back to article US forced to redesign secret weapon after cyber breach

The United States may be forced to redesign an unnamed new weapon system now under development – because tech specs and plans were stolen from a defence contractor's databases. Reuters and Aviation Week report on the revelation by US Deputy Defense Secretary William Lynn, made in the course of announcing beefed-up cyber …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    beefing up cyber defenses?

    The solution is to stop accessing the Internet from computers that can be compromised by opening an email attachment or clicking on a URL

    "Reuters and Aviation Week report on the revelation by US Deputy Defense Secretary William Lynn, made in the course of announcing beefed-up cyber defences intended to put a stop to such intrusions"

    "It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies"

    --

    "Hackers break into French defence industry"

    http://cyberseecure.com/2011/04/techeye-hackers-break-into-french-defence-industry/

  2. Anonymous Coward
    Black Helicopters

    How long before they blame B Manning?

    for this leak?

    The US DOD etc is almost as leaky as many of the US roadsigns after they've been riddled with buckshot and other weaponry. They will have to find someone to carry the can.

    BH's and anon for obvious reasons.

    1. Anonymous Coward
      Coat

      Bernard Manning?

      That'd be a bit of a stretch even for the evidence fabricators in the US establishment.

    2. nyelvmark
      Stop

      How long before they blame B Manning?

      Bernard Manning? Surely not!

      1. Anonymous Coward
        Coat

        Well

        Their security is a bit of a turkey...

        Yep. Coat please.

        1. Morteus
          Coat

          'ang on...

          ... wasn't that Bernard Mathews?

          Bootiful ...

    3. g e

      Bernard Manning!

      Blimey, was it his mother-in-law?

      Take my wife... etc, etc

    4. Anonymous Coward
      Flame

      US roadsigns

      I've only seen one roadsign in such condition in all my 35 years. And it was not riddled with "buckshot", just good ol' fashion bullet holes. Asshole.

      1. Anonymous Coward
        Anonymous Coward

        really?

        You've never driven in Alabama, have you?

      2. Solomon Grundy

        Roadsign Deaths

        I'm originally from far Eastern Tennessee and road signs without at least one bullet hole or scatter gun holes is a rarity. Sometimes on really slow days people get tired of shooting the signs and just run them over with their trucks.

  3. Anonymous Coward
    Anonymous Coward

    About the "security" of cloud services......

    So who knows what has been stolen from the American and British MILITARY. And we are being persuaded (Amazon, Google, IBM) that commercial cloud services are the wave of the future.

    Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake?

    1. Tim Parker

      Re : AC About the "security" of cloud services

      "Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake?"

      I missed the bit when somebody suggested hosting miltech data on 3rd party cloud data services - i'd like to think that there isn't anyone stupid to ever do anything like that, but i'd not bet a huge amount on that.

      Cloud services are fine for certain purposes, they are not a universal solution for data storage - but that's hardly news.

    2. Anonymous Coward
      Devil

      the cloud is a ghastly mistake?

      > we are being persuaded (Amazon, Google, IBM) that commercial cloud services are the wave of the future. .. Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake? ..

      It'll be about as secure as the current stuff ..

  4. Anonymous Coward
    Facepalm

    It is my solemn belief....

    ...That anyone using the term 'cyber' in a serious (non-reportage, natch) way should be executed. Seriously, people - that term has been absurd since befoore 'Virtual Reality' was the next big thing.

    What next - are banks going to talk about cyber matrix clones hacking thevirtual reality grid? Sorry, I have to go - I'm choking to death on a corn flake.

    1. amanfromMars 1 Silver badge
      Pirate

      Re: solemn beliefs

      "What next - are banks going to talk about cyber matrix clones hacking thevirtual reality grid? Sorry, I have to go - I'm choking to death on a corn flake." ..... David W. Posted Friday 15th July 2011 13:57 GMT

      If that was meant to written, David W. ..... "What next - are banks going to talk about cyber matrix clones hacking their virtual reality grid?" ..... then probably definitely yes is the answer to that question, with the perps being obscenely well paid to keep their methodology to themselves and say nothing to anybody about how they become so suddenly, instantly wealthy. Although it will probably be nothing that they [the banks] will talk about, even amongst themselves, lest that which is used against their systems is used by others within their systems to, in effect, hold them to extortionate ransom, which is an interesting novel reversal of their great fortune, methinks, whenever one considers the too-big-to-fail model which is failing them and yet which lines their pockets with flash cash to squander on toxic crap.

      And whereas some may consider and proclaim such an enterprise as a questionable or criminal hack, a great many more would just recognise and herald such a dire state of affairs as poetic natural justice delivered, and in some cases would it be just so.

  5. Ru
    Black Helicopters

    On the bright side,

    as we're not talking about the loss of mere consumer data (because as we all know, the little people will always come back for more regardless of the abuses they suffer) but actual valuable data whose theft or damage has actual measurable financial impact on the company and its future, maybe we'll see a bit of improvement in the whole security thing.

    Working on top secret government projects you say? Not using a sensibly configured mandatory access control system? Don't see the point of SELinux or TrustedBSD? Gosh, that sounds an awful lot like treason old chap. Do put on this blindfold and stand against the wall, and I'll go bring in the next contract bidder.

    1. Galidron
      Unhappy

      You might think

      I saw a different article elsewhere that mentioned Defense contractors were complaining about being required to increase their security because it would be too expensive.

  6. Jason McQueen
    Mushroom

    Er...Internetz anyone?

    Surely the simplest answer is to pull the plug on the internet connection for any equipment that houses or has access to such data? The terminals can operate on an internal network but I struggle to see why an internet connection would be required for R&D of military equipment.

    Have a standalone terminal with an internet connection for all the lunchtime facebook browsing etc.

    1. Yag
      Devil

      Surely the simplest answer is to pull the plug on the internet connection...

      ... for any equipment that houses or has access to such data?

      Good idea! At least i'll be working instead of reading El Reg. :)

  7. g e

    Poor UK & USA

    Because these kind of nefarious activities are not the sort of thing we'd ever to to anyone. Oh no.

    Need a hypocrite tag... Rupert Murdoch or Rebekah Brooks, anyone?

    1. Anonymous Coward
      Paris Hilton

      You're right!

      Why can't we all just be friends? </sarcasm>

  8. Cormu
    FAIL

    Internet access

    like AC said I am amazed they keep such sensitive infomation on computers that can be access by the internet , the risks are knowen but seem to be conveiniantlly forgoten , I guess some emplyees there need critical infomation for their job from the youtube and facebook and such sites , the shit I received from the employees from our company when i blocked these site was unreal and the exuses i heard where hillearious to say the least :)

  9. Anonymous Coward
    Anonymous Coward

    Apparently

    It's some crazy balloon, rocket spy thing.

    They don't know who stole the plans, but the criminal mastermind goes by the name 'L'Ester' and is currently hiding at his secret volcano lair / donkey sanctuary deep in the Spanish mountains where he is designing a deep fat fried weapon of mass destruction.

    A special operations unit made up from slightly shop-soiled supermodels is being formed to extradite him back to Guantanamo Bay where he will be chased by large spiders harvested from German supermarkets to the sound of Icelandic elf songs.

  10. Anonymous Coward
    FAIL

    Cheapskates

    If these so-called "Defense Contractors" bought two servers they could keep one disconnected from the Internet.

    What utter fuckwits.

  11. The Mighty Spang

    did some tech support for a uk company in the 90s...

    that did some work for govt. secret areas were separate, locked and connected to a separate set of servers (locked room from main server aisle) via fibre. that room had NO other external data connections. If any of us were in there we had to have somebody else in the room. bust hard drives went into a locked safe in that room until we did a secure rubbish run.

    that.s how you keep things safe. can i have my £300,000,000 security consulting fee now please?

  12. joe.user
    FAIL

    Lookie here

    If you are going to provide goods to the Government, then it's time for the Gov't to make mandatory network audits of their potential suppliers/contractors.

    What idiot moves there money into a safe if they don't check the security first.

    Duh

  13. david 63

    I'm not sure...

    ...you can call it a secret weapon any more...

  14. Neil Barnes Silver badge
    Coat

    Are we suggesting

    that defence contractors seem to have difficulties with 'DMZ'?

  15. Peter Murphy
    Coffee/keyboard

    We need a bullshit icon.

    Because I'm smelling it from reading the article. In lieu of that, I'm using the "Esc" icon, due to the suspicious brown substance in the pic.

    So what bit of the article enraged me? A little bit of this.

    "Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems."

    The thought's ok - 90% spent on firewalls is excessive. But I think he misses the point. _Physical security_ is a far better answer, as many commenters have pointed out already. Have your databases in separate networks from the web, and limit access to those who need it. And do those machines have USB ports? If so, remove them, because it's an easy way for spies to get at secrets. Firewalls should be completely redundant.

    However, my real scorn goes to this comment.

    "Cartwright said most viruses are only a couple hundred lines of computer code, but the patches to fix the holes they exploit can run into millions of lines of code."

    Oh my fucking god. Either the General is lying (because the patch should be a couple of orders less in lines of code), or the code has more holes than swiss cheese. And how likely is it that those millions of line of code introduce a few other unintended vulnerabilities along the way? (We are talking about patches written by tax-paid-out defense contractors, aren't we, rather than third-parties like OS and anti-viral manufacturers? It's not clear from the article, but that's the sense I get.)

    Here's an idea, General. In addition to the physical security mechanism already used, how about using the security features that come with the OS - access control lists and user permissions? That should restrict the freedom for viruses to damage your systems. Oh, and don't forget about disabling AutoRun.

    And if your systems still need million-of-line-patches afterwards because the Bride-of-the-son-of-Conficker comes along, then your code is shit, as is the defense contractors that wrote it. Sack them. Alternately, if the access control lists and the user permissions _break_ their software, sack them and bill them for wasting government money. A bit extreme, but the US Government needs all the cash they get at the moment.

    Course you won't do that, General. A man's got to think of his retirement, and what's better than a well-paid sinecure in a defense contractor's board of directors? Sacking contractors would make waves, and you don't do that in Washington, do you?

  16. Anonymous Coward
    Mushroom

    See 'n' Ohh!

    I'm sure the NSA/GCHQ is liberating similar data from other foriegn (Chinese?) defense contractors. Computer Network Exploitation (CNE) is all the rage nowadays amongst the national intel services.

    http://en.wikipedia.org/wiki/Computer_network_operations

    In fact China manufactures so much IT hardware that gets shipped around the world, I wonder how much of it has hidden 'backdoors' which 'calls home' every now and then.

    1. amanfromMars 1 Silver badge

      Upping the Ante

      "I'm sure the NSA/GCHQ is liberating similar data from other foriegn (Chinese?) defense contractors. Computer Network Exploitation (CNE) is all the rage nowadays amongst the national intel services." .... Anonymous Coward Posted Saturday 16th July 2011 08:53 GMT

      To be sure, to be sure, AC, it is a virile field of feverish activity with many wanting a piece of the action but precious few well enough equipped/staffed to perform and provide any satisfaction .......

      "In Defence of the Realm, One does as One Needs to Succeed.

      Posted Friday 15th July 2011 14:36 GMT

      That was a nice touch on this week's BOFH web page .... the carrying of a situations vacant advertisement for an "IT Security Exploitation Officer" in MI5. Presumably that is .milspeak for a crack hacker and super duper spooky person, both of which are as rare as hens' teeth and an even rarer find whenever seamlessly combined in the one excellent agent." ..... http://amanfrommars.blogspot.com/2011/07/110715.html

      Pay peanuts, get monkeys ..... https://www.mi5.gov.uk/careers/showjob.aspx?id=128 ..... and many before have said that Military Intelligence is oxymoronic.

  17. a_mu
    Stop

    what has happened to security

    Amazing.

    I've not been security cleared for a few years,

    but the computers we used to have with the secure stuff on were not allowed to be connected to the out side world.

    they were in secure rooms, with red ethernet cables, warning stickers on.

    and we had security people checking all the time.

    1. Pascal Monett Silver badge

      I totally agree

      I always thought Defense stuff was so secret that you could not even talk about it outside the special room you were supposed to work on it.

      I've been called in as a consultant for banks that have more security than these jokers (no laptop, couldn't touch keyboard and could only look at screen when operator authorized me to do so).

  18. Baked Beans

    Learn from the past

    When the Soviet Union was stealing Western technology (because they were incapable of developing their own) then there was one simple, elegant solution:

    http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

    Worked before. Just sayin.

  19. Will Godfrey Silver badge
    Unhappy

    A slight paraphrase

    Against Mil/Gov stupidity, the gods themselves contend in vain.

  20. Anonymous Coward
    Linux

    Dault Username and Passwords

    How to hack the government via any agency with a netapp array:

    User name : admin

    Password: NetCache

  21. Anonymous Coward
    Holmes

    Churchill said...

    The truth should be accompanied by a large bodyguard of lies. So, perhaps the stuff nicked will be a little different than expected.

  22. flibbertigibbet

    And the sheep take off

    After reading the comments, it stuck me that like a flock of sheep you are all leaping to conclusions. Nowhere in the article does it say the data was extracted using the internet. Nowhere does it say the computers were even connected to the internet.

    For all we know, this might be like Stuxnet - computers not attached to the internet were attacked via a USB virus. Or move likely someone trusted simply connected a phone to the corporate LAN, and walked out the door with 30 Gb of state secrets on a micro SD card smaller than a finger nail.

    Paris because on a site supposedly dedicated to IT, the comments here are simply sad.

    1. Anonymous Coward
      Anonymous Coward

      Windows faggotry

      There are IS people and then you have your Windows Admins. There is a difference.

  23. Anonymous Coward
    Anonymous Coward

    @flippertheidiot

    The transcript of the speech the article was about starts:

    "WASHINGTON, July 14, 2011 – The Defense Department’s first strategy for operating in cyberspace is a milestone in the fight to protect the nation from potentially devastating network attacks, Deputy Defense Secretary William J. Lynn III said today."

    D'oh

This topic is closed for new posts.