Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)

Posted by BeauHD on from the poor-security dept.

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

13 of 190 comments (clear)

  1. Oblig xkcd by purplie · · Score: 5, Funny

    https://xkcd.com/463/

  2. Re:Why would the DOD need a report? by JMJimmy · · Score: 4, Funny

    Security through obsolescence and incompatibility

  3. "Door censors showed doors" by Ashthon · · Score: 5, Funny

    They need to do a better job of censoring the doors. We don't need to see that filth!

  4. Most alarming discovery: by Gravis+Zero · · Score: 4, Interesting

    (10) Data stored on USB thumb drives was not encrypted.

    I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of theses have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.

    The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.

    --
    Anons need not reply. Questions end with a question mark.
  5. I hope they are using 40 year old tech by aberglas · · Score: 5, Interesting

    Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.

    The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".

  6. Re:Why would the DOD need a report? by ShanghaiBill · · Score: 5, Informative

    Yes, they ARE ballistic, because they have to be to hit a ballistic trajectory target before terminal stage.

    The are NOT ballistic missiles. They have terminal guidance to a moving target.

    Ballistic missile

  7. Re: Why would the DOD need a report? by Anonymous Coward · · Score: 5, Insightful

    The last time this type of report came out they were still using floppy discs

    I'm okay with floppy disks being used as a step to activate nuclear weapons. Force an air gap and real people to be involved. I'm not sure a system that fires a ballistic missile should have an antivirus, since they should never ever ever be running anything that hasn't had its pedigree gone through to the last semicolon. Basically I'd rather have the design be old, but known good, and require a person to take some esoteric list of manual steps, than have it all connected to a network with Windows on it, and plug and play. That esoteric list of steps and weird things like floppies may be a pain to maintain, but it provides some solid security against any kind of remote exploitation.

    Of course the rest of the article summary sounds like shear incompetence. Defence in depth is not optional for critical systems.

  8. Last I'd heard, they were using floppies by Spy+Handler · · Score: 5, Interesting

    and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.

  9. Summary Appears Broken by Dr.+Evil · · Score: 5, Insightful

    I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.

    Whomever summarized the summary appeared to not understand the report and added their own color and errors to it.

    "USB Thumb Drives" seems to be fabricated from the submitter reading "removable media"

    The ZDNet article is also guilty of this. E.g.,

    "DOD IG officials also discovered that at one MDA location, IT administrators failed to install an intrusion detection and prevention system --also known as an antivirus or security product.

    No. Just no.

    The report looks interesting though, far more nuanced.

  10. Re: Why would the DOD need a report? by arglebargle_xiv · · Score: 4, Funny

    They should install Kaspersky, then they'd be OK, A/V, filtering, an IDS, and a decent auth system all in one product suite.

  11. Re: WRONG. by c6gunner · · Score: 5, Insightful

    Whoever wrote that is just clueless. The Ballistic Missile Defense System is a system which protects against ballistic missiles, not one which fires ballistic missiles.

  12. You can understand why by petes_PoV · · Score: 4, Interesting
    Old software that isn't patched has some advantages. You know that what you are running is what was tested.

    Also, how would a missile based explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  13. Re:Why would the DOD need a report? by LostMyBeaver · · Score: 4, Informative

    Having been a contractor in this sector a few times, let me just say that it's a revolving door system.

    The DoD, DoE, TSA, DHS, etc... are generally run by people completely lacking the ability to make decisions related to technology. This is not uncommon, hell, most of my company's customers are completely at the mercy of some slide shows and gartner reports.

    Consider this... what percentage of Cisco customers actually need what Cisco pedals? I've been reviewing most of our customer's networks and realized that the average customer paid $20 million over 5 years for their network. I assessed their needs, their requirements (then and now) and concluded that they should throw their networks away completely and replace them with systems costing and average of $500K CapEx and about $200K OpEx annually. But they will continue to spend an average of $4 million a year each because they are completely at the mercy of the salespeople who sell them tons of shit they don't need.

    The TLAs (three letter agencies) aren't even run by business leaders. They are run by bureaucrats. As such, they are even more poorly managed. I've worked with multiple organizations that hire people, stick them in secure environments after their clearance ... well clears and then cycles them out based on the fact that contracts are rolled over and over and over for no apparent reason other than the company who was currently contracted failed to do the job they were given because in order to get the job, they were forced to make a large number of false promises and now someone else making other false promises because they couldn't get the job if they answered honestly has taken over.

    No... the DOD has absolutely no idea what the hell is going on in the IT systems because they never hire anyone long enough to get a foothold. I was at an SAIC office not long ago which had over 200 desks and in most cases, those desks were filled by sub-sub-sub-contractors and most people had no idea what anyone did or even what company they worked for.

    If you think the DOD is bad, you should look at the State Department. I'm entirely convinced they simply let everyone walk through there unchecked.

    I think it really went all downhill with the introduction of the TSA which is basically nothing more than a way of keeping people off welfare and not calling it socialism. They have 1.2 million people in their Active Directory last I checked.... how many do you think are actually tracked and verified?