Democratic Underground

Cyber-attack on Defense Department computers raises concerns

This topic is archived.
DogPoundPup (Donating Member, 1000+ posts), Thu Nov-27-08 11:54 PM
Original message
Cyber-attack on Defense Department computers raises concerns
Source: L.A. Times

Senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia -- an incursion that posed unusual concern among commanders and raised potential implications for national security.

Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.

Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or "malware," apparently designed specifically to target military networks.

"This one was significant; this one got our attention," said one defense official, speaking on condition of anonymity when discussing internal assessments.

Read more: http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

elleng (Donating Member, 1000+ posts), Thu Nov-27-08 11:58 PM
Response to Original message
1. Calling
Richard A. Clarke!

Tandalayo_Scheisskopf (Donating Member, 1000+ posts), Fri Nov-28-08 12:42 AM
Response to Original message
2. This one was pretty slick.
I happen to know what they found as the source of the malware: USB thumb drives with software preinstalled upon it that is supposed to make it easier for the user to use the drive. Everyone who has one of the drives knows this software.

The DoD has banned all USB thumb drives and is scrambling like the dickens on this matter. It is all hands on deck, red alert, Defcon 5, everybody panic time. No shit.

Note: This affects EVERY thumb drive out there that has this software on it. Every brand. The best thing you can do is that if you have a thumb drive with this software on it, plug it into a Linux machine and wipe that software out of there.

bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 12:49 AM
Response to Reply #2
3. The very idea of allowing thumb drives anywhere near classified stuff is boneheaded.
If you want security, you have to maintain control, physical and connective. It's like the idiocy of allowing all those cellphone cameras where you don't really want pictures taken, or putting DoD machines on the internet with no firewall and default server configurations, something I saw many times in the 90s. Security through obscurity.

Maybe they can come up with a cyber-condom to keep the thumb drives from being infected. (Joke.)

Tandalayo_Scheisskopf (Donating Member, 1000+ posts), Fri Nov-28-08 01:03 AM
Response to Reply #3
6. Well, they don't allow the drives anywhere near the secure server rooms.
Edited on Fri Nov-28-08 01:08 AM by Tandalayo_Scheisskop
Not even on a person's person. But, there is the knucklehead factor: as you well know, in the wonderful world of ANY networks, there is always someone who thinks that the rules do not apply to them. Nowhere is that as pernicious and apparent as in the Defense sector. There are those in that area who have their little sinecures, consider themselves god-like and untouchable and above all rules, as such rules are for those who do not breathe the rarified air they do.

Of course, that only lasts until they are caught being knuckleheads and one monstrously pissed off two-star (or greater) kicks in their office door and proceeds to perform traumatic combat proctology upon their person.

But let me tell you: right now, regarding this situation, it is full-on assholes and elbows in the DoD. I suspect there are gonna be more than a few USB drive manufacturers' sales reps who are gonna be hating life. That said, remember where all these drives are made:

China.

bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 01:40 AM
Response to Reply #6
8. LOL. Made in China. Who could have predicted this?
Yes, indeed. But remember, the internet is inherently unreliable and insecure, it's designed in, it's going to bite China in the ass too ...

lovuian (Donating Member, 1000+ posts), Fri Nov-28-08 06:39 AM
Response to Reply #6
9. Bingo these were MADE IN CHINA and we have been sharing
our technology and its going to BITE us in the BUTT

DavidMS (Donating Member, 1000+ posts), Fri Nov-28-08 11:19 AM
Response to Reply #3
11. Thumb drives are ok...
Just don't have U3 on them, or just run *NIX like NetBSD. I hear the devs for NetBSD are very security conscious. Also, why are end users on classified systems granted admin privileges?

bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 11:38 AM
Response to Reply #11
12. I run FreeBSD, but all *BSDs are cool.
Though I neglect it since I retired. I think the idea of a thumb running *BSD, made net-invisible, has a lot of potential to do good, or make trouble, depending on what you want.

formercia (Donating Member, 1000+ posts), Fri Nov-28-08 01:59 PM
Response to Reply #12
18. Me too
It still needs a little tweaking to lock it down.

Any time one uses a browser, they pretty much leave an open door.

bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 05:26 PM
Response to Reply #18
19. The best you can do is be invisible unless you do something.
Once you send little IP packets running around on the net, they can be seen. So you can watch unobserved, there is a nice public domain tool for that whose name "I forget", and you can decide whether and when and how and how long to be noticeable.

formercia (Donating Member, 1000+ posts), Sat Nov-29-08 08:55 AM
Response to Reply #19
22. Once they ID your IP, it doesn't take them long to attack
The weakness is the domain name servers. If you can go IP to IP, you can last a little longer. They monitor DU and look for logins. Since it's unencrypted, they can sniff the packets and match up IPs to users.
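Reply #22 says that a login to an unencrypted site can be sniffed off the wire and the user name matched to the source IP. The Python below is an added example by the editor, not code from the thread, showing what that matching amounts to once the packets are in hand: given reassembled TCP payloads tagged with their source address (a constructed sample, not a real capture), it picks out HTTP POSTs to a login path, parses the form body, and returns (src_ip, username) pairs. The login path `/login.php` and the form field names are assumptions about the site. The last sample stream is the start of a TLS handshake for the same kind of login; the parser gets nothing from it, which is the whole difference encryption makes to this attack.

```python
"""Pick plaintext logins out of captured TCP payloads and tie them to source IPs.

Added example, not code from the thread. TCP reassembly and the capture
itself are out of scope: the input is a list of (src_ip, payload) pairs as
a sniffer on the path would hand them over after reassembly.
"""
from urllib.parse import parse_qs

# Assumed site layout: the login form posts to /login.php and names the
# account field 'username'. Adjust for the site being watched.
LOGIN_PATHS = ("/login.php",)
USER_FIELDS = ("username", "user", "login")

# Constructed sample streams; not a real capture.
SAMPLE_STREAMS = [
    ("203.0.113.7",
     b"POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     b"username=alice&password=hunter2"),
    ("203.0.113.9",
     b"GET /index.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"),
    ("198.51.100.4",
     b"POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\n\r\n"
     b"username=bob&password=s3cret&remember=1"),
    # The same login over TLS: first bytes of a ClientHello record. Opaque to us.
    ("198.51.100.5", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def parse_http_request(payload):
    """Split an HTTP/1.x request into (method, path, headers, body); None if it is not one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return (parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), headers, body)


def extract_logins(streams, login_paths=LOGIN_PATHS, user_fields=USER_FIELDS):
    """Return (src_ip, username) for every plaintext form login seen."""
    logins = []
    for src_ip, payload in streams:
        req = parse_http_request(payload)
        if req is None:
            continue  # not HTTP at all, e.g. a TLS record
        method, path, headers, body = req
        if method != "POST" or not path.startswith(login_paths):
            continue
        if "application/x-www-form-urlencoded" not in headers.get("content-type", "").lower():
            continue
        try:
            length = int(headers["content-length"])
        except (KeyError, ValueError):
            length = len(body)
        form = parse_qs(body[:length].decode("utf-8", "replace"))
        for field in user_fields:
            if form.get(field):
                logins.append((src_ip, form[field][0]))
                break
    return logins


if __name__ == "__main__":
    for ip, user in extract_logins(SAMPLE_STREAMS):
        print(f"{ip} logged in as {user}")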
 
bemildred (Donating Member, 1000+ posts), Sat Nov-29-08 10:07 AM
Response to Reply #22
23. Sounds almost like password cracking.
Edited on Sat Nov-29-08 10:21 AM by bemildred
For which there are a number of free tools that "I forget" the name of too, purely to help out administrators, of course.

It's true they go after DNS, a weak spot for certain kinds of attack, and completely indispensable to the operation of the net. With the consequence that the coding and administration of bind was considerably tightened up, which was pretty loose to begin with. More security through obscurity.

I always assume I am being monitored, that I am "in public" on the net, since I've done some "watching" too; although on the other hand, there are way the heck too many of us to really be watched all the time. I used to play with packet filters and such, and the amount of "data" you can collect in no time at all is staggering, and it is amusing to consider the dreariness of the life of some guy whose job is to try to read and make sense of it all. It's true you can weed things out some, but in the end some poor slob has to look it over, and the filters are never as good as you would like, and they never find stuff you're not looking for, which is often the stuff you really want.

I am always amused at the government's "we're going to watch everybody" software projects, because I KNOW how useless a huge, unstructured pile of data can be. Data is easy to come by, cheap. It is good data, relevant data, and a theory to explain it that is hard to come by, a lot of work to obtain.

Edit: what I was talking about with "invisible" was being invisible to port scanners and ping and the like, which is not that hard with *BSD, probably with Linux, though I have not done it on Linux.

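The "invisible to port scanners and ping" setup that reply #23 says is not hard on *BSD is, in practice, a pf ruleset. The fragment below is an added example by the editor, not something from the thread; the interface name em0 is an assumption. The line that matters is `set block-policy drop`: with the default `return` policy pf answers a blocked TCP probe with a RST and a blocked UDP probe with an ICMP unreachable, and either reply tells a scanner the host is up. With `drop` nothing goes back, and because the inbound rule covers ICMP echo requests too, a ping gets no answer either.

```pf
# Added example, not from the thread: pf.conf for a *BSD workstation that
# never answers unsolicited probes. The interface name is an assumption.
ext_if = "em0"

# Default is "return": blocked TCP gets a RST, blocked UDP an ICMP unreachable,
# both of which tell a scanner the host is alive. "drop" sends nothing.
set block-policy drop
set skip on lo0

# Everything inbound is blocked, ICMP echo requests included, so ping goes
# unanswered. "log" records the blocked probes on pflog0.
block in log on $ext_if all

# Only traffic this host starts is allowed out; the state entry lets the
# replies back in. From here on the remote end can see you.
pass out on $ext_if all keep state
```

Blocked probes can be watched with `tcpdump -n -e -ttt -i pflog0`. The limit is the one reply #19 already states: the host is only quiet until it sends a packet of its own, at which point the other end, and anyone between, sees it.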
 
formercia (Donating Member, 1000+ posts), Sat Nov-29-08 03:19 PM
Response to Reply #23
24. FreeBSD 6.4 now available
Edited on Sat Nov-29-08 03:20 PM by formercia
The latest version was released yesterday.

http://freebsd.org./

bemildred (Donating Member, 1000+ posts), Sat Nov-29-08 04:00 PM
Response to Reply #24
25. Damn, and 7.0-Release:
http://www.freebsd.org/releases/7.0R/announce.html

---

Dramatic improvements in performance and SMP scalability shown by various database and other benchmarks, in some cases showing peak performance improvements as high as 350% over FreeBSD 6.X under normal loads and 1500% at high loads. When compared with the best performing Linux kernel (2.6.22 or 2.6.24) performance is 15% better. Results are from benchmarks used to analyze and improve system performance, results with your specific work load may vary. Some of the changes that contribute to this improvement are:

* The 1:1 libthr threading model is now the default.
* Finer-grained IPC, networking, and scheduler locking.
* A major focus on optimizing the SMP architecture that was put in place during the 5.x and 6.x branches.

Some benchmarks show linear scaling up to 8 CPUs. Many workloads see a significant performance improvement with multicore systems.

---

JIT compilation to turn BPF into native code, improving packet capture performance.

---

jemalloc, a new and highly scalable user-level memory allocator.

---

X.Org 7.3, KDE 3.5.8, GNOME 2.20.2.

GNU C compiler 4.2.1.

BIND 9.4.2.

==========================

It's like candy, but I'm very lazy these days.

formercia (Donating Member, 1000+ posts), Sat Nov-29-08 05:12 PM
Response to Reply #25
27. The price is right
It will cost you a couple of CD-Rs to burn it.

bemildred (Donating Member, 1000+ posts), Sat Nov-29-08 04:17 PM
Response to Reply #24
26. Maybe it's time to build a new machine, single-boot FreeBSD.
This one is five years old, and parts are likely to get more expensive soon, and I'm not paying for anything M$ is willing to sell me now. Hmmm ...

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 09:18 AM
Response to Reply #26
28. I have 6.3 running on a 13 year old machine
and it runs just fine. If your box dies, just swap the drive into another. I backup my user directories onto a usb device so that in case of a fatal crash, it only takes a few minutes to set up a backup machine, swap the drive and restore the directory.
Older machines have problems running the new window managers due to limited RAM and slow I/O. I use XFCE 3.8xx for the WM. It has very low overhead and still allows you to run all programs that GNOME will run.
If you have problems with HD geometry ID, try a smaller partition, say 30GB. With smaller drives, I load the OS on / with a swap partition, that way there is no wasted space. The default install needs too much default disk space.

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 09:43 AM
Response to Reply #28
29. Yah, I keep patching up olwm, which is work, cause I don't like all the chrome.
I have used XFCE at times, when I didn't have olwm up, it's my 2nd choice. But nobody does OpenLook anymore, you are on your own. I usually start with xwm and work up, or down or sideways, or whatever it is. I used to do support for XFree86, and a lot of Xwindows programming.

And there are tweaks, as you describe, in the disk setup that it's good to know. The default is greedy and simple-minded, and I like swap on second drive and a lot of separate /usr space.

I mostly build new ones so I can play with the resource hog software for videos and music, and for speed, esp. compile speed. But for most stuff old machines work fine, they almost never wear out except for the disks and the keyboards and the mice and like that. Very different from Windoze, where old hardware will drive you nuts looking for drivers, and then be very slow if it runs at all.

If you don't like the way they make 'em in the city
Cause they taste too strong the dang paper ain't pretty
Roll your own roll your own
You'll leave the ready rolls behind when you finally find a roll your own

There's the raspberry strawberry pretty red wine
Besides tasting good you're gonna have a nice time
Roll your own roll your own
You're gonna have a nice time i ain't lyin' roll your own

Well the first time you try it you're gonna cuss and shout
Cause the paper keeps tearin' and the stuffin' falls out
But don't give up cause after a while
You'll be smokin' right on with a big ole smile
Roll your own roll your own


http://www.lyricstime.com/hoyt-axton-roll-your-own-lyrics.html

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 09:57 AM
Response to Reply #29
30. compiler speed
I used to work with picoBSD a lot. Getting a running system on a 3.5 floppy disk was a lot of fun. That was back in the days when you could even get the kernel on a floppy.
Hours and hours waiting for a compile to finish. I hear ya'

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 10:04 AM
Response to Reply #30
31. Pico on a flash drive, that's what I was thinking ...
You could drive people nuts trying to figure out what you got there. You could reboot, get into the BIOS, boot the flash drive, and off you go, no footprints. Also excellent for poking around on someone else's machine without leaving tracks, spook stuff.

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 10:16 AM
Response to Reply #31
32. I used to use them for diagnostics
and building diskless routers and switches.

My thoughts exactly. With a custom kernel and custom compiled binaries, they would be clueless.

7 allows booting from USB. I've been waiting for that. I did build some bootable CD versions with XWindows but the hardware overhead was too much. Too much unreliable mechanical crap to fail.

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 10:39 AM
Response to Reply #32
33. I'll bet you could rig elections with that sort of thing too ...
And a flash is sort of like a big floppy ...

CDs have the drawback that you have to get any working storage you need elsewhere; with a flash drive, you don't have to touch the rest of the machine's "non-volatile" storage, unless you want to.

But the idea is not new, you can do it with Windoze, it's always been necessary to have ways to take control of a recalcitrant machine. It's all those hands-on system and network tools, and source code for all of it. I'm surprised the government hasn't tried to outlaw it yet. More security through obscurity. And not everybody is up to disentangling that stuff.

I read about doing a bootable flash in that hacker magazine, my brain forgets the name, but I think it was Windoze based, which was the first time I thought of using Pico. But I've never been motivated, and I have a lot of more pedestrian pursuits. I sort of burned out and retired a while back. Now I don't keep up.

Ah, here's one, gives an idea:

http://thewall.sourceforge.net/

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 10:53 AM
Response to Reply #33
34. Password protection means nothing
Since Pico boots up as root, you have complete control of the machine. If I had one where the root password was lost, I could replace the password files, and reboot the target with a new root password.
People think they're safe because their system is password protected and the passwords are encrypted. Wrong.

If you can boot it with Pico, you can take out or put anything you want and not leave a trace.

You have to physically secure the machines to keep them safe. If they're not in a secure vault, and someone hostile has access, you're screwed.

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 11:02 AM
Response to Reply #34
35. Yes, that's the point.
Every bit on the machine is yours to set or clear, and when you leave, there is no way to tell you were ever there.

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 11:22 AM
Response to Reply #35
37. Disposing of old machines
You have to physically destroy the hard drive(s). Even 'secure' delete programs might not erase everything.

The Chinese are smart. They will take fragments of information and, over time, put it all together. They have millions of eyeballs to pore over the data, things that software can't do.

I've personally dealt with PRC Intel officers. They're very good and very professional. Don't underestimate them.


bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 11:34 AM
Response to Reply #37
38. I usually keep old drives around for a while, like 5 years, then beat them apart with a hammer.
And recycle the wreckage. Much quicker to do than trying to clean things up.

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 11:51 AM
Response to Reply #38
39. I like to salvage the magnets first
They're handy for all kinds of projects.

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 11:53 AM
Response to Reply #39
40. LOL.
I was never much of a hardware wonk, just enough to get by.

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 12:00 PM
Response to Reply #40
41. Get a set of Torx bits
http://en.wikipedia.org/wiki/Torx

You can take out the platters too.

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 12:04 PM
Response to Reply #41
42. But that would void the warranty.
Once you break the seal, they would know ...
:-)

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 12:52 PM
Response to Reply #42
43. By the time I crack one open
Edited on Sun Nov-30-08 12:57 PM by formercia
the manufacturer is just a footnote in history.

There's a perverse satisfaction in cracking open an IBM DeathStar.:rofl:

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 01:00 PM
Response to Reply #41
44. The thing is I don't DO anything.
No kiddie porn, no traffic with foreign nationals, no hacking of other peoples systems, no encrypted messages or secret codes, no criminal enterprises, my interest has always been to protect systems I was responsible for, and the need to know how things work. So if the Chinese or anybody else wants to spend enormous resources to excavate obsolete passwords to accounts that no longer exist on machines that no longer exist, or grovel through the detritus of my work, or look at my old pictures, I don't care that much. Security has to be proportionate to what is being protected. I'm pretty much Bob Milktoast when it comes to things that are illegal. Though I did fool with PGP back when it was still theoretically verboten.

But if I have internet accounts and the like on a machine, I will beat it to rubble.

formercia (Donating Member, 1000+ posts), Sun Nov-30-08 04:46 PM
Response to Reply #44
45. I guess you're not GOP after all.
:rofl:

bemildred (Donating Member, 1000+ posts), Sun Nov-30-08 11:06 AM
Response to Reply #34
36. This is, BTW, why those FARC PCs that the Colombians found all that incriminating
stuff on don't mean much, or any other stuff found on any other PC. It's all ephemeral.

Tandalayo_Scheisskopf (Donating Member, 1000+ posts), Fri Nov-28-08 12:35 PM
Response to Reply #11
13. There is the rub:
In the DoD, the #1 canon reads thusly:

"M$ and only M$, except on some high performance clusters. As it was in the beginning, is now and ever shall be. Amen"


bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 05:32 PM
Response to Reply #13
20. Yeah, it's like some sort of death wish they have.
Used to drive me nuts because then I would have to manage and configure all these Windoze boxes, and it was all bondage and discipline, a huge time sink, and even then you weren't safe, you were just "up to date".

bemildred (Donating Member, 1000+ posts), Fri Nov-28-08 12:57 AM
Response to Reply #2
5. My favorite thumb trick is bootable thumb drives you can run off of
for anonymous, untraceable surfing in cyber-cafes and libraries and the like. Something I have never been motivated to carry out, but admire from a distance.

The Backlash Cometh (Donating Member, 1000+ posts), Fri Nov-28-08 12:38 PM
Response to Reply #2
14. I bought quite a few of these on ebay for cheap. Sandisk, I believe.
Are they special thumbnails? Or are these things you pick up over the counter equally corrupted?

Tandalayo_Scheisskopf (Donating Member, 1000+ posts), Fri Nov-28-08 12:53 PM
Response to Reply #14
16. From what I understand...
And my source is unimpeachable, it's all of them. Every last one. Every brand.

blogslut (Donating Member, 1000+ posts), Fri Nov-28-08 08:02 PM
Response to Reply #2
21. Can't they protect DoD computers from bad thumbdrives on the machine side?
Like some sort of pre-scanning program that would analyze portable storage before the hard disk is allowed to open it?
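Reply #21 asks for a machine-side check on portable storage, and replies #2 and #11 point at the launcher software (U3) that shipped preinstalled on the drives. The hook for that kind of software is an autorun.inf in the root of the volume (U3 drives presented a small emulated CD-ROM partition so Windows AutoRun would start the launcher from it). The Python below is an added example by the editor, not code from the thread or from any DoD program: run on a host where the drive has been mounted (read-only, ideally the Linux box reply #2 suggests), it parses autorun.inf, lists every entry that would execute a program under AutoRun, checks whether each referenced file is actually on the volume, and independently lists every executable found. The mount path and the sample volume layout are constructed for the demonstration.

```python
"""Machine-side check of a removable volume for AutoRun launch hooks.

Added example, not code from the thread. Assumes a POSIX host (for instance
the Linux box reply #2 suggests plugging the drive into) with the volume
already mounted read-only at some path.
"""
import os
import re
import tempfile

# [autorun] keys that make Windows AutoRun start a program from the volume.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also runs a program, via the default or context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll", ".msi"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Mirrors the loose INI handling Windows applies: blank lines and ';'
    comments are skipped, section and key names are case-insensitive.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(entries):
    """Keep only the entries that would execute something."""
    return [(k, v) for k, v in entries if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def command_path(value):
    """First token of a command line, with surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def scan_volume(mount_point):
    """Inspect a mounted volume and return a findings dict.

    Windows looks for autorun.inf only in the volume root and matches the
    name case-insensitively, so the root listing is compared lower-cased.
    The existence check for referenced files is exact-case on a Linux host.
    """
    findings = {"autorun_present": False, "targets": [], "missing": [], "executables": []}
    root = {name.lower(): name for name in os.listdir(mount_point)}
    inf_name = root.get("autorun.inf")
    if inf_name:
        findings["autorun_present"] = True
        with open(os.path.join(mount_point, inf_name), "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key, value in launch_targets(entries):
            rel = command_path(value).replace("\\", "/")
            findings["targets"].append((key, rel))
            if not os.path.exists(os.path.join(mount_point, rel)):
                findings["missing"].append(rel)
    # Independently of autorun.inf, list every executable on the volume.
    for dirpath, _, files in os.walk(mount_point):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, name), mount_point)
                findings["executables"].append(rel.replace(os.sep, "/"))
    findings["executables"].sort()
    return findings


def is_suspicious(findings):
    """Policy: any launch hook on removable media is a block, not a warning."""
    return findings["autorun_present"] and bool(findings["targets"])


def build_sample_volume():
    """Constructed sample volume (not a real drive): a U3-style launcher layout,
    plus one dangling launch entry so the missing-file path is exercised."""
    root = tempfile.mkdtemp(prefix="usbscan_")
    os.makedirs(os.path.join(root, "System"))
    with open(os.path.join(root, "Autorun.inf"), "w", newline="") as fh:
        fh.write("[autorun]\r\n"
                 "icon=System\\icon.ico\r\n"
                 "open=System\\Launcher.exe -autorun\r\n"
                 "shell\\open\\command=System\\Launcher.exe\r\n"
                 "shell\\explore\\command=Setup\\hidden.exe\r\n"
                 "action=Start my drive\r\n")
    open(os.path.join(root, "System", "Launcher.exe"), "wb").close()
    open(os.path.join(root, "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    result = scan_volume(vol)
    print("suspicious:", is_suspicious(result))
    for key, path in result["targets"]:
        print(f"  {key} -> {path}{'  (file missing)' if path in result['missing'] else ''}")
```

The scanner only tells you what the drive would try to run; whether the host honours it is a separate setting. The launcher's own files look like any other program to a file scanner, so the useful control on the machine side is to refuse removable media that carries a launch hook at all, rather than to try to judge the program it points at.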
 
IndianaGreen (Donating Member, 1000+ posts), Fri Nov-28-08 12:56 AM
Response to Original message
4. And how much money does DOD spend on cyber security?
Like another poster said, calling Richard Clarke!

ashling (Donating Member, 1000+ posts), Fri Nov-28-08 01:07 AM
Response to Original message
7. Was Obama briefed?
"Excuse me while I pardon this turkey."

And why was this "exceptional"?

Xipe Totec (Donating Member, 1000+ posts), Fri Nov-28-08 06:52 AM
Response to Original message
10. "the exceptional step of briefing President Bush this week"
Did president Cheney give Dubya clearance?

file83 (Donating Member, 1000+ posts), Fri Nov-28-08 12:41 PM
Response to Original message
15. "highly protected classified network"
Edited on Fri Nov-28-08 12:42 PM by file83
Obviously, not that protected. Obviously, not that classified.

Any network that has outside world connections that aren't physically isolated can NOT be considered either protected or classified.

If there is a way to get in then 1) People know about it 2) It isn't protected

Hopefully what got penetrated was just a honey-pot and this press release is all just part of the psy-op to make the infiltrators think they got into something good.

Tandalayo_Scheisskopf (Donating Member, 1000+ posts), Fri Nov-28-08 12:57 PM
Response to Reply #15
17. From what my source said...
These were not honeypots. These were real networks doing real secure stuff. Or so the story went at the time. The DoD is now re-examining that assessment, furiously.

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

© 2001 - 2011 Democratic Underground, LLC