Air Force Network Admins Found Out About Drone Virus Through News Story
Nemesisghost writes "Wired's Danger Room reports that the network admins of the 24th Air Force found out about the virus infecting the drone cockpits at Creech Air Force Base in Nevada by reading the earlier news article. Quoting: 'Not only were officials in charge kept out of the loop about an infection in America’s weapon and surveillance system of choice, but the surprise surrounding that infection highlights a flaw in the way the U.S. military secures its information infrastructure: There’s no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak of. The four branches of the U.S. armed forces each has a dedicated unit that, in theory, is supposed to handle cyber defense for the entire service. ... In practice, it’s not that simple. Unlike most big private enterprises, the 24th doesn’t have a centralized system for managing and monitoring its networks. There’s no place at the 24th’s San Antonio headquarters where someone could see all the digital traffic hurtling through the service’s pipes.'"
Compartmentalization AND Security through obscurity.
You can't make this stuff up.
Military intelligence.
Funny? Insightful? Informative? Troll. All four.
do they even bother to check ... apparently not
UNACCEPTABLE
When you have armies of people who don't want to pay taxes, this is what you get. Networking training is not cheap, and understanding it is not cheap. Finding people with enough knowledge combined to work across these systems is difficult and comes with a price.
... when the news pointed out recently that all the drone video surveillance footage is sent unencrypted? I know I found that a little surprising.
I wonder how much porn and illicit downloading goes through the military networks? In all the other computer networks I've seen, if no one is holding users accountable, the network will be abused.
So, tell me, again, how the virus got on the machines? A "thumb drive," you say? And, the virus keeps returning? Hrmmm...
Who thought this network infrastructure arrangement would be a good idea?
Standard security practice for high-reliability systems is that they don't get on the internet, and you lock them down so the operators can't install software. So how could a glorified arcade machine get infected? Oh, that's because the men running it like to play games (that aren't installed), so they bring them in on USB sticks and badger the admins to unlock the machines so they can install them. Or the network admins are incompetent.
Just about every possible problem has been discussed on slashdot before.
Trying simple things to lock down military PCs, such as sealing up CD-ROM/DVD drives and USB ports, is defeated by the motivation of troops wanting to listen to their MP3 collections or view family videos.
Then the security of actual networks isn't done because the admins are also engaged in regular military duties. They only have enough time to get any system set up before moving to the next assigned work task.
Research groups also have students going in and out as well as working remotely from other sites.
DTi has a report that the level of hacking was so bad that even the group conferences by telephone networks were being accessed remotely.
When nuclear weapons were new, each branch of the military tried to become the 'nuclear' arm by introducing new weapons systems and trying to impress politicos with how they should be the ones with the budget and prestige. We don't need multiple branches of cybersecurity forces, we need one branch that can handle it all. Time to dump the military romanticism of the 18th century that divides our military into earth/water/air/fire/heart and reorg. Hell, maybe we even need another side to the Pentagon for cyberwarfare.
Ok, is this what they meant by downgraded provisional cyber command? As in, a room with pictures of maps on big flat screens and no actual command of anything? If this is the best the most elite hackers our military can muster, then I think my wife should try and apply. She knows how to use Excel pretty well.
..military, they really excelled when they added those bottom two mental categories (Category 5, unbelievably dumb, and Category 6, do not compete with a Pet Rock, sir!). Seriously, though, this is a prime example of what transpires when they've shipped the bulk of tech jobs offshore (as of July, 1999, there has been NO NET NEW job creation in the USA --- thanks Wall Street!!!): they keep erasing it and it just keeps coming back. Hmmm......and they do bisynchronous broadcasting: back and forth between the control element and the drones.....hmmmm....wonder why it just keeps coming back and back......who is next in line to control Skynet, me wonders????
We don't and probably won't ever really know the true nature of this virus. Assuming there is a C&C outside the network or a traitor inside, the thing probably was either told to self-destruct, plant a bogus virus and delete its trace - or it was manually deleted. And since no one was actively monitoring the systems, I'm guessing their logs and back-ups are in such a disarray that forensics won't yield much about the original infection.
*sarcasm* way to go, Obama. You can hire the world's best data mining and marketing scientists to crunch social media trend numbers for your campaign, but you can't secure the military which looks to you as their top chief? No, no, I'm not trying to be political... but that is very ironic and shows in general how as a whole our country's investment in computer tech is misplaced.
Anyways, since we can't privatize our intel, obviously we need to invest more money into educating, training or hiring decent (or better) cyber defense and security experts. And monitor our systems with a combination of 24/7 human and algorithmic plus machine learning AI. It needs to be a 110% top priority starting now. A strong policy there will also stimulate growth in the field - education will expand, demand for skilled workers will increase, and the computer industry as a whole will benefit.
So apparently Wired had the story in the first place, and now they have a second story reporting that the Air Force never knew about the problem until reading about it in their first story? There are two serious problems here.
First, it seems like Wired has motive for some exaggeration or misrepresentation here: "Our investigative reporting is so top notch they don't even know they're being investigated!" Certainly major exposés make it to press without a leak, it happens all the time, but any journalistic entity has ample motive to over-emphasize their cunning and resourcefulness. How about we rely on more than one source for these things, maybe?
Second, and much more importantly, if Wired really did manage the entire investigation completely under the radar, then they went to press with information about severe flaws in a military weapons system before even telling the government about it. That's unforgivably irresponsible. At minimum the Air Force deserved a direct and forceful communication from Wired the very minute the story went public, if not slightly before: these are weapons systems we're talking about, and remote controlled at that. Getting maximum impact for your story and not giving the government time for a cover up is one thing, but national security isn't just some neoconservative buzzword; some things really are secret and sensitive for good reason. You don't just scream "Top Secret files open on this desk over here!", even if there are files there. It's stupid and damaging.
This is no different, in many ways, from finding flaws in Microsoft products or credit card systems: you give the people who need to fix it some kind of heads-up before you go splattering it all over the internet. Yes, if you don't go public no one ever learns and no one is pressured to fix their problems, but going public before you even consider how you're going to communicate with the affected developer is just stupid grandstanding.
That's a headline we may see if we lose control of those things.
Regarding irresponsibility, it's not that the AF didn't know about the virus. It's that the folks at 24th AF didn't know about what was going on at a unit level at Creech AFB. :)
Ergo... It's that the right hand knew about the virus but hadn't told the left hand because they had told the right knee and thought it was the knee's job to tell the left hand
So Wired wasn't truly irresponsible (though the folks at Creech that revealed a military cyber vulnerability to the general public were very irresponsible)
Start by hiring people based on skills and not BAs. In IT, hands-on work / training / tech school is a lot better than a 4-year CS class load.
Also, there needs to be a way to get tech people in without the boot camp part and/or having to deal with all the rank crap or the move-up-or-get-out idea. Some tech people can do well as managers, others not so much.
Also, stay away from lots of non-tech managers.
eom...
Yes but on the other hand if you find flaws in Microsoft or credit card systems the worst that would happen is some fraud and/or inconvenience if the flaws are exploited. The possibility of automated remote controlled murder is a different thing entirely and should perhaps be treated differently. Going public early with maximum sensationalism might increase the likelihood of people realising that remote controlled killing machines are ultimately too dangerous to us all to allow their continued proliferation.
... I'm technical and I made it in boot camp (USMC). Every Marine a rifleman. It's not hard, and they don't just want IT people. Yes, maybe if we get rid of boot camp and increase the pay for certain jobs and stop requiring everyone to know how to shoot, then the IT staff might be a little better, but I really doubt by much. There are some smart guys in the military; things like this are usually a management issue.
from TFA: There’s no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak
Maybe it's for the better. If there was central control of the whole network, it would make a great target for attack.
So apparently Wired had the story in the first place, and now they have a second story reporting that the Air Force never knew about the problem until reading about it in their first story? There are two serious problems here.
Not if you bothered to read the article. Here is the first paragraph:
Some people in the Air Force knew, but they did not notify their own network security organization. If true, then that is irresponsible behavior by Air Force personnel, and something we should thank Wired for reporting.
Having said that, I also have to admit that I'm confused about who knew what, and who was denied information. The original Wired story speaks of efforts to eradicate the malware:
One can only hope that the new bunch of security people who just found out about the malware via the Wired article are more competent than the first ones, who leaked the information to Wired. Was the leak itself irresponsible? I truly can't tell: when incompetence in handling such deadly weapons reaches such empyrean altitudes ...my mind boggles. Clearly, no one connected with this weapons system knows what they are doing, nor do they seem overly concerned.
Perhaps a bit of mental clouding is to be expected among individuals who run a weapon system "allowing U.S. forces to attack targets and spy on its foes without risking American lives"—apparently by killing them. Doublethink and duckspeak aren't conducive to organizational efficiency...but that's the price you have to pay to keep the terrorists from winning.
Part of the shuffling around that created Cybercommand also created the 24th Air Force to be the AF's IT shop. They're still standing up and taking over operations from all the separate units.
So it's not completely surprising they wouldn't know about it. They may not have taken over at that base yet.
If they'd get the buzzword-happy officers out of there, in favor of brass-tacks "Network Security," we might see an improvement. Unlikely to get funded, though.
1) The network goons know they should report it. They dun goofed, they are in BIG trouble.
2) Had this virus been on a network that crosses into the Internet then it WOULD be detected. End of story. Even if it didn't cross into the Internet, it was detected by HBSS - aka anti-virus. Somehow the reporting dun broke down.
3) There will be fallout, but most of this is FUD, telling the narrative "OMG teh US Military is not ready for CyberWarz!" Ok, chicken little, settle down... unless you are an airman in the networking section at Creech, everything is fine. There are many, many layers to this tootsie pop, and even if it were full of shite it would take a while to get to that center of excrement. These guys blew it and didn't report the problem to anyone other than Wired?
... I'm technical and I made it in boot camp (USMC). Every Marine a rifleman. It's not hard, and they don't just want IT people. Yes, maybe if we get rid of boot camp and increase the pay for certain jobs and stop requiring everyone to know how to shoot, then the IT staff might be a little better, but I really doubt by much. There are some smart guys in the military; things like this are usually a management issue.
Well, you want IT people to be IT, not riflemen or other stuff that can let them be pulled from IT to a non-IT rifleman job, even more so for a stateside job.
Also, there are IT people who are too old for boot camp and/or are hacker types / people with Asburger / other stuff who can do an IT job but can't be the type of person you want on the front lines as a rifleman, or the people who will fail boot camp.
It needs to be outside of the enlisted / officer side of things. Maybe direct commission, like with scientists, pharmacists, physicians, nurses, clergy, and attorneys.
it will end up just as bad with more cover ups.
This means that the Obama Thing residing in the White House can not direct the Predator Drones to Kill USA citizens per recent secret executive order of the President of the United States of America Barack Hussein Obama II.
Wonderful.
Jolly Good.
A real Sucker Punch to Obama Boy!
Obama Boy needs a "Round House" Soccer Kick to 'es Nuts I'd say.
Send the bastard to the turf. Then land a boot on 'es neck. Sure to send 'em to Walter Reed for extended recoups just to survive.
Bastard Obama never should 'ave been born, I say.
LoL
"Windows" was Orange Book C2 rated in the 90s on Windows NT v3.5 SP3 on 3 certain Compaq hardware specs, with no CD drive, floppy drive, no modem and no network connection. How much different could it be now? We have been told Windows 7 is the MOST SECURE Windows yet... so it's gotta be better now than in the 90s. Right? The saying "Remember Ed Curry!" keeps popping up in my head for some reason.
greg, REMEMBER ED CURRY!!!
Have you ever tried to report a cybercrime? It's a difficult and mostly useless process. The local office will take your report, perhaps even thank you for the information, and if it involves real money they may even report it to a central office. Then, in each of the half-dozen cases I've seen personally, there will be _no_ effective followup. The only action I've seen has been when equipment was physically stolen, in bulk, from a multi-national corporation that deals regularly with federal law enforcement agencies.
Wired may well have reported the issue and been entirely ignored. This tendency to passively ignore, and do nothing about, cyber security incidents is precisely why public exposure of the flaws has historically been far more effective than quietly reporting flaws and letting the vendor, or law enforcement, act at their own leisure. This is embodied by CERT, where both casual and profound security flaws are reported on a daily basis and profound flaws have remained unaddressed for over a decade at the request of the vendor of the flawed products. These flaws are still in effect, and the exploits are still used, so the silence is benefiting only the profits of the vendor and the crackers themselves.
Having spent many years in uniform and in a SCIF, you find holes all the time, but can't report on them for fear of reprisal.
It's 100% about CYA and the security goes "unnoticed".
Those of us who were naive enough to think that pointing them out would result in them being fixed instead walked away with LRO's and Article 15s.
The military hierarchy does not support real computer/network security.
You don't rock the boat.
Well, you want IT people to be IT, not riflemen or other stuff that can let them be pulled from IT to a non-IT rifleman job, even more so for a stateside job.
IIRC 'every man a rifleman' is characteristic of the Marines, and not the same as other branches. The Marines consider it very important that every member of the team can operate that way. This is related to the particular job that Marines are intended to do, operating as small groups often out of touch with higher levels of command. So everyone on the team has to be able to pick up the slack when they lose someone. (IANA military guy - I've just read a lot.)
It's worth noting that in Desert Storm the Marines had their own network architecture (I think it was based on Banyan, an early proprietary windows-centric ethernet architecture). They brought in several thousand computers and had their entire network up and running in something over a week, from a bare patch of sand with no power. Pretty impressive for 1991. The other services, not so much.
Did you mean Assburger?
When I worked with the military as a contractor they were in the process of implementing a policy of turning off telnet access to their networks. When they did turn it off, they had not set up an alternative such as SSH, and as such no one could do their jobs. The admins at the Air Force bases didn't know how to set up SSH, and thus they simply went back and set up telnet.
Even during the interim "outage" when telnet was turned off, there was one base still allowing telnet access, and you could actually log in there, and they had set up a kind of proxy that let you access any other Air Force base. It was like they created a backdoor to the systems of other Air Force bases.
It was simply an issue with the knowledge level of the admins that seemed prevalent across the 30+ Air Force bases that I worked with. Probably a lot to do with the environment and their methods of encouraging advancement, training, and continual education.
I am.
The fact that they don't have a means of broadcasting alerts to the technicians is a sign of an absolutely scary level of incompetence.
Are the launch codes for the nuclear arsenal as well protected and monitored as the drones? If so, the entire world should be terrified of American incompetence.
What you've just suggested is the same error clueless bureaucrats make about technology, except in reverse; the other side of the same coin.
PHBs who have no idea how computers or networks work say to organize or administrate them in a way that makes sense for organizing tangible items with physical problems, but utterly fails when applied to computers.
You have suggested organizing the branches of the military according to the way a computer network should be organized. Worse, you've suggested this not only regarding the branches' computer networks, but also regarding military operations.
Not only do you ignore the inter-service cooperation that already exists, but you ignore the pointless extra division that your idea would entail, like having AF pilots flying aircraft off carriers or flying Blackhawks full of Army troops. In both cases, the AF pilots would be working exclusively with members of the other branch, so what would the point be of having them under a different CoC? They'd end up assigned to TDY under another branch...in which case they might as well be in that branch in the first place. It really doesn't help unit cohesion to have artificial divisions between, e.g. the chopper pilots and the troops they carry around and support.
Are you even aware that the Marines are under the Department of the Navy? Sheesh.
The drone control systems should be completely isolated physically. A secure drone control network should be devoid of any physical/wireless/removable media connection to anything other than drones and other drone control devices under local command. This must include input vectors such as removable media or anything other than secure updates installed by military personnel.
Think STUXnet.
Or perhaps SINOnet?
Paranoid? Or not paranoid enough?
One would think analyzing your own data traffic would be a good thing. sheesh...
If they're stupid enough to use Windows, why should we expect them to be smart about anything else? I was hoping the military would be more sensible than to use an OS with a history of security issues. It's only a matter of time before terrorists manage to hit us with our own weapons. It's pretty pathetic when we grow up in a computer centric culture and yet we allow people without adequate computer knowledge manage IT in the military as well as companies.
Networking engineers tend to be fairly braindead. They seem to think that as long as their switches are up and you can ping a server, it can't be a problem with the network. This seems to be universal.
"There's no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak of. "
I am shocked that the US runs its country like this. Build a big switch and glue someone's hand to it immediately, you crazy fools.
no IDS? no network sniffing?
What's really amazing is that no one at Creech AFB bothered to tell their cybersecurity guys for two weeks, even after they knew they had it. Imagine that! For two weeks!!! So, since no one outside Creech knew of the exploit, it makes me wonder who broke the story that finally informed the security folks. Obviously someone at Creech who knew about the virus and was somewhat upset that no one was reporting it.
The USAF has more problems than just security. It has some serious disciplinary issues.
At the end of the day, at some point, those in power need to recognize that IT security is both a pervasive issue throughout the organization and a critical military asset for future operations. We couldn't fight wars of the past with IT, but wars of the future will certainly have an IT component. A distinct branch of service is needed.
One would think analyzing your own data traffic would be a good thing. sheesh...
It's normal practice for the military's network admins to be charged with keeping the machinery up and running while at the same time being STRICTLY PROHIBITED from ever seeing the contents of any of the data or traffic itself. Sure, they can place a deep packet inspection network security appliance inline with a network feed but the personnel are never allowed to know, or ever see what the appliance itself is seeing.
And I thought it was bad when we find out about virus infections when our firewall blocks the spambot...
The armed forces are switching to Windows since thats what an all-volunteer military can understand.
Perhaps a bit of mental clouding is to be expected among individuals who run a weapon system "allowing U.S. forces to attack targets and spy on its foes without risking American lives"—apparently by killing them. Doublethink and duckspeak aren't conducive to organizational efficiency...but that's the price you have to pay to keep the terrorists from winning.
Uh, anybody who joins the military should know that their primary function is killing people, or making other people more effective at killing people, or otherwise helping to kill people. I'm not sure how that results in mental clouding - pretty smart people have been killing each other since the dawn of time.
And inefficient organizations are hardly something unique to the military. When people find a mistake in their records how many people drop what they're doing and call the corporate auditing group to tell them about it, versus just fixing it and hoping it never gets noticed? The only thing unique to the military is that organizational foul-ups can result in the wrong people getting killed.
I think it would not be so difficult to know the difference between expected data streams and unexpected data streams without ever knowing the content of the streams. IP addresses, MACs, ports, and any app info is all you need. There is no need for deep inspection.
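The point made just above (that expected versus unexpected traffic can be told apart from addresses, protocols and ports alone, with no need to see payload) and the earlier telnet-to-SSH anecdote (a port 23 session should simply not exist once SSH is the sanctioned path) can both be demonstrated with a small baseline check over flow metadata. The following is an added example, not code from the article, the 24th Air Force or anyone in this thread. The address plan, the expected-service table and the log lines are constructed for the example; the log format is an invented 5-tuple summary of the kind a NetFlow or firewall connection log would yield.

```python
"""Flow-metadata baselining for an isolated control segment (added example).

Alerts are raised from 5-tuple metadata only: source, destination, protocol,
destination port and byte count. No payload is read, so an analyst who is
barred from seeing content can still run it. Hosts, ports and log lines are
constructed for the example, not taken from the article.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: the control segment and the services it may use.
CONTROL_NET = ip_network("10.20.0.0/24")
EXPECTED_SERVICES = {
    # (destination, protocol, port): what the flow should be
    ("10.20.0.5", "udp", 5004): "telemetry/video relay",
    ("10.20.0.5", "tcp", 443): "mission data server",
    ("10.20.0.9", "udp", 123): "ntp",
    ("10.20.0.9", "tcp", 22): "ssh administration",
}
# Cleartext management protocols that should never appear once SSH is in place.
CLEARTEXT_MGMT = {23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}

# Constructed log format: "<timestamp> <src> -> <dst> <proto>/<dport> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"(?P<proto>tcp|udp)/(?P<dport>\d+)\s+(?P<nbytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one flow-log line; return None for malformed input instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]), int(m["nbytes"]))


def classify(flow):
    """Return the reasons a flow deviates from the baseline (empty list = expected)."""
    reasons = []
    src_inside = ip_address(flow.src) in CONTROL_NET
    dst_inside = ip_address(flow.dst) in CONTROL_NET
    if not src_inside:
        reasons.append(f"source {flow.src} is outside the control segment")
    if not dst_inside:
        reasons.append(f"egress to {flow.dst}:{flow.dport}/{flow.proto} from an isolated segment")
    if flow.proto == "tcp" and flow.dport in CLEARTEXT_MGMT:
        reasons.append(f"cleartext management protocol ({CLEARTEXT_MGMT[flow.dport]})")
    if src_inside and dst_inside and (flow.dst, flow.proto, flow.dport) not in EXPECTED_SERVICES:
        reasons.append(f"unbaselined internal service {flow.dst}:{flow.dport}/{flow.proto}")
    return reasons


def audit(lines):
    """Classify every parseable line; return (list of (flow, reasons), unparsed_count)."""
    alerts = []
    unparsed = 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1
            continue
        reasons = classify(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts, unparsed


# Constructed sample: three baseline flows, one internal telnet session,
# one outbound connection that should be impossible on an air-gapped segment,
# and one malformed line to exercise the parser's failure path.
SAMPLE_LOG = """\
2011-10-08T03:15:02 10.20.0.12 -> 10.20.0.5 udp/5004 184320
2011-10-08T03:15:03 10.20.0.12 -> 10.20.0.5 tcp/443 9216
2011-10-08T03:15:04 10.20.0.12 -> 10.20.0.9 udp/123 76
2011-10-08T03:15:09 10.20.0.31 -> 10.20.0.9 tcp/23 1460
2011-10-08T03:16:00 10.20.0.12 -> 203.0.113.7 tcp/80 512
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for flow, reasons in found:
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: " + "; ".join(reasons))
    print(f"{len(found)} alerts, {bad} unparseable lines")
```

The allowlist approach is what makes this workable on a closed segment: the set of legitimate destination services is small and static, so anything not in the table is worth a look, and an egress flow from a segment that is supposed to have no route out is an alert on its own regardless of port. Running it against the sample flags the telnet session twice (cleartext protocol, and a service nobody baselined) and the outbound HTTP connection once, while the three expected flows stay quiet.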
If a war started right now we don't know who would choose where any of the major weapons would be pointed. Anonymous? The NSA? China? Russia?
Of course the really secret weapons (buried by the opposition under Soviet and American cities) are probably still just as effective as they were when deployed in the 60s and 70s.