Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)

Posted by BeauHD on from the poor-security dept.

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

27 of 190 comments (clear)

  1. Why would the DOD need a report? by samdu · · Score: 2

    Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

    1. Re:Why would the DOD need a report? by JMJimmy · · Score: 4, Funny

      Security through obsolescence and incompatibility

    2. Re:Why would the DOD need a report? by ShanghaiBill · · Score: 3, Informative

      Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

      How do people "know" things? By learning. How would they learn? By reading. What would they read? A report. Where would the report come from? Someone tasked with generating it.

      Do you really think everyone in DoD is somehow born with knowledge about missile system OSes, and all the flaws in those OSes?

      Also, this has nothing to do with the security of "ballistic missiles". The missiles managed by MDA are NOT ballistic.

    3. Re:Why would the DOD need a report? by ShanghaiBill · · Score: 5, Informative

      Yes, they ARE ballistic, because they have to be to hit a ballistic trajectory target before terminal stage.

      The are NOT ballistic missiles. They have terminal guidance to a moving target.

      Ballistic missile

    4. Re: Why would the DOD need a report? by Anonymous Coward · · Score: 5, Insightful

      The last time this type of report came out they were still using floppy discs

      I'm okay with floppy disks being used as a step to activate nuclear weapons. Force an air gap and real people to be involved. I'm not sure a system that fires a ballistic missile should have an antivirus, since they should never ever ever be running anything that hasn't had its pedigree gone through to the last semicolon. Basically I'd rather have the design be old, but known good, and require a person to take some esoteric list of manual steps, than have it all connected to a network with Windows on it, and plug and play. That esoteric list of steps and weird things like floppies may be a pain to maintain, but it provides some solid security against any kind of remote exploitation.

      Of course the rest of the article summary sounds like shear incompetence. Defence in depth is not optional for critical systems.

    5. Re: Why would the DOD need a report? by arglebargle_xiv · · Score: 4, Funny

      They should install Kaspersky, then they'd be OK, A/V, filtering, an IDS, and a decent auth system all in one product suite.

    6. Re: Why would the DOD need a report? by Anonymous Coward · · Score: 2, Interesting

      Omg then it was true!

      That nefarious hacker Kevin Mitnick could have hacked and launched nukes by using a phone and whistling... Thank God he was kept in solitary and denied a phone for 6 months.

      Haha

      The MItnick hysteria was interesting, but ultimately just an example of uninformed people not knowing what was possible and assuming the worst, perhaps due to television.

      AI, on the other hand, seems the real threat, not because I believe your getting real intelligence, but because I believe it will be good enough to act as a lever for powerful people to manipulate the world. Imagine a world, similar to today's, but with everyone having say 50 years of AI tech developed. If you didn't see it in person, perhaps while using a certified recording device, could you tell whether or not an event occurred?

      Can the world survive it becoming impossible to tell truth from fiction? The optimistic view is we will somehow get better at detecting the lies, perhaps using more AI. I'm needless to say skeptical.

    7. Re: Why would the DOD need a report? by bernywork · · Score: 2

      https://5.imimg.com/data5/UB/V...

      Sorted!

      --
      Curiosity was framed; ignorance killed the cat. -- Author unknown
    8. Re:Why would the DOD need a report? by butzwonker · · Score: 3, Insightful

      Sounds like a penetration test was conducted, including physical access testing. That's normal and good procedure, just a bit shocking that they do it only now and bugs from 1990 haven't been fixed yet...

    9. Re:Why would the DOD need a report? by LostMyBeaver · · Score: 4, Informative

      Having been a contractor in this sector a few times, let me just say that it's a revolving door system.

      The DoD, DoE, TSA, DHS, etc... are generally run by people completely lacking the ability to make decisions related to technology. This is not uncommon, hell, most of my company's customers are completely at the mercy of some slide shows and gartner reports.

      Consider this... what percentage of Cisco customers actually need what Cisco pedals? I've been reviewing most of our customer's networks and realized that the average customer paid $20 million over 5 years for their network. I assessed their needs, their requirements (then and now) and concluded that they should throw their networks away completely and replace them with systems costing and average of $500K CapEx and about $200K OpEx annually. But they will continue to spend an average of $4 million a year each because they are completely at the mercy of the salespeople who sell them tons of shit they don't need.

      The TLAs (three letter agencies) aren't even run by business leaders. They are run by bureaucrats. As such, they are even more poorly managed. I've worked with multiple organizations that hire people, stick them in secure environments after their clearance ... well clears and then cycles them out based on the fact that contracts are rolled over and over and over for no apparent reason other than the company who was currently contracted failed to do the job they were given because in order to get the job, they were forced to make a large number of false promises and now someone else making other false promises because they couldn't get the job if they answered honestly has taken over.

      No... the DOD has absolutely no idea what the hell is going on in the IT systems because they never hire anyone long enough to get a foothold. I was at an SAIC office not long ago which had over 200 desks and in most cases, those desks were filled by sub-sub-sub-contractors and most people had no idea what anyone did or even what company they worked for.

      If you think the DOD is bad, you should look at the State Department. I'm entirely convinced they simply let everyone walk through there unchecked.

      I think it really went all downhill with the introduction of the TSA which is basically nothing more than a way of keeping people off welfare and not calling it socialism. They have 1.2 million people in their Active Directory last I checked.... how many do you think are actually tracked and verified?

    10. Re: Why would the DOD need a report? by drinkypoo · · Score: 2

      "They should install Kaspersky, then they'd be OK,"

      They should install Russian government spyware? Fantastic idea. We should put you in charge!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Oblig xkcd by purplie · · Score: 5, Funny

    https://xkcd.com/463/

  3. "Door censors showed doors" by Ashthon · · Score: 5, Funny

    They need to do a better job of censoring the doors. We don't need to see that filth!

  4. a further realization of the cold war. by nimbius · · Score: 2

    The crumbling infrastructure of cold-war politics surely comes as a surprise to no one. the USSR's incentives for building infrastructure and defense were much more resilient and sustainable based on the charter of the government they were building as a reflection of the society itself.
    ,br> The US on the other hand only had one drive: just beat the USSR. It doesnt matter if your space program is run on nickels and dimes in 30 years, or your superhighways and bridges crumble without any meaningful maintenance or even a thought of repair, just so long as what you make now continues to promote the image that the US does it better. So here it is, our sterling testament to the defense of american freedom. At the time it was a pinnacle because it had to be. Now the doors are all ajar and the computers are run by idiots.

    --
    Good people go to bed earlier.
  5. Most alarming discovery: by Gravis+Zero · · Score: 4, Interesting

    (10) Data stored on USB thumb drives was not encrypted.

    I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of theses have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.

    The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.

    --
    Anons need not reply. Questions end with a question mark.
  6. I hope they are using 40 year old tech by aberglas · · Score: 5, Interesting

    Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.

    The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".

    1. Re:I hope they are using 40 year old tech by The123king · · Score: 3, Informative

      Will people stop thinking it's PC's. The military run PDP11's and VAXen. There's not an 8086 anywhere near, and the only intel chips are RAM chips

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
    2. Re:I hope they are using 40 year old tech by drinkypoo · · Score: 2

      "Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses."

      Speaking as someone who was there and actually used those computers as my primary desktop for some years (my first PC was an IBM 5150), you are talking out your asshole. We had viruses back then - the first known PC virus dates from 1986.

      "And even though the code might be bad, it is small enough that someone understood it."

      Yes, assuming you had someone on staff who knew assembler and could operate a disassembler. Virus authors don't mail you the source code.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Whoosh ... by OzPeter · · Score: 2

    Think that should be "door sensors".

    Look! Up in the Sky! Is it a bird? Is it a plane? No, it's a joke .. flying right over the top of you!

    --
    I am Slashdot. Are you Slashdot as well?
  8. Last I'd heard, they were using floppies by Spy+Handler · · Score: 5, Interesting

    and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.

  9. Re:Why would the DOyou're D need a report? by Anonymous Coward · · Score: 3, Interesting

    you're not totally wrong.

    But the Paul Ryan shutdowns have wreaked havok on program budgets over the past 10 years, and yeah, that led to a LOT of chaos and turnover in these kinds of programs. I'm not at all s yearurprised there's a problem like this. Doing security RIGHT: in the context of a DoD framework like RMF, is very expensive. And just as you get a team that understands one process, it gets changed. And the requirements are laden with REALLY fucking expensive software licenses. WHich is an additional financial drain. You add to that - a product lifecycle that is expected to last decades: you won't really find a closed-source commercial solution that has that kind of longevity without some marketing goon on a rebranding spree, coming along and obsoleting one crucial part of the stack, and forcing significant rework.

    But no: a lot of us who work (or have worked ) in that space, LOVE the work, and love the people they work with - it's filled with a lot of exciting challenges and problem solving, and it does pay well - except that it's hard to find a program that doesn't force you to relocate every 5 years.

  10. Summary Appears Broken by Dr.+Evil · · Score: 5, Insightful

    I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.

    Whomever summarized the summary appeared to not understand the report and added their own color and errors to it.

    "USB Thumb Drives" seems to be fabricated from the submitter reading "removable media"

    The ZDNet article is also guilty of this. E.g.,

    "DOD IG officials also discovered that at one MDA location, IT administrators failed to install an intrusion detection and prevention system --also known as an antivirus or security product.

    No. Just no.

    The report looks interesting though, far more nuanced.

  11. Re:Why am I not surprised? by vtcodger · · Score: 2

    Yes, the military uses old technology. By design. They like their stuff to work. Reliably, Which it often does. It's hard to imagine a dumber idea than applying a mess of half baked "modern" technologies that routinely don't work to a problem quite different than that the ones that they don't solve. (Hint: Type "lists of data breaches" into your favorite search engine. **THAT** is what nifty modern technology buys you.)

    Suggested reading, for anyone who thinks the authors of this study have a point -- "Superiority" by Arthur C Clarke. https://www.freesfonline.de/au...

    Note that active military facilities typically have elaborate physical security measures including guys with guns in place and that the militaries of the world have been using encrypted communications since biblical times and relatively modern techniques for data protection about a century. On the whole, their approaches have a decent record except when someone inside leaks data or massive state level attacks are made on their technologies.

    Not that I'm a fan of spending billions to deploy Ballistic Missile Defense. Ever so long ago -- before most folks posting here were born -- I knew quite a lot about some aspects of the problem. It's an enormously difficult problem and I doubt that it's really been solved although it MIGHT -- and I emphasize MIGHT -- be able to intercept a single missile that doesn't deploy sophisticated countermeasures.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  12. Maybe AI Could Help by Crashmarik · · Score: 2

    A massively parallel and distributed system to scan the system for viruses and security flaws and proactively take actions to safeguard the system.
    If it were satellite based we called it network in the sky or maybe some other sort of acronym

  13. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  14. Re: WRONG. by c6gunner · · Score: 5, Insightful

    Whoever wrote that is just clueless. The Ballistic Missile Defense System is a system which protects against ballistic missiles, not one which fires ballistic missiles.

  15. You can understand why by petes_PoV · · Score: 4, Interesting
    Old software that isn't patched has some advantages. You know that what you are running is what was tested.

    Also, how would a missile based explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons