DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."
The only thing the article really provides to dispute the Pentagon's account is that the worm is simple and common.
But then it goes on to mention that while common, its payload is configurable. And the soldier quoted at the end of the article point blank says that it was the outsized effect (14 months of cleanup and lost data) compared to the simplicity of the vector that freaked them out so badly.
Shit, all the military really needs is some logs showing where the thing was sending data and it gets a pretty solid idea of what's going on. And they hinted that there was something to the circumstances where the worm initially entered the system...
Really, what's the story here? Pentagon says it conducted 'forensics' on the worm and decided on foreign origin, security analysts say, "But it's such a simple worm, it can't be that!" The analysts are talking out of their asses, and the Pentagon's explanations make a great deal of sense. Maybe the Pentagon is lying, maybe not, but nothing the doubters say in the article means anything.
As the Security Week article suggests, this sounds like the lies the military told about the Gulf of Tonkin Incident.
Falcon
Should there be a Law?
Seeing as they're, you know, the Pentagon, I highly doubt there are any real 'killer apps' they must have that they don't have the source code to. That said: why use Windows? It's not designed to be a secure operating system in the same way that... say... OpenBSD is, and while they may have the Windows source code (I believe that large and gov't organizations are allowed to see it) they're not allowed to modify it. I'm just saying that in an environment like that, a very secure operating system, closed source or open, is the way to go. You can't have it to where any old person can plug in a flash drive and compromise your system. Disabling autorun helps, it helps quite a lot, but it doesn't solve the underlying problem. If they refuse to change, methinks cyber warfare against the US just got a few orders of magnitude easier.
"People don't want to learn Linux" hasn't been a valid excuse since '03.
Instead, we get this implausible thumb drive scenario. And guess what, instead of applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...
-- Loaurnkoz
But in 2007, that wasn't the case. Autorun was usually on, and thumb drives were not banned.
And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.
Where I work, someone inadvertently emailed a spreadsheet of the 3000+ employees' Social Security numbers, addresses, salaries, and our dates of birth.
Their solution was to disable access to our personal email so that no one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.
The funny part is that I just plugged in my USB drive and Windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.
And I work at a "hippa complainant" medical equipment company.
Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.
That's the result of having a tool that allows computer-illiterate people to process data.
When the printing press was invented people started learning to read and write. They learned spelling and grammar.
When the GUI was invented people started forgetting how to read and write. They want to click on icons because they don't want to learn the spelling and grammar of the commands that control the computer.
In the computer world, Johannes Gutenberg invented the comic book.