From: "e.r." <fastflyer28@yahoo.com>
To: iwar@yahoogroups.com, Information Warfare Mailing List <iwar@onelist.com>
Date: Sat, 17 Aug 2002 22:07:48 -0700 (PDT)
Subject: Re: [iwar] Sleuths Invade Military PCs With Ease (fwd)
Message-ID: <20020818050748.41756.qmail@web14510.mail.yahoo.com>
In-Reply-To: <200208180113.g7I1Dki22049@red.all.net>
Reply-To: iwar@yahoogroups.com

Note from DC- The WashPost article on "The Attack of the DOD Systems" is a cyber redux of "the Invasion of the Body Snatchers". Fear not, as this attack was bought and paid for with your tax dollars. DoD knows that their commercial and other non-secure systems have been and will continue to be hacked into by all aficionados of "the Hack" from A to Z. Their computers are targets like the great white sharks, of hacking. They are making a reasonable attempt to know where their solvable problems lie-the easy exploits, and buffer overs, etc. They will take on the hard stuff, themselves-with outside firms who have killer infosec and IWAR teams of their own. It is a continuing work in progress. While this article made it sound like "the cyber sky is falling", I am happy to say that the feds know they have an enormous problem on their hands. This effort was just one step in its solution. There are hard-wired internal systems that handle intelligence traffic and AOL is not the way in. Bottom line is while the fight between hackers and DOD will rage on for years, the most critical information is hard enough to get to find, even if you have proper access, that I am not too worried about the potential demise of soft copy TS-code word info getting into the hands of talented script kiddies and the hacker pals, regardless of all of the hacking war stories in the float.
War stories are just that-stories. Where reality begins and ends in this case is all in the eye of the reader, and I hope you would dismiss a good bit of what you hear. Over a year ago, my DOD associated Visa Gold card had its number stolen off of a restricted web site. While I'm sure it was a mess to clean up, apparently the system was commercially accessible-and thus vulnerable as it had a rather serious intrusion problem-no detection availability. That's cost them lots of cash, but the system was far better protected, in the end. This is a mess, but the most valuable info is still well protected.

Fred Cohen wrote:

* subscribe at http://techPolice.com

© 2002 The Washington Post Company

washingtonpost.com

Sleuths Invade Military PCs With Ease

By Robert O'Harrow Jr.
Washington Post Staff Writer
Friday, August 16, 2002; Page A01

SAN DIEGO, Aug. 15 -- Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

One computer at Fort Hood in Texas held a copy of an air support squadron's "smart book" that details radio encryption techniques, the use of laser targeting systems and other field procedures. Another maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers.

Available on other machines across the country were e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations, according to records maintained by ForensicTec Solutions Inc., the four-month-old security company that discovered the lapses.

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers' online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm -- and relative newcomers to the security field -- the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access. They made their findings public, said ForensicTec President Brett O'Keeffe, because they hoped to help the government identify the problem -- and to "get some positive exposure" for their company.

"We were shocked and almost scared by how easy it was to get in," O'Keeffe said. "It's like coming across the Pentagon and seeing a door open with no one guarding it."

In response to an inquiry by The Washington Post, military investigators this week confirmed some of the intrusions at Fort Hood, saying they occurred on PCs containing unclassified information. Senior officials said they are preparing an Army-wide directive requiring all shared computer files containing sensitive information to be password-protected. Sensitive information includes such items as Social Security numbers, confidential plans and so on, officials said.

The Army has never before focused so intently on the security of desktop computers containing unclassified data, but it is doing so now because so many more machines are linked to vulnerable networks, officials said. These systems are not as strictly secured because they are not supposed to contain or communicate any classified material. More secure networks are typically not linked to the Internet and employ much more stringent safeguards, including procedures to authenticate the identities of computer users.

"Everything is connected," said Col. Thaddeus Dmuchowski, director of information assurance for the Army. "Our 'defense in-depth' has to go down to the individual computer."

ForensicTec's electronic forays show that the government continues to struggle with how to close off systems to prying eyes -- including terrorists and foreign agents -- after a presidential directive last fall making cybersecurity a national priority.

That struggle was underscored by a General Accounting Office report last month that concluded the government wasn't doing an adequate job coordinating efforts to protect its online systems. Next month, the White House's new Critical Infrastructure Protection Board will release a sweeping national plan intended to bolster computer security.

None of the material made available by ForensicTec appears to be classified. But government and private specialists said that such open systems pose a threat because compromised machines may contain passwords, operational plans or easy pathways to more sensitive networks.

They also could be used to mount an electronic attack anonymously or to gather enormous amounts of unclassified information to gain insight about what an agency or military unit is privately contemplating, specialists said.

"If you had an organized spy effort, that would be the real concern," Richard M. Smith, an Internet security consultant based in Cambridge, Mass., said of ForensicTec's findings. "This is a widespread problem."

Kevin Poulsen, another security specialist, worries that an intruder could place onto an unsecured network malicious software such as a virus, worm or Trojan horse program that could wind up on more-sensitive networks as desktop machines migrate from one place to another.

"The government is now lagging behind the sophisticated Internet users, when they should be leading," said Poulsen, editorial director of SecurityFocus, a Web site devoted to such matters.

A spokesman for the Pentagon agency responsible for computer network defense said he could not discuss the ForensicTec activity because the vulnerabilities are under investigation. Maj. Barry Venable, a spokesman for the U.S. Space Command, said the military takes seriously all such intrusions, even if the system entered does not contain classified data. He said hackers rarely gain control of military computers.

"Even one successful intrusion or instance of unauthorized activity is too many," he said. "The services and DOD agencies are working hard to educate their computer users and administrators to practice and implement proper computer security practices and procedures in a very dynamic information environment."

The issue of computer security has become more pressing in recent years as vastly more computers and networks have been linked to the Internet. Many public and private computers still have not been properly configured to block outsiders, and security components of operating software often are left set on the lowest default level to ease installation.

Even though it's a felony under U.S. law to enter a computer without authorization, the number of intrusions has skyrocketed, according to data collected by the CERT Coordination Center at Carnegie Mellon University. The number of incidents reported to CERT -- the leading clearinghouse of information about intrusions, viruses and computer crimes -- increased from 406 in 1991 to almost 53,000 last year.

Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, said officials have been crisscrossing the country to push for better practices. But he acknowledged that many individuals still don't take rudimentary precautions, such as adopting passwords more complex than "password" or a pet's name. And system administrators often do not fix known flaws with widely available software "patches."

Schmidt said the board's strategy, to be announced next month, will provide clearer guidance about how to achieve better security for government agencies and businesses alike. A crucial element will be to encourage people to follow through on existing rules and procedures.

"This reinforces to us that there's still a lot of work to be done," he said of the ForensicTec findings. "It's more than technology. . . . It's people not following the rules, people not following the policies."

The GAO report last month said the "risks associated with our nation's reliance on interconnected computer systems are substantial and varied," echoing a series of earlier reports chronicling the government's inability to secure its computers.

"By launching attacks across a span of communications systems and computers, attackers can effectively disguise their identity, location and intent," it said. "Such attacks could severely disrupt computer-supported operations, compromise confidentiality of sensitive information and diminish the integrity of critical data."

ForensicTec consultants said it wasn't hard to probe the systems.
They employed readily available software tools that scan entire networks and issue reports about linked computers. The scans showed that scores of machines were configured to share files with anyone who knew where to look. The reports also contained people's names and revealed that many of the computers required no passwords for access, or relied on easily crackable passwords such as "administrator."

The consultants said they identified other Internet addresses during their exploration of Fort Hood, including those for machines at the National Aeronautics and Space Administration, the DOD Network Information Center, the Department of Energy and other state and federal facilities. Scans of those systems yielded similar results: hundreds of virtually unprotected computer files.

O'Keeffe, the company president, said his consultants concluded that they had tripped across a serious problem.

"If we can do this, other governments' intelligence agencies, hackers, criminals and what have you can do it, too," he said, adding that he hopes to help the government by bringing the vulnerabilities to light. "We could have easily walked away from it."

The material they saw ranged from poetry and drafts of personal letters to spreadsheets containing personal and financial information about soldiers. A couple of memos to members of a squadron at Fort Hood included the location of several safes and the inventory of one: secret operations information on hard drives, floppy disks and CDs.

Another memo designated a courier -- by name, rank and Social Security number -- who would "be hand-carrying classified information" to Fort Irwin Army Installation in California, apparently from February to June.

The consultants also obtained access to spreadsheets and e-mail messages at NASA containing details about vendor relationships, account numbers and other matters.
NASA spokesman Brian Dunbar said he could not confirm the provenance of the information obtained by ForensicTec. But he said the agency was investigating its claims of vulnerability in accounting-related computers.

"We will investigate what's going on here," he said. "If this information is in the clear, it poses a risk to these companies and we need to get it fixed."

Steven Aftergood, a research analyst and government information specialist, said that much of the data the consultants came across is, by itself, "of limited sensitivity." But the easy access to government machines represents a substantial security challenge, at a time when military, government and business officials rely on computer networks more than ever.

"It's a qualitatively new kind of vulnerability that the government has not quite come to terms with yet," said Aftergood, a senior research analyst at the Federation of American Scientists. "And it is a vulnerability that will increase in severity if the government doesn't do something about it."

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT