A network intrusion at the Pentagon nine months ago resulted in the theft of an "amazing amount of data" that continues to pose a threat to national security, the CIO of the Defense Department said earlier this week. "This was a very bad day," Dennis Clem, who is also CIO of the Office of the Secretary of Defense, said during a …
They use Windows in the Pentagon? They use Windows in the Pentagon and it is networked? Are they totally fucking insane?
... when someone hacks the system it's a "bad day". But when they're handing the data out to all and sundry (according to El Reg's recent article about the webmaster receiving all those emails) they don't give a crap.
Seems a bit double-standardish to me. Do they want the public to have the sensitive info or not?
There is no excuse for this...
Sorry but if you take the time, money and forethought, you can create a layered security approach that would limit your exposure.
The biggest problem is that you have a staff of employees who are not technical nor savvy enough to not get their pc's infected in the first place.
Black helicopters because I've said the truth that no one wants to hear, and that is that the Pentagon's IT operation staff are incompetent.
Do I detect evidence of criminal negligence?
"Over the course of two months leading up to the attack, malicious code infiltrated several systems belonging to the Pentagon's network and culminated in an exploit of a known Microsoft Windows vulnerability, Clem said."
So... There was a *known* vulnerability in Windows, and yet the Pentagon is using Windows.
So either someone who makes I.T. decisions for the Pentagon is criminally negligent, or that person has committed deliberate treasonous acts, in permitting the use of an operating system which is *known* to be vulnerable to such attacks.
At least the US Army has sense enough to dump Redmond's steaming pile.
I'm with A/C
I'm with A/C on this one - Networked Windows machines in the Pentagon with all this sensitive data on it seems outright unfathomable.
Since the invention of strangeloops information like this is pure BS.
If they are trying to recruit some hackers by this, they should have given out a bit more of a challenge.
And if they really think, they could nail down some "baddies" with this, they would be stupid :-D
what a wunch of bankers
In a word 'yes'.
Against mans^H^H^H^H governments stupidity, the gods themselves contend in vain.
It's now a matter of national security to batten down this pesky interweb thingy. Down with anyone using the internet for anything other than spending money.
Don't they know that a window is merely a hole sometimes filled with fragile easily broken material? There is no wonder that the US military cannot identify their own allies. The system is run by incompetents from the CinC down.
It doesn't add up
"an amazing amount of data" and "Network forensics show the hackers were able to access sensitive information, which they encrypted as they transmitted it back to their sites."
So the Pentagon has broken the hackers' encryption to find out what data was gleaned? If they know how to do that and there are 70,000 malicious entry attempts per day, then how come it's gone on for so long?
"a known Microsoft Windows vulnerability" - don't tell me that Pentagon PCs are not fully patched with security updates...
Maybe they're preparing a subpoena against MS.
"Pentagon attackers stole 'amazing amount' of sensitive data" It's the Pentagon, surely any amount of data stolen is an 'amazing amount of sensitive data'.
As for it being down to a Windows problem: This is a total red-herring, you can have windows workstations and desktop servers, totally securely, provided the edge servers aren't connected to the desktops/desktop servers (Desktop servers being file and print, app servers etc. etc.) and that you secure the workstations (no usb, floppy or cdroms and you limit web access.) etc. etc. etc.
I am thoroughly ashamed
I work for several companies that have ties to the military and if the Pentagon is getting just 70 K malicious access attempts a day then somebody is either lying their butt off or they're not keeping adequate records. One of the companies I deal with has in the range of several 100 million a day, and those just the ones that make it past the border routers.
What happened at the Pentagon is nothing short of patently irresponsible. The rules they force us to play by include not allowing any data deemed sensitive (or higher) being broadcast over a LAN that has any access to the internet. Period. If it does, a lot of people have a lot of debriefing to do before they are escorted off the premises.
Since the US government has the tendency to understate facts, especially when it makes them look really bad, inept or flat out baffled, chances are the magnitude of what actually happened is just the tip of the iceberg.
Based on what I've seen in my own experience, I can almost guarantee whatever got out of the Pentagon is now enshrined in some dark room, somewhere in the PRC, being reverse engineered.
As an American tax payer, I am dumbfounded that people that clueless are allowed to define and implement policies that allow this kind of shit to go on. Regardless of which administration it started under, it's the responsibility of the morons that are in office now, to clean it up... Providing they can find their own ass, using both hands, mirror, flash light (torch) and directions.
I believe the answer is yes, they are fucking insane.
Pirate flag because, well, yeah.
Define 'sensitive' information....
Nobody will say because "it's a secret". You have to take the word of people who have been found to be liars before when they're trying to make some case or trying to make us all fearful. You've also got an Administration where even Cheney's used TP seems to be a classified document. So between the sheer incompetence of leaving machines open to hacking -- machines that shouldn't have been accessible from the public Internet in the first place if they were carrying classified material -- and the tendency of contemporary scare mongers to talk up any and everything as a grave threat to us all I'd just list the incident as "the secretarial pool got owned and all those HR memos about diversity days and excessive coffee breaks (and internet usage) got swiped". Yawn.
All your nasty pentagon secrets are belong to us
gazillions a day for the Iraq invasion ...
... and the Pentagram can't gin up enough payroll to have folks on Windoze patch patrol 24/7? I don't know which is worse: that this is true, or that it's a red herring (and the truth is worse). Is it coincidence that this news item comes out whilst the do- we- give- the- telcos- immunity- for- spilling- customer- data- without- a- subpoena debate continues?
Then i guess these Pentagon chaps should move over to my house, where my network is far more secure and the only sensitive info i have is my campus certificates.
Paris, because she's proven herself to be unclassified.
Every week there is a major IT security loss of valuable data in some western country. The IT industry must be made up of semi educated half wits. In a position safe guarding the national security of a country means you must be the best person for the job. It's almost a Laurel & Hardy comedy when you read about defence contractors taking home laptops with half the country's secrets, and then leaving them in their cars which are later stolen. The Pentagon being so easily hacked is a bloody joke. Who are these nameless bimbos that are the guardians of our country's secrets.. My dog could do better..
"One of the companies I deal with has in the range of several 100 million a day, and those just the ones that make it past the border routers."
Several hundred million attacks a day???
So a measurable percentage of the earths population are engaged in attacking this single company, every day! I think not.
I think maybe you mean several million hostile packets, not several million individual attacks.
70k/day sounds like a pretty high level of attacks, I wouldn't be surprised if the Pentagon are vastly overstating the case to make it sound like 1 getting through isn't so bad.
"So a measurable percentage of the earths population are engaged in attacking this single company, every day! I think not."
The AC talked about "malicious access attempts" -- which I figure means attempts to bypass the network's security mechanisms. Such attempts typically are automated and a few million per day can come from a single PC without so much as the cooler fans spinning faster.
Of course they use Winders!
Surely you don't expect them to use Open Source software written by Godless commies, hippies and Yurpeans?
They need to use commercially developed stuff from Mercan companies; God Bless Merca!
(I'm guessing the hacking isn't just a one-way street; this might explain the PLA's interest in linux...)
Not too far fetched
I used to monitor my 2 public UK based IP addresses and when our time came round on the Chinese address list we got hit by hundreds of probing packets at a time. All would go quiet for a while and then we would come up again.
Meanwhile we had one fixed public US address which was not associated with any incoming services, I needed it for VPN setup, but the log everyday was always large. Most of the entries were US based Trojans trying to propagate though and to give them their due, most of the US ISPs I notified resolved their issues, whereas most of the rest of the world ignored them.
Assuming the pentagon has a large public IP space it is conceivable that the numbers are at least this large. The trojans mostly just go through the numbers which would also explain why the new servers are targeted so quickly.
If they are just reporting firewall log entries to justify the resources used then fair enough but if they are actually letting the traffic through then they do need replacing.
"My god they use windows" - yes, I think this is a problem, but I'd also think it was a problem if they used Macs and a well known exploit was used to own the box, and the same for Linux, it'd be a problem if a well known exploit was used to own the box.
"My dog could do better." I was going to post a very similar response until I figured out this very simple thing.
I could do better, and it'd be all very well until the latest greatest hacker evaded the system I put in place.
it's the any man and his dog feel he can do better ethos that's sending everyone down the tubes.
next they'll employ a bunch of ethical hackers I'm sure to design and test a system...
in truth there is only one way to secure a computer against remote attack and it involves the external data connection cable and a pair of scissors...
there are clearly a lot of best practices, and these are the ones that my colleagues and myself advise on and implement on a daily basis, but the truth of the matter is that no system is 100% unbreakable.
But looking through the two supporting articles that go with this piece, there are a couple of things that I find very disturbing:
Quote # 1
'The portion of the network infrastructure under assault was shut down soon after the attack was detected. Recovery, which took three weeks and cost $4 million, involved the introduction of a new process of "checking out" temporary IDs and passwords for access to the network'
Am I to assume then that part of the hack was conducted by hijacking an unsecured 'Temp' account? Securing Temporary or 'Pool' accounts really is Security 101 and failing to do so demonstrates a pretty lax controls structure.
Quote # 2
'Hackers know within minutes when a new server or software is deployed in the Pentagon, and they attempt to intrude. They have stolen lots of information from the Defense Department, he said.'
Huh? But isn't that what a decent proxy firewall is designed to prevent? How on Earth could an unauthorised third party detect a new server buried behind a DMZ?
The implications behind the two comments quoted really are a bit gruesome. And that's not even mentioning the question of why they weren't patched against the 'known vulnerability' in Windows.
Nice piece of personal PR for the said CIO though ..... his statements make him out to be some sort of hero, stepping into the breach with his 'big gambles'. The reality of course is that he is where the buck stops and I'd have expected a bit less of the 'didnt I do well' and a bit more of the 'I'm real sorry, but we screwed up'
@ Morely Dotes
Probably he is a Bush crony, and so is indemnified against criminal activity.
at least the hackers needed to use a known vulnerability these days - as opposed to just entering the default passwords! lol
So, here are the problems and solutions:
Prob1 - Need a network of pc's
Ans1 - Install Windows *throws up*, and put them on t'internet
Prob2 - Somebody guessed the default password - bugger
Ans2 - Change the default passwords and extradite the computer genius who used the default passwords, for he is truly a threat to US security
Prob3 - Somebody used a windows vulnerability to steal data
Ans3 - Keep updating windows
Prob4 - Updating windows keeps killing our pc's and losing masses of data.
Ans4 - Install Unix
Prob4 was a guess at the new problem - and obviously there are no more problems once unix is installed.
Lets see, How many sides does a pentagon have
C ring nitwits ...They were warned about those Peer to Peer file sharing networks!
Translates as "does not even meet the technical definition for Classified, let alone higher level secrecy requirements, but we still don't want it laying around in public." Essentially, it's almost anything done in military or military support facilities that isn't either explicitly covered by a classification code or been vetted for dispersal to the public by the PR department.
At least according to the people I know who work with the military.
I am not sure that you can equate <involved the introduction of a new process of "checking out" temporary IDs and passwords> with <part of the hack was conducted by hijacking an unsecured 'Temp' account>
There will be many 'realname' accounts on the 0wnd system. So there need to be many 'pseudo name' accounts (as secured as was, or better) on the recovered system. Essentially, the user community has been provided with new (albeit short-lived) credentials.
<isnt that what a decent proxy firewall is designed to prevent? >
erm, yes and no
a decent, well-configured and managed proxy fw is indicated
?IT stamp as I am not sure there is any IT competence displayed by the Merkins on this one
Pls mail this to the home secretary
ID database - unhackable?
pls post this to the home secretary for par rectal insertion
sure microsite is to blame
I never been a fan of billy goates and his fake software that he tries to enforce costs on you for running dodgy software in the first place..
but here is the thing.. if you go buy a car that ends up damaging your drive or the roads you would be up for compensation since its not doing what its supposed to be doing ie running on the roads and driving u from a to b..
If you move into a house and get broken into its not your fault that you moved into that house - insurance would pay back for costs and police would investigate the break in
so why is it, when microsoft produces badly written software that they have the cheek to charge end users for, why can't they be held responsible for producing utter rubbish that should have been sent to recycle bin rather than production line.
Microsoft and its badly written system should ensure a badly patched PC can not do anything besides get the latest patches and get them installed prior to clicking on anything else !!
No proof whatsoever that the hack DID involve an unsecured temp account of course.....
On the other hand, if it didnt, why confess to such nincompoopery in the first place?
Regarding the firewall..... hey, I dont know....
With the right acl's & several layers of firewalls...
even windows machines can be marginally safe. But most businesses and government agencies view the costs of properly securing a network as price prohibitive. However, if you point out the costs of doing damage control, PR issues, legal fees and any long term loss of revenue caused by a breach, sometimes the decision makers 'see the light' and invest a little in more robust network security.
Finally, you'd figure as much money the US government pisses away on stupid things, they would want to protect something as valuable as the data assets in the Pentagon... Note: Sometimes it's not always wise to go with the lowest bidder...
When you build a house that you know the big bad wolf is going to try and blow down, even a fucking 5 year old can tell you that you don't use straw as your foundation, you use the most solid bricks and best blueprints your money can buy. To be using Windows in the Pentagon is not just insane, it is criminally negligent.
"in truth there is only one way to secure a computer against remote attack and it involves the external data connection cable and a pair of scissors"
Um.. that's the idea behind SIPRNet and the other, "more secure" networks for the DoD. There is not even a physical link to the "civilian" Internet from those, and SECRET/TOP SECRET stuff stays there. I trust the DoD isn't using Windows there, though...
Anything "sensitive" should stay off the windows boxen. The Pentagon should be more sensitive on this and use at least SELinux, which is incidentally the NSA's MLS implementation on Linux.
The Pentagon having Windows PC's is kind of like opening up your server and finding it runs on bulbs and vacuum tubes, powered by hamsters...
Pentagon attackers stole 'amazing amount' of sensitive data
spy on us, we spy on you!
Individual U.S. Security Companies
The pentagon should outsource to individual security firms* More reliable and efficient- easily controlled-
So the Air Farce recruiting commercials are lying too!
In the commercial they show a shot of the world's largest office building, with a voiceover claiming something like 3 million attacks every day.
Yeah, sounds to me like someone is pulling numbers out of their ass.