DoD Networks Completely Compromised, Experts Say

AZA43 writes "A group of U.S. federal cybersecurity experts recently said the Defense Department's network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks."

or it is used as a tool

[FudRucker]

to spread misinformation to those foreign spys that only think they compromised DoD computers (naw too good to be true) the US Gov is too stupid to do anything like that

Re:or it is used as a tool

[g0bshiTe]

I'd hate to think the DOD would be dumb enough to keep sensitive data on a network that was internet accessible.

Re:or it is used as a tool

I just hope that they're RFC 2549 compliant, with (hopefully) an encryption layer along with that.

Re:or it is used as a tool

[elgeeko.com]

Honeypot was my first thought too. You could keep the enemy scrambling to build the mind control ray gun we developed back in the 80s using technology we stole from the cities on the far side of the moon. Knowing someone is hacking your system can be a lot of fun.

Re:or it is used as a tool

Actually it isn't just to make access easier. We do it to make working feasible. Im sure you've heard of problems like mine and gloss over it at work and online, Mr Important Security Expert.
Because of stigs, on our dod network I couldn't run the installer for the software we were developing. I also didn't have the development tools I needed. It took over 6 months to get a approval for new tools. Some tools, like virtual pc, would not be allowed. I usually just gave up on my wishes for tools just like the people before me.
I could go on. Security broke features of the tools that I did have. Hotdeploy didn't work in tomcat. Eclipse autocomplete didnt work. Random memory errors and terminated processes. Eventually, cut and paste would hang the computer for several seconds.
Additionally, much time was spent on forms. Finding them, completing them, finding the right person to give it to, and following up when that idiot doesn't pass it on to the next idiot.
And thats when I got a job working for a japanese company. See ya!!

Re:or it is used as a tool

[erroneus]

Consider working with something other than Windows. (I know, not always an option depending on who you are working for.) And as for Japanese companies... you don't, by chance, mean the Japanese defense contractor which was breached just like Lockheed and the others do you?

I completely believe and understand your point of view. It's completely valid. It's one of the many reasons why the MS Windows platform is simply bad for security. It's not only Microsoft's fault, but also the fault of crappy developers who do not respect security models... even the bad ones Microsoft has put forward.

To be frank, there's really no way to get out of the hole that is MS Windows without doing some drastic, ugly and unpopular things. 1. Microsoft needs to significantly change their next OS breaking compatibility with the previous versions. 2. Microsoft needs to review and somehow disallow software which does not meet security principles. The result of this type of move could be disasterous for Microsoft for many reasons, though. It could mean a huge backlash from developers. It could mean a huge rejection by users since they wouldn't be able to get access to applications.

Security is a PITA. No question about it. But when security is built into the OS, it helps a lot. Windows as we know it today, evolved from DOS. I know, I know, there's little if any DOS in Windows today, but its evolutionary genetics still show today.

And in some ways, it can't be helped that administrator/root is needed to install applications. I wouldn't have it any other way, actually. But requiring administrator/root to USE tools which do not affect the OS is quite a problem. And that problem comes from a wide range of bad practices by both Microsoft and developers for Microsoft's Windows platform. With the exception of OS manipulating/managing tools, I have yet to see this problem in Linux. In fact, I see the OPPOSITE occur when programs actively discourage and even DENY the ability to run as the 'root' user. That's a huge diference in programming/development culture.

And before anyone calls me a fanboy or a troll or whatever, I use Linux primarily... it's true. I also use and support Windows and I have to admit I have been warming up to Windows 7 quite nicely. I don't *HATE* Windows as much as you might think. In the end, I hold that I don't actually CARE what I run so long as it works. And your point, once again, is quite valid in that in "MS Windows reality" usability and security are, in practice, diametrically opposing needs. I'm here to say it doesn't HAVE to be, but to make a change is painful if not impossible.

It's not surprising...

[SCHecklerX]

... given the general below-mediocre quality of the contractors and government employees that work for the DoD, and the amount of senseless policies for policy's sake claiming to be for 'security' but, uh, no, not really. The people in charge are the worst.

I just started working for DoD again, and want to punch people in the face all day long.

Re:It's not surprising...

Hilarious. I'm a fed here in IT (not DOD) and feel the same exact way. There are idiots that are high up and make decisions without knowing the technical consequences. I keep telling myself they will retire and leave soon, but it never happens.

It's going to be interesting in the next 5 to 10 years as all of the old folks are going to retire, and there's no new blood to take over for them. I don't know how it is at other places, but that's how it is here. And unfortunately, the new blood (me) is getting too frustrated to hang around much longer because of idiotic decisions that are made.

I'm only hoping that things will change and people will step down... Surely, it can't be like this at every government facility!

DOD security, not so good.

Reminds me of when I was sent to a DOD site to try to figure out why everyone was scoring 97% on a certain test.

30 seconds of looking around and I had a pretty good guess:

(1) The unused tests were printed out in print runs of 10,000 and kept in an alcove in a dusty unused office. Said alcove had a plywood door with 18 inch gaps at top and bottom. Padlocked, but with the hasp mounted backwards, with all the screws exposed.

(2) There was a 50 page per minute xerox copier in the same room, no access card needed.

That was a rude introduction to DOD security measures, and the cluelessness of the security folks.

The problem with the DOD

[WindBourne]

is that they will do political things. As such, they have LOADS of windows. And yes, they are LOADED with spies (and the DOD knew it). However, I differ with the expert. NSA should step in and help DOD upgrade everything to a decent set-up. Secure Unix or Linux (with SEL). NO MORE WINDOWS. In addition, restore the security that we used to have back in the 80's. We have slacked so much that many of the contractors are spies. Hell, I have dealt with a probable Chinese spy that was married to a USAF officer.

The USS reagan should be refitted with secured systems, or we should simply send it in the middle east and allow Iran to blow it up (better iran than china).

What amazes me is that EU, Russia, and China are all brighter than so many of the idiots in the DOD and at American companies.

Re:cut the wire

[HBI]

This post above deserves an upmod. Unfortunately, I can not comment further.

Cyano-Acrylate

We use CA epoxy as a very effective security measure. For any commodity hardware we buy, we fill all of the USB ports with a CA epoxy that prevents access. We also use it to permanently attach mouse and keyboard. Motherboard USB headers are also filled with CA to prevent the casual attachment of devices (although users cannot physically get to their machines, since they are in locked cabinets, with IDS tied to building security. Same goes for unused SATA, PCIe, and other ports. Any plug that isn't used is made unusable.

PCs are on a network, but users have no physical access to cables, and similarly we use a secure cable type with a current loop and TDR to detect physical tampering. If the current loop is cut, building security knows precisely where the cut is within seconds.

There is no wireless, and no bluetooth. Employees are not allowed to bring in cell phones, MP3 players, or anything else with any capability of capturing data, and yes, we 100% search at the door with metal detectors and millimeter wave detection like you see at the airport (except we actually know how to use it). We're also in a steel building with no windows and and EMI shielding, just in case.

We're not on the Internet. We have absolutely no need to connect to it. Even if we did have a spy as an employee, they would have to reproduce anything they did on another machine outside the office in order to transmit it anywhere else. And obviously, there is no means to allow employees to "work from home" in their pajamas in sandals.

Any new software has to go through a thorough vetting process, and any vendor wanting to sell us software is required to allow us to load the source code and build environment onto our build farm, review and inspect the code for possible attacks, and then compile it ourselves. This is a lot easier to achieve than you might think.

Finally, we're old school. Everything is compartmentalized. The guy working on the math routines has no idea why he's working on them, or what they will be used for. All he knows is that he's a software engineer in charge of high-level math function development. He doesn't know what the product is or what it does.

Re:Best use of the word cyber ever!

[Lucractius]

I dont know how well the "original" hacker mentality of 'everything is worth poking at' mentality would be tolerated in a state run hack team.
I cant give much in the way of proof for this but this argument is based on organisational psychology vs personal psychology... but anyway

China, the USA, Russia... I would imagine that the dog tag & rank 'military' hackers are selected via a process much like test pilots (different criteria obviously)

If you show aptitude in mathematics, logic, and attention to detail, you get funneled into a program, they hone your skills and teach you computer security theory & practice much like the basics I learned in university courses.
The goal of a state organisation would be a 'state hacker' who's priorities rank something like 1) the defense of the state, 2) their own life, 3) hacking
I would not call these "Hackers". They are soldiers with computer security training who follow orders.

Most true to the name and tradition/ethos hackers will not have this ordering, so 'recruiting' or 'nurturing' "free range"/"wild" hackers doesnt fit well with the goals of any nation.
The idea that "no your not allowed to try that" doesnt sit well with a dedicated old school type hacker. Because the first place the mind turns is 'Why?'
They may decide not to do something (eg: hack a SCADA system & shut down a hospital, killing people) but this decision usually comes after they worked out how to do it anyway, just because it was there to be worked out.