DoD Takes Criticism From Security Experts On Cyberwar Incident

wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec."

They fucked up something really really basic

[HungryHobo]

on military systems.

And so they can either pretend it didn't happen or pretend that they were only defeated by a dedicated and skilful foe rather than by their own ineptitude and laziness.

they went with the latter.

Re:They fucked up something really really basic

[icebike]

You assume the fucked up.

Just because the version of this worm that is common in the wild is not particularly dangerous does not mean that the version used in the attack (or the fuckup if you will) was the same.

How you administer an injection matters a lot less than what was in the syringe.

Auto-run might have stopped this worm, but turning that off did not become standard practice till the Vista roll out, and the military may have had reason to use auto-run. To simply state that some minor setting in windows would have prevented this is naive.

The fuckup, if there was one, was allowing a foreign intelligence agency to get close to a military laptop.

easily defeated, only if you disable the vector

[YrWrstNtmr]

A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives.

But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned. The Air Force SDC (Standard Desktop Configuration) and the follow-on FDCC (Federal Desktop Core Configuration) ended that.

Re:easily defeated, only if you disable the vector

[antifoidulus]

How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are. And yet Windows is the most attacked(even if you scale the # of attacks to it's market share), most easily defeated OS out there. Hell even Google banned Windows after it got hacked(via Windows, what else!).

Re:easily defeated, only if you disable the vector

[icebike]

How about just getting rid of the main attack vector(Windows) altogether? The DoD "security" policies seem like they were written by Microsoft specifically to push Microsoft products. Windows is still the darling child of the DoD and anything else is considered "dangerous" and is subject to infinitely more scrutiny than Windows boxes are.

[citation needed]

Military computers, especially in theater, get a custom install of windows, that is well known, because it is a special build, well studied and vetted.

You seem to be asking that something else, linux, apple, bsd, be allowed in without that same level of scrutiny.

But because you managed to bash both the military and microsoft in a single sentence you will probably be modded up anyway.

Re:easily defeated, only if you disable the vector

[hedwards]

Yeah, the DoD is really known for being secure. Remind me again how it was that Gary McKinnon managed to get into all those military computers? Oh, right, they had no password or a default password and no firewall which anybody could've accessed had they the stones or the poor judgment to try. But beyond that, even in its default state BSD is more secure than Windows is in that respect because you can't mount anything by default without having root. Now, there is an exception on most computers by booting into single user mode, but there's ways of handling that which can greatly reduce the likelihood of being haxxored. Unless I'm mistaken you can do that with Linux and Mac OSX, although generally not by default.

But beyond that because most of the individuals with knowledge of securing computer systems are younger and lower in rank, it can be kind of a toughy actually getting proper orders and resources to secure things. Or at least I assume that's what happened, it's the only explanation I can think of that's even halfway plausible that doesn't involve outright treason.

Re:easily defeated, only if you disable the vector

[antifoidulus]

And yet it gets hacked. It crashes constantly, it constantly needs virus updates etc. And yet there are a HUGE(before 2008 or so you couldn't actually totally disable autorun in Microsoft) security holes but they are just given a pass. The scrutiny applied to Windows is nothing compared to the amount applied to Linux because, and this is DoD policy, "Linux is open source and thus 'untrusted'". The level of logging required for Linux is insane and yet they really don't require the same level from Windows because you CANNOT log that much in Windows. Hosts.deny is required for Linux but no equivalent for Windows. nosuid has to be applied to every non-root drive for Linux, again nothing even close for Windows because Windows is simply incapable of such security. They allow NTLMv2 despite the fact that it is a proprietary protocol and thus incredibly insecure. Why, because it's really difficult to get Windows(esp. XP, which is still allowed) to authenticate with open, cryptographically secure protocols. They allow local and network users a lot more privileges on machines because it's impossible to actually get Windows operating smoothly without those privileges. The list goes on.

Quite simply put Windows lacks a lot of the basic security mechanisms that ALL other operating systems possess. And instead of doing the rational thing and banning Windows because of its shortcomings the DoD just brushes Windows' shortcomings aside(largely because Microsoft has a lot of lobbyists in high places in Washington). You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS. You think I am anti-DoD, I'm not. If I was I would be cheering their use of windows. If there is a cyber-war, I want my country to win which is why I think they need to BAN Windows ASAP. Microsoft has repeatedly shown that it is either unable or unwilling to fix their shit, so dump the motherfuckers already.

Re:easily defeated, only if you disable the vector

[Lord_Frederick]

DoD is very big, and there are hundreds of thousands of DoD computers that don't follow the simplest security best practices. Just because the NSA publishes a document on how a Windows box should be configured, doesn't mean it gets configured that way in the field. Military IT is just like social issues; The only area not being neglected and starved of resources is the last area to have a major shitstorm.

Re:easily defeated, only if you disable the vector

[Culture20]

But in 2007, that wasn't the case. Autorun usually on, and thumb drives not banned.

And what's more, Microsoft's suggested method of disabling autorun didn't work back then. They had to release a patch. And even then, they didn't disable autorun by default.

Re:easily defeated, only if you disable the vector

[flydpnkrtn]

Surprise: the DoD uses Linux, and they have the same guides for locking and hardening Linux as they do for other Unices (Solaris) and for Windows.

See http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf (search for Linux) for examples.

Re:easily defeated, only if you disable the vector

[Jane+Q.+Public]

Well, considering general natures of government and military today, I was willing to believe that Open Source was indeed "untrusted". But since you brought it up, I did some looking and found that there was an official DoD memorandum approving of Open Source back in 2003, updated in 2009. The 2009 document says, in part:

(1) There are positive aspects of OSS that should be considered when conducting market research on software for DoD use, such as:

(i) The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.

(ii) The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.

(iii) Relianceonaparticularsoftwaredeveloperorvendorduetoproprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.

(iv) Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.

(v) Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance. (vi) By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., GOTS). (vii) OSS is particularly suitable for rapid prototyping and experimentation, where the ability to "test drive" the software with minimal costs and administrative delays can be important.

(2) While these considerations may be relevant, they may not be the overriding aspects to any decision about software. Ultimately, the software that best meets the needs and mission of the Department should be used, regardless of whether the software is open source.

. . .

Was the threat real?

[falconwolf]

As the Security Week article suggests this sounds like the lying the military told about the Gulf of Tonkin Incident.

Falcon

Re:Was the threat real?

[sampas]

Thisis another yellowcake tale -- ginned up to scare Congress into giving DoD the Internet "kill switch" in case of "national emergency" -- like Wikileaks. Most of this is in response to the less-than-credible story in Foreign Affairs: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain. Now our own government wishes they could do what China and Iran can -- shut down the Internet at will when there's something on there that they don't like. Does the military even read the Constitution they swear to uphold?

Re:Was the threat real?

[hedwards]

Unfortunately, rather than fixing the problem, I fear that's the "fix" we're going to get. There are legitimate reasons to consider a "kill switch." As in the ability to take the nation off the internet at a moment's notice, however none of them are as easy or practical as simply restricting the kill switch to separating the military and emergency infrastructure from the net. Although the stupid thing there is that they probably shouldn't be directly on the internet in the first place.

The problem ultimately is that a kill switch would have to touch a huge amount of infrastructure, including satellite links in order to work, and I have very little confidence that even with highly qualified engineers working on it that there isn't going to be a bug, glitch or vulnerability that ends up working its way into the system.

Just another vector for funding...

[notjustchalk]

Since when was efficacy or even logic a metric for whether or not a new department/task-group/domain/[insert group du jour] is deemed "necessary" for any govenrmental body? This is just another not-so-subtle attempt at widening the jurisdiction of the military. After all, if the boogyman is unmasked, why, another must be conjured lest we all wake up to the cold truth that these people are simply pissing large reams of money down the tubes.

In the end, all of this will be justified after the fact despite any protestations. War on terror, anyone?

ps. Although if you think about it, it's somewhat ironic that antivirus firms (Sophos, Symantec, etc), which have been frequent fear mongerers themselves, are calling the military on fear mongering.

Say It Ain't So

[SilverHatHacker]

Wait, are you saying a government agency might have lied, appealing to the general public's lack of knowledge in the area of computers and using a buzzword-filled report to justify an application of force? I find that hard to believe.

What we'd heard...

[NecroPuppy]

Where I am, is a lot less on the "secret agent" / James Bond side of things, and a lot more on social engineering.

Two vectors were talked about.

Vector 1: Middle East. Some guys decided they wanted to be insurgents, but didn't have explosives experience and really didn't want to be shot at. So instead, they loaded up viruses on a bunch of hardware (external drives, thumb drives, etc) and sold it to soldiers. Said soldiers then turned around and used these drives on not only their personal computers, but also on Unclass and Classified systems, where it quickly spread because of bad IS/IA policies.

Vector 2: Pentagon area. Similar situation, but instead of selling pre-infected items, some foreign power just left a lot of pre-infected thumb drives around various coffee shops, etc. While some were turned in to lost and found, others were picked up by people who said, "Hey! Free thumb drive!" and proceeded to use them at work and at home. And when work was in a government office that, again had poor IS/IA policies, suddenly you've got computers opening holes in firewalls and transmitting data out.

Hence the big change in policy, to ban thumb drives, turn off auto-run, etc.

The next doomsday weapon

[gilesjuk]

Now that many nations have nuclear weapons, it's obvious that development of the internet or IT doomsday device will be next.

I think the US military are hinting along these lines.

Two words: Bradley Manning

[louarnkoz]

The Army just suffered one of the largest leaks in military history, thanks to Pfc Bradley Manning and Wikileaks. You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised, and perhaps review procedures so a lowly private does not have access to 100,000 secret documents that are only remotely linked to his mission.

Instead, we get this implausible thumb drive scenario. And guess what, instead dof applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...

-- Loaurnkoz

The Problem behind:

[drolli]

Virus writers update their viruses 100 times faster than the military its rules. I would not wonder if the rules effective at that moment were 10 years old (or just minor revisions - like fixing security holes already being exploited). I work in a very large company, and each time i try to report a security problem i observe, i am being told the IT department is responsible and its not my job - and nothing changes. I assume in the military its the same problem but worse; maybe you even go in jail because you figured sth out.

A Sysadmin's Lamentation...

[MacroMegaMan]

I was there in 2008 during the midst of this. At that time, there were significant problems with security on the network terminals that we all used to access the internet. In most places, we were limited to two or three ways to access the internet (not NIPERNET.) Either computer labs operated by Spawar (government contractors) ,computers operated by Cyberzone (A commercial entity) or, if your FOB was large enough, in-room/tent access provided by the MWR (Morale Welfare and Recreation.)

Now all the computers that were in use there used satellite up-links to access the internet. Too many users would max the link, and access to the web would slow to a crawl, or worse. Think 5 - 10 minutes to load a web page. Now after a long day (or two, or three, or more!) out on mission, people would roll back in the gate, tromp off to the internet and eat, often in just that order and go to bed. Most of the time people were sending and receiving email and pictures from friends and family, baby pictures, movie clips and the like. Most of the time, these would be put on flash drives so people could see them later in their tents and so on.

The computers that were operated by the Cyberzone and Spawar rarely if ever had their anti-virus up to date. Worse, the anti-virus updates would take so long to download (hours!) that people would give up on doing them. The MWR and Post Exchange were often great about getting laptops out to troops in remote locations. However there was often no way to get software updates to these PC's. The situation was ripe for trouble.

Many people did both their office work and home use on the same computers, as the situation demanded.

While I was there in 2008, we began seeing signs of the SillyFDC worm and agent.btz in increasing numbers. We were able to track it back to the Spawar and Cyberzone computers, but we had no way to convince the people there to update their anti-virus. The PC's that were on NIPERNET at the time had restrictions on the use of flash drives, but those were not fully enforced. No-one is sure who “Crossed the Streams” but both worms started showing up in more and more NIPERNET computers. The largest problem in stopping it was that we were not in charge of policy of our own computers. We knew that the worms spread through the use of autorun, but we could not get people to bring in their flash drives to have them scanned. Worse, we could not disable autorun on the NIPERNET PC's. We had no access to the local policy on the machines (or anti-virus updates!) We were able to finally contain things by disabling autorun on personal computers, sacrificing one of our personal laptops to doing nothing but scanning possible infected drives, and quarantining known infected PC's from use.

We were never able to get updates for the anti-virus for the NIPERNET PC's, but we eventually discovered and distributed ClamWin for personal computers, though.

We received word about the no-flash-drives rule about 3 months later. That generally made things more difficult, as there were quite a few places that had no network access; a flash drive was the only way to move documents about. More people ended up doing work on their personal computers and ignoring the government ones after that.

Things that would help defend against this in the future:

Spawar, Cyberzone, and MWR should be required to keep on their networks a basic SAN that has updated anti-virus, security patches and run a script to update that when network traffic is low. That way, individuals can get their updates from local storage rather than trying to pull hundreds of megabytes over a slow network link.

If you have a computer while downrange, you should be required to make sure that it's security is up to date, and download patches (from the SAN) at least monthly. Anti-virus should be done as frequently as possible.

NIPERNET needs to have some method of having local administrators modify their systems. Many times, the local S-6 (Communication and Networking Support)

Re:A Sysadmin's Lamentation...

[Lifyre]

Actually the solution to this is training your enlisted troops how to handle this. I was in Iraq when this went down, as a network admin for a grunt unit. The problem went away when we burned 10 CD's with AV that cleaned it (the most recent definitions from Symantec did NOT do this until almost 4 months later, making government computers completely open) and training 2 Marines per company on how to help their users. Within a week we had controlled the issue.

Re:lulz

[JackieBrown]

Where I work, someone inadvertently emailed emailed a spreadsheet of the 3000+ employees social security numbers, addresses, salaries, and our date of births.

Their solution was to disable access to our personal email so that one one could leak that info to anyone else. It has been half a week and our personal emails are still blocked.

The funny part is that I just plugged in my usb drive and windows popped up asking if I wanted to "open folders to view files" and sure enough, I can access my data on it and move information from my computer to it without the cyber trail.

And I work at a "hippa complainant" medical equipment company.

Funny thing is, since the person who sent the email is high enough on the food chain, they are still here while IT is checking to see if anyone emailed or copied it and threatening action against those employees.

i work for an agency under DoD...

[pointbeing]

...and was actually discussing the switch from Windows to Linux with couple friends of mine from the IA shop. I'm in charge of desktop PC support for this 3,300-user agency.

I'd like to preface things by saying that I use Linux exclusively at home and have for several years. No dual boot, no wine and no running Windows in a VM. I could do my whole job from within Linux if Firefox supported reading encrypted mail in Outlook Web Access and if there was something available for Linux that'd allow me to read Visio drawings in their native format.

Software costs are inconsequential so we'll ignore that argument for the time being. The biggest expense in an IT budget isn't software or hardware, it's people - and although things would settle down after a year or two the cost of migration is the showstopper here, not the cost of sustainment.

I've heard different stories about what caused the USB ban but for me the short version is that somewhere in DoD some sysadmin should have been fired. I can't say for sure what happened but at least two Defense Information Systems Agency (DISA) policies were violated - autorun wasn't disabled on the workstations and apparently workstation virus scanners weren't configured properly, so to minimize the threat DoD bans USB storage devices rather than fire the nitwit who wasn't doing his job.

Windows as a vector? Out of 3,300 users we had eight (yes, eight) security incidents in the last twelve months where a PC was infected by a hostile application - the reason I know this is I had to put that damn metric in a Powerpoint slide recently. Eight out of better than three thousand is a pretty good average, but the PCs still run like crap ;-)

They've authorized turning USB storage back on, but only for approved devices that will be encrypted and centrally managed - and USB storage will be enabled by device rather than by user. Unauthorized devices still won't work. We've decided that since folks have been working without thumb drives for two years we're gonna continue to let them work that way - we've got the infrastructure in place to authorize thumb drives by hardware signature but we don't plan to issue any to end users at this point.

DoD information security policies aren't written by Microsoft - Microsoft wouldn't hire anybody that stupid. Case in point - DISA mandates that LAN and WLAN interfaces on a machine can't be active at the same time but outside of creating separate hardware profiles for wired and wireless Windows doesn't support this configuration - and simply disabling network bridging doesn't satisfy the requirement. If you ask DISA how to implement this requirement they can't tell you. I can tell you there's a neat little application called Wireless AutoSwitch that'll do the job and it's dirt cheap, though.

But I digress.