Summary: This is an interesting yet puzzling week for cyberwar-watchers. There are several news stories that paint a gruesome picture of the US’ intents and capabilities. Let’s look at them and see what they tell us. Or you can wait. Eventually these weaknesses will become front-page news, followed by the inevitable blue-ribbon commissions.
- Our enemies strike back: “The Return of the Worm that Ate the Pentagon”
- Perfidious Iranian terrorists strike back from cyberspace
- Congress affirms that The Pentagon can wage war in cyberspace
- About the author
- Links to other posts in this series about cyberwar
(1) Our enemies strike back
“The Return of the Worm that Ate the Pentagon”, Kim Zetter, WIRED, 9 December 2011
In this report WIRED revisits the 2008 incident that resulted in a ‘complete’ ban on the use of portable USB drives on military (NIPRnet and SIPRnet) networks, after a USB-borne trojan horse began compromising the classified networks. At the time we recall DoD spokespeople saying “no classified material was compromised” but in reality-land when your network has unknown installations of spreading malware, you are not entitled to make statements about what is or is not compromised. The assumption is that no data was exfiltrated because if data were exfiltrated it would have had to go out through an isolated “air gap” connection — exactly the kind of connection that Bradley Manning exfiltrated data from. In the world of computer security, being compromised is similar to being pregnant; there is no such thing as “a little compromised.”
The worm that got into SIPRnet was alleged (by none less than Deputy Secretary of Defense William Lynn) to have been motivated by a foreign intelligence agency — which is interesting since the worm in question, Agent.btz, appears to be fairly ordinary self-replicating malware.
What can we learn from the military’s experience with Agent.btz? Three very important things:
- Breakdowns of segmentation within the military’s networks have resulted in a dangerous situation in which a single penetration amounts to a massive penetration.
- System configuration management within the military’s networks is sorely lacking.
- Logging and audit trail within the military’s networks is sorely lacking or nonexistent.
When you construct a massive network that is a single “flat” logical topology without interior barriers, anyone who gets into any one part of it can get to all of the rest of it. This shows that DoD built the network with a very naive trust model, namely, that all of the 300,000+ people who have access to the network are trustworthy: that they can be counted on not to plug in a USB drive that they found lying on the ground outside the PX, and that they are not Bradley Manning. If you design your network around the principle that a single mistake or a single bad actor can compromise all of it, your network cannot be said to be “secure” (or even “designed”). The fact that Manning was able to access systems all over SIPRnet from his single terminal is another data-point that shows the severity of this problem.
Another thing this problem points to is that the military networks might be susceptible to being taken down, in toto, by an attack worm. Remember “Code Red” from 2001 (see Wikipedia)? Once it got inside an organization’s perimeter (or firewall) if that organization had a flat topology network, the network collapsed under the load of the worm’s traffic. The way to clean up the outbreak of such a worm is to chop the network into segments, just as epidemiologists do while trying to eradicate something like smallpox, then treat each segment in isolation until they are clean – once they are clean, they can be reconnected. It is a cause for concern that a piece of malware like Agent.btz has not been eradicated by a similar method and it speaks volumes regarding the lack of capability for malware containment within military networks.
Following Code Red and Slammer and the great worm-rushes of 2000-2001, most corporations hardened their networks to include chokepoints that would permit effective anti-malware response. It is alarming that the military networks’ response has been ineffective.
System configuration management is another critical component of effective malware response. Basically, it’s just the degree to which the use of a computer matches the authorized purpose of that system, and that it should be configured with some degree of control toward that purpose. If your system is a dedicated and critical system – like a drone’s flight console — it ought to be configured so that the user can’t re-configure it without permission. When a user inserts a USB thumb-drive containing malware, the malware needs administrative privileges to be able to insert new code (DLL injection) or install new executables that take over the machine. So, when we hear that a USB keyfob can become a portal for malware, we know without a doubt that there are systems on the military networks in which ordinary users are working with administrative privileges. This is basic computer security 101 stuff.
(Important advice: I hope that none of you who are reading this comment have logged in on your Windows machine as the local administrator. Instead, create a non-privileged account to do your browsing with and you’ve cured 95% of your malware problems!)
Finally, the article says that the military spent time attempting to locate “patient zero” in the attack. With so many uncontrolled systems inside the network it’s not surprising that they failed to do so, but in a competently managed large-scale crucial network, system activity logs and network traces would be pulled back and analyzed for the first signs of infection. In the case of a piece of malware like Agent.btz these signs are not subtle: attempts to connect out of the network to botnet command-and-control systems ought to be immediately red-flagged at firewalls and core switches.
The military has spent a tremendous amount of money on computer security so far; this basic capability ought to have been in place for years. We know it is not, for some reason, because one of the things conspicuously lacking in the Bradley Manning case is a detailed description of his activities – activities that would be recoverable from system activity logs if they were enabled. I can only conclude that system and network activity logs are lacking or nonexistent – a state of affairs that would be considered rank incompetence in most commercial network environments.
To give you an idea what I’m talking about, consider my friend Joel’s network. He’s the CSO for a FORTUNE 500 company that has thousands of point-of-sale terminals all over the country, operated by non-expert retail store clerks. When one of those systems gets attacked with malware, their configuration management system detects it as a point-of-sale terminal that is no longer in an approved configuration, whereupon it is sequestered from the rest of the network, activity traces from the machine are automatically collected that record every connection into/out of the system so that the malware’s horizontal spread can be analyzed, credit card information is checked to determine if any customer accounts were accessed during that time, and the system is re-imaged while the malware team completes its investigation. Total time: usually under 3 hours (most malware is fairly well-known) and if it was necessary to swear in court that they knew exactly what the impact was of any given outbreak, they could.
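The controls described in the last two paragraphs (red-flagging unapproved outbound connections at the firewall, locating patient zero from the earliest such flag, and tracing horizontal spread from connection records so the affected machines can be sequestered) can be prototyped as a short log-triage routine. This is an added example, not code from the original post or from any military or commercial system; the flow-record format, the 10.0.0.0/8 internal range, the egress allowlist and the sample records are all constructed for illustration.

```python
# Added example (not from the post). Assumed flow format, one per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port>"; 10.0.0.0/8 is the internal
# network and internal hosts may only reach the external allowlist below.
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]
ALLOWED_EGRESS = [ip_network("203.0.113.0/24")]  # e.g. the outbound proxy
# Constructed sample: 10.1.1.5 starts beaconing to an unapproved external
# host, reaches 10.1.1.9 over SMB, which then infects 10.2.7.3 the same way.
SAMPLE_FLOWS = """\
2011-12-01T08:00:01 10.1.1.5 203.0.113.10 443
2011-12-01T08:02:17 10.1.1.5 198.51.100.23 80
2011-12-01T08:05:40 10.1.1.5 10.1.1.9 445
2011-12-01T08:09:03 10.1.1.9 198.51.100.23 80
2011-12-01T08:10:11 10.1.1.9 10.2.7.3 445
2011-12-01T08:12:00 10.2.7.3 198.51.100.23 80
2011-12-01T08:15:00 10.3.3.3 203.0.113.10 443
"""

def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((ts, ip_address(src), ip_address(dst), int(port)))
    return sorted(rows)

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def egress_violations(flows):
    """Internal -> external flows that bypass the allowlist: the red flags."""
    return [f for f in flows
            if is_internal(f[1]) and not is_internal(f[2])
            and not any(f[2] in net for net in ALLOWED_EGRESS)]

def patient_zero(flows):
    """Host behind the earliest red flag and the time of that first sign."""
    flagged = egress_violations(flows)
    return (flagged[0][1], flagged[0][0]) if flagged else None

def horizontal_spread(flows, first_host):
    """Hosts reached by following internal connections, in time order, from
    first_host: the set to sequester and re-image pending investigation."""
    suspect = {first_host}
    for _ts, src, dst, _port in flows:
        if src in suspect and is_internal(dst):
            suspect.add(dst)
    return suspect
```

On the constructed sample the allowed proxy traffic from 10.1.1.5 and 10.3.3.3 is never flagged, while the three beacons to 198.51.100.23 identify 10.1.1.5 as patient zero and the SMB connections mark 10.1.1.9 and 10.2.7.3 for sequestration.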
(2) Perfidious Iranian terrorists strike back from cyberspace
“Iran hijacked US drone, says Iranian engineer”, Christian Science Monitor, 15 December 2011 — “In an exclusive interview, an engineer working to unlock the secrets of the captured RQ-170 Sentinel says they exploited a known vulnerability and tricked the US drone into landing in Iran.”
Apparently the drone that was downed in Iran was downed using a flaw in the drone’s software. More specifically, it appears that a well-known problem with the drones, that GPS signals can be over-shouted by a louder fake GPS signal, was used to manipulate the drone into thinking it was landing where it was supposed to, but actually it landed where the Iranians wanted it to. No doubt the “fly back to base if you lose command/control” option makes sense if you want to preserve your expensive investment in drones, but perhaps a “fly straight into the ground really fast if you lose command/control” option might be more appropriate in some areas of operation. Given that the GPS over-shouting scenario was well-understood, the “fly to base and land” option needed to be considered in a different context. Since Washington is very concerned about foreign high-tech espionage, tossing the Iranians a high-tech drone represents a trailerload of eggs on somebody’s face.
Once again we see the spectacle of the drone program — one of our coolest and niftiest bits of techno-stuff in the field — failing because of a long-standing flaw. It should come as no surprise to anyone that there had been plenty of warnings regarding this problem before it happened. Similar warnings, that the drones use unencrypted clear communications for their video — a problem known since the Kosovo intervention — have also come back to haunt the drone program. Together with the configuration management problems on the drone’s control consoles, this is what happens when an organization does not understand information technology: it is unable to ask whether what it’s getting is reliable. It’s not enough to take a vendor’s word that “it’s OK”; you need to know enough about the basic principles of system design, networking, software, and engineering to be able to tell if you’re being sold something that has structural flaws that will be exploited.
I’m sure there will be a great deal more on this story as it develops.
(3) Congress affirms that The Pentagon can wage war in cyberspace
It’s nice to get permission for something that you’ve already been doing: “Congress Authorizes Pentagon to Wage Internet War”, Wired, 14 December 2011.
The question I want to ask, in light of the first two items of news, is “who are they kidding?”
Before you start talking about how you’re willing to go on the offensive, you’ve got to have covered the basic “security 101” stuff, or you’re The Kid With The Glass Jaw yelling that you’ll take on all comers.
I am aware that American Exceptionalism dictates that “we do unto you; you don’t do unto us.” And that’s a good thing, because otherwise it sounds like Congress has just declared our networks as a fair target for any other nation that wishes to engage in unattributed covert actions. Now, at this point, I would expect someone to hop up and say, “but they already are!” which may be true — but if it’s true, it’s been amateurish stuff, so far. If the Iranians actually did do what they claim to have done with the drone, that shows a whole new level of playing the game – a level that the US clearly is not ready (or perhaps qualified) for.
(4) About the author
See the About the Authors page for information about Marcus J. Ranum
Other publications by Ranum:
- “The Problem with Cyberwar”, Rear Guard Security
(5) For More Information see the other posts in this series about cyberwar
The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:
- Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
- About Attribution (identifying your attacker), 21 October 2011
- You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011