Slashdot Mirror

← Back to Stories (view on slashdot.org)

DoD Takes Criticism From Security Experts On Cyberwar Incident

Posted by Soulskill on from the no-mr-bond-i-expect-you-to-torrent dept.

wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."

2 of 116 comments (clear)

  1. easily defeated, only if you disable the vector by YrWrstNtmr · · Score: 5, Informative

    A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives.

    But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.

  2. A Sysadmin's Lamentation... by MacroMegaMan · · Score: 5, Informative

    I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)

    Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.

    The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.

    Many people did both their office work and home use on the same computers, as the situation demanded.

    While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.

    We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.

    We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.

    Things that would help defend against this in the future:

    Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.

    If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.

    NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)