Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com)

Posted by BeauHD on from the here-we-go-again dept.

phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."

The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

40 of 78 comments (clear)

  1. No problemo by nospam007 · · Score: 1

    "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' "

    Wow, much sophistication in the Australian loginname/password scheme,

    1. Re:No problemo by sehlat · · Score: 2

      Wow, much sophistication in the Australian loginname/password scheme.

      The article left out 'mate; mate' and 'That's not a knife;THAT's a knife'

    2. Re:No problemo by godel_56 · · Score: 4, Insightful

      That's kind of what happens when the Australian Signals Directorate wants brilliant hackers to work for them, but only offers to pay them entry-level Help Desk wages.

      It wasn't the Australian Signals Directorate but some dickhead project sub-contractor. According to someone on TV last night it's a 50 person company and they only have one man doing IT functions, which includes things like fixing printers. I wonder what happens if this person goes on holidays?

      While this company deserves to burn in hell, we also need to look at the idiots which gave them the job. Was no due diligence done to see if the sub-contractors were capable, and why did they need this kind of information in the first place? Balls should roll.

    3. Re:No problemo by Swave+An+deBwoner · · Score: 1

      Was no due diligence done to see if the sub-contractors were capable ...

      Gov't Decision Maker: "This one's the cheapest, take them."

      In the US that's more or less the requirement, after taking things like Equal Opportunity and Small Business into account, provided the bidder claims that they have the basic competence to do the job. Privatization is the way to go! </s>

    4. Re:No problemo by deviated_prevert · · Score: 2

      Yes as we all know only Australia uses that default username/password combo.

      Either that or something easy to remember and guess like waltzingmatilda or the likes. I would think that one could break into most of the infrastructure of .au with that one.

      Allowing user set passwords to administration rights that are global and are accessible over the internet to critical data that is not locked down and encrypted is inherently stupid. About as smart as allowing remote admin priviledge to a website from the assholes claiming over the phone to be from microsoft windows security division calling you because your computer has been compromised. I suspect that the contractor was connected to someone who gave out the contract to a friend with some cash because the contractor sure as hell was not vetted properly!

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    5. Re:No problemo by walterhpdx · · Score: 1

      Back in the early 90s I was sent to a very large ISP to install Sybase monitoring software. The sa password? Just “password”. And yes, they are still around today. Hopefully that password got changed.

    6. Re:No problemo by arglebargle_xiv · · Score: 1

      Wow, much sophistication in the Australian loginname/password scheme,

      I was expecting at least username = fosters, password = xxxx.

  2. Yup by RightwingNutjob · · Score: 1

    Back in the good old days, spies couldn't sit on their couches in their PJs watching soap operas while their scripts downloaded stuff in the background. They actually had to go out to do their jobs.

    Computers make everyone stupid.

    1. Re:Yup by PPH · · Score: 3, Funny

      sit on their couches in their PJs watching soap operas

      Why? Is Pornhub down?

      --
      Have gnu, will travel.
    2. Re: Yup by RightwingNutjob · · Score: 1

      Please, do post for all to see.

  3. Re: Australia's "navy" *rolls eyes* by Anonymous Coward · · Score: 1

    That's ok.

    Piles of dead Germans, Japanese, Koreans, Vietnamese (and others) made the same mistake.

    They underestimated too.

    I doubt the US Navy did much eye rolling when their aircraft carriers got "blasted" out from underneath them during joint exercises.

  4. how - foreign contractors == different standards? by Anonymous Coward · · Score: 1

    Doesn't the DoD audit and require proof of security protocols when handing over Secret information to both domestic and foreign contractors? How could having passwords of admin/admin and guest/guest miss even the simplest of tests?

    Pathetic and ridiculous to even classify stuff if this is how they run the show.

  5. 'admin; admin' and 'guest; guest' by Rick+Schumann · · Score: 3, Funny

    'facepalm; facepalm'

    1. Re:'admin; admin' and 'guest; guest' by RightwingNutjob · · Score: 3, Interesting

      You know, back before I switched over my ssh servers to nonstandard ports, I'd see daily attempts to log in as 'guest' or 'admin' as well as a dictionary of common usernames. People wouldn't try if it didn't work occasionally.

    2. Re:'admin; admin' and 'guest; guest' by Rick+Schumann · · Score: 1

      Sure. But you'd think they'd be smarter than this. Whatever happened to basic OpSec?

    3. Re:'admin; admin' and 'guest; guest' by Frederic54 · · Score: 1

      I switched my SSH port to non standard but always see login attempts... less than before but still, some people do insane port scanning

      --
      "Science will win because it works." - Stephen Hawking
    4. Re:'admin; admin' and 'guest; guest' by Rick+Schumann · · Score: 1

      less than before but still, some bots do insane port scanning

      I took the liberty of fixing that for you. ;-)

  6. Old-fashioned notions of combat. by whoever57 · · Score: 1

    I believe that these things occur because of an old mentality amongst the military that is still true on a physical battlefield: "the best defence is a strong offence".

    The thing is that, in "the cyber", offence and defence are mostly unrelated. Hacking another country does not stop that country from hacking back.

    This leads to the ridiculous situation where the NSA leaves the US government vulnerable so that it can hack Russia.

    --
    The real "Libtards" are the Libertarians!
  7. Re:how - foreign contractors == different standard by Bert64 · · Score: 2

    Having protocols and policies in place is one thing, actually adhering to and enforcing them is quite another...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:100 F-35? by caviare · · Score: 1

    No no, it's just doing what it perceives as its duty as the 52nd state of the US. I understand the UK is the 51st.

  9. The secure cloud is not by WillAffleckUW · · Score: 2

    In the old days, penetration exploits like this would be noticed, as large file transfers flooded routers going to unusual IPs, and someone literally would pull the plug on the router or swap in a honeypot.

    Nowadays, there is no such oversight, and the weakest point in any system is any weak point, be it someone not following basic security protocols or the NSA and other groups (there are more than you think) leaving exploit holes everywhere, including in your mouse, keyboard, monitors, and so on.

    It's like voting, use paper ballots. In this case, don't outsource weapons research. Don't trust, verify. And keep verifying, use social engineering tests on your "secure" facilities. I used to wait for people to "just go to the bathroom" (easy method: pop up a button cam under a windowsill, motion activate, fixed on door, after a while you pattern match with one on bathroom door, easy to extrapolate.

    And never ever trust third party.

    --
    -- Tigger warning: This post may contain tiggers! --
  10. Re:Alf by Pseudonym · · Score: 1

    In case you were curious, this is the cultural reference.

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  11. Re:100 F-35? by Anonymous Coward · · Score: 1

    ... buying 100 F-35 aircraft?

    I think the original order was 48 aircraft but then we got a national leader who wanted to enact Reagan-era policies of welfare-bashing, gifts to the rich and a big military. So he ordered another 52 aircraft and a maintenance contract. He was demoted from leadership before he could enact other far-right policies but we're still fighting the deluded ideologues he left behind. We still hear him in the background, proclaiming he knows better than his own boss.

  12. ALF is a ref. to ALf Stewart and his rape dungeon by Anonymous Coward · · Score: 1

    yep.

    My guess is this was a "false flag" organised by the DSD to force the government into policy changes to make things more secure. Australian government is full of dinosaurs with little or no knowledge of IT and they really make idiotic descions (see the recent fuck up of the NBN).

    No sensitive data was lost, and they have released ALOT of info about this breach which is unusual.

    Therefore.. I call bullshit.

  13. One would hope by Snotnose · · Score: 1

    the folks in charge would be smart enough to put fake docs in places that could be hacked.

    But I'm a realist. I look at the hope hand and and see a pile of smelly stuff. I look in the "smart folks" hand and see nothing.

  14. Re:Alf by Pseudonym · · Score: 2

    Pull your head in, mate. Anonymous Drongo thinks there's only ever been one TV character named "Alf".

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  15. Re:100 F-35? by AHuxley · · Score: 1

    Less of a bribe more of trying to lean from history.
    "Australia 'cracked top-secret US jet fighter codes'" http://www.news.com.au/nationa... (March 17, 2009)
    "The Americans kept saying they'd provide the codes, but never did."
    The new thinking is to spend big with the USA and everything will be so much better this generation.

    --
    Domestic spying is now "Benign Information Gathering"
  16. Re:ALF is a ref. to ALf Stewart and his rape dunge by AHuxley · · Score: 1

    Re "No sensitive data was lost, and they have released ALOT of info about this breach which is unusual"
    Every document and file would have had a checksum. The new NSA buddy system and more contractor security than ever would now be in place in 5 eye nations.
    Every access down a pipe or tube to any contractor has always been watched. Staff have all their home/work networks watched.
    The entry of any intruder would have been detected in real time. The files copied and what was of interest examined.
    The code litter of the intruder would have been studied and shared only with the USA and UK.
    Nothing would have been said to any politician, the media, any other staff if this had been real.
    The ASD would have only shared the results within the NSA and GCHQ. Nobody else has to know about real time intrusion detection or how intrusions are detected and what was found.
    A fictional cyber news story for cyber budget growth. New cyber powers is in the media in near real time.
    An actual cyber event would take a few more decades to get officially declassified and released.

    --
    Domestic spying is now "Benign Information Gathering"
  17. So I am curious by nehumanuscrede · · Score: 1

    Just how much hacking / stealing / pilfering needs to happen before someone decides the current way of doing business probably isn't the most secure way of doing it ?

    Here's a thought:

    Quit allowing sensitive / classified data outside of secure networks.

    You want access to that data ? Drive your ass into the facility designed to house and secure it. Yes, it's inconvenient. Security usually is.

    But it's either that or we may as well just de-classify all of it and mail it to everyone on the planet. Save a lot of trouble.

  18. Summary tells half the story by TapeCutter · · Score: 1

    The most important detail is AWOL in this discussion - none of the data stolen was classified information.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    1. Re:Summary tells half the story by michaelredux · · Score: 1

      No problem, as long as the warship plans don't include any exposed ventilation shafts that are vulnerable x-wing fighters.

  19. Re:how - foreign contractors == different standard by TapeCutter · · Score: 1

    I hate to dampen anyone's outrage but it wasn't a secret, none of the data stolen was classified.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  20. Re:how - foreign contractors == different standard by RightwingNutjob · · Score: 1

    Then there's the fact that the more protocols and policies you have, the fewer of them are actually going to be implemented. Good security is just the right amount. Not so little that your passwords are left on default, no so much that no one gets around to changing the default passwords because they're busy checking all the other boxes and figuring out ways to get their work done despite them.

  21. Re:how - foreign contractors == different standard by gravewax · · Score: 1

    despite the articles insinuation none of that information is considered secret.

  22. Re:Alf by rtb61 · · Score: 1

    I would tend to lean to this Alf https://www.youtube.com/watch?..., heh heh, bloopers so apt. The security breach, even unclassified still really bad. New tender requirements, companies computer network security specifications, staffing, security system in place, parrallel networks (internal connections vs external connections) et al. Most places are quite secure because they do not want competitors who are meant to be on their side, stealing proprietary data and also of course publicly humiliating their competitor with a security breach, likely knocking them out from future competition. Real temptation to knock out your competitors from future bids by having them banned for inability to secure their computer system. Corporations hacking corporations is a big part of the corporate wars already under way (even to active combat, taking into account employing competing defence contractors out in the field on opposing sides, corporate employees will be actively trying to kill each other, just a matter of time and not much time at that and probably already happening).

    --
    Chaos - everything, everywhere, everywhen
  23. Re:Alf by Pseudonym · · Score: 2

    ASD incident response manager Mitchell Clarke told the Australian Information Security Association conference that the ASD had codenamed the hacker 'Alf' after the Home and Away character played by Ray Meagher.

    Source

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  24. In fact there is nothing to see there by tinkerton · · Score: 1

    Well what do we have
    * the stolen information was commercially sensitive rather than “classified” military information.
    * the firm was subcontracted four levels down from defence contracts.

    In other words a nonevent not worth discussing, but he catchy title and summary are made up to sell it anyway.

    1. Re:In fact there is nothing to see there by tehcyder · · Score: 1

      * the firm was subcontracted four levels down from defence contracts.

      It doesn't matter whether it was subcontracted one hundred levels down, ultimately those at the top are responsible for not having proper security in place. Like making sure that sub-contractors check on the security of sub-sub-contractors, and so on.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  25. Kinda reminds me of when.... by bev_tech_rob · · Score: 1

    My company just got thru installing a new accounting system and there is a separate document handling piece that has its own login. The trainer that trained us on the main accounting piece showed us how to setup security on that software, but never showed us the setup on the Document Handling system. Someone called my extension inside my company asking for access to that system (I knew the person and his job, so I knew he needed access), and I happened to guess the default admin password was 'admin'. SMH & (facepalm). Obviously I made myself admin on the system with my own credentials and disabled the built-in admin acct.

    --
    You're messin' with my Zen Thing, man.....
  26. Military and intelligence data stolen .. by najajomo · · Score: 1

    Have they ever considered not storing their U.S. military and intelligence weapons data on a computer connected to the Internet?