Slashdot Mirror
DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives.
But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.
Where I am, is a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.
Two vectors were talked about.
Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.
Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.
Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
But you are assuming facts not yet proven.
1) that it was in fact the commonly found version of this worm that was used rather than a specially crafted one
2) that it required auto-run to do what it was designed to do.
3) that auto-run was in fact still on in the subject machine
Sig Battery depleted. Reverting to safe mode.
Firstly, I have direct exposure and knowledge of the state of IA affairs in the DoD/IC world. Very direct. At an extremely senior level. This is a world of dysfunction that you cannot, I promise you, imagine. A world where the Gov hires contractors for insurance (so that they have someone to blame) and is unable to even so much as make a decision without pushing it all the way to the top of the agency/directorate/branch. A world where every vendor that peddles any product with "Cyber" or "Cloud" in the name can rest assured that they'll sell an enterprise license. A world where best practices are forever short-circuited in the name of 'emergent mission need'. There is an almost underworld movement amongst those technologists that understand this whereby Open Source solutions are being sneaked in the back door in the name of "research lab product". The USB problem is already solved (see HBSS Device Control) and the real issue was already solvable (via both a registry hack to disable USB storage devices and the auto-play disabling) but the retards at the top couldn't make a decision to move forward with it because, "What if it disables a keyboard, mouse or CAC reader". Idiots. The Government breeds them internally. No one worth their salt wants to be a Govvie. The pay sucks, the politics is unbearable and the future is bleak. Because of this it attracts dimwits who hire others like them, only dumber so that they don't threaten their 'stature'. The net result is Agencies full of semi-retarded morons who never leave, never get fired and keep getting promoted because the system's wired that way. We're doomed, I assure you.
I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)
Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.
The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.
Many people did both their office work and home use on the same computers, as the situation demanded.
While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.
We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.
We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.
Things that would help defend against this in the future:
Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.
If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.
NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)
Citation
http://www.mysanantonio.com/business/local/kci_working_to_contain_employee_data_breach_102106769.html
...and was actually discussing the switch from Windows to Linux with couple friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.
I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.
Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.
I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.
Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)
They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.
DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch that'll do the job and it's dirt cheap, though.
But I digress.
we see things not as as they are, but as we are.
-- anais nin