DoD Takes Criticism From Security Experts On Cyberwar Incident

wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."

lulz

Millitary runs windows without disabling autorun. Now that's egg on your face...

Re:lulz

Clearly they need to create a new command structure and several brave new cyberwarfighter divisions to hold shift while inserting media. Higher ranking officers can take tech support calls or power cycle the nuke fire control on schedule.

Re:lulz

[JackieBrown]

Where I work, someone inadvertently emailed emailed a spreadsheet of the 3000+ employees social security numbers, addresses, salaries, and our date of births.

Their solution was to disable access to our personal email so that one one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.

The funny part is that I just plugged in my usb drive and windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.

And I work at a "hippa complainant" medical equipment company.

Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.

Re:lulz

[JackieBrown]

Citation

http://www.mysanantonio.com/business/local/kci_working_to_contain_employee_data_breach_102106769.html

Re:lulz

[Venik]

This is hilarious. A company specializing in identity theft prevention could not safeguard personal data of its own employees. The problem, of course, is not that some bigwig mistakenly sent a spreadsheet with names and SSNs. The problem is that such a spreadsheet existed in the first place and how it was released is really a secondary issue. I assume the guy just downloaded this information from HR database and put it in a spreadsheet for his personal managerial convenience. Probably so he can make pretty pie charts of the upcoming layoffs. This medieval approach to storing and transmitting employee PII suggests a possibility that KCI treats personal information of its customers in a similar manner.

Re:lulz

[corerunner]

I think you confused two parts of the article...

“We were able to move swiftly,” Izbrand said. “We are offering credit monitoring and identity-theft protection and any other assistance our employees want.” The credit and identity-theft services are being provided by an independent company, he said.

KCI is a publicly traded company that designs, markets and services products involved in the healing process and treatment of wounds. Its products include hospital beds and mattress replacements.

I disagree that the problem isn't that someone sent this spreadsheet to the entire company. It's not unreasonable for someone in HR to create something like that for a specific task, but it should be guarded closely. Maybe you meant it shouldn't have been so easily accessible that it could accidentally be emailed to the entire company, but that's not what you stated. That so-called bigwig should be reprimanded harshly if there's anyone above him.

Re:lulz

[vulcan1701]

Actually, you're wrong. Google DISA STIG, search the stuff for autorun and you will find that the DoD/military is required to disable autorun. USB Policy has also changed in the last 2 years. So if the claim is as described, the policies were put in place as a response to it. The STIG regarding disabling USB ports for mass storage came out in 2008.

They fucked up something really really basic

[HungryHobo]

on military systems.

And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.

they went with the latter.

Re:They fucked up something really really basic

[icebike]

You assume the fucked up.

Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.

How you administer an injection matters a lot less than what was in the syringe.

Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run. To simply state that some minor setting in windows would have prevented this is naive.

The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.

Re:They fucked up something really really basic

[HungryHobo]

oh come on, autorun has been spreading USB viruses for years.
Turning it off was basic common sense before vista ever hit the shelves.

Re:They fucked up something really really basic

[icebike]

But you are assuming facts not yet proven.
1) that it was in fact the commonly found version of this worm that was used rather than a specially crafted one
2) that it required auto-run to do what it was designed to do.
3) that auto-run was in fact still on in the subject machine

Re:They fucked up something really really basic

[davester666]

By 'fucked up', he meant that they had installed Windows (any version) on pretty much all their computers.

Re:They fucked up something really really basic

[wealthychef]

He's also assuming that
4) Everyone in the military uses common sense.

Re:They fucked up something really really basic

[Runaway1956]

"Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run." Sorry - but auto-run is a known security risk, and it has been known for a lot longer than Vista has been in existence. This is the MILITARY we are talking about. The MILITARY is supposed to be more security conscious than Joe Blow who has nothing more important on his hard drives than some illegal porn.

Re:They fucked up something really really basic

[quanticle]

The damning portion of this experience isn't that a worm got on to military networks. The damage comes from the fact that this was an autorun worm. These worms are dependent entirely on human intervention to spread, and therefore spread much more slowly than automated worms targeting operating system vulnerabilities. Yet the military was unable to defend itself against this inept attack. If they have trouble defeating an autorun worm (something that a reasonably competent IT department can handle) how are they going to defend against the more sophisticated threats that sure to be on the way?

Re:They fucked up something really really basic

the military may have had reason to use auto-run.

Since the problem which auto-run solves is just "needing to doubleclick an icon after inserting a drive", I think I'm going to go with "their own ineptitude and laziness" on this one.

Re:They fucked up something really really basic

[icebike]

You've hit upon a key aspect of the event here, but I'n not sure you've interpreted it correctly.

See that is the part of the story that doesn't hold water, and its why I think the military may have more knowledge of this than the naive attention seeking critics.

This worm would be a really poor way to spread an intrusion, because of the need for human assistance to get started, and because it is essentially harmless and low risk and easily detected by anti-virus software both then and now.

Further, if you were the foreign intelligence agent that deposited this on a Centcom computer, would you wait for it to activate itself? You've risked your life to get in a position to do so, why would you not click that mouse one more time and run it yourself (making the whole auto-run issue a non issue).

Further, you miss the fact that Auto-run is not its principal method of spreading. Its just a subtle method of introduction. It spreads thru the network. See this article:

http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html

Its not like this thing is dependent on someone slipping thumb drives into computers all the way all the way from Iraq to the Pentagon.

It may have been a ruse, or it was a heavily modified form carrying a far more sophisticated (Translation: Chinese) payload.

In any event it is simply impossible to be the standard Agent.btz that everyone here heaps derision upon.

And Auto-Run being ON or OFF would not have made one iota of difference once its on the net.

Re:They fucked up something really really basic

[icebike]

Seriously? Is that all you got?

No one even knows if auto-run was involved, any you have convinced them in the court of ignorance without even a glance at the facts.

Re:They fucked up something really really basic

[ultranova]

See that is the part of the story that doesn't hold water, and its why I think the military may have more knowledge of this than the naive attention seeking critics.

This worm would be a really poor way to spread an intrusion, because of the need for human assistance to get started, and because it is essentially harmless and low risk and easily detected by anti-virus software both then and now.

Someone brought an infected USB stick from home. I'm sorry, but that's the most likely scenario, and certainly far more likely than someone wastes an agent who's managed to get access to military network in a completely pointless attack.

In all likelihood this wasn't an attack, unless your count attacks of stupidity, and those are just as common with military as they are with any other group.

Re:They fucked up something really really basic

[icebike]

If you think that is the likely explanation then you haven't read a single word about the extent of the damage and the amount of files stolen in this incident.

Re:They fucked up something really really basic

[HungryHobo]

"and easily detected by anti-virus software both then and now."

And this is the simple reason why no sophisticated attacker would use an already known virus.
Viruses are not that hard to write, I'm only a moderately skilled programmer and I've written a couple for the sake of proving I could (never released though).

If you use a known virus that's already infected grandmas computer then the AV companies will know it.

If you write your own with code unknown to the AV companies, even a fairly trivial virus that avoids disrupting the system or moving out into the greater internet can remain hidden indefinitely.

The simple fact that it was detected as Agent.btz at all will tell you that it's not a foreign intelligence service arranging the infection and is vastly vastly more likely to be a simple case of joe blogs plugging a thumb drive into his infected home machine and then taking it back into work.
Anyone with a serious goal of compromising specific military systems will roll their own if only to avoid detection.
And deniability is a paltry claim, viruses don't come with a "made in" sticker, a custom virus would be little different from the legions of programs created every day by people looking to steal credit card numbers and you're not going to be able to tie it back to whoever created it unless they fuck up.

Actually being ON or OFF makes all the difference.
It does spread through the network- using autorun.

Another infection vector: when a clean computer attempts to map a drive letter to a shared network resource that has Agent.atz on it and the corresponding autorun.inf file, it will (by default) open autorun.inf file and follow its instruction to load the malware. Once infected, it will do the same with other removable drives connected to it or other computers in the network that attempt to map a drive letter to its shared drive infected with Agent.atz - hence, the replication.

Did you even read the article you linked?

Any vaguely security conscious and competent network admin disables autorun and has since long before vista.
There's fuck all essential uses for autorun more significant than the security threat it of having it turned on.

Re:They fucked up something really really basic

[HungryHobo]

Autorun is the only infection vector of Agent.btz, through thumbdrives or through network drives.

If it was not agent.btz then they're being convicted in the the court of ignorance by their own claims.
If it really was agent.btz then they deserve the accusations of incompetence.

Re:They fucked up something really really basic

I think we (the US) should just launch all the nukes, we have enough tinfoil hats in the world and enough in the military, let's release all that paranoia in one cathartic moment, like a huge nuclear fueled orgasm for the war machine and the paranoid crack pots who support it.
WHO REALLY CARES ANY LONGER, THEY WILL JUST FUD YOU WITH LIES, LIE MORE TO COVER UP THOSE LIES AND TWIST THE TRUTH AND SUBVERT ANYONE WHO DOESN'T TOE THE LINE.
So, I know what I did had value to the economy, I am no longer doing it, because contributing to the insanity would make me feel as if I had some ethereal hand in generating this madness that is destroying the world.
STOP IT ALL!!!!!!!!
Tune out the media, their circus has just been turned up to 11 and the volume knob pried off.

Re:They fucked up something really really basic

[Thinboy00]

In military grade security, there is no legitimate reason to enable autorun, since you can always just manually start the program if you really want to start it.

Re:They fucked up something really really basic

[PK+Tech+Guy]

How you administer an injection matters a lot less than what was in the syringe

Thats what she said.

Re:They fucked up something really really basic

[quanticle]

What damage? What stolen files? The military has said nothing about files being stolen. From the article:

The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.

But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

No mention of any files stolen. All the article says is that it took the military 14 months to clean the worm off its network. Given the size of the military's network, the level of bureaucracy involved in administrating it, and the incompetence of said bureaucrats, I don't find this to be a surprising figure at all. It doesn't speak to the sophistication of the attack. It highlights the lack of sophistication in the military's network administration skills.

Re:They fucked up something really really basic

[TheLink]

I on the other hand assume the US DoD was just making another lame attempt at getting more public money.

They hardly ever get punished for it, so why would they stop trying?

Re:They fucked up something really really basic

[icebike]

You need to check your facts.
First autorun is NOT the only vector for Agent.btz.
Second they never said it was agent.btz, rather they said it was based on that.

Re:They fucked up something really really basic

[HungryHobo]

Please, show me the other vectors that agent.btz uses then.
The link you provided only lists vectors which rely totally on autorun.

And if you're a forgien intelligence service there is no reason to use code already in the AV companies signature databases as a base for your attack, that just jeopardizes the attack since any civilian AV scanner will pick it up.

Rolling your own virus is not hard.

Re:They fucked up something really really basic

[HungryHobo]

"that it was in fact the commonly found version of this worm that was used rather than a specially crafted one"

Which makes no sense.
If a competent organisation is going to mount a serious well funded attack you don't use code which is already in virus signature databases.
You have one of your coders knock up something vaguely similar but with totally different code which will slip by AV software.

And as long as it avoids acting too obviously it will never be picked up by the AV software because it's rare for an antivirus scanner to be able to look at code never seen before and determine it's a virus unless it acts too blatantly like a virus.(attaching itself to every email, editing all exe's, adding itself to startup etc)

easily defeated, only if you disable the vector

[YrWrstNtmr]

A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives.

But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.

Re:easily defeated, only if you disable the vector

[antifoidulus]

How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are. And yet Windows is the most attacked(even if you scale the # of attacks to it's market share), most easily defeated OS out there. Hell even Google banned Windows after it got hacked(via Windows, what else!).

Re:easily defeated, only if you disable the vector

[icebike]

How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.

[citation needed]

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.

Re:easily defeated, only if you disable the vector

[hedwards]

Yeah, the DoD is really known for being secure. Remind me again how it was that Gary McKinnon managed to get into all those military computers? Oh, right, they had no password or a default password and no firewall which anybody could've accessed had they the stones or the poor judgment to try. But beyond that, even in its default state BSD is more secure than Windows is in that respect because you can't mount anything by default without having root. Now, there is an exception on most computers by booting into single user mode, but there's ways of handling that which can greatly reduce the likelihood of being haxxored. Unless I'm mistaken you can do that with Linux and Mac OSX, although generally not by default.

But beyond that because most of the individuals with knowledge of securing computer systems are younger and lower in rank, it can be kind of a toughy actually getting proper orders and resources to secure things. Or at least I assume that's what happened, it's the only explanation I can think of that's even halfway plausible that doesn't involve outright treason.

Re:easily defeated, only if you disable the vector

[antifoidulus]

And yet it gets hacked. It crashes constantly, it constantly needs virus updates etc. And yet there are a HUGE(before 2008 or so you couldn't actually totally disable autorun in Microsoft) security holes but they are just given a pass. The scrutiny applied to Windows is nothing compared to the amount applied to Linux because, and this is DoD policy, "Linux is open source and thus 'untrusted'". The level of logging required for Linux is insane and yet they really don't require the same level from Windows because you CANNOT log that much in Windows. Hosts.deny is required for Linux but no equivalent for Windows. nosuid has to be applied to every non-root drive for Linux, again nothing even close for Windows because Windows is simply incapable of such security. They allow NTLMv2 despite the fact that it is a proprietary protocol and thus incredibly insecure. Why, because it's really difficult to get Windows(esp. XP, which is still allowed) to authenticate with open, cryptographically secure protocols. They allow local and network users a lot more privileges on machines because it's impossible to actually get Windows operating smoothly without those privileges. The list goes on.

Quite simply put Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings the DoD just brushes Windows' shortcomings aside(largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD, I'm not. If I was I would be cheering their use of windows. If there is a cyber-war, I want my country to win which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.

Re:easily defeated, only if you disable the vector

[Lord_Frederick]

DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured, doesn't mean it gets configured that way in the field. Military IT is just like social issues; The only area not being neglected and starved of resources is the last area to have a major shitstorm.

Re:easily defeated, only if you disable the vector

[Culture20]

But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned.

And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.

Re:easily defeated, only if you disable the vector

[interval1066]

WAITAMINUTE! You left the US because of the emphasis the culture puts on driving? Wow... I can think of a lot of reasons to leave here, but because you have a thin skin about not being able to drive? Incredible. That's about the stupidest... mumble mumble...

Re:easily defeated, only if you disable the vector

[YrWrstNtmr]

How about just getting rid of the main attack vector(Windows) altogether?

Sure. The complexity of moving a million users/desktops/servers + govt overhead is trivial. Is next Tuesday soon enough for you?

Re:easily defeated, only if you disable the vector

[Jane+Q.+Public]

The mere fact that DoD calls software "untrusted" because it's open source reveals a lot about the level of their collective knowledge/intelligence.

That's kind of like saying "We trust the contents of this closed shipping crate because we were told what's in it. But we don't trust the contents of that open shipping crate, even though we can see for ourselves what's in it."

Sometimes my government makes me embarrassed to be an American.

Re:easily defeated, only if you disable the vector

How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.

[citation needed]

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

Apparently so "well-studied and vetted" that they LEFT FUCKING AUTORUN ON. Yeah, heckuva job security analysts.

Re:easily defeated, only if you disable the vector

[icebike]

This story deals with computers in a war zone during 2008.

We are not talking about some receptionist in a recruiting office in Kansas.

Re:easily defeated, only if you disable the vector

[icebike]

You made that up.

That fact is not in evidence. It's not in the stories linked to this article. It's merely speculation by people here so they can thump their chests and sound like they know something.

Re:easily defeated, only if you disable the vector

[flydpnkrtn]

Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.

See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf (search for Linux) for examples.

Re:easily defeated, only if you disable the vector

[AhabTheArab]

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

Ha! Good one! Unless, of course, by "special build" you really mean "a burned ISO downloaded from the Pirate Bay - then you're spot on. And don't give me a [citation needed] either because [i was the guy doing those installs and know that damn near every other unit did it the same way]

Re:easily defeated, only if you disable the vector

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.

Most of the time it's a standard version of Windows that's been locked down according to the STIG (Secure Technical Implementation Guide). There are STIGs for UNIX, web servers, network devices, etc. There is no magic "custom install of windows...special build" blah blah blah ... because if there were, we would be using it at our office.

Re:easily defeated, only if you disable the vector

[Jane+Q.+Public]

Well, considering general natures of government and military today, I was willing to believe that Open Source was indeed "untrusted". But since you brought it up, I did some looking and found that there was an official DoD memorandum approving of Open Source back in 2003, updated in 2009. The 2009 document says, in part:

(1) There are positive aspects of OSS that should be considered when conducting market research on software for DoD use, such as:

(i) The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.

(ii) The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.

(iii) Relianceonaparticularsoftwaredeveloperorvendorduetoproprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.

(iv) Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.

(v) Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance. (vi) By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., GOTS). (vii) OSS is particularly suitable for rapid prototyping and experimentation, where the ability to "test drive" the software with minimal costs and administrative delays can be important.

(2) While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.

. . .

Re:easily defeated, only if you disable the vector

[ToasterMonkey]

Well, considering general natures of government and military today, I was willing to believe...

Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

Re:easily defeated, only if you disable the vector

[flydpnkrtn]

Yup... and when the subject has been brought up by those spreading FUD at work about FOSS (I'm employed by DoD) I have busted out that very same memo and quoted from it :)

Re:easily defeated, only if you disable the vector

[Jane+Q.+Public]

Why yes, they do! But obviously you are one of the rare exceptions.

Re:easily defeated, only if you disable the vector

[flydpnkrtn]

Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

Oh come on now that's not fair... as I allude to in my reply to Jane Q., there are those even *inside* the DoD community who have the same preconceptions about FOSS "being insecure"....

Re:easily defeated, only if you disable the vector

[robsku]

You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

I know that's exactly what I would be asking. No, not really, actually I would demand *more* scrutiny if Windows is used (and my demand for not using it for anything that important would not work). That can of course be translated (by small evil minds) to mean that I would allow some other system "without same level of scrutiny (than windows)".
I would never support windows (nor OS X but actually I just know too little about it and would only go for system that I know I can trust) in that or any other "serious business" environment (ie. hospitals should not use windows either, especially in any systems which working can be essential for someone to stay alive).

Anyway it's quite clear that you can't study Windows (any version) as thoroughly as you can study Linux or BSD systems and if they can ever upgrade the system (new system, more studying) then they truly can change it to another one too - and don't say it's much more work than just keeping the old OS, that I could perhaps understand as an argument if we were talking about some small business and not about part of your country's system for national security... But hey, it's not my army and I don't really care about army anyway but I would still have them rather use a decent system in finnish army if my opinion were to be asked.

Re:easily defeated, only if you disable the vector

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

True. However, the problem seems to be that the "vetting" still doesn't give you a reasonably locked-down computer (else 'autorun' would have been disabled by default, as any idiot knows that *automatically* *running* *code* is a major security violation) -- worse, the special version is so crippled that anyone who needs to get actual work done soon learns several ways to circumvent the restrictions. Users are thus going to violate security as a matter of course.

For example, one of the ways these systems are "locked down" is they forbid any sort of CLI/terminal/console access by default (i.e., to untrusted users). At one time, I knew three ways to get a CLI as an untrusted user, contrary to the system-enforced policy. (This was useful for winning bets with the security folks for a few years. In hindsight, I'm lucky I didn't have the Feynman solution applied to me.)

Part of the problem is that the DoD is in love with the idea of CotS software (and hardware). They really ought to go back to investing in their own code, based on their own standards, and make their own dogfood. Dump the Microsoft OSes, and adopt or adapt a more fundamentally sound operating system, with an emphasis on usability and security. Hire contractors to write the OS under DoD guidance, and mandate[1] that all software built on the government's dime be unencumbered by patents, and that the source be released into the public domain.

BSD supports both Bell LaPadula and Biba security models, I hear... sounds like a great place to start.

[1] By placing clauses in the contract that state that any code delivered to the government is unencumbered by patents, at the contractor's expense, and that by the *act* of turning code over to the government, all copyright claims by the contractor are relinquished. Too many big contractors "accidently" include encumbered or copyrighted code in deliverables, contrary to the terms of their contract... and get away with it, year after year.

Re:easily defeated, only if you disable the vector

[icebike]

Wait, you are still on this Auto-run thing?

No where in any of the linked articles does it say that auto run was the source of insertion, or that auto run was on, or that the USB ports were free of epoxy.

That auto run was the source of infection is an INVENTION of this thread. There is simply no evidence of this.

The worm engine used was based on an auto run worm, but if that was all there was to it it would have been caught by virus scanners of that era.

Re:easily defeated, only if you disable the vector

You're not actually in the military, are you? I'm "in theater" now, and it's *common* to see your average user circumvent the basic sign-on procedures of SDC because IT TAKES TOO FUCKING LONG. It shouldn't take 15 minutes to log in every single day (excluding boot time), and have frequent and random BSODs because of the poor implementation of SDC. This is at my entire post, back in Europe at home station, and everywhere I've been TDY in the last two years.

SDC is a joke, it's a security hole, and it's made our network FAR more insecure.

Re:easily defeated, only if you disable the vector

[History's+Coming+To]

That's the point, if autorun is enabled it is trivial, just take a bunch of automated linux installers on USB sticks, mark them "porn" and scatter them liberally around DC and a selection of military bases, it won't take long at all...

Re:easily defeated, only if you disable the vector

Quite simply put Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess.

You are quite simply wrong, Windows XP and greater do not lack basic security mechanisms. You are clearly not well informed in this area. Windows Vista and Windows 7 infact have more powerful "security mechanisms", than any of the 3 main BSDs, Debian, OS X, Ubuntu, SuSE etc. Windows XP and greater, by default, has a far more powerful permission system than POSIX defines, that enables the administrator to more gracefully create complex permission hierarchies.

Just have a browse of this page:
https://secure.wikimedia.org/wikipedia/en/wiki/Security_and_safety_features_new_to_Windows_Vista

The process, security sandboxing feature, I believe was introduced with Windows Vista is also very powerful, and is missing by default, or lacking in many other operating systems. I know that Google Chrome makes use of it:
http://www.pcadvisor.co.uk/news/index.cfm?newsid=3209915&spotlight=1164:b

I'm not a fan of Microsoft, but I wont spread lies about them, especially in areas where they excel. Just because out of the box many of the security mechanisms aren't well configured, or enabled does not mean they are not there and are not being put to their full use in some organisations.

Where I perceive Microsoft lack, is:
  * Their use of proprietary systems that are not fully open to scrutiny by security researchers,
  * Their slow patching of of bugs that pose security issues to the system.
  * Their opaque security practices. They've been caught secretly rolling out security patches by hiding them in operating system updates that are marked as not being security related. I imagine this is to help create the illusion that Microsoft don't get many vulnerabilities in their code.
  * Their malicious, self-serving creation and maintenance of their Desktop operating system monopoly. With so many people using just one system it makes us vulnerable - all our eggs are in one basket.

Just to be clear: I am not stating that Microsoft make "secure" systems, I am simply stating that they do have decent "security mechanisms".

Re:easily defeated, only if you disable the vector

We identified this problem in 2007 on systems we were fielding that couldn't use antivirus. And we identified that disabling Autoplay would mitigate most of the dirty thumb drive threat. We made it part of our non-SDC configurations long before it was part of SDC.

Thumb drives are only as clean as the dirtiest computer you stick them in.

Re:easily defeated, only if you disable the vector

[deapbluesea]

You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS.

China already has their own military operating system Kylin . As far as anyone can tell, it's just BSD with some mods.

Another major factor you are missing is that the DoD has billions of dollars in specialized software that was designed for Windows, business practices are built around Windows, employees are trained on Windows, etc. It is not a simple matter of switching to *nix, *BSD, or whatever else when you have several hundred thousand employees who know nothing else. Look at the fact that the average age of federal workers is somewhere in the 50s [citation required]. Now think of your parents complaining about how they need a bigger hard drive because they are low on memory. Multiply that by about 300000 and you now have the headache of changing over a single service to a new OS. Multiply by 4, and you have the pain of doing that to all the services.

Re:easily defeated, only if you disable the vector

[ralphdaugherty]

Well, considering general natures of government and military today, I was willing to believe...

Hey, what do /., AM radio talk shows, and FOX News have in common? People like you!!!!!!

      He was willing, but he looked it up. That makes it people not like him.

  rd

Re:easily defeated, only if you disable the vector

[vulcan1701]

While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.

Bingo. The military used to use Unix and Solaris. I was in during the final years of it's general use. Only specialized systems are still using Solaris and some use Linix. My last deployment, we had a Mac media server. In the end, you use what your users are used to using, not what you as the admin/tech want. It is the same in any corporation. You can make all the sense in the world but in the end the boss gets what he/she wants.

The Article Doesn't Make a Good Case

The only thing the article really provides to dispute the Pentagon's account is that the worm is simple and common.

But then it goes on to mention that while common, its payload is configurable. And the soldier quoted at the end of the article point blank says that it was the outsized effect (14 months of cleanup and lost data) compared to the simplicity of the vector that freaked them out so badly.

Shit, all the military really needs is some logs showing where the thing was sending data and it gets a pretty solid idea of what's going on. And they hinted that there was something to the circumstances where the worm initially entered the system...

Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.

Re:The Article Doesn't Make a Good Case

Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.

The implication was that it was a sophisticated attack. The attack vector was autorun. Consider this, my first computer was a Win95 box bought second hand when someone upgraded to 98. I used to buy computer magazines and use the included disks, which would use autorun to change my browser home page, so I learned to disable autorun.

So if I as a computer newb with no training can work out how to disable this attack vector 10 years before it was used to attack pentagon systems, then the pentagon can not have placed system security as any type of a priority at all. They haven't even thought about it. IMO there should be a lot of people fired over this and permanently banned from any government IT security work. There were people being paid to secure those systems and they were sleeping on the job. Such sloppy work done by combat personnel, if it didn't result in their deaths, would probably warrant a dishonourable discharge or prison time for being AWOL.

Re:The Article Doesn't Make a Good Case

[guruevi]

No the external security analysts (Sophos, the seller of antivirus software) says: with a good antivirus *cough*buy Sophos AV*/cough* and centrally managed policies *cough*buy Sophos Enterprise*/cough* you can't have this simple attack entering your Windows workstations. They are probably right.

The DoD says, somebody put a USB stick in his computer and this was the result. They are probably also right.

What you can conclude out of those passages is that the DoD probably doesn't have Sophos Antivirus ;-) What a good sysadmin would conclude is that the DoD uses Windows for sensitive stuff, probably doesn't have an antivirus on their Windows machines and probably doesn't bother binding their systems to a central directory or if it is, it is only for central usernames and passwords, not for managing and locking down the computers. Some junior sysadmin probably tried once and then got yelled at because the grunts/management couldn't 'download the Internet' without 'entering my login' and this was very inconvenient and 'making them lose days worth of work' trying to figure out 'to install this program that plays this video - why am I not an administrator on my computer? It's MY computer, it says so right on the icon'

Given that the attack worked the way it did makes me think (as I have seen a lot in the last decade that I worked in the field) that all the military really needs is some logs showing where the thing was sending data and it gets a pretty solid idea of what's going on didn't work because they didn't have any logs to begin with. They might have incoming logs (maybe) on the blocked ports of the firewalls (as is the standard in many a firewall) but legitimate incoming, all outgoing and all established traffic probably isn't logged.

Re:The Article Doesn't Make a Good Case

[quanticle]

Your explanation gives the Pentagon a lot of benefit. In my view, its equally likely that these government officials are exaggerating the impact and sophistication of the attack to keep from looking like fools when the inevitable congressional hearing on this subject arises. You'll get a lot more sympathy from the senator on the other side of the hearing room if you say you were hacked by a foreign intelligence agency as opposed to some 16 year old Chinese kid. Given how hard it is to trace the origin of these attacks, its quite easy to twist the limited evidence available to support one hypothesis or the other.

My take on this? Some DoD employee brought a thumbdrive from home and infected his work PC. When others used their thumbdrives to copy information from this person's PC, they also got infected. Thanks to autorun and the relatively low profile this attack kept (e.g. it didn't do much to slow down infected computers) it took a long time for the IT department to find out about the infection. At that point the worm had become endemic to the network and many man-hours were spent rooting it out, hence the claim of "large expenses".

Even if you don't find my explanation entirely reasonable, you have to admit that the existing evidence doesn't exactly prove that the Pentagon was attacked by sophisticated and nefarious spies. Could they have been? Sure. But its equally likely that they were attacked by a garden variety piece of malware for which they were unprepared.

Re:The Article Doesn't Make a Good Case

They're not exaggerating either the sophistication or the impact; that's just the thing. They fully admit it was a bullshit vector they should have been prepared for, and they fully admit it took them over a year to manage a response. Read the quotes in the article, they sound downright embarrassed. Shamefaced, in fact. The general saying it took months just to get a count of computers? They're not trying to avoid looking like fools, they're shouting, "What fools we were!"

I find your explanation entirely reasonable. In fact, it's precisely what I believe happened. But the fact that it was a simple autorun exploit which administrative incompetence let spread hither and yon doesn't mean the payload wasn't trying to funnel data to someone. Most malware does nowadays, after all. It's pretty clear the Pentagon thinks--or at least wants us to believe--that whatever this virus sent home went to a foreign power. If they wanted to save face, they'd never admit that.

I'm not giving the Pentagon credit, per se. (I do give them credit for admitting such a colossal fuckup, though.) I'm saying that their story is entirely believable and that the detraction of the security experts boils down to, "But foreign spies would never stoop to that!"

Was the threat real?

[falconwolf]

As the Security Week article suggests this sounds like the lying the military told about the Gulf of Tonkin Incident.

Falcon

Re:Was the threat real?

or the MiG-25. Oversell the threat so you get a nice big budget for your toys/projects.

Re:Was the threat real?

[sampas]

Thisis another yellowcake tale -- ginned up to scare Congress into giving DoD the Internet "kill switch" in case of "national emergency" -- like Wikileaks. Most of this is in response to the less-than-credible story in Foreign Affairs: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain. Now our own government wishes they could do what China and Iran can -- shut down the Internet at will when there's something on there that they don't like. Does the military even read the Constitution they swear to uphold?

Re:Was the threat real?

[hedwards]

Unfortunately, rather than fixing the problem, I fear that's the "fix" we're going to get. There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice, however none of them are as easy or practical as simply restricting the kill switch to separating the military and emergency infrastructure from the net. Although the stupid thing there is that they probably shouldn't be directly on the internet in the first place.

The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.

Re:Was the threat real?

[falconwolf]

There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice,

There are no legitimate reasons to disconnect the nation from the internet. It's all about censorship or fear of the unknown.

Falcon

Re:Was the threat real?

Let's think this through for a second here:

1. Media Coverage Opiates The People
2. Media Coverage Requires Internet and Satelite Networks
3. The US Government Rules The People
4. The US Government Requires the Internet and Satelite Networks to Accomplish 3.
5. The US Military Protects The People.
6. The US Military Requires the Internet and Satelite Networks to Accomplish 5.
7. Let's Build a Killswitch Capable of Shutting Down All The Above, For All The Important Governments and Militaries In The World.
8. Now Let's Put The People Who Have Their Entire Networks Devastated and Rendered Useless By A Low Threat Worm In Charge of Protecting Said Killswitch.

How do people not see the problem with this idea? This is like asking a pedo-rapist to babysit your children, the act is more than inevitable - it's hard to not think it were the intention. An Internet Killswitch is a potentially more powerful weapon than a Nuclear Bomb, and if it existed they would put it in the hands of people with less computer security smarts than my 8 year old sister: she's had a computer since birth and she's smart enough to not open suspicious downloads and disable autorun.

Re:Was the threat real?

The military can already disconnect from the "Internet"...they aren't on it anyway.

http://en.wikipedia.org/wiki/NIPRNet

Keep in mind that DARPA (or ARPA) really created this whole series of tubes to begin with. The D stands for Defense...which means DoD.

As far as the Constitution is concerned, it unfortunately doesn't cover Internet access. You have the right to access information, but there is not specific right for that information to be in a digital format.

Re:Was the threat real?

[Thiez]

I can't help but think '... PUNCH!' at the end of your posts, and imagine you striking down those who disagree with you.

Re:Was the threat real?

[DavidShor]

Sure there is. Knocking a country of the internet in the case of war could be a quite potent weapon. In the short term, it'd do a lot to disrupt internal communication.

From a humanitarian point of view, it's not ideal. But we let these people drop cluster bombs on cities, so that's really besides the point.

Re:Was the threat real?

[falconwolf]

Knocking a country of the internet in the case of war could be a quite potent weapon.

ie there are no legitimate reasons to consider a "kill switch" which will do the same thing, knock the country off the net.

Falcon

Just another vector for funding...

[notjustchalk]

Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any govenrmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the boogyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.

In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?

ps. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc), which have been frequent fear mongerers themselves, are calling the military on fear mongering.

Say It Ain't So

[SilverHatHacker]

Wait, are you saying a government agency might have lied, appealing to the general public's lack of knowledge in the area of computers and using a buzzword-filled report to justify an application of force? I find that hard to believe.

Re:Say It Ain't So

[martin-boundary]

How can you say such a thing? Government agencies never lie. Don't you realize that viruses are weapons of mass annoyance? The only way to be sure is to kill the Internet. With a switch. Located in a room deep underground in the basement of the Pentagon. You know the room I'm talking about, it's got a candybar dispenser in it and a pinball machine. The hackers will never think of searching for it there.

Re:Say It Ain't So

+1, Funny.

What we'd heard...

[NecroPuppy]

Where I am, is a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.

Two vectors were talked about.

Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.

Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.

Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.

Re:What we'd heard...

some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc.

Oh my god! They're in our lattes!

To be honest, the fact that it was such a dumb worm suggests the infection wasn't intentional at all.

The next doomsday weapon

[gilesjuk]

Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.

I think the US military are hinting along these lines.

Another patch in the submarine's screen doors

[Lanteran]

seeing as they're, you know, the pentagon, I highly doubt there are any real 'killer apps' they must have that they don't have the source code to. That said: why use windows? Its not designed to be a secure operating system in the same way that... say.. openBSD is, and while they may have the windows source code (I believe that large and gov't organizations are allowed to see it) they're not allowed to modify it. I'm just saying that in an environment like that, a very secure operating system, closed source or open is the way to go. You can't have it to where any old person can plug in a flash drive and compromise your system. Disabling autorun helps, it helps quite a lot, but it doesn't solve the underlying problem. If they refuse to change, methinks cyber warfare against the US just got a few orders of magnitude easier.

Re:Another patch in the submarine's screen doors

[Arker]

And even if they do have the source code, do you really think an organisation that couldnt figure out they needed to turn off 'auto-run' in their install images has done a thorough audit of all those millions of lines of spaghetti?

Re:Another patch in the submarine's screen doors

[Lanteran]

heh, true enough. They want better security? Stop putting kids off of hacking, look at what china's doing...

Go figure

[ralphdaugherty]

      I would be surprised if the secret forensics information is anything more than the malware has Russian roots.

      Just because malware is written by Russia crackers doesn't make it a Russian government attack.

  rd

And the networks are still insecure...

I work for a TLA that shall remain nameless. Our contract IT support people, who are supposed to know what they are doing, still haven't figured out how to use group policy editor (in an active directory environment) to disable USB storage devices or how to disable autorun.

Two words: Bradley Manning

[louarnkoz]

The Army just suffered one of the largest leaks in military history, thanks to Pfc Bradley Manning and Wikileaks. You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised, and perhaps review procedures so a lowly private does not have access to 100,000 secret documents that are only remotely linked to his mission.

Instead, we get this implausible thumb drive scenario. And guess what, instead dof applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...

-- Loaurnkoz

Re:Two words: Bradley Manning

[Lifyre]

To be fair this incident happened two years ago. Which means they should be getting around to resolving the Bradley Manning issue and review some time in 2012...

Re:Two words: Bradley Manning

[MK_CSGuy]

You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised... Instead, we get this implausible thumb drive scenario.

Who said they are not doing that as well?
I don't see how one thing contradicts the other.

It's not a pretty picture

Firstly, I have direct exposure and knowledge of the state of IA affairs in the DoD/IC world. Very direct. At an extremely senior level. This is a world of dysfunction that you cannot, I promise you, imagine. A world where the Gov hires contractors for insurance (so that they have someone to blame) and is unable to even so much as make a decision without pushing it all the way to the top of the agency/directorate/branch. A world where every vendor that peddles any product with "Cyber" or "Cloud" in the name can rest assured that they'll sell an enterprise license. A world where best practices are forever short-circuited in the name of 'emergent mission need'. There is an almost underworld movement amongst those technologists that understand this whereby Open Source solutions are being sneaked in the back door in the name of "research lab product". The USB problem is already solved (see HBSS Device Control) and the real issue was already solvable (via both a registry hack to disable USB storage devices and the auto-play disabling) but the retards at the top couldn't make a decision to move forward with it because, "What if it disables a keyboard, mouse or CAC reader". Idiots. The Government breeds them internally. No one worth their salt wants to be a Govvie. The pay sucks, the politics is unbearable and the future is bleak. Because of this it attracts dimwits who hire others like them, only dumber so that they don't threaten their 'stature'. The net result is Agencies full of semi-retarded morons who never leave, never get fired and keep getting promoted because the system's wired that way. We're doomed, I assure you.

The Problem behind:

[drolli]

Virus writers update their viruses 100 times faster than the military its rules. I would not wonder if the rules effective at that moment were 10 years old (or just minor revisions - like fixing security holes already being exploited). I work in a very large company, and each time i try to report a security problem i observe, i am being told the IT department is responsible and its not my job - and nothing changes. I assume in the military its the same problem but worse; maybe you even go in jail because you figured sth out.

Obligatory

In Soviet Russia, KGB thumb worm auto-run you!

A Sysadmin's Lamentation...

[MacroMegaMan]

I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)

Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.

The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.

Many people did both their office work and home use on the same computers, as the situation demanded.

While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.

We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.

We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.

Things that would help defend against this in the future:

Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.

If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.

NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)

Re:A Sysadmin's Lamentation...

[Simulant]

WTF is NIPER? http://en.wikipedia.org/wiki/NIPRNet/

Re:A Sysadmin's Lamentation...

[MacroMegaMan]

NIPRNET, not like my mangled spelling.

It's the DOD network for unclassified but sensitive data.

http://en.wikipedia.org/wiki/NIPRNet

http://everything2.com/title/NIPRNET

Re:A Sysadmin's Lamentation...

[codepunk]

I have been out of the military for quite some time but I don't see how your suggestions would help the matter anyhow. Sure there are some talented enlisted people that would more than be capable of handling the situation but the military command structure is no designed for that. Anyone worth a squat is not going to be doing anything more meaningful than cleaning a tank with a toothbrush. DOD contractors are no better they work for the govt because no one else want's them.

Re:A Sysadmin's Lamentation...

[basotl]

Mod parent up.

I was there in 2005/2006. So far you have given the best informed description of the situation that lead to the bad practices.

I still lament over the loss of being able to use a thumb drive. The things were darn useful when used IAW Thumb Drive policy and IMHO could still be used if policies were enforced. Now I often use my personal laptop as opposed a NIPPER and keep large documents such as FM's and TM's there.

Re:A Sysadmin's Lamentation...

[Lifyre]

Actually the solution to this is training your enlisted troops how to handle this. I was in Iraq when this went down, as a network admin for a grunt unit. The problem went away when we burned 10 CD's with AV that cleaned it (the most recent definitions from Symantec did NOT do this until almost 4 months later, making government computers completely open) and training 2 Marines per company on how to help their users. Within a week we had controlled the issue.

Re:A Sysadmin's Lamentation...

Military personnel, especially enlisted, are not generally hired for years of experience. Potential means capable of learning, not security expert. DoD contractors are the military officers and enlisted cleared for access.

Re:A Sysadmin's Lamentation...

[matchhead650]

I have never seen a S-6 shop that didnt have at least local admin rights to the computers they were responsible for.

In other news....

[Simulant]

...Iraq didn't really have WMD.

Bait

[Joebert]

I think all of these stories of military oopsies sound a lot like the story of the woman who "accidentally" dropped her bag and waits for some guy to pick it up. Except, in this case the guy gets tagged like an animal and watched like a hawk for the next 30 years.

was that a trap system? old systems that where not

[Joe+The+Dragon]

was that a trap system? old systems that where not updated but still where siting on part of the network?

Or did he point how bad there systmes are and they just tried to cover it up and though the book at him?

And without considering the obvious: decentralize

[evought]

It is interesting how any government solution to their own screw-up always involves giving them more power. The obvious solution to an "asymmetrical" cyber-security threat to our national infrastructure, from their point-of-view, is more centralization of authority and a big "cybersecurity command" that gets more budget dollars.

%0

you see the same stuff with outsourced IT out side

you see the same stuff with outsourced IT out side of a army setting.

Some times with little to no on site IT guy and outsourced ones are not tied ed to your site and some times there is lot of paper work and other BS to get stuff down as well.

Excel: scourge of IT

[mangu]

Where I work, someone inadvertently emailed emailed a spreadsheet of the 3000+ employees social security numbers, addresses, salaries, and our date of births.

That's the result of having a tool that allows computer-illiterate people to process data.

When the printing press was invented people started learning to read and write. They learned spelling and grammar.

When the GUI was invented people started forgetting how to read and write. They want to click on icons because they don't want to learn the spelling and grammar of the commands that control the computer.

In the computer world, Johannes Gutenberg invented the comic book.

i work for an agency under DoD...

[pointbeing]

...and was actually discussing the switch from Windows to Linux with couple friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.

I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.

Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.

I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.

Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)

They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.

DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch that'll do the job and it's dirt cheap, though.

But I digress.

Re:i work for an agency under DoD...

[TheLink]

> DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time

Does that really help security that much?

Many banks over here have basic network isolation - certain PCs and networks have zero Internet or other outside connectivity, yes it does affect productivity. There's a bank where people have to leave their PCs and go to another PC for googling or other internet access. That sucks in many ways, but I'm sure the DoD can afford more PCs per person and a better setup, if they sacked just a few dangerously/expensively incompetent people.

People who can't keep secrets when using certain technologies either shouldn't be using those technologies or shouldn't be allowed to handle those secrets. Assuming they can't be trained to handle the tech securely.

The Gov likes certification and tests right, so just create some tests, so even if a Big Shot can't pass those tests well too bad he's going to have to get his secret stuff via old-style paper workflow. If that affects productivity too much, "promote" Big Shot to somewhere where he can't cause as much damage. That's assuming your secrets are that important to keep.

Most Big Bosses are not expected to know how to operate a crane or a backhoe safely and effectively. If it's vital for their job, well then make sure they can do it. If it's not important then don't let them do it.

If the secrets aren't important enough for such strict measures, why the fuck should you care if the rest of the world gets them? They are clearly not that important.

Anyway in most cases, you get the right person to get close to some Blabbermouth and he'll be bragging about the secrets...

Re:i work for an agency under DoD...

+1, Great Pitch

See the need, create the fix, sell it back to your employer. Bravo.

None of us know if that was him

[Burz]

...chatting with Lamo. No one has been able to speak to Manning and that chat log seems to be the only thing pointing to him.

I can't help but think

[falconwolf]

'... PUNCH!' at the end of your posts, and imagine you striking down those who disagree with you.

Nope, I'm non-violent like Henry David Thoreau, who wrote Civil Disobedience, and Mohandas Karamchand Gandhi. Where I differ is that if it came to it, such as with the NAZIs, I would not hesitate to bare and use firearms.

There are four boxes of liberty: soapbox, ballot box, jury box, and ammo box. Use in that order.

Falcon

Military + Microsoft = Intelligence?

[dogzdik]

As Goatse said when the watermelon fell out along with his intestines, "There's your problem!"

.

If almost anything and everything Microsoft wasn't such a fragmented fuck up of a shitbag operating system, with 500 security settings in 900 locations, and with no interaction between any of them....

.

Jeezers FUCK I hate Microsoft.

.

I unless you learn the ways of the Jedi, and get power toys, have you ever tied to disable Autorun - so your fucking DVD drive doesn't just sit there spinning it's fucking guts out for hours and hours every day, for no particular reason than you chose to leave a fucking DVD in it.....

.

Fucking dickheads at microsoft.......

.

Fucking MICOSOFT security settings......

.

Farrrrkkkk I hate MICROSOFT.

.