Slashdot Mirror
US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)
An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.
Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?
Because nobody trusts all that safety crap to work consistently, and not break or interfere when you need it most.
"Captain - censors indicate the ____ of a _____ ______ on the _______."
Maybe it is time for a test shot to make sure it still works.
This is where equifax gets their best and brightest from
https://xkcd.com/463/
Our contractors and the military are running on 40-60 year old tech. They are incapable of fixing this and to scared that it will bring a portion of the national defense down for a time in the process so nothing will ever be done. That is until a rouge nation actually launches one of our nukes!
Why were they looking for antivirus? Did somebody decide to use a Microsoft OS for these systems, despite all the disclaimers that it's not fit for that purpose?
The people on the "base" need to be able to use the missile systems for "war" when commanded.
The idea that such computers would be networked beyond mil secure networks is "strange".
Space, sea, land tracking systems would send the data along secure networks to a secure base. The US mil "gets" encryption end to end.
Inside that base the only needed service is to use the data to get a missile "war" ready. Everything connected to the base should be mil grade secure.
What happened?
US staff are now allowed to bring "entertaining" consumer devices to "work" so they feel like staying in the US mil for longer?
The reasons why the rest of the base functions are not working is simple:
The base has to work and people on base need to move around and the computers used are ready for war use.
That needs internal open doors as everyone on base is "trusted" and have to move around to keep the "war" aspect of a US base ready.
The fix would be to bring in a staff of contractors under the "buddy" system to go over every system and get everything working as the US mil expects.
The problem the US has it has too few smart staff to now fix everything globally and under the buddy system rules.
The US mil has to let everything be war ready and not do expected mil repairs due to lack of trusted US contractors globally.
Good new your base is still ready for war.
The bad news is the buddy system is using 2X the trusted staff to watch over each other. Good for US security but the amount of staff needed is limiting give all the mil site the US has globally.
Follow the UK Navy idea and use one contractor/mil person to do the work? The US trusted the buddy system. Bad for security in the UK but the work is done.
The next person can be trusted to notice and report sabotaged/stolen equipment?
Find more people with the IQ and security background? The US mil cant teach IQ so it has to work with the skills it can attract.
Too few people are fit, smart, trustworthy and will work for a low wage in a distant US base.
The fit, smart, people go to special forces. The smart, trustworthy people end up in the NSA, CIA, and all the other agencies.
Good wages, wars and nice locations globally to work in.
Bring in more random contractors who don't pass security interviews?
They are mil and political not trusted due to their education level, faith, backgrounds, drug use, criminal friendships, lifestyles, gambling... have health issues.
Their backgrounds show they want spy for cash/faith/ have split loyalty.
Domestic spying is now "Benign Information Gathering"
They need to do a better job of censoring the doors. We don't need to see that filth!
Heard its good. :)
[($)]
The crumbling infrastructure of cold-war politics surely comes as a surprise to no one. the USSR's incentives for building infrastructure and defense were much more resilient and sustainable based on the charter of the government they were building as a reflection of the society itself.
,br> The US on the other hand only had one drive: just beat the USSR. It doesnt matter if your space program is run on nickels and dimes in 30 years, or your superhighways and bridges crumble without any meaningful maintenance or even a thought of repair, just so long as what you make now continues to promote the image that the US does it better. So here it is, our sterling testament to the defense of american freedom. At the time it was a pinnacle because it had to be. Now the doors are all ajar and the computers are run by idiots.
Good people go to bed earlier.
(10) Data stored on USB thumb drives was not encrypted.
I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of theses have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.
The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.
Anons need not reply. Questions end with a question mark.
... unpatched Windows XP.
It little behooves the best of us to comment on the rest of us.
Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.
The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".
You know that...
[($)]
Friendly reminder that this method is not a security mechanism. This is why you dont let bureaucrats run things.
Think that should be "door sensors".
Look! Up in the Sky! Is it a bird? Is it a plane? No, it's a joke .. flying right over the top of you!
I am Slashdot. Are you Slashdot as well?
They should be deterrent enough, right?
WRONG. "DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets."
and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.
If these problems apply to payroll and purchasing systems, then its a problem that should be fixed. If they apply to actually missile systems, then of course its a whole different kettle of fish.
I hope and assume any missile systems or classified systems are air-gapped, and things like 2-factor authentication and anti-virus do not apply. Security is guys with guns who shoot anyone who crosses the air-gap without authorization.
I also hope that any report on vulnerabilities of missile systems would be classified.
In fact, the "Defense" of the U.S. is very, very badly managed. Highly qualified people don't want to work helping the military kill people and destroy property.
Where in the World Is the U.S. Military? Quoting:
"Despite recently closing hundreds of bases in Iraq and Afghanistan, the United States still maintains nearly 800 military bases in more than 70 countries and territories abroad -- from giant "Little Americas" to small radar facilities. Britain, France and Russia, by contrast, have about 30 foreign bases combined."
you're not totally wrong.
But the Paul Ryan shutdowns have wreaked havok on program budgets over the past 10 years, and yeah, that led to a LOT of chaos and turnover in these kinds of programs. I'm not at all s yearurprised there's a problem like this. Doing security RIGHT: in the context of a DoD framework like RMF, is very expensive. And just as you get a team that understands one process, it gets changed. And the requirements are laden with REALLY fucking expensive software licenses. WHich is an additional financial drain. You add to that - a product lifecycle that is expected to last decades: you won't really find a closed-source commercial solution that has that kind of longevity without some marketing goon on a rebranding spree, coming along and obsoleting one crucial part of the stack, and forcing significant rework.
But no: a lot of us who work (or have worked ) in that space, LOVE the work, and love the people they work with - it's filled with a lot of exciting challenges and problem solving, and it does pay well - except that it's hard to find a program that doesn't force you to relocate every 5 years.
is password
or whatever the default was when they installed it
The all run Windows 1.0 because "it's cool".
/. where smarticles come to die.
I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.
Whomever summarized the summary appeared to not understand the report and added their own color and errors to it.
"USB Thumb Drives" seems to be fabricated from the submitter reading "removable media"
The ZDNet article is also guilty of this. E.g.,
No. Just no.
The report looks interesting though, far more nuanced.
This isn't something a grunt can install linux on and start improving. So nothing ever gets done. Management 101.
(6) Security cameras didn't cover the entire base. (7) Door censors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas.
The all run Windows 1.0 because "it's cool".
Nah... It’s MS-DOS 4.3 and TopView.
#DeleteChrome
Despite the obvious reality of a missile base having a lifespan of multiple decades, the Pentagon is more interested in buying new smart-bombs: It increases profits for their civilian buddies and decreases collateral damage for their military buddies. Such a policy means building better ways of killing makes peace cost millions of dollars per day and war, cheap.
...that system was designed in the 1960'ies or 1070'ies and was designed to run in an highly isolated environment and is not an off-the-shelf system.
That's far better than warships running on ME or XP.
We used to have MAD: Mutually Assured Destruction to each scare the other side into not starting a war. Now we have Mutually Assured Hacking, which means nobody will know what shit will actually work. Maybe we should keep some pre-digital weapons around in case.
Table-ized A.I.
000000
Caveats:
- The next page of the thread, dealing with bypassing two-factor authentication, is two "next"s forward.
- Poisoned Minds / S.S.D.D. is generally N.S.F.W. (Including the next few pages after the one linked.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The systems are so old, you need to physically get a person in there with punch cards... or a template, one hole punch, scissors and some plastic.
We don't have to sing kom by yah, just shut them all down and we'll never speak of it again.
My ism, it's full of beliefs.
(Sarcasm intended.) It's a good thing that these problems were found in defensive systems, thus ensuring that Mutually Assured Destruction can continue to be our world security policy.
Even though this security audit found numerous problems, surely none of this kind of stuff is going on in our country's offensive ballistic missile systems. ...and it's not as if we have a President that goes around goading other country's rulers to lob a nuclear missile or few in our direction, so we have nothing to really worry about.
On North Korea, it's clear that we have a very decisive and insightful President who is doing a great job staying on top of their development of new sites for launching nuclear weapons: "Maybe they are. Maybe they’re not. I don’t believe that. I don’t. And, you know, could. And which is — if it — if that’s the way it goes, that’s the way it goes. You know, I go with the way we have to go," [ Trump interview on Fox News with Chris Wallace, November 2018 https://www.foxnews.com/transc... ]
Besides, these defensive systems already fail about 20% of the time on carefully structured tests where everything is tuned up and the brass is watching, so we already knew we couldn't depend on them. https://www.mda.mil/global/doc...
I keep hearing that net-connected infrastructure was infiltruded upon. In virtually every instance, these were places, such as military/gubmint and utilities that always have humans onsite. Humans in control, but apparently not controlling. Yes, power plants have to control their frequency, but they're connected directly to the grid, so why the net conx? We used to do that stuff well enough before we had the Intertubes.
Is the way we're doing this sort of thing today any better, given that almost daily we read of new intrusions, often on stuff we really don't want dirty fingers in?
(8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas.
A 8086 can support viruses just fine. Not the modern windows-requiring crap, true. But back in the day there were plenty of viruses for DOS, too. A couple hundred bytes is all some of them need.
The real question is why they presume they need "anti-virus". If the controller is an embedded non-x86 CPU with an embedded OS in ROM, good luck getting viruses to take hold. Or even, say, a PARISC workstation with HP-UX on it. Or an alpha running vms. There's probably plenty of holes in it --not running everything as root is a decent start-- but very few adversaries even have the hardware to test their viruses on.
Apparently the DoD, and you too, have wintendo-only minds. Brain-rot, is what it is.
A massively parallel and distributed system to scan the system for viruses and security flaws and proactively take actions to safeguard the system.
If it were satellite based we called it network in the sky or maybe some other sort of acronym
Comment removed based on user account deletion
most importantly, they run windows 10.
Slashdot, fix the reply notifications... You won't get away with it...
Let's not talk about attack vectors: AVs are known to introduce huge glaring vulnerabilities which allow kernel level access to the system.
For such military systems Internet access must be disabled completely; such PCs must be configured such a way, the user cannot run any applications other the preconfigured ones (via security policies). All the scripting features must be locked down completely, i.e. no Microsoft Office, no VBS, no PowerShell, etc. etc. etc. USB flash drives support must be disabled as well. No BIOS access as well. No access to the actual hardware (i.e. PCs must be enclosed and only a mouse/keyboard/monitor must be accessible). That's the least they could do.
The sad part is that blackeyers ignore the crap out of reality and rewrite history, to keep their delusion of no bad shit going on.
Of course his "because" is wrong. But so is yours.
So much for those wonderful STIGs that everyone else has to suffer through.
and ask for millions in 'damages' and put them in jail for 300 years because your troops are either poorly trained or to badly led to do the job correctly.
if security can't even be taken seriously at a missile launch site, how can you expect it from some company producing $15 webcams or other insane cheap IoT devices?
On a long enough timeline, the survival rate for everyone drops to zero.
Just who in their right mind runs a Ballistic Missile System bas on Microsoft Windows o]
Also, how would a missile based explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
In this situation, physical security is everything.
2FA? Two specially trained people have to both use their keys concurrently. The keys are far enough apart that a single person cannot physically turn them. Plus, they have to get inside to launch complex. 1 new guy might be able to get inside, but not two.
Auditors did their job but there isn't a checkbox for "does this apply in any way"?
Hint: no.
These computers are specialized. Not general purpose. They run a specialized system, not sure I'd even call it an OS.
The Headline says "no multi-factor authentication mechanisms"
The summary says "The Multi-factor authentication wasn't used consistently". So they did have MFA, it just wasn't implemented on a consistent basis. Could mean a bunch of things, but also could mean that MFA was implemented and doing the job, but just wasn't consistently implemented to the same standards at every installation.
The vendor didn't want to do it so it wasn't important. That's how every government contract I've ever seen has worked.
oh the days of the pencil as a password are still with us. ;-) dialup 300 baud still works.
People forget that plain text _is_ secure- full transparency == no place to hide unlike encryption
I remember getting my Drivers's License in US using my foreing passport, some years ago.
In Place Of Birth they put "OH" (Ohio).
Then people wonder how a bunch of crazies created 9/11...America is so full of flaws, people.
We are all doomed. So it not just the Orange Infant Commander-in-the-Chief that that is that problems.
The ZDNet article states, "where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS)," which led to a lot of mistakes in this thread.
That is both factually and grammatically incorrect.
Here, I fixed it for the author; "where the Missile Defence Agency (MDA) had place ANTI-ballistic missiles AS part of the ..."
Ballistic missiles are ICBMs and SLBMs. They deliver nuclear warheads to targets.
ANTI-ballistic missiles are to destroy incoming ballistic missiles.
Those are two VERY different things.
The articles is about ANTI-ballistic missiles.
FWIW, I was an ICBM Launch Officer and worked on design of control systems during the Clinton era. In my time, this had many, many, layers of physical security, encryption, information separation, and so on which resulted in the equivalent of multi-factor security for physical and information access and communication. I do NOT have knowledge of current systems. However, most likely the basic design philosophy of ballistic missile access control has not changed much.
He wrote this entire article about the Missile *Defense* Agency, and can't figure out the difference between a ballistic missile and an ANTI-ballistic missile.
Because I'm a retired IT guy. Also, I'm running Windows XP, but it's patching itself.
Registry Hack: Get Windows XP Security Updates until 2019
It thinks it's an ATM machine or other embedded OS.
ATM security still running Windows XP
Anthony Spadafora
15/11/2018
It little behooves the best of us to comment on the rest of us.
No Antivirus is needed since nobody knows how to write viruses for a VAX.
Also, there should be some kind of CAPTCHA or brainteaser you have to solve before you can order a launch.
I could be something simple, like putting a square peg in a square hole, or spell your way trough a whole tweet.
Such a machine is well able to support an ASM virus, just not any modern giant stuff. You can have a contaminate and hook code very easily. As a matter of fact just to learn how to fight the stuff 20 years ago I did my own version of the pong virus from scratch, which also tried to determinate if there was a drive it could write to - it was only using hardware interrupt, 10h, 13h, and 08h/1ch for the "timer", and 03h to detect if somebody was monkeying. Deleted it once I was satisfied. I do not recall the exact size but it was lower than 1kb.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org