
I generally don’t have much of a problem with social networks. They are what they are and people are social creatures. Where it tends to become a problem is when it intersects with military networks, for example. A problem that is all too real for the Brits.
From Sky News:
The MoD refused to comment on whether the leaks related to operational issues and what disciplinary action was taken.
MoD personnel need clearance from their bosses before publishing anything which relates to operations, or offers opinions on Defence activity.
Staff are also forbidden from speaking on behalf of the MoD in relation to controversial, sensitive or political matters.
The leaks have occurred 16 times in the last 18 months according to the article. And that’s just the ones that we’re aware of.
(Image used under CC from johnkay’s Flickr feed)

Ah, the epic fail abounds today. Now, having formerly worked for the DoD as a contractor, I can say there are good contractors and others that should be given a cigarette and a blindfold.
I wonder where I’m leaning on this story.
From the WSJ:
Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.
Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.
Now, first off this isn’t hacking. Transmission was/is in the clear. It’s just piss poor design and I’m rather amazed that this one made it into the field without someone catching it. Or maybe they did and were told to hush up in favour of meeting deadlines?
If you send data, or anything else for that matter, in clear text, you have zero expectation of privacy. Zilch, zip, nada and bupkis.
Just to put this firmly in perspective for our non-technical readers this is as secure as…

Or this…

For more on this story please follow the link to the WSJ article.
Article Link (Thx Brooks)
UPDATE: More information on this story from Wired. Apparently, this clear text problem affects more than just drone aircraft.

The DoD is locking down its tubes with some new crypto it would appear. In an effort to move into cloud computing in earnest within the DoD there is a move afoot to layer in security.
OK, I’m listening.
From GCN.com:
The new cryptographic technology enables the convergence of various Defense Department Global Information Grid networks that operate at different security levels, which currently require individualized infrastructure designed to handle restricted data – and also individualized costs.
“The government spends a considerable amount of money on these networks, and they’ve been looking for years for a way to combine them,” said David Gardiner, vice president of security technology and solutions at Unisys, which is deploying its Stealth technology under a one-year JFCOM contract.
“Stealth” you say? Oh, I got all tingly there for a moment.
Stealth works by splitting bits of data into multiple packets as it moves through the network, then reassembles the information packets when delivered to authorized users. Only authenticated users who have obtained a workgroup key, authorized by a Stealth Solution server, would have the means to reassemble and unscramble the packets.
In some ways this sounds oddly familiar. The article goes on to say how this could be used to help improve cloud computing from a security perspective. I’d be interested to see how the keys are managed.
Oh look. A nice black helicopter overhead. Wave to the nice men.
UPDATE: As per my conversation with Chris Hoff, I should offer clarity on the ‘Stealth’ article. “To be clear: Unisys’ Stealth is being ‘evaluated/assessed’ under the JFCOM contract, not widely deployed.” Thanks Hoff.
See, this is what happens when I write something with little to no sleep. Clarity escapes me.
(Image used under CC from iancarroll’s Flickr stream)

Here is an amusing article from the folks at Wired. The title says it all.
From Wired:
Good news, cybersecurity nerds: You ain’t running out of work, anytime soon. As last week’s cyber panic about North Korea showed, when there isn’t a teenager-simple denial-of-service attack that delays your access to a government website, there is a voracious hype machine that feeds on the tiniest slivers of data – both significant and trivial – and expels massive quantities of fear and misinformation. And where there’s cyber fear, there’s cybersecurity work to be done.
Cyberdouchery is alive and well.
For the full article, and the list, read on.
(Image used under CC from slipstreamblue Flickr feed)

Not entirely sure what the thought process was of John Roth who, after being warned, still travelled to China with a laptop containing military data relating to drones…and then shared said information with a Chinese and Iranian student.
Um, yeah.
From Scientific American:
John Reece Roth, 71, a prominent plasma physicist was sentenced to four years in prison for 18 counts of conspiracy, wire fraud and violations of the Arms Export Control Act, after he allowed a Chinese graduate student to see sensitive information on Unmanned Air Vehicles (UAVs), also known as drones.
“The illegal export of restricted military data represents a serious threat to national security,” David Kris of the U.S. Department of Justice, said in a statement, “We know that foreign governments are actively seeking this information for their own military development. Today’s sentence should serve as a warning to anyone who knowingly discloses restricted military data in violation of our laws.”
Only 4 years? I think he got off easy.

Um, whoops.
It turns out that there are flaws in the clearance process. Hell, I could have told them that. My ex-girlfriend had a Top Secret clearance and lied that she was dating a Canadian…yes, that qualifies as a foreign influence. Eh.
And no, I won’t name names. She was a pain in the arse and will remain in the past.
From Washington Times:
Flaws in the system for granting clearances to Defense Department staff and contractors pose a risk to national security, and the right tools to measure how well the process works are essential, said Rep. Anna G. Eshoo, California Democrat and chairman of a House intelligence subcommittee that oversees personnel and management issues.
“At present, we’re basically operating on faith. This shouldn’t be a faith-based process,” Ms. Eshoo told The Washington Times.
Gee, ya think?
The audit also found that nearly nine in 10 new top-secret clearances last year were granted even though background investigation files on the applicant “were missing at least one type of documentation,” most often employment verification.
Faith? For Top Secret clearances?

So, how would the US respond to a (gak) cyber attack? My concern would be, are they retaliating against the correct opponent? It’s not like we’ve never relayed through a third party to attack…um, read about, yeah, that’s it, read about such a tactic.
But, in all seriousness I have heard a certain character in the US military recently imply that a nuclear option would be on the table. This caused me to choke on my coffee and wonder what colour the sky might be in his world. The media has been having a field day vilifying the Chinese and Russians and scaring folks in government. This will not help build level heads.
From the Associated Press:
“In the face of our almost universal reliance on untrusted systems, the United States currently is facing a grave national security challenge in the form of exploitation of our government and private-sector networks and information,” said Steven Chabinsky, assistant deputy director of cyber issues for the Obama administration’s director of national intelligence. “This exploitation is occurring on an unprecedented scale by a growing array of state and nonstate actors.”
OK, no argument there. Then he added this,
Chabinsky said the U.S. needs to figure out what it is prepared to do in the face of a cyber assault, such as an action that takes down the electrical grid. And, since the grid is privately run, officials must also decide how any counterattack should be coordinated with the corporate world.
Having been a part of the electricity vertical, I can safely say that you can’t just hit the big red button that says, “shut down” and the grid goes dark. It’s nowhere near as simplistic as the media have led folks to believe.
Damn you “Die Hard 4”.
So, as they examine their options I hope that cooler heads prevail and spend less time worrying about counter attacks and more on shoring up defenses.
(Image: risingpowers.foreignpolicyblogs.com)

I’m late to the party with this article.
Apparently, there are hackers that are ill disposed to the US. Who knew?
From Information Week:
The hackers, who collectively go by the name “m0sted” and are based in Turkey, penetrated servers at the Army’s McAlester Ammunition Plant in McAlester, Okla., and at the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va.
The breach at the McAlester munitions plant occurred on Jan. 26, according to records of the investigation obtained by InformationWeek. On that date, Web users attempting to access the plant’s site were redirected to a Web page that featured a protest against climate change.
On Sept. 19, 2007, the same hackers electronically broke into Army Corps of Engineers’ servers.
Interesting. I’m used to the “Pwned by $SCRIPTKIDDIE” type of defacement. A redirect to a page on climate change? OK, I’ll admit that’s a new one for me.
More on that story,
Investigators believe the hackers used a technique called SQL injection to exploit a security vulnerability in Microsoft’s SQL Server database to gain entry to the Web servers. “m0sted” is known to have carried out similar attacks on a number of other Web sites in the past — including against a site maintained by Internet security company Kaspersky Lab.
Ah! Now I remember these characters. Maybe the DoD can use some 31337 cops.
Sorry, had to tie that image in somehow.

As someone who once purchased a used Newton MessagePad 130 loaded with military command software (I’m not kidding), I couldn’t help but find this story simultaneously interesting and amusing.
Newsweek is reporting that the U.S. military is considering (and, if the article is correct in its suggestion, issuing) iPod Touches to soldiers, to provide such facilities as language translation and intelligence sharing. And it makes sense, really:
The future of “networked warfare” requires each soldier to be linked electronically to other troops as well as to weapons systems and intelligence sources. Making sense of the reams of data from satellites, drones and ground sensors cries out for a handheld device that is both versatile and easy to use.
(Gizmodo reported a similar story back in December 2008, discussing translation software.)
Yes, the iPhone and iPod Touch both bear a fantastic, intuitive interface, and can be made to do so much thanks to the App Store (not to mention jailbreaking, which opens up a world of near endless possibilities for the devices). Heck, the devices have even shown that they can pass muster with the military’s tough requirements:
Typically sheathed in protective casing, iPods have proved rugged enough for military life. And according to an Army official in Baghdad, the devices have yet to be successfully hacked.
Come again. “Yet to be successfully hacked”? Maybe they missed 2007’s Mobile Safari TIFF exploit, or more recently, the (possible) iPhone shellcode execution vuln discovered by Charlie Miller. Additionally, the same jailbreaking that provides access to additional software and functionality often comes with the ability to install services, such as OpenSSH. Combining that with the well known password for the “mobile” and “root” users on the iPhone/iPod Touch (it’s “alpine”, btw), and soldiers’ intelligence-sharing, word-translating, Tap-Tap-Revolution-playing, network-accessible, probably-associated-to-an-attacker-controlled-WiFi-network devices are ripe targets.
(Update: 2009041000) Craig Ingram (@cji) notes something that I, in all of my wizdumb, didn’t discuss — there’s no mention of remote wipe being configured for these devices. Save for using Microsoft Exchange with the iPhone/iPod Touch, I don’t know of a built-in facility for remote wipe.
Read the Newsweek article for more of their story — you know, beyond the “yet to be hacked” stuff.

According to the US Army, one of their databases was breached, exposing the personal information of at least 1600 soldiers.
From FCW:
Soldiers who registered with, or participated in, the Army-sponsored Operation Tribute to Freedom program during the past five years may be affected by the security breach, Army officials said March 10. The service is notifying those soldiers about the issue through e-mail messages and letters.
The information that may have been breached includes the service members’ names, e-mail messages, phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned from their deployment, Army officials said.
No SSN? That is a fair amount of personal information nonetheless. The part that makes me smile is the inevitable spin in a piece such as this. “The Criminal Investigation Command is investigating how the password-protected, secure Web-based information was penetrated.” Um, yeah.
I once did a test on a US military web facing system and was asked to breach it. I went for the low hanging fruit right out of the gate. Sure enough I was able to gain access.
Username: Admin
Password: abc123
Number of attempts: 1
Priceless.




