The United States may be forced to redesign an unnamed new weapon system now under development – because tech specs and plans were stolen from a defence contractor's databases. Reuters and Aviation Week report on the revelation by US Deputy Defense Secretary William Lynn, made in the course of announcing beefed-up cyber defences …
beefing up cyber defenses?
The solution is to stop accessing the Internet from computers that can be compromised by opening an email attachment or clicking on a URL
"Reuters and Aviation Week report on the revelation by US Deputy Defense Secretary William Lynn, made in the course of announcing beefed-up cyber defences intended to put a stop to such intrusions"
"It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies"
"Hackers break into French defence industry"
How long before they blame B Manning?
for this leak?
The US DOD etc is almost as leaky as many of the US roadsigns after they've been riddled with buckshot and other weaponry. They will have to find someone to carry the can.
BH's and anon for obvious reasons.
That'd be a bit of a stretch even for the evidence fabricators in the US establishment.
How long before they blame B Manning?
Bernard Manning? Surely not!
Blimey, was it his mother-in-law?
Take my wife... etc, etc
Their security is a bit of a turkey...
Yep. Coat please.
I've only seen one roadsign in such condition in all my 35 years. And it was not riddled with "buckshot", just good ol' fashioned bullet holes. Asshole.
... wasn't that Bernard Mathews?
You've never driven in Alabama, have you?
I'm originally from far Eastern Tennessee and road signs without at least one bullet hole or scatter gun holes are a rarity. Sometimes on really slow days people get tired of shooting the signs and just run them over with their trucks.
About the "security" of cloud services......
So who knows what has been stolen from the American and British MILITARY. And we are being persuaded (Amazon, Google, IBM) that commercial cloud services are the wave of the future.
Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake?
Re : AC About the "security" of cloud services
"Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake?"
I missed the bit when somebody suggested hosting miltech data on 3rd party cloud data services - I'd like to think that there isn't anyone stupid enough to ever do anything like that, but I'd not bet a huge amount on that.
Cloud services are fine for certain purposes, they are not a universal solution for data storage - but that's hardly news.
the cloud is a ghastly mistake?
> we are being persuaded (Amazon, Google, IBM) that commercial cloud services are the wave of the future. .. Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake? ..
It'll be about as secure as the current stuff ..
It is my solemn belief....
...That anyone using the term 'cyber' in a serious (non-reportage, natch) way should be executed. Seriously, people - that term has been absurd since before 'Virtual Reality' was the next big thing.
What next - are banks going to talk about cyber matrix clones hacking the virtual reality grid? Sorry, I have to go - I'm choking to death on a corn flake.
Re: solemn beliefs
"What next - are banks going to talk about cyber matrix clones hacking thevirtual reality grid? Sorry, I have to go - I'm choking to death on a corn flake." ..... David W. Posted Friday 15th July 2011 13:57 GMT
If that was meant to be written, David W. ..... "What next - are banks going to talk about cyber matrix clones hacking their virtual reality grid?" ..... then probably definitely yes is the answer to that question, with the perps being obscenely well paid to keep their methodology to themselves and say nothing to anybody about how they became so suddenly, instantly wealthy. Although it will probably be nothing that they [the banks] will talk about, even amongst themselves, lest that which is used against their systems is used by others within their systems to, in effect, hold them to extortionate ransom, which is an interesting novel reversal of their great fortune, methinks, whenever one considers the too-big-to-fail model which is failing them and yet which lines their pockets with flash cash to squander on toxic crap.
And whereas some may consider and proclaim such an enterprise as a questionable or criminal hack, a great many more would just recognise and herald such a dire state of affairs as poetic natural justice delivered, and in some cases would it be just so.
On the bright side,
as we're not talking about the loss of mere consumer data (because as we all know, the little people will always come back for more regardless of the abuses they suffer) but actual valuable data whose theft or damage has actual measurable financial impact on the company and its future, maybe we'll see a bit of improvement in the whole security thing.
Working on top secret government projects you say? Not using a sensibly configured mandatory access control system? Don't see the point of SELinux or TrustedBSD? Gosh, that sounds an awful lot like treason old chap. Do put on this blindfold and stand against the wall, and I'll go bring in the next contract bidder.
You might think
I saw a different article elsewhere that mentioned Defense contractors were complaining about being required to increase their security because it would be too expensive.
Surely the simplest answer is to pull the plug on the internet connection for any equipment that houses or has access to such data? The terminals can operate on an internal network but I struggle to see why an internet connection would be required for R&D of military equipment.
Have a standalone terminal with an internet connection for all the lunchtime facebook browsing etc.
Surely the simplest answer is to pull the plug on the internet connection...
... for any equipment that houses or has access to such data?
Good idea! At least i'll be working instead of reading El Reg. :)
Poor UK & USA
Because these kinds of nefarious activities are not the sort of thing we'd ever do to anyone. Oh no.
Need a hypocrite tag... Rupert Murdoch or Rebekah Brooks, anyone?
Why can't we all just be friends? </sarcasm>
Like AC said, I am amazed they keep such sensitive information on computers that can be accessed via the internet. The risks are known but seem to be conveniently forgotten. I guess some employees there need critical information for their job from YouTube and Facebook and such sites. The shit I received from the employees of our company when I blocked these sites was unreal, and the excuses I heard were hilarious to say the least :)
It's some crazy balloon, rocket spy thing.
They don't know who stole the plans, but the criminal mastermind goes by the name 'L'Ester' and is currently hiding at his secret volcano lair / donkey sanctuary deep in the Spanish mountains where he is designing a deep fat fried weapon of mass destruction.
A special operations unit made up from slightly shop-soiled supermodels is being formed to extradite him back to Guantanamo Bay where he will be chased by large spiders harvested from German supermarkets to the sound of Icelandic elf songs.
If these so-called "Defense Contractors" bought two servers they could keep one disconnected from the Internet.
What utter fuckwits.
did some tech support for a uk company in the 90s...
that did some work for govt. Secret areas were separate, locked and connected to a separate set of servers (locked room from main server aisle) via fibre. That room had NO other external data connections. If any of us were in there we had to have somebody else in the room. Bust hard drives went into a locked safe in that room until we did a secure rubbish run.
That's how you keep things safe. Can I have my £300,000,000 security consulting fee now please?
If you are going to provide goods to the Government, then it's time for the Gov't to make mandatory network audits of their potential suppliers/contractors.
What idiot moves their money into a safe if they don't check the security first?
I'm not sure...
...you can call it a secret weapon any more...
Are we suggesting
that defence contractors seem to have difficulties with 'DMZ'?
We need a bullshit icon.
Because I'm smelling it from reading the article. In lieu of that, I'm using the "Esc" icon, due to the suspicious brown substance in the pic.
So what bit of the article enraged me? A little bit of this.
"Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems."
The thought's ok - 90% spent on firewalls is excessive. But I think he misses the point. _Physical security_ is a far better answer, as many commenters have pointed out already. Have your databases in separate networks from the web, and limit access to those who need it. And do those machines have USB ports? If so, remove them, because it's an easy way for spies to get at secrets. Firewalls should be completely redundant.
However, my real scorn goes to this comment.
"Cartwright said most viruses are only a couple hundred lines of computer code, but the patches to fix the holes they exploit can run into millions of lines of code."
Oh my fucking god. Either the General is lying (because the patch should be a couple of orders less in lines of code), or the code has more holes than swiss cheese. And how likely is it that those millions of lines of code introduce a few other unintended vulnerabilities along the way? (We are talking about patches written by tax-paid-out defense contractors, aren't we, rather than third-parties like OS and anti-viral manufacturers? It's not clear from the article, but that's the sense I get.)
Here's an idea, General. In addition to the physical security mechanism already used, how about using the security features that come with the OS - access control lists and user permissions? That should restrict the freedom for viruses to damage your systems. Oh, and don't forget about disabling AutoRun.
And if your systems still need millions-of-lines patches afterwards because the Bride-of-the-son-of-Conficker comes along, then your code is shit, as are the defense contractors that wrote it. Sack them. Alternately, if the access control lists and the user permissions _break_ their software, sack them and bill them for wasting government money. A bit extreme, but the US Government needs all the cash they can get at the moment.
Course you won't do that, General. A man's got to think of his retirement, and what's better than a well-paid sinecure in a defense contractor's board of directors? Sacking contractors would make waves, and you don't do that in Washington, do you?
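The two OS-level controls the commenter points to, AutoRun and access control lists, can both be audited from an administrator's console. The script below is an added example, not part of the comment thread or the article; it assumes Windows PowerShell 5.1 or later, an elevated session for the HKLM write, and uses a placeholder folder path (`D:\Projects\Restricted`) that is not from the page. The `NoDriveTypeAutoRun` policy value and its path are the real Windows Explorer policy location.

```powershell
# Added example (not from the comment thread): audit and enforce the Windows
# AutoRun policy, then list which identities can write into a sensitive folder.
# Assumptions: Windows PowerShell 5.1+, elevated session for the HKLM write,
# and $DataPath is a placeholder you replace with the real restricted share.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # NoDriveTypeAutoRun bitmask: disable AutoRun on every drive type

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value, or $null if the policy is unset
    $value = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $null }
    return [int]$value.NoDriveTypeAutoRun
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and sets the bitmask to 0xFF (all drive types)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

function Get-WriteCapableIdentities {
    # Lists every identity with an Allow ACE that grants Write, Modify or FullControl
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

# --- AutoRun check and remediation ---
$current = Get-AutoRunPolicy
if ($current -eq $AllDrives) {
    Write-Host ("AutoRun already disabled for all drive types (0x{0:X2})." -f $current)
} else {
    $shown = if ($null -eq $current) { 'unset' } else { '0x{0:X2}' -f $current }
    Write-Host ("AutoRun policy is {0}; setting NoDriveTypeAutoRun to 0xFF." -f $shown)
    Set-AutoRunDisabled
}

# --- ACL review of the restricted folder (placeholder path) ---
$DataPath = 'D:\Projects\Restricted'
if (Test-Path $DataPath) {
    Write-Host "Identities with write access on ${DataPath}:"
    Get-WriteCapableIdentities -Path $DataPath | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Folder $DataPath not found; skipping ACL review."
}
```

The ACL pass deliberately reports only Allow entries carrying write-class rights, since those are the ones that let a user or a piece of malware drop or alter files; anything beyond the owning project group in that list is worth a question.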
See 'n' Ohh!
I'm sure the NSA/GCHQ is liberating similar data from other foreign (Chinese?) defense contractors. Computer Network Exploitation (CNE) is all the rage nowadays amongst the national intel services.
In fact China manufactures so much IT hardware that gets shipped around the world, I wonder how much of it has hidden 'backdoors' which 'calls home' every now and then.
Upping the Ante
"I'm sure the NSA/GCHQ is liberating similar data from other foreign (Chinese?) defense contractors. Computer Network Exploitation (CNE) is all the rage nowadays amongst the national intel services." .... Anonymous Coward Posted Saturday 16th July 2011 08:53 GMT
To be sure, to be sure, AC, it is a virile field of feverish activity with many wanting a piece of the action but precious few well enough equipped/staffed to perform and provide any satisfaction .......
"In Defence of the Realm, One does as One Needs to Succeed.
Posted Friday 15th July 2011 14:36 GMT
That was a nice touch on this week's BOFH web page .... the carrying of a situations vacant advertisement for an "IT Security Exploitation Officer" in MI5. Presumably that is .milspeak for a crack hacker and super duper spooky person, both of which are as rare as hens' teeth and an even rarer find whenever seamlessly combined in the one excellent agent." ..... http://amanfrommars.blogspot.com/2011/07/110715.html
Pay peanuts, get monkeys ..... https://www.mi5.gov.uk/careers/showjob.aspx?id=128 ..... and many before have said that Military Intelligence is oxymoronic.
what has happened to security
I've not been security cleared for a few years,
but the computers we used to have with the secure stuff on were not allowed to be connected to the outside world.
They were in secure rooms, with red ethernet cables, warning stickers on.
And we had security people checking all the time.
I totally agree
I always thought Defense stuff was so secret that you could not even talk about it outside the special room you were supposed to work on it in.
I've been called in as a consultant for banks that have more security than these jokers (no laptop, couldn't touch keyboard and could only look at screen when operator authorized me to do so).
Learn from the past
When the Soviet Union was stealing Western technology (because they were incapable of developing their own) then there was one simple, elegant solution:
Worked before. Just sayin.
A slight paraphrase
Against Mil/Gov stupidity, the gods themselves contend in vain.
Default Username and Passwords
How to hack the government via any agency with a netapp array:
User name : admin
The truth should be accompanied by a large bodyguard of lies. So, perhaps the stuff nicked will be a little different than expected.
And the sheep take off
After reading the comments, it struck me that like a flock of sheep you are all leaping to conclusions. Nowhere in the article does it say the data was extracted using the internet. Nowhere does it say the computers were even connected to the internet.
For all we know, this might be like Stuxnet - computers not attached to the internet were attacked via a USB virus. Or more likely someone trusted simply connected a phone to the corporate LAN, and walked out the door with 30 Gb of state secrets on a micro SD card smaller than a fingernail.
Paris because on a site supposedly dedicated to IT, the comments here are simply sad.
There are IS people and then you have your Windows Admins. There is a difference.
The transcript of the speech the article was about starts:
"WASHINGTON, July 14, 2011 – The Defense Department’s first strategy for operating in cyberspace is a milestone in the fight to protect the nation from potentially devastating network attacks, Deputy Defense Secretary William J. Lynn III said today."