DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
on military systems.
And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.
They went with the latter.
Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any governmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the boogeyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.
In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?
P.S. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc.), which have been frequent fear mongerers themselves, are calling the military on fear mongering.
Wait, are you saying a government agency might have lied, appealing to the general public's lack of knowledge in the area of computers and using a buzzword-filled report to justify an application of force? I find that hard to believe.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
This is another yellowcake tale -- ginned up to scare Congress into giving DoD the Internet "kill switch" in case of "national emergency" -- like Wikileaks. Most of this is in response to the less-than-credible story in Foreign Affairs: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain. Now our own government wishes they could do what China and Iran can -- shut down the Internet at will when there's something on there that they don't like. Does the military even read the Constitution they swear to uphold?
And yet it gets hacked. It crashes constantly, it constantly needs virus updates etc. And yet there are HUGE (before 2008 or so you couldn't actually totally disable autorun in Microsoft) security holes, but they are just given a pass. The scrutiny applied to Windows is nothing compared to the amount applied to Linux because, and this is DoD policy, "Linux is open source and thus 'untrusted'". The level of logging required for Linux is insane and yet they really don't require the same level from Windows because you CANNOT log that much in Windows. Hosts.deny is required for Linux but no equivalent for Windows. nosuid has to be applied to every non-root drive for Linux, again nothing even close for Windows because Windows is simply incapable of such security. They allow NTLMv2 despite the fact that it is a proprietary protocol and thus incredibly insecure. Why? Because it's really difficult to get Windows (esp. XP, which is still allowed) to authenticate with open, cryptographically secure protocols. They allow local and network users a lot more privileges on machines because it's impossible to actually get Windows operating smoothly without those privileges. The list goes on.
Quite simply put, Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings, the DoD just brushes Windows' shortcomings aside (largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD, I'm not. If I was I would be cheering their use of Windows. If there is a cyber-war, I want my country to win, which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.
Monstar L