect and log in and then insert the USB drive it doesn't work, typical military brilliance.

      --
      I'm too lazy to compose a creative sig.
    17. Re:The right reaction? by Anonymous Coward · · Score: 3, Funny

      Wow! It sounds like Internet information clearinghouse sites like wikileaks stand no chance of ever getting their hands on sensitive information with a system as strong as you describe.

    18. Re:The right reaction? by dave420 · · Score: 1

      Apart from all the strict security that can't be bypassed, including locking down USB drive access, sure.

    19. Re:The right reaction? by GameboyRMH · · Score: 1

      Wow are those guys idiots or what? A known terrorist says he wants to renounce terrorism and turn himself in to the prince...in person.

      Dora the Explorer wouldn't fall for that.

      And yeah the pics in that PDF are only SFW if you work for rotten.com.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    20. Re:The right reaction? by NotOverHere · · Score: 1

      Or the Navy does a similar PR shoot. The Wrong Panel was in the screen shot, and we have to stop using the phrase "in excess of 400 foot", because the legible gauge was very much so "in excess".

    21. Re:The right reaction? by Svartalf · · Score: 1

      Actually, if there was a breach and it compromised operational data (definitely secret/top secret stuff...), it would be an issue of National Security as well as the PR nightmare you mention.

      And just because the systems are supposed to be air-gapped, we all know that this is a fun process and doesn't always get done right. People are in the mix and people make mistakes all the time.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    22. Re:The right reaction? by Muad'Dave · · Score: 1

      That also hints at either:

      1) how poorly the average police officer is trained in using (and more importantly) retaining possession of his weapon while engaged in an altercation

      2) the namby-pamby rules that require the officer to put himself in a position where his weapon can be taken from him instead of using it while still out of reach of an armed or otherwise dangerous perp.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    23. Re:The right reaction? by Beardo+the+Bearded · · Score: 1

      Either it was human error, which can lead to jail time (or in some very rare cases execution) or the info wasn't Classified. As was pointed out elsewhere in this thread, military breaches carry different penalties than civilian ones. Chief among those is that security is enforced with lead-based penalties.

      I could give you millions of pages detailing a warship. It would bore you halfway to death, unless you're absurdly interested in which cable connects which junction box on some class of warship. But wait, that's not all! In revision A the junction box was replaced with a slightly different box and the wires were changed to a slightly thicker cable! (When people ask what I do, I jokingly reply, "I could tell you, but then I'd have to wake you up.")

      I've easily got access to a few TB of exceedingly detailed information on that sort of stuff. It would be embarrassing if it ended up on wikileaks but other than having the public react with WTF HOW MUCH DID THIS COST TO DRAW the risk to National Security is nil. It would take a team of spies something like 10 years to figure out what all the drawings mean and then to interpret them. By that time the systems will be upgraded or the ships will be changed to "reef class".

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    24. Re:The right reaction? by Anonymous Coward · · Score: 0

      I believe this is also the source of the infamous 'a cop is more likely to be killed with his own gun than kill a criminal', as cops have a high suicide rate and rarely kill criminals.

      That also hints at either...how poorly the average police officer is trained in...retaining possession of his weapon while engaged in an altercation...namby-pamby rules that require the officer to put himself in a position where his weapon can be taken from him

      [italics added by me, bold was yours] Did you even read the post to which you responded? How would a high suicide rate among cops be facilitated by losing possession of their weapons?

      - T

  4. They should have ... by SlashDev · · Score: 1

    ... watched the movie "The Recruit" when it came out.

    --

    TOP DSLR Cameras Reviews of the top DSLRs
  5. Do they ban flash cards as well? by GodfatherofSoul · · Score: 1

    That seems to be a more reasonable security risk.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Do they ban flash cards as well? by oneiros27 · · Score: 1

      Actually, I don't know that they've outright banned them, but since about that time, there's been a policy that US government owned removable storage is not to be used in non-government owned machines, and non-government owned storage is not to be used in US government owned machines.

      It wasn't just this incident that led to it; there were incidents of people going to conferences and passing around USB sticks with the presentations, and then everyone coming back from their conference and putting a whole bunch of infected machines onto the network.

      It's possible that the military's got even stricter rules on the matters, I don't really know, but for the agency I work for, the ban's on *all* writable removable media, to include external hard drives, cell phones that charge over USB, etc. (unless it's a government owned device).

      --
      Build it, and they will come^Hplain.
  6. BYOE by Anonymous Coward · · Score: 0

    "He also put a name — Operation Buckshot Yankee — to the Pentagon operation to counter the attack"

    Who are we counter attacking? With what?

    1. Re:BYOE by Anonymous Coward · · Score: 0

      Who are we counter attacking? With what?

      Go back to smoking your bong; nothing for you to worry your little fuzzy head about.

  7. Still vulnerable by Bryansix · · Score: 1, Troll

    Since the US Armed Forces, DoD, et al. still use Windows it would be prudent for all of them to employ BitLocker or whole drive encryption even on the unclassified computers. The reason being is that I just made a flash drive today that can still blank out the local system admin password on any Windows computer in existence (unless they have BitLocker or TrueCrypt).

    1. Re:Still vulnerable by Anonymous Coward · · Score: 0

      Congrats, did the guy at geek squad tell you how to do that one? The rest of us did this a while ago.

    2. Re:Still vulnerable by Monkeedude1212 · · Score: 1

      The reason being is that I just made a flash drive today that can still blank out the local system admin password on any Windows computer in existence (unless they have BitLocker or TrueCrypt).

      Assuming you have a way to physically access the computer.

      Locking the box inside a steel cage could also keep you out, with the added benefit of being harder to physically steal. But then again, TrueCrypt and BitLocker have the added benefit of making the drive much more difficult to access in the event it does get stolen.

      And the cons are of course locking in a steel cage means you don't get to use CDs or USB sticks - and of course encrypting the drive means you can't use a flash drive to reset the admin password should there be an entire turnover of the IT staff.

      There is never a perfect solution to IT, this I've learned.

    3. Re:Still vulnerable by Bryansix · · Score: 1

      Congrats because we take business from Geek Squad every day. They suck for business support. We specialize in SMB clients and provide real service.

    4. Re:Still vulnerable by Beardo+the+Bearded · · Score: 4, Funny

      It's always someone's first day. It took you years to get to the point you could even post on /.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Still vulnerable by hedwards · · Score: 2, Interesting

      That was my thought, why are they allowing physical access to the USB ports without properly monitoring the devices being allowed to be used in the machines. Physical access to the keyboard and mouse is enough of a security risk as it is, but allowing people to plug in strange USB devices without first inspecting them strikes me as irresponsible. Admittedly, people do have to do their work, but I'm not sure why they weren't being required to scan the information on the drive before connecting it up to a secured computer.

      There's no reason why the check point computer even needs to be connected to the net at all if you're willing to do manual updates to the security software via disk.

    6. Re:Still vulnerable by Anonymous Coward · · Score: 0

      Since the US Armed Forces, DoD, et al. still use Windows it would be prudent for all of them to employ BitLocker or whole drive encryption even on the

      The technology they use is called HurtLocker, thank you.

      Also, expect a knock on the door any minute now, and Men in Black politely request you hand over this hazardous flash drive you mention.

    7. Re:Still vulnerable by Littleman_TAMU · · Score: 1

      They started migrating everyone to whole disk encryption after this incident. My web-connected work computer was switched over about a year ago maybe more.

    8. Re:Still vulnerable by GameboyRMH · · Score: 1

      On Vista/7, wouldn't this cause a UAC prompt to pop up? Unless you're looking to exploit a local privilege escalation vulnerability, and you're just hoping any Vista/7 machine you attack wouldn't be patched.

      If you're just switchblading XP machines and infecting individual Vista/7 user accounts, that's old news.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Still vulnerable by Bryansix · · Score: 1

      The exploit doesn't run in Windows.

    10. Re:Still vulnerable by GameboyRMH · · Score: 1

      Oh it's a password reset boot utility that requires plenty of physical access to the machine. That's even older news.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Where there's a USB port ... there's a way by PolygamousRanchKid+ · · Score: 4, Interesting

    A US Army dental surgeon told me that their computers were "fixed", so they could not copy pictures of their operations to any external media. The surgeons needed anonymous pictures of operations that they had performed, for preparing for their careers after their service. Like, applying for a job somewhere.

    One of them figured a way to use the USB port in the Canon printer that they had. They could toss pictures at the printer, and land them on the USB stick. Circumventing any blocks on the PCs from accessing the PCs' USB ports.

    So any unprotected port is, well, a potential source of a leak.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:Where there's a USB port ... there's a way by Anonymous Coward · · Score: 0

      This is a dumb question, but I'll ask anyway. Is it safe to assume that the government locks down the BIOS to prevent booting from a live-CD distro of Linux? Once an unscrupulous individual loads their own OS, mounting their own USB devices or the computer's file system would be trivial.

    2. Re:Where there's a USB port ... there's a way by countSudoku() · · Score: 3, Funny

      That's a good work-around!

      So any unprotected [USB] port is, well, a potential source of a leak.

      Along with any camera, copier, cell phone, human with a memory, network accessible device, etc. Every kind of access restriction can be circumvented. *Every* kind.

      I would suggest mounting all laptops in cement, then chaining the cement block down to the cube frame structure. Close off all connectivity, embed in a Faraday Cage, then keep anyone, including the approved user, from accessing it, and you're all set! Bob's your uncle! Otherwise, expect your data to escape. Because it will. :) Have a nice day!

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
  9. More Self-Serving Hype by yourpusher · · Score: 3, Insightful

    Rob Rosenberger at VMyths notes:

    Let’s cut to the chase. U.S. Deputy Defense Secretary William J. Lynn III wrote an op-ed for a commercial publication in which he claims a single USB thumb drive caused the worst military data breach in history. And according to Wikipedia, that one little USB stick led to the creation of the Pentagon’s new Cyber Command.
    [. . .]

    I’ll bet it took so long only because it was a classified operation. This malware would have blown over in a week if DoD-CERT had issued an email saying “hey, there’s a new virus running around, please scan your PCs for agent.btz.”

    {sniff} I can definitely smell a lot of groupthink here. Not to mention hype, which goes hand in hand with groupthink.

    Lynn suffers from a short memory span. We know this because he thinks the Pentagon got “a wake-up call” when agent.btz slithered into classified networks. If Lynn’s brain had more RAM, he would recall the Melissa virus did EXACTLY the same thing in 1999. It infected classified U.S. networks at a depth & scope even I myself would label “impressive.”

    So why this story? Well (from the same source):

    You can see I’ve got a healthy dose of skepticism over Lynn’s “Buckshot Yankee” revelation. And I’m not alone: Wired filed a story with the headline “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack.”

    Waitaminit. GCN’s breathless story includes the phrase “Lynn said Wednesday in a teleconference with reporters.” You mean to say he gabbed with the media on top of all the hype he wrote in an official capacity for a commercial publication? {sniff} I smell a book deal in the works when Lynn’s boss retires next year.

    1. Re:More Self-Serving Hype by INT_QRK · · Score: 1

      Whenever an OSD, or for that matter any federal, official with "Honorable" in front of his or her name deliberately broaches any issue in a public venue, there is an underlying effect that he or she is trying to promote. This typically may involve either defending, or laying the groundwork for, some pending policy which has not quite achieved full acceptance from all the other key players with a stake in the game. Given especially that the Hon. Mr. Lynn is the DEPSECDEF, that is number two in the DoD, I'd anticipate another shoe to drop, and one of some considerable impact.

  10. Flash Drives by Reason58 · · Score: 1

    I know for sure that USB drives (flash and otherwise) have been banned on DoD systems for quite a while before 2008. Perhaps other government sectors didn't have this rule in place, but more likely it was simply not being enforced.

    1. Re:Flash Drives by PhxBlue · · Score: 1

      And I know for sure that you're wrong. Personal flash drives have been banned on DOD systems, but government-purchased flash drives were perfectly okay to use.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:Flash Drives by Anonymous Coward · · Score: 0

      Also, one was supposed to disable the ability to mount drives over USB on systems that did not require this functionality, even before 2008.

    3. Re:Flash Drives by Reason58 · · Score: 1

      Where are you seeing that this was a DoD approved device? You may be correct that it was not technically a rule for all flash drives, but no Army, Air Force, or civilian location where I worked allowed their use at all.

    4. Re:Flash Drives by Anonymous Coward · · Score: 1, Interesting

      USB drives were at one time used to transfer between air-gapped networks when CD/DVD transfers would burn through media too often. I can attest to this.

    5. Re:Flash Drives by Anonymous Coward · · Score: 0

      The decision to allow flash drives was left to the individual agencies. Our agency purchased thousands of flash drives for official use before the ban. After the ban, we started buying thousands of USB hard drives because magnetic media was never banned. There are so many basic security problems that banning flash drives is stepping over dollars to pick up dimes. Stupid knee-jerk reaction that has only made administration more difficult, not any of our systems more secure.

    6. Re:Flash Drives by matchhead650 · · Score: 1

      You never worked in Iraq then, because it was common usage to use personal and government flash drives on government computers during that time. Personal flash drives were not preferred, however they were still used by many individuals, myself included. Now they are banned by the local IT policy, as far as DOD or DA policy I don't know what the current policy is. The problem is that a flash drive that was not supposed to be on the classified network, was used on a classified machine and you know the rest.

    7. Re:Flash Drives by Anonymous Coward · · Score: 0

      Government purchased USB drives are allowed on government computers where I work.

    8. Re:Flash Drives by gandhi_2 · · Score: 1

      In my neck of the DOD, all external storage devices were disabled by GPO. And I'm nothing special. And flash drives bought from the GSA catalog are nothing special either.

    9. Re:Flash Drives by dwillden · · Score: 1

      Wrong. I regularly used USB drives on classified and unclassified systems up until the ban. Personal ones were strictly verboten in classified systems but on unclass ones it was no big deal, and very common to use personal ones. Especially since supply would usually only come up with old low-capacity thumb drives (I'm talking 128 meg when 4 gb was common and 8 gb were the big ones on the market).

      --
      I'm too lazy to compose a creative sig.
    10. Re:Flash Drives by Svartalf · · Score: 1

      Then the systems really weren't air-gapped, you had a sneakernet between them.

      Air-gapped means that never the two shall ever meet. Nothing like a flash or CD/DVD to be shared between the trusted and untrusted network can happen.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  11. Haven't I seen this movie before? by boddhisatva · · Score: 2, Interesting

    Same guy that stole the plans to defend South Korea from attack by the North with a thumb drive? There are solutions guys and they're not very difficult. How about this one, which I stole from "Cryptonomicon": Anything electronic going in or out goes through security. Personnel drop such things off at the entrance and then walk through a very large, strong magmetic field. Same thing leaving. Just like the airport only if you forget to drop off your watch, it gets fried.

    1. Re:Haven't I seen this movie before? by Lehk228 · · Score: 1

      my little 4 gig USB drive would become a dangerous projectile long before a magnetic field actually hurt it. my SD cards won't even do that.


      unless you intend to use a powerful and oscillating electrical field, which will also kill anyone with a pacemaker or metal implant.

      --
      Snowden and Manning are heroes.
    2. Re:Haven't I seen this movie before? by Anonymous Coward · · Score: 0

      Personnel drop such things off at the entrance and then walk through a very large, strong magmetic field.

      You do realize that flash memory is non-magnetic, don't you, and wouldn't be erased by a magnetic field? Even if you tried to use high-powered microwaves or EMP to cook such devices, it's a simple matter to shield them, and you probably wouldn't want your personnel to suffer such exposure as part of their jobs.

      It's pretty much impossible to keep people from carrying miniaturized digital storage around with them. For example, I have a tiny flash drive that is just a sliver of plastic that slips into a USB port (not even a full connector, just a thin strip) and has 4 Gb on it. Works great, and I use it for backups of my critical personal files (real estate and bank documents, etc.) and hide it where nobody will ever find it. It is tiny, and I could find any number of places to carry it on my person, ways that would be undetectable without the kind of in-depth physical search that you wouldn't subject your regular employees to on a daily basis. I have a couple of micro-SD cards that are even tinier, and have adapters that let them plug into a USB port. Portable flash is here to stay, is only getting faster and more dense with time, and is a fact of life that security personnel are just going to have to deal with. Period.

      Let's face it, any kind of secure facility simply needs to have its policies set to disallow such devices from even being mountable, and honestly, given the speed of networks nowadays, shouldn't permit anything important to be stored or copied to a given computer's local storage. It should not even be possible to open the case of a machine in such an environment: the Feds ought to be able to afford physically-hardened equipment that can't be easily cracked, and would disable itself if opened improperly (while simultaneously screaming for help.)

      Yes, yes, sneakernet has its place, but not in a secure workplace. That goes for WAPs, cell phones, MP3 players, and bluetooth devices of any kind. The vast majority of people who sit at desks or in cubicles and work on a computer all day simply don't need camera phones, MP3 players, digital picture frames or anything else that has a computer interface and flash memory.

    3. Re:Haven't I seen this movie before? by PitaBred · · Score: 3, Funny

      Didn't you read? He said magmetic field. I assume it has to do with magma, maybe burning the user alive. That sounds pretty secure to me.

    4. Re:Haven't I seen this movie before? by hedwards · · Score: 1

      I was a bit surprised, but you're indeed correct about that. Not only that, but it's questionable as to whether the hard disk would be affected either. Theoretically you could amp up the magnetic field enough to destroy the SD card, from what I gather you'd also be removing the iron from the blood vessels with a magnetic field that strong. Busting the Biggest PC Myths

      If the data is that sensitive you're better off with metal detectors and good old fashioned cavity searches.

    5. Re:Haven't I seen this movie before? by tsm_sf · · Score: 1

      Your ideas intrigue me and I wish to subscribe to your newsletter.

      --
      Literalism isn't a form of humor, it's you being irritating.
  12. Not the worst ever... by d474 · · Score: 4, Funny

    In 1983, a high school kid named David Lightman hacked his way into DOD computer @ Norad called the W.O.P.R. which almost resulted in an all out nuclear war between the U.S.A. and Russia. I believe they made a movie about it.

    So until I hear a story that tops that, keep your "worst ever" superlatives to yourself. Oh, wait...

    --
    Authority questions you. Return the favor.
    1. Re:Not the worst ever... by Anonymous Coward · · Score: 0

      Almost resulted? Dude, you don't know the half of it. Remember Back to the Future? The McFly story as told in the movie is only a tangential anecdote whereas the actual meat of the story (which was quashed for obvious reasons) is directly related to the W.O.P.R. time-loop incident.

    2. Re:Not the worst ever... by DNS-and-BIND · · Score: 1

      "It might help to beef up security around the W.O.P.R." Best movie line ever. I still laugh about it. WarGames was also notable as one of the vanishingly few positive portraits of a Southerner in a position of authority. I remember people being incredulous that General Beringer wasn't some "let's push the button now and nuke the Russkies" character that they expected when he first opened his mouth.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Not the worst ever... by Anonymous Coward · · Score: 0

      Would you like to play Global Thermonuclear War?

      (Y / N)

  13. Was it Windows, again? by devent · · Score: 2, Insightful

    So, what system the computer were running? Why is that information never in this news reports? Are they assuming that computers just runs, without any software on it? Don't they know that computers usually have an operation system on it to be useful?

    I really had it now. I clicked through the pages and agent.btz is mentioned. Nobody had mentioned that's a Windows worm Worm:W32/Agent.BTZ http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml Platform is Windows 32, of course. Why is nobody is mentioning the operation system? Why is nobody blaming Microsoft? Oh George W. Bush was briefed on it, was he briefed on it that the worm is only useful on Windows systems and that his military is vulnerable?

    His article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.

    How about they mentioning that's it's increased on Windows and that Linux and other systems are save and sound? How about they ditched this system which proved times after times after times to be the only system that is vulnerable?

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    1. Re:Was it Windows, again? by Anonymous Coward · · Score: 2, Funny

      Dude, chill. Your English is breaking up.

    2. Re:Was it Windows, again? by Anonymous Coward · · Score: 0

      The theory that an all Linux environment would be secure is false in the real world. All operating systems and applications are vulnerable to varying degrees. Windows is only the most heavily targeted and hence the most heavily exploited. Network defense in our vulnerability ridden world calls for highly skilled, motivated teams of network defenders to actively fight against the ever evolving attackers.

    3. Re:Was it Windows, again? by polaris20 · · Score: 1

      As much as I'm not a fan of Windows, it's the target, not the OS that's the problem. OS X and Linux can be circumvented too, if the prize is worth it. Anyone who doesn't realize that is a fool.

    4. Re:Was it Windows, again? by hedwards · · Score: 1

      Given that eventually somebody found an exploit in the OpenBSD base install, I'd say it's a given that with enough of an incentive you can find one in any OS, it just takes longer for some than for others.

    5. Re:Was it Windows, again? by JamesP · · Score: 1

      They should have gone with AIX or Solaris on PPC / Sparc

      --
      how long until /. fixes commenting on Chrome?
    6. Re:Was it Windows, again? by 0123456 · · Score: 1

      The theory that an all Linux environment would be secure is false in the real world. All operating systems and applications are vulnerable to varying degrees.

      But Linux won't be owned just by putting a USB stick in the slot. Sure, there might be USB driver bugs, but that's very different to autorunning software off the stick, or loading DLLs from the stick when you browse that directory.

    7. Re:Was it Windows, again? by Anonymous Coward · · Score: 0

      > As much as I'm not a fan of Windows, it's the target, not the OS that's the problem. OS X and Linux can be circumvented too, if the prize is worth it. Anyone who doesn't realize that is a fool.

      And any house can be invaded by a high-level enough thief. Don't leave your door unlocked just because of it...

      For most, changing the prize is not feasible (e.g., the lives of your dear ones), but changing the OS is.

      Using Linux and feeling 100% secure is wrong.

      Not migrating from Windows to [Linux|*BSD|*nix] is worse.

    8. Re:Was it Windows, again? by WindBourne · · Score: 2, Insightful

      Considering that there are more https servers with CC info on them running Linux/Unix, I would say that your logic is incorrect. The simple fact is, that ppl/crackers go after the EASY systems.

      For example, why go to a house, with a burglar alarm, no windows, doors that you have to pick, that has $100 million if you can go to another house that has basically no alarm, has open backdoors, and has only $1 million, though they MIGHT have a key to get into the OTHER Place, though you also get to the 100 million EASY? And even better yet, is finding the same easy system that has no money BUT also might contain the key to the above 100 million system.

      I will take the one that is easy to get into. So do the blackhats.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    9. Re:Was it Windows, again? by antifoidulus · · Score: 1

      The Windows security model is so incredibly incoherent and pointlessly complicated that it's essentially worthless. Locking down a Windows box is a laborious and error-prone process, for instance in XP there are at least THREE different places where you set firewall policies and the ways they interact and overrule each other are incredibly complicated. The only reason for this pointless complexity is so that Microsoft can sell more MCSEs.

      Compare this with Linux and iptables. I have essentially one text file that I have to manage*(ok for TCP connections there is also hosts.deny/allow) to configure the firewall. One, not three.

    10. Re:Was it Windows, again? by Anonymous Coward · · Score: 0

      Feel free to demonstrate this attack on a unix-clone network.

    11. Re:Was it Windows, again? by Psicopatico · · Score: 1

      Sssshhttt! Don't let 'em know.

      As long as there are gazillions of boxes running Windows out there, *our* Linux boxes are safe.

      --
      Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
    12. Re:Was it Windows, again? by devent · · Score: 1

      As much as I'm not a fan of Windows, it's the target, not the OS that's the problem. OS X and Linux can be circumvented too, if the prize is worth it. Anyone who doesn't realize that is a fool.

      I don't care about what OS is more secure. But I do care that the news reporter are doing his/her job by telling what the affected system is. If it's Linux, fine, say Linux is affected. But nobody is ever mentioning that it's Microsoft Windows. In fact, please read the last 20 security reports. Microsoft Windows is never mentioned once.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    13. Re:Was it Windows, again? by polaris20 · · Score: 1

      I don't disagree with you at all. They should have reported exactly what version of Windows was used. Tech "reporting" is pretty bad these days overall. However I do find it amusing that one guy says my "logic is wrong" and that Linux is used for CC transactions and it's secure, etc. Apparently he hasn't seen any of the thousands of compromised Linux-run sites that are hosting today's flavor of Antivirus Pro/2010/etc malware. Again, it doesn't matter what the OS is. Any of the major three can be hacked if the target is worth the time.

    14. Re:Was it Windows, again? by polaris20 · · Score: 1

      Right, because Linux servers with CC info on them aren't being hacked on a daily basis, and then loaded with redirects to malware sites. Oh wait......they are. My viewpoint still stands. Any OS can be hacked provided the target is worthwhile.

  14. USB drive on sensitive computers... by geogob · · Score: 1

    I didn't follow the original story back then, but I find somewhat surprising what I read here. USB drives allowed on a sensitive system containing sensitive information seems like a bad idea however you present it. But having one universal port for everything is a problem for sensitive applications. You can only block its use for data link on the software level, which will eventually be bypassed.

    It will always be possible to retrieve information from the system, sometimes with considerable amount of work. But allowing USB drives just make it too easy and too likely to happen...

    1. Re:USB drive on sensitive computers... by Anonymous Coward · · Score: 0

      Actually, that is not true. You can physically disable the data connections on a USB port. The problem is that keyboards and mice and CAC readers are all USB devices that need the data paths to function.

    2. Re:USB drive on sensitive computers... by dskoll · · Score: 1

      On Linux, you could compile kernels without support for USB mass storage devices. But I'm not sure that would be sufficient; maybe user-level USB access could be (ab)used to manipulate flash drives. Still, it'd make things a lot harder for the average attacker than a Windoze box.

    3. Re:USB drive on sensitive computers... by KahabutDieDrake · · Score: 1

      Actually, it's trivial to disable USB in a windows system. I mean disable it at the system level. Further, it's not hard to disable it at the hardware level either. Some crazy glue will go a long way to making those ports useless.

      That being said, there are always ways around such efforts, especially if you have physical access.

    4. Re:USB drive on sensitive computers... by Anonymous Coward · · Score: 0

      Removing the USB kernel module is superior to compiling a new kernel in the DoD realm, since vendor support for the OS (though never used or useful) would be broken if a custom kernel is used.

    5. Re:USB drive on sensitive computers... by LinuxIsGarbage · · Score: 1

      On windows you can delete usbstor.sys or disable driver in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
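The Linux-side lockdown raised in the replies above (removing the USB storage module instead of rebuilding the kernel), as an added example that is not part of any comment in the thread. It audits modprobe.d text and a /proc/modules snapshot for `usb-storage`; the sample configs, the status labels and the function names are constructed for illustration.

```python
# Constructed sample inputs (not taken from the thread or from any real host).
WEAK_CONF = """\
# /etc/modprobe.d/usb-storage.conf (constructed)
blacklist usb-storage
"""

HARDENED_CONF = """\
# /etc/modprobe.d/usb-storage.conf (constructed)
blacklist usb_storage
install usb-storage /bin/false
"""

# Constructed /proc/modules snapshot: the driver is already resident.
PROC_MODULES = """\
usb_storage 81920 1 uas, Live 0x0000000000000000
uas 32768 0 - Live 0x0000000000000000
"""

# Commands that make "install <module> <command>" a dead end for modprobe.
NOOP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}


def norm(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")


def parse_modprobe(text):
    """Return (blacklisted module names, {module: install command})."""
    blacklisted, installs = set(), {}
    # A backslash at end of line continues the command on the next line.
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if fields[0] == "blacklist" and len(fields) >= 2:
            blacklisted.add(norm(fields[1]))
        elif fields[0] == "install" and len(fields) == 3:
            installs[norm(fields[1])] = fields[2].strip()
    return blacklisted, installs


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules text (first field of each line)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}


def audit(conf_text, proc_modules_text="", module="usb-storage"):
    """Classify how strongly the config keeps `module` out of the kernel.

    blocked             - "install" override: modprobe runs a no-op instead
    autoload-suppressed - "blacklist" only: hotplug alias loading is skipped,
                          but an explicit `modprobe usb-storage` still works
    loadable            - no restriction found
    Neither setting stops root from using insmod on the .ko file, and neither
    unloads a driver that is already resident, hence the loaded_now flag.
    """
    name = norm(module)
    blacklisted, installs = parse_modprobe(conf_text)
    command = installs.get(name)
    if command is not None and command.split()[0] in NOOP_COMMANDS:
        policy = "blocked"
    elif name in blacklisted:
        policy = "autoload-suppressed"
    else:
        policy = "loadable"
    return {
        "module": name,
        "policy": policy,
        "loaded_now": name in loaded_modules(proc_modules_text),
    }


if __name__ == "__main__":
    print(audit(WEAK_CONF))
    print(audit(HARDENED_CONF, PROC_MODULES))
```

A "blocked" policy with `loaded_now` true means the setting was applied after the driver was loaded and takes effect only once the module is removed or the host reboots.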

  15. Log their identity when USB storage is detected. by Anonymous Coward · · Score: 0

    AFAIK, Everybody that uses a Pentagon computer uses a Common Access Card (CAC) that usually inserts in the keyboard. When you remove your CAC, you are logged out. In theory, nobody should ever be able to use a computer while logged into another user's account without their knowledge.

    Although I believe all USB storage devices are banned from military computers, How difficult would it be to create a script to capture the user's ID info from the CAC and write it to a log file so offenders can be caught and prosecuted? It may not necessarily prevent a crime, but it would certainly help prosecutions after a crime is committed.
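One way to approach the logging idea in the comment above, as an added example that is not part of the post and not any agency's tooling. It assumes Linux hosts whose syslog carries kernel `usb-storage` messages and systemd-logind session messages, used here as a stand-in for the CAC logon identity; the log lines, verdict labels and function name are constructed.

```python
import re

# Constructed syslog-style lines (kernel + systemd-logind); not real host data.
SAMPLE_LOG = """\
2024-03-04T09:01:12 ws17 systemd-logind[612]: New session 41 of user alice.
2024-03-04T09:14:03 ws17 kernel: usb 2-1: new high-speed USB device number 7 using xhci_hcd
2024-03-04T09:14:03 ws17 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2024-03-04T09:40:55 ws17 systemd-logind[612]: Removed session 41.
2024-03-04T09:52:30 ws17 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2024-03-04T10:05:00 ws17 systemd-logind[612]: New session 42 of user bob.
2024-03-04T10:06:10 ws17 systemd-logind[612]: New session 43 of user carol.
2024-03-04T10:07:45 ws17 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
NEW_SESSION = re.compile(r"^New session (?P<sid>\S+) of user (?P<user>\S+)\.$")
END_SESSION = re.compile(r"^Removed session (?P<sid>\S+)\.$")
STORAGE_ATTACH = re.compile(
    r"^usb-storage (?P<port>\S+): USB Mass Storage device detected$"
)


def attribute_usb_storage(lines):
    """Pair each USB mass-storage attach with the sessions open on that host.

    Lines are assumed to be in chronological order. Verdicts:
      attributed   - exactly one user had a session open
      ambiguous    - several users did, so the log alone cannot name one
      unattributed - nobody was logged in (boot time, locked room, kiosk)
    """
    open_sessions = {}  # (host, session id) -> user
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        host, proc, msg = m["host"], m["proc"], m["msg"]
        if proc == "systemd-logind":
            started = NEW_SESSION.match(msg)
            ended = END_SESSION.match(msg)
            if started:
                open_sessions[(host, started["sid"])] = started["user"]
            elif ended:
                open_sessions.pop((host, ended["sid"]), None)
        elif proc == "kernel":
            attach = STORAGE_ATTACH.match(msg)
            if not attach:
                continue
            users = sorted({u for (h, _), u in open_sessions.items() if h == host})
            if not users:
                verdict = "unattributed"
            elif len(users) == 1:
                verdict = "attributed"
            else:
                verdict = "ambiguous"
            findings.append({
                "ts": m["ts"],
                "host": host,
                "port": attach["port"],
                "users": users,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in attribute_usb_storage(SAMPLE_LOG):
        print(finding)
```

The unattributed and ambiguous cases are where log-based attribution stops being evidence on its own: a drive inserted with nobody logged in, or while several sessions are open, needs physical access records to narrow down.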

  16. Ban Microsoft and you're done by Anonymous Coward · · Score: 0

    nuf said

  17. Oblig by xenapan · · Score: 0, Offtopic

    Hey AT&T ima let you finish but the Pentagon had the worst data breach EVER! Worst data breach ever!

    --
    insert funny sig here
  18. +1 Funny by PerfectionLost · · Score: 2, Funny

    Hilarious

  19. Government contractors.. by Paracelcus · · Score: 1

    The Gummermint in their infinite wisdom has decided that they will no longer hire Tech people as permanent employees (there are exceptions) so there has been an explosion of revolving door "new people" who have to be allowed to sit at a desk, in the building, at a console for up to six months until their security clearances come through. Can you say "social networking"?, I know you can!

    Hi, Foobar, can I sit at your terminal, you know, just to check my Foobar account, is that OK? (check & mate).

    --
    I killed da wabbit -Elmer Fudd
    1. Re:Government contractors.. by JamesP · · Score: 1

      Hi, Foobar, can I sit at your terminal, you know, just to check my Foobar account, is that OK? (check & mate).

      Let me guess, it's Alice and Bob again.

      Darn those two!

      --
      how long until /. fixes commenting on Chrome?
    2. Re:Government contractors.. by David_W · · Score: 2, Informative

      Let me guess, it's Alice and Bob again.

      Nah, it's Mallory.

  20. Incredible software developments or hot air? by jordan_robot · · Score: 0, Redundant

    USB ports, how boring... This is what I'm more interested in - FTFA:

    Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

    Sounds almost next gen A.I. ish. If it weren't for the "pioneered" part, I'd just think he was talking about plain jane intruder detection systems.

    Do we think these systems are really as advanced as insinuated? Or is it just puffing up for P.R. & intimidation? If these systems really are that awesome, how long before this tech trickles into the civilian world? Government software engineering can't be outpacing "civilian" efforts by that much, can it? --- Hey, what the hell do I know? I'm just a guy on a couch.

    1. Re:Incredible software developments or hot air? by cj_nologic · · Score: 1

      Hey, what the hell do I know? I'm just a guy on a couch.

      watch it - if you sit there too long you'll die.

  21. Darn by symbolset · · Score: 1

    Now instead of an autorun that says 'do nothing' to launch my evil .exe, I have to plant a standard file format and an evil .dll on the pen.

    That's like a whole extra step. It could take almost as long as typing this comment did.

    --
    Help stamp out iliturcy.
  22. Re:Log their identity when USB storage is detected by matchhead650 · · Score: 1

    I can't speak for the pentagon, but none of the computers I have used that require a CAC for log on log you out or lock the computer when the CAC is removed.

  23. So your argument is security through obscurity by Sycraft-fu · · Score: 1

    Well there's multiple problems with that, as applied to the government:

    1) If the idea is to go to the less used system because it is more secure, that means changing any time your system isn't so minor. In fact they'd be much better to write their own OS, with no relation to any existing one, than to use Linux. Linux does have a fair bit of use and does get owned (our research labs get their poorly secured Linux boxes owned from time to time) and of course the government is a big user so them switching would make it a much larger target.

    2) You are advocating a monoculture. The government does use UNIX, just not exclusively. So if the argument is "Switch all to one system," then you've created an environment easier to break into. With multiple kinds of OSes, there is hope that a fault in one is not a fault in all. Switch everything to Linux and that all goes away.

    3) While the government doesn't like getting a worm, that isn't their real concern. Their real concern is espionage. That means facing a well motivated, financed, and focused adversary. They'll break into Linux if that's what it takes. The SVR isn't going to say "Oh shit, they aren't running Windows, oh well just leave off it then." They'll look for Linux weaknesses, and write attacks targeting that if that's what it takes.

    4) There are real needs in terms of apps and so on, not all of which Linux can meet well (if at all). Even Office would be an example of this. OpenOffice is NOT the equivalent of MS Office. If you think it is that only demonstrates you've never used an office suite for anything more than simple activities. No shame in that, many don't need to, but many do, the government being one of them.

    Also if you think that sites that hold CCs don't get owned you've got your head in the sand. Online sites get owned all the time and yes, many of them run Linux. Hell a payment processor got hit last year. My bank couldn't tell me who (privacy laws) but informed me my card was being replaced because it had been processed by that company.

    Sorry, but systems get hacked. Trying for obscurity isn't a good solution. I'm not saying "All Windows all the time," but "All Linux all the time," is just as stupid.

    1. Re:So your argument is security through obscurity by Anonymous Coward · · Score: 0

      There is already a monoculture, it's just centered around Microsoft. Microsoft has posted a nice whitepaper (.doc) about the Air Force Standard Desktop, which includes such juicy tidbits as: "As of May 2006, it was installed on over 435,000 PCs. This represents more than 92% of the unclassified computers on the AF network. As application compatibility issues are resolved, the AF expects to have 100% deployment of the SDC.

      The SDC is currently being implemented on the major classified network (SIPRNET) and will eventually be fully deployed there as well."

      I would prefer the variety of operating systems. Unfortunately this also increases support difficulty.

    2. Re:So your argument is security through obscurity by WindBourne · · Score: 1

      First, where do I advocate anything? I pointed out FACTS, not the fiction that MS is hit because it is a monoculture or the most heavily used.
      Second, when I worked at TL agencies, I was prohibited from using MS except as a non-network-connected system. Why? Because the agencies do not want their code on the net. There is NO SUCH THING as secured windows.
      Third, if we are going to have a monoculture, then it is far far better to have a secured system, rather than something as unsecured as Windows. That would mean something like XTS-400, as well as a number of the DO-178B systems (who were typically designed with semiformally designed methods; though note that there are several DO-178B systems that do not match EAL 6, such as 2 linuxes).
      Fourth, Solaris != HP-UX != OS-X != Linux != FreeBSD. And there is nothing in the Windows world equivalent to Trusted Solaris, SELinux, Trusted AIX, etc.

      As to apps being needed, Office is NOT needed. It is desired only because of the monopoly that MS illegally built. If the feds, and/or EU pushed for open file formats requirements, then Office's monopoly would die.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:So your argument is security through obscurity by Sycraft-fu · · Score: 1

      If you think there is no such thing as secure Windows, but there is such a thing as secure Linux, it just means you are a zealot, uneducated, or both. Sorry, but there is no magic that makes Linux secure. I know this is something fanboys like to think, they tell themselves there is some architectural superiority that ensures it is a secure system but there's not. If you've taken the time to learn about how OSes actually work, at the high and low levels, you find that no, Linux is just another OS. How secure it is, as with Windows, depends on the implementation and practices.

      However from your post it is clear you are a blinded zealot who hates MS and doesn't care to learn about how things really work. That's fine, but you fool only yourself.

    4. Re:So your argument is security through obscurity by devent · · Score: 1

      4) There are real needs in terms of apps and so on, not all of which Linux can meet well (if at all). [...]

      If nobody is using Windows for anything important, like they should, how fast do you think everybody will port their applications?

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    5. Re:So your argument is security through obscurity by WindBourne · · Score: 1

      When you work in a secured environment for three letter agencies, please explain to them why you want Windows exposed to the net. I am quite certain that you have more knowledge than the nice folks at NSA, CIA, and NRO. Sadly, those at DHS and DOD will continue to have issues because they do not consider the issues of Windows vs. just about any other OS.

      BTW, I have not said that Linux is secured. I have said that versions of it as well as other OSs are much more secured than anything coming out of the Windows arena. So, please do not put words in my mouth.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  24. There will be security breaches, plan accordingly by shoor · · Score: 1

    I remember reading a book about the Mitrokhin archive, which was archival info about the activities of the KGB during the Cold War. One memorable thing was that the Soviets got a LOT of technical secrets from the West and they congratulated themselves on how it was cheaper to steal than develop on their own. The problem is, they couldn't get ahead that way. The porosity of the West allowed information to be traded, cross-fertilization, open competition that stimulated and sped up the development of new things, so that whatever was stolen was soon obsolete anyway.

    As for diplomatic secrets, there was the famous incident of a bug in the US embassy in Russia from which the Soviets got a lot of diplomatic secrets. I've read comments that this actually was a good thing because that way the Russians knew the US wasn't planning to attack them any time soon, just as we could relax a bit thanks to our spy satellites and U-2s showing us the Russians weren't planning to attack us any time soon.

    I admit I'm only offering speculation and hearsay, and I don't want to come across as too starry eyed and idealistic. Particularly in war, loose lips sink ships, and Bletchley Park was very bad news for the Nazis in WW2, so there is a place for espionage and counter-espionage, but I do think that before people get utterly hung up on security and paranoia, they should perhaps do a little thinking outside the box.

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
  25. Re:Log their identity when USB storage is detected by dwillden · · Score: 1

    They don't log you out. A few minutes after you walk away the screen saver will kick in and lock the screen, but pulling a CAC doesn't log you out.
    That would make it a real pain to register a new CAC card on a system, or do one of many common tasks we do where someone will sit at another's machine and log into AKO or another site with their own CAC.

    --
    I'm too lazy to compose a creative sig.
  26. This is why DoD needs to put a bullet in M$ by SgtChaireBourne · · Score: 3, Interesting

    In 2008 any standard issue Army computer would've...

    But were they able to track down and deal with the individual(s) that deployed Microsoft products?

    The military procurement procedures produce a solid paper trail even if on some occasions they produce nothing else. Had they deployed properly engineered products rather than brands infamous for bad design the problem would not have arisen. The US Navy will focus on open systems only, if it can stay clear of the old M$ contractors and M$ resellers.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  27. Not if the O/S is properly designed. by master_p · · Score: 1

    Code executed automatically off external media could be allowed if the O/S had a security model that allowed it. For example, if code in external media did not have write capabilities to the hard disk, or if said code had lower privileges over installed applications etc.

    1. Re:Not if the O/S is properly designed. by Svartalf · · Score: 1

      Ah...but that would get in the way of the "ease of use" of the OS.

      They make a big deal about ease of use, but what nobody from that camp is willing to tell you is that ease of use almost always prevents any semblance of real security, leading to an easy "pwn4g3" for the script kiddies. For real security (and requiring goofy passwords ISN'T that, folks...), you're going to have some reduction in "ease of use". You don't auto launch stuff, for example.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  28. Incident Brushfire by Anonymous Coward · · Score: 0

    The breach was from a USB drive used overseas and occurred on a classified system, not a typical user PC. Hence the lack of information on its operating system. The military just don't want you to know it was their super secure network that was compromised. People seem to think that these systems are always used carefully. People will do whatever they think they can get away with. If people see no potential harm in the action they are less likely to follow the rules. Most people don't think about external media as dangerous unless it's being used to steal data. In reality they are one of the more dangerous devices due to their portability. They are an IT security nightmare. Not only USB drives were blocked from use but all external media. This includes the use or installation of printers with USB slots and SD readers. Users were required to turn in all external storage devices including media cards for cameras, to be "evaluated". They were not returned.

  29. A different world by sjbe · · Score: 1

    Trust me, I have implemented just about any security method in a variety of settings (medical, financial, ...).

    What about military? I've worked in medical, financial, manufacturing and retail too. Military is very different.

    The fact remains that people can't be bothered to lock their screens when they step out because it's "too difficult" and "too complicated" let alone click the button to encrypt their e-mail or their USB sticks.

    Very true but the difference is that the military can send you to prison for the rest of your life if you get caught being sufficiently lazy/sloppy/incompetent with secure data. The same laws we live by in civilian life don't apply much of the time. The worst a financial firm can do is fire you. I'm not saying that people don't behave exactly as you describe (I'm sure they do) but there are people in the military who actually pay attention to this stuff.

  30. you would think... by hesaigo999ca · · Score: 1

    You would think, being military and all, they would have thought to disable all USB ports to begin with, no? Military seems to me to be the most important place to have the most security, with all those classified documents and all.

  31. One ray of hope... by TheCarp · · Score: 1

    So no hope that the person who did this gave the info to Wikileaks? That would definitely be the best of all possible worlds here.

    That would be the only silver lining that I could hope for here. You can't really blame other countries for spying, I am sure just as many (if not many more) USB drives were filled up with secrets by people on American payrolls, so it's hard to feel bad for the US Military on this one. When you choose to play the game, sometimes you get played. I only really care about innocent bystanders.

    So, really unless this was going to Wikileaks, I don't care. If it was, then I applaud it.

    There is one ray of hope though:

    "A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States's global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target," he wrote.

    That's practically music to my ears. Talk about validating my statements that the military is utterly useless and kept around only because people are convinced that they actually do something for us.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  32. Modernization by kuei12 · · Score: 1

    This goes from being shot with your own gun to being beat to death with your own laptop.