Slashdot Mirror


Iran's Hacking of US Navy 'Extensive,' Repairs Took $10M and 4 Months

cold fjord sends news that Iran's breach of a computer network belonging to the U.S. Navy was more serious than originally thought. According to a Wall Street Journal report (paywalled, but summarized at The Verge), it took the Navy four months to secure its network after the breach, and the repair cost was approximately $10 million. From the article: "The hackers targeted the Navy Marine Corps Intranet, the unclassified network used by the Department of the Navy to host websites, store nonsensitive information and handle voice, video and data communications. The network has 800,000 users at 2,500 locations, according to the Navy. ... The intrusion into the Navy's system was the most recent in a series of Iranian cyberoffensives that have taken U.S. military and intelligence officials by surprise. In early 2012, top intelligence officials held the view that Iran wanted to execute a cyberattack but had little capability. Not long after, Iranian hackers began a series of major "denial-of-service" attacks on a growing number of U.S. bank websites, and they launched a virus on a Saudi oil company that immobilized 30,000 computers. ... Defense officials were surprised at the skills of the Iranian hackers. Previously, their tactics had been far cruder, usually involving so-called denial of service attacks that disrupt network operations but usually don't involve a penetration of network security."

25 of 147 comments

  1. Asymmetrical warfare by cold fjord · · Score: 5, Insightful

    Missiles, ships, planes, tanks, and large groups of soldiers all cost a lot of money. As long as you have them you are on a perpetual upgrade cycle if you don't want to be outclassed. A geek with a computer is pretty cheap, can do a lot of things, and cause a lot of really inconvenient problems. If there is one thing Iran probably isn't short of it is smart people that like to play with computers. It isn't 1988 anymore, and the world has heard about the internet.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Asymmetrical warfare by ZouPrime · · Score: 5, Insightful

      This is very true, but from the POV of the US, it is also a great argument for continuing to invest in offensive cyber capabilities.

      In the end, it costs way less to attack a network than to secure it properly. And unfortunately, this asymmetrical situation could remain true for a long time.

      This also can lead to a cult of the offensive:
      http://en.wikipedia.org/wiki/Cult_of_the_offensive

    2. Re:Asymmetrical warfare by khasim · · Score: 5, Interesting

      My first question would be ... how are we sure that Iran did this?

      The second question would be how did whoever do it? We've heard about how the NSA/CIA/etc are stockpiling zero-day exploits. Stockpiling them instead of helping the vendors fix them. So were our systems cracked by an enemy using an exploit that we knew of?

    3. Re: Asymmetrical warfare by aslashdotaccount · · Score: 2, Interesting

      You're spot on! Most of these organizations blow things massively out of proportion to attain more funding for their so-called 'research'. Even a relatively harmless virus in the POS computer of a staff knick-knack shop would be reported as a 'possible avenue for compromising the high-value intelligence networks'. That goes on to trigger an agency-wide investigation, which ends up in the request for funds to conduct the said study. The studies are then sourced to organizations with ties to the IT heads of the principal agency, thus spreading the goodwill, and getting some in return.

      It's also a cycle that's endorsed by all major software vendors. They always ensure that a certain amount of uncertainty goes into the security assurance of their products and services so that there's always 'room for improvement'.

    4. Re:Asymmetrical warfare by Anonymous Coward · · Score: 3, Insightful

      > Stockpiling them instead of helping the vendors fix them. So were our systems cracked by an enemy using an exploit that we knew of?

      This is an interesting question; it's still not enough. Experience in OpenBSD's audit process shows that a single vulnerability is an entry to finding other bugs. If you fix all of the similar bugs in your code then you very likely fix vulnerabilities you will never realise you had. The NSA (and the GCHQs) should be using its government purchasing power to

      • insist that the source code to all software used by their nation is available to them; recommend against code without the source code
      • actively identify and report vulnerabilities
      • build automatic tools which identify all similar bugs in the vendor's code
      • offer support to vendors in building their own tools to do similar things
      • again; recommend against and (for networks where they have access) insist on replacing software where the vendor doesn't then rapidly fix those similar bugs

      This kind of work would make the internet safer for everyone. It would interfere slightly with some of their spying work, however the benefit of having a safe, stable, secure internet would vastly outweigh that. Even so they would find plenty of space in a) software targeted to other nations and b) systems yet fully upgraded to be able to continue that work.

      When they fail to do this they are failing in their duties.

    5. Re:Asymmetrical warfare by Gogo0 · · Score: 2

      DoD public-facing servers are supposed to be cordoned off, DMZ'd, hardened to the point where they're nearly unusable, and not contain anything but data classified as PUBLIC (ie, lose the server and you lose nothing important). These are part of many DISA requirements that simply weren't followed. These guys were lazy/bad/apathetic - they aren't now (though still getting paid the same, so why should they care).

      The "Bloodstream" is just some official talking out of his ass about something he doesn't understand, unless he is talking about the DISA network the navy rides (which could /correctly/ be analogized as the 'bloodstream' of the global navy network). But that would be actual serious shit, and a different story altogether. Or maybe it's a regional/theatre ops center with connections to lots of enclaves. Who knows.

      My guess is that the web admins had a lax PKI implementation and local admin accounts that shared username/password with other servers. This "bloodstream" thing makes no sense as there are supposed to be physical and logical boundaries between enclaves. How much access do you have to your ISP's equipment? DoD networks are supposed to be like that to compartmentalize things.

      Really, most of the explanation of what actually took place sounds like gibberish.

    6. Re:Asymmetrical warfare by AmiMoJo · · Score: 2

      > My first question would be ... how are we sure that Iran did this?

      Because we have always been at war with Iran.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Asymmetrical warfare by quenda · · Score: 2

      > I just learned it was, maybe not all that surprising, western nations (GB and France) who made those nations/borders in the first place..

      > The enemy of peace and stability have likely often been western military powers interfering and destabilizing regions.

      That's a very bold accusation, coming from someone who admits to being one article away from complete ignorance on the subject.
      The British and French were trustees of those lands after the collapse of the Ottoman Empire. They had promised independence to the Arabs, for supporting them in WWI. What were they supposed to do? Leave the Arabs to sort out a diplomatic solution amongst themselves?

    8. Re:Asymmetrical warfare by joss · · Score: 3, Interesting

      Most of what you say I agree with but:

      > A good bit of the code is actually somewhat amateurish

      Citation needed. Or, to put it less politely, are you out of your fucking mind? Stuxnet is the most advanced piece of malware ever discovered, and it worked. I don't believe you have access to the original source code so, can you justify this comment in any way?

      --
      http://rareformnewmedia.com/
    9. Re: Asymmetrical warfare by jd2112 · · Score: 2

      > Even a relatively harmless virus in the POS computer of a staff knick-knack shop would be reported as a 'possible avenue for compromising the high-value intelligence networks'.

      And yet thousands of compromised POS systems (Target, Neiman Marcus, et al) aren't sufficient to switch to a more secure payment system.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    10. Re: Asymmetrical warfare by Mabhatter · · Score: 4, Insightful

      That's ok, we attacked their infrastructure with damaging programs first. If the CIA is gonna play with hackers, they'd better make sure the rest of the military is ready to play ball too.

      It's not like the navy had a few years of notice after Stuxnet that the Iranians were going to take a shot back. If the navy can't hang with the big kids, they better stay out of hacking OTHER countries, eh.

  2. Maybe they learned by Megahard · · Score: 3, Interesting

    By studying Stuxnet.

    --
    I eat only the real part of complex carbohydrates.
    1. Re:Maybe they learned by rtb61 · · Score: 2, Informative

      Far more likely the US congress running around all the time threatening to kill millions of Iranians to keep Israeli campaign donors happy has motivated a lot of high order Iranian thinkers to work together to thumb their noses at the US dogs of war.

      Real reason why the failure, US computer security services were far too busy attacking everyone else, purposefully leaving holes in the system and in some super crazily deranged false flag attack creating new ones for others to exploit which is OK so long as they can also exploit them (seriously WTF). Want security in the US then completely separate cybersecurity defence from offence and remind defensive system that they should consider offensive systems as the enemy and if they catch them operating within domestic territory they should be arrested and prosecuted.

      Until then expect to routinely fail on the defensive side because it is harder and there is more opportunity for promotion impacting failure (success is the expected norm, failure is punished). On the attack side of course failure is completely ignored (failure is the norm, success is rewarded). Not to forget that success on the attack side requires your targets to fail. I'm sure anyone with half a brain can see the problem this creates, well, perhaps not your typical US politician or military type. Hint, you create a system where attack is promoted and those within the system prefer the attack side because that's where the promotions are and defence is where the losers end up because success for them is never rewarded but failure is a guaranteed career killer (which is why you separate them). Attack will also hide information from defence to protect it so they can use it, whilst demanding all information from defence in order to create new attacks and weakening defence.

      --
      Chaos - everything, everywhere, everywhen
  3. Maybe they watched Iron Eagle... by TWX · · Score: 2

    ...and figured they could get some much-needed F14 parts if they requisitioned planes to be outfitted special for missions...

    --
    Do not look into laser with remaining eye.
  4. Let's hope... by Ichijo · · Score: 2

    ...the Navy saved taxpayers at least that much by not having tighter security.

    Well, it was a nice thought.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  5. Tit for tat by Sigurd_Fafnersbane · · Score: 3, Insightful

    They seem to learn fast, also they have a lot of good engineers. We should expect some kind of response to Stuxnet and I guess we have established by Stuxnet that electronic warfare is OK for countries to do against each other.

    It is going to be much harder to stomach the day some Air-force guy is taken out by a drone attack in Virginia with a missile to his car as he is delivering his children to Kindergarten.

  6. Re:False flag? by Ralph Wiggam · · Score: 4, Informative

    The Marine Corps' budget is $29B per year. An extra $10M would be an increase of 0.03%. The Department of Defense budget, minus the money spent on individual military branches, is $190B. $10M is 0.005% of that.

  7. Poor practices already have massive consequences by Anonymous Coward · · Score: 2, Informative

    It's not just the military or Iran. We choose to twiddle our thumbs and write it off as a rarity. Most companies don't even realize the drastic damage it's doing. When your competition in China has all your secrets and make identical clones of your products for a fraction of the price how do you expect to stay in business? Iran's impact is probably insignificant in the scheme of things. It's industrial espionage and 'theft' of proprietary information that's the major problem. Iran's just an exemplary example at the moment, but in reality most of these attacks are just swept under the carpet until the system breaks down utterly and completely. All the while you wonder why American companies are selling out their core businesses. There is nothing left the competition doesn't already have.

    The only answer to this problem is defaulting to hardened systems, moving away from auto-on for stupid default setting (macros, javascript, etc), etc.

    But your company uses Microsoft Windows? ohh never mind. Keep doing what you're doing. I'm sure you'll survive given nobody ever went wrong with that!

  8. I know how to use HMI/SCADA to detonate things by IgnorantMotherFucker · · Score: 2

    this was clearly explained to me by the principal author of the HMI/SCADA program that I'd just been hired to work on. I later resigned in protest.

    It's been long enough I figure they've fixed their security holes by now.

    Despite their taking industrial safety very seriously, the company owner thought it was quite fucking funny that his product was totally shot through with security holes.

    HMI/SCADA: Human-Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for what most would call industrial control systems.

    The Stuxnet and Flame worms attacked our competitor Siemens' HMI/SCADA, but only when the installations were in Iran. Particularly they spun the Uranium Hexafluoride Gas Turbine Centrifuges far faster than they could tolerate, thereby damaging them.

    It's not like the Iranians don't know how to write computer programs. Maybe right now would be a good time to move way the Hell out into the countryside, and invest in some HEPA filters and lots of solar power.

    HEPA filters can get plutonium dust out of the air you see.

    --
    Please mail me URLs of software employers.
  9. The US Navy has lots of windows boxen by IgnorantMotherFucker · · Score: 5, Informative

    I know this because a client I once consulted for, sold 400,000 licenses for their Windows product to the Navy.

    Windows isn't so bad if it's properly locked down, but it's not really possible to do that unless all of your applications are Windows Logo-compliant, for example they don't store end-user documents in the Program Files folder. I expect the military has a lot of homebrew software they absolutely need to use, that prevents Program Files from being locked down.

    Also everyone who actually administrates a windows box, has to actually know how to lock it down.

    The Navy's Smart Ship technology is being considered a success, because it has resulted in reduced manpower, workloads, maintenance and costs for sailors aboard the Aegis missile cruiser USS Yorktown. However, in September 1997, the Yorktown suffered a systems failure during maneuvers off the coast of Cape Charles, VA., apparently as a result of the failure to prevent a divide by zero in a Windows NT application. The zero seems to have been an erroneous data item that was manually entered. Atlantic Fleet officials said the ship was dead in the water for about 2 hours and 45 minutes. A previous loss of propulsion occurred on 2 May 1997, also due to software. Other system collapses are also indicated. [Source: Gregory Slabodkin, Software glitches leave Navy Smart Ship dead in the water, Government Computer News, 13 Jul 1998, PGN Stark Abstracting from http://www.gcn.com/gcn/1998/Ju... ...

    ``Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor,'' said Anthony DiGiorgio, a civilian engineer with the Atlantic Fleet Technical Support Center in Norfolk.

    --
    Please mail me URLs of software employers.
  10. Re:Asymmetrical warfare - Not by bkmoore · · Score: 4, Interesting

    We're not at war with Iran, and no sane person in the U.S. or in Iran wants a shooting war. IMHO, what we have here is more of a cold-war style cat and mouse game where each side tries to provoke the other and see how far they can go. Examples being Iran supplying arms to Shiite militias in Iraq, Iran being involved in proxy wars in Syria and Lebanon, taking Americans hostage, and developing a nuclear weapons capability. The U.S. responded with Stuxnet and probably a few other things that we don't know about. In the end it's really about gaining some sort of political bargaining advantage and to have a stronger bargaining position when the time for deal making comes.

    Iran is also the regional heavyweight, and they're not a bunch of modern-day spearchuckers as the parent somehow implies. They do have a professional conventional military with semi-modern weapons systems. They also have the ability to maintain, develop and upgrade their weapons systems. The main difference between Iran and the U.S. is that Iran lacks the global logistical capabilities that America brings to the battlefield, and the depth that the U.S. has in any fight. The Iranians would lose a conventional battle with the U.S. and both sides know this. Defeating the U.S. in a conventional battle probably isn't a factor in Iran's military planning. They're more focused on regional domination, especially if and when the U.S. pulls out of the middle east. Without the U.S. backing of the Gulf states, Iran would probably be able to defeat any of their neighbors in a conventional war, at least in theory. Without the U.S., the only country in the region that might defeat Iran would be India.

    If somehow forced into a conventional fight with the U.S., Iran could, with the right leadership, inflict heavy damage before being defeated. But Iran is a very old country. IMHO, they're playing for time and will poke us at any chance they get. As Sun Tzu once said, "If you wait by the river long enough, the bodies of your enemies will float by." In more modern terms that is called, "strategic patience."

  11. Re:False flag? by NoKaOi · · Score: 2

    > The Marine Corps' budget is $29B per year. An extra $10M would be an increase of 0.03%. The Department of Defense budget, minus the money spent on individual military branches, is $190B. $10M is 0.005% of that.

    Another figure to put it in perspective: 5% of the cost of a single F-35 or F-22.

  12. Third question by ThatsNotPudding · · Score: 2

    Do we bother believing the DOD telling us another story about big, bad, Muslim wolves and the need for endless war footing?

    And if they spent $10 million, no doubt about 75% of that was wasted, poured down the maws of corpulent military contractors (cui bono).

  13. Re:Reading between the lines by Smauler · · Score: 2

    > I am against violent extremists, aren't you? Certainly many ordinary Muslims are against the extremists and just want to live in peace.

    I think the Palestinians have been saying this for ages, but Israel's armed forces don't seem to be listening.

  14. Re:Reading between the lines by Uberbah · · Score: 2

    > Hamas isn't saying that. They are still committed to the destruction of Israel

    You mean they want their stolen property back, no different than Jews demanding the return of property stolen from them. And your talking point died when Carter visited Hamas and talked them into accepting Israel as part of a peace deal, just by actually talking to them.

    Other parts left out of your storyline (cuz that's what you do), Israel created Hamas to undermine Fatah. And while you guys like to whine about the Hamas charter, the Likud charter lays claim to all of the West Bank, which is flatly illegal and always has been. And then there's the odd Israeli official that nakedly talks about a "final solution" for their "Palestinian problem".

    Of course, one side has the best military hardware a sugar daddy can buy along with hundreds of nuclear weapons, but it's a good thing we have people like you to focus on the other side: rock throwers and gunpowder rockets straight out of the 12th century.