Re: [iwar] Sleuths Invade Military PCs-fwd- As a sorry publicity stunt

From: e.r. (fastflyer28@yahoo.com)
Date: 2002-08-18 04:07:44




Fred and Friends: Earlier reporting on the source of the major Pentagon Hack Attack was in error, and a few East Coast papers and I all got skunked. While it is not unrealistic to assume that DOD had planned to have their systems checked to gain better knowledge of the methods which hackers use to get into their commercial .mil system, and their largest intrusion point, their story just did not make sense at face value, as you do not announce you have a problem prior to checking the systems out. They very likely committed a crime.
It now appears that the news story was based on bad information, and it created a real mess. It seemed unlikely that DOD would complete such a system sweep in the public eye, as the problem is a serious one. It now appears this was all a well-organized hoax, some type of publicity stunt. I am in hopes that the firm which instigated this effort, along with involved parties, finds that harsh legal blowback far outdistances the "fun" they may have had in making DOD look bad in public.
While I will be the first to admit this is a serious problem, based on the early reporting, the potential points of illegal entry into the patchwork quilt of security (that is what DOD calls it) is so full of exploits and intrusion points that this prank ought to concern us all, as it exposes a larger problem. Since the 2nd Clinton team started working this problem, the experts agreed that there was little that could be done with so many disparate machines running different OS's as well as APP software. The bottom line with this entire tale is that DOD has quite a cyber mess with which to deal. And the only solace that this sad event gives us is that awareness has been heightened. Savvy people may be the best deterrent there is to any continued problem. The good news herein is that hard-wired systems for highly classified information are nearly impossible to breach without inside help.
To confuse this mess further is the fact that each service has quite different cyber needs, and therefore, agendas. While there is a core of security needs for each service, that is where agreement ends. How to resolve this mess is a question without answer. The only way DOD will eventually secure a critical infrastructure is to greatly limit access and give the problem more than the "lip-service" which both Mr. Bush and SecDef Rumsfeld have thus far done. Compared with other DoD problems this is a very cheap fix. All it costs is bodies and hardware, but it is not a high-flying command, thus it is remanded to the code writers, and if we get lucky, some more aggressive people, or simply those willing to say something when the problem shows up.
With egg on my face, along with the Joint Staff, it appears that the West Coast high-tech firm initiated these attacks as a publicity stunt. I am in high hopes that they clearly violated the amended National Security Act and that is not equal to jaywalking; it is a serious crime. If you forget the downside for just one moment, it does give you a clearer picture of the laxity of security in all commercial DOD systems. (By that, I mean those which one can reach from either your DSL service or an ISP on the internet.) The hard-wired systems are still ship-shape. In sum, I hope these clowns learn a lesson the hard way, by getting federal jail time. (Given the inter-state nature of their action, that is a very good bet.)
I am in hopes that federal law enforcement will ruin that firm's day, come Monday morning.
*Do I wish this occurred, or was even possible? Hell no, but sadly it is.
*Do I wish DOD and the services would develop and implement a strategic security plan to protect critical systems? I hope they do, but have realistic beliefs. The killer in all of this is that the billets and hardware to implement high-end security are comparatively cheap, far less than the cost of one JST. We could acquire the proper hardware to meet the challenges of the present and future cyber fight with the best on the market and protect the defense critical cyber infrastructure for next to nothing when compared with other acquisition requirements. It would make adjusting our warfighting to address dealing in terms of a battlespace far easier, too. The key to this all is for DOD to either acquire good people, or outsource this problem to private sector firms with both the people and hardware to stay apace with the capabilities of the bad guys in this entire arena.
 Fred Cohen wrote: * subscribe at http://techPolice.com

© 2002 The Washington Post Company
washingtonpost.com 
Sleuths Invade Military PCs With Ease 

By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01 

SAN DIEGO, Aug. 15 -- Security consultants entered scores of
confidential military and government computers without approval this
summer, exposing vulnerabilities that specialists say open the networks
to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available
software, identified unprotected PCs and then roamed at will through
sensitive files containing military procedures, personnel records and
financial data.

One computer at Fort Hood in Texas held a copy of an air support
squadron's "smart book" that details radio encryption techniques, the
use of laser targeting systems and other field procedures.  Another
maintained hundreds of personnel records containing Social Security
numbers, security clearance levels and credit card numbers.  A NASA
computer contained vendor records, including company bank account and
financial routing numbers.

Available on other machines across the country were e-mail messages,
confidential disciplinary letters and, in one case, a memo naming
couriers to carry secret documents and their destinations, according to
records maintained by ForensicTec Solutions Inc., the four-month-old
security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible
military computers about two months ago, when they were checking
network security for a private-sector client.  They saw several of the
computers' online identifiers, known as Internet protocol addresses.
Through a simple Internet search, they found the computers were linked
to networks at Fort Hood.

Former employees of a private investigation firm -- and relative
newcomers to the security field -- the ForensicTec consultants said
they continued examining the system because they were curious, as well
as appalled by the ease of access.  They made their findings public,
said ForensicTec President Brett O'Keeffe, because they hoped to help
the government identify the problem -- and to "get some positive
exposure" for their company.

"We were shocked and almost scared by how easy it was to get in,"
O'Keeffe said.  "It's like coming across the Pentagon and seeing a door
open with no one guarding it."

In response to an inquiry by The Washington Post, military
investigators this week confirmed some of the intrusions at Fort Hood,
saying they occurred on PCs containing unclassified information.
Senior officials said they are preparing an Army-wide directive
requiring all shared computer files containing sensitive information to
be password-protected.  Sensitive information includes such items as
Social Security numbers, confidential plans and so on, officials said.

The Army has never before focused so intently on the security of
desktop computers containing unclassified data, but it is doing so now
because so many more machines are linked to vulnerable networks,
officials said.  These systems are not as strictly secured because they
are not supposed to contain or communicate any classified material.
More secure networks are typically not linked to the Internet and
employ much more stringent safeguards, including procedures to
authenticate the identities of computer users.

"Everything is connected," said Col. Thaddeus Dmuchowski, director of
information assurance for the Army.  "Our 'defense in-depth' has to go
down to the individual computer."

ForensicTec's electronic forays show that the government continues to
struggle with how to close off systems to prying eyes -- including
terrorists and foreign agents -- after a presidential directive last
fall making cybersecurity a national priority.

That struggle was underscored by a General Accounting Office report
last month that concluded the government wasn't doing an adequate job
coordinating efforts to protect its online systems.  Next month, the
White House's new Critical Infrastructure Protection Board will release
a sweeping national plan intended to bolster computer security.

None of the material made available by ForensicTec appears to be
classified.  But government and private specialists said that such open
systems pose a threat because compromised machines may contain
passwords, operational plans or easy pathways to more sensitive
networks.

They also could be used to mount an electronic attack anonymously or to
gather enormous amounts of unclassified information to gain insight
about what an agency or military unit is privately contemplating,
specialists said.

"If you had an organized spy effort, that would be the real concern,"
Richard M. Smith, an Internet security consultant based in Cambridge,
Mass., said of ForensicTec's findings.  "This is a widespread problem."

Kevin Poulsen, another security specialist, worries that an intruder
could place onto an unsecured network malicious software such as a
virus, worm or Trojan horse program that could wind up on
more-sensitive networks as desktop machines migrate from one place to
another.

"The government is now lagging behind the sophisticated Internet users,
when they should be leading," said Poulsen, editorial director of
SecurityFocus, a Web site devoted to such matters.

A spokesman for the Pentagon agency responsible for computer network
defense said he could not discuss the ForensicTec activity because the
vulnerabilities are under investigation.  Maj. Barry Venable, a
spokesman for the U.S. Space Command, said the military takes
seriously all such intrusions, even if the system entered does not
contain classified data.  He said hackers rarely gain control of
military computers.

"Even one successful intrusion or instance of unauthorized activity is
too many," he said.  "The services and DOD agencies are working hard to
educate their computer users and administrators to practice and
implement proper computer security practices and procedures in a very
dynamic information environment."

The issue of computer security has become more pressing in recent years
as vastly more computers and networks have been linked to the Internet.
Many public and private computers still have not been properly
configured to block outsiders, and security components of operating
software often are left set on the lowest default level to ease
installation.

Even though it's a felony under U.S. law to enter a computer without
authorization, the number of intrusions has skyrocketed, according to
data collected by the CERT Coordination Center at Carnegie Mellon
University.  The number of incidents reported to CERT -- the leading
clearinghouse of information about intrusions, viruses and computer
crimes -- increased from 406 in 1991 to almost 53,000 last year.

Howard Schmidt, vice chairman of the White House Critical
Infrastructure Protection Board, said officials have been crisscrossing
the country to push for better practices.  But he acknowledged that
many individuals still don't take rudimentary precautions, such as
adopting passwords more complex than "password" or a pet's name.  And
system administrators often do not fix known flaws with widely
available software "patches."

Schmidt said the board's strategy, to be announced next month, will
provide clearer guidance about how to achieve better security for
government agencies and businesses alike.  A crucial element will be to
encourage people to follow through on existing rules and procedures.

"This reinforces to us that there's still a lot of work to be done," he
said of the ForensicTec findings.  "It's more than technology. . . .
It's people not following the rules, people not following the
policies."

The GAO report last month said the "risks associated with our nation's
reliance on interconnected computer systems are substantial and
varied," echoing a series of earlier reports chronicling the
government's inability to secure its computers.

"By launching attacks across a span of communications systems and
computers, attackers can effectively disguise their identity, location
and intent," it said.  "Such attacks could severely disrupt
computer-supported operations, compromise confidentiality of sensitive
information and diminish the integrity of critical data."

ForensicTec consultants said it wasn't hard to probe the systems.  They
employed readily available software tools that scan entire networks and
issue reports about linked computers.  The scans showed that scores of
machines were configured to share files with anyone who knew where to
look.  The reports also contained people's names and revealed that many
of the computers required no passwords for access, or relied on easily
crackable passwords such as "administrator."

The consultants said they identified other Internet addresses during
their exploration of Fort Hood, including those for machines at the
National Aeronautics and Space Administration, the DOD Network
Information Center, the Department of Energy and other state and
federal facilities.  Scans of those systems yielded similar results:
hundreds of virtually unprotected computer files.

O'Keeffe, the company president, said his consultants concluded that
they had tripped across a serious problem.

"If we can do this, other governments' intelligence agencies, hackers,
criminals and what have you can do it, too," he said, adding that he
hopes to help the government by bringing the vulnerabilities to light.
"We could have easily walked away from it."

The material they saw ranged from poetry and drafts of personal letters
to spreadsheets containing personal and financial information about
soldiers.

A couple of memos to members of a squadron at Fort Hood included the
location of several safes and the inventory of one: secret operations
information on hard drives, floppy disks and CDs.

Another memo designated a courier -- by name, rank and Social Security
number -- who would "be hand-carrying classified information" to Fort
Irwin Army Installation in California, apparently from February to June.

The consultants also obtained access to spreadsheets and e-mail messages
at NASA containing details about vendor relationships, account numbers
and other matters.  NASA spokesman Brian Dunbar said he could not
confirm the provenance of the information obtained by ForensicTec.  But
he said the agency was investigating its claims of vulnerability in
accounting-related computers.

"We will investigate what's going on here," he said.  "If this
information is in the clear, it poses a risk to these companies and we
need to get it fixed."

Steven Aftergood, a research analyst and government information
specialist, said that much of the data the consultants came across is,
by itself, "of limited sensitivity." But the easy access to government
machines represents a substantial security challenge, at a time when
military, government and business officials rely on computer networks
more than ever.

"It's a qualitatively new kind of vulnerability that the government has
not quite come to terms with yet," said Aftergood, a senior research
analyst at the Federation of American Scientists.  "And it is a
vulnerability that will increase in severity if the government doesn't
do something about it."


This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT