Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
News

DoD and Net Attacks 125

Posted by CmdrTaco from the stuff-to-read dept.
Chernyakov writes "The Washington Post has an article about attacks on DoD systems. According to the article, the Pentagon's chief information officer said 'The Defense Department suffered more than 22,000 electronic attacks on its computer systems in 1999 and about 14,000 in the first seven months of this year.' " Those numbers apparently count port scans too, but the article is interest, talking about many things, including the fact that they don't run any commercial software on their most classified systems for fear of backdoors. I imagine the DoD's sysadmins are a scary bunch.
This discussion has been archived. No new comments can be posted.

DoD and Net Attacks More

DoD and Net Attacks

Comments Filter:
  • I gave a shell account to some one who was helping me out with some linux stuff right when i converted. Turns out he was a bit of a script kiddie and was scannind thousands of ips around the world.. turns out one of these systems was working on a project for the DoD and they gave my school a call. Needless to say my school kinda bugged out and i almost got my butt kicked out over it. The script kiddie wasnt targeting the DoD computer, they didnt even know they had scanned it. The DoD has reason to be paranoid. but i think some times they may over react to a post scan.. not everyone is targeting them..
  • Well, granted not all port scans are an attack..
    But, is this really any surprise as to the numbers they're getting?

    Just a bunch of morons trying to act cool and using dumb little programs they download online, and as for the more serious ones, I'm not sure what they're trying to prove.

    This comes as no surprise, considering how some consider it "cool" to hack some big system.

    I'm not incredibly surprised that they're not using any commercial software, it may be a hassle, but then it sure does make it way harder to break through.

    Will there ever be a day when computers need not be worried about being "hacked" into?

    I've never heard anyone on Star Trek say, "they've hacked into our computer systems." No, I guess they just blow the bad guys up if that happens. And if someone does the same type of thing to the Defense Department (ie, getting access to high level computers) will do the next best thing, find those responsible and hunt them down.
  • Well, nobody but them knows what they use for in-house servers/workstations/etc, but the DoD "homepage" [defenselink.mil] uses Netscape Enterprise httpd on Solaris, according to Netcraft [netcraft.com] (the DoD's Defense Technical Information Center [netcraft.com] runs this combo as well).

    What's really odd about the Netcraft link above is the history of the DoD website. As of 11 Oct 00, their OS was listed as "unknown" (and the DTIC's OS was unknown as of 12 Oct 00; looks like they all swicthed at the same time). Maybe that's what the article was referring to?

    And if you want to see something really odd, try Netcrafting to the DTIC's IP addr [netcraft.com]. Their httpd/OS information was changed 9 Dec 00, which is tomorrow. And if you're not into conspiracy theories, then just tell yourself that it's because the run on GMT and they just made the switch to a new machine like ten minutes ago (it's currently 00:41 as I write this).

    -B

  • I imagine that the few "mission critical" systems the DoD has are written in house, by programmers with high security clearance, so that the Department knows the source very well. This of course does not preclude backdoors being put in the software but it most definitely lowers the chance.

    Of more interest, to me, is how this also coincides with the DoD's interest in performing attacks of this nature on other countries. It looks like cyberwarfare is picking up, with the increased use in the Isreali-Palestine conflict going on and the inherent spillover to US domains.

    I wonder how good the in house hackers are at intrusion of other systems?


  • If you really want to find out, quite a few portscanners will do OS detection for you - by identifying subtle differences in the TCP/IP packets (like sequence number choices, etc.) Privided that they haven't written their own OSes, you could always just nmap the DoD's machines and find out. It's only one more portscan to add to their pile...
  • Considering I use an OpenBSD box as my prmary web server and it's been up for ages without being hacked. I'd say OpenBSD is a good choice. Remember, anything truly sensitive in the DOD isn't on the publicly linked nets. They are even partitioning more and more computer systems into totally private networks. If the nets aren't linked, then data can flow without direct human intervention on site.
  • Anyone who works for the DOD stupid enough to respond to this? I don't work for them, but I know enough that anyone who does security for them isn't going to go out their way to tell the whole world about it. --Walt

  • why develop all this code inhouse? i would feel secure with OpenBSD nicely firewalled / services configured correctly. If not a regular distro of UNIX why not simply a heavy mod, apparently they have a full new operating system in place. Of course, this is from the same people who thought ADA was a good idea :)

    It is not that OpenBSD isn't secure, but as the Department of Defense, they are obligated to ensure that any software that they use is secure. Not that someone else says it is secure, but that it has been show through a software audit that is really is secure. Anything less is negligence. I do not want my government to use software that may have a backdoor in it.

    ADA is a good idea. It's a very powerful language. I don't like coding it, but it is a good idea. :)

  • yeah America has no power outside the US

    conspiracies aside the CIA is hardly the paragon of law adibism
    .oO0Oo.
  • Actual agents of foriegn powers are probably trying to gain access to secret information... Though traditional methods of gaining access are probably still effective.

    I'd be willing to bet this is true. Most intelligence-gathering is done through technological means now--spy satellites, analyses of trends in economic releases, monitoring network traffic, etc. Human operations make up about 10% of intelligence gathering now. It's mainly kept around to keep up an aura of cloak and dagger--in the CIA's case, it makes the pencilnecks in Congress feel like they're in charge of James Bond, so they'll give the CIA more money in the budget.


    ---
    Zardoz has spoken!
  • Perhaps, but if you have ever run nmap on a Open BSD machine you will see that the TCP sequence prediction comes back scrambled. Nmap cannot make an OS detection, only an OS guess.

  • They've got spy satellites in orbit that can identify somebody peeing in a corner of a training camp. I think they probably have some people who can grasp basic network security. :)


    ---
    Zardoz has spoken!
  • I work here, I am looking at it now. It is not shadow. =)

  • Re:Port Scan's (Score:4)

    by bellings ( 137948 ) on Friday December 08, 2000 @04:25PM (#571221)
    I'm afraid I don't understand what people are calling a "port scan." If I type
    $ telnet foo.bar.com 25
    does it count as a port scan in your book? Because thats the exact equivilant of what anyone checking for mail relays is going to do -- there is no reason to check any port other than the mail port if you're looking for a mail relay. But, if you've got an MX record screwed up somewhere, you're going to get exactly the same thing if someone tries to send you mail. How do you distinguish between someone checking for mail relays, and someone trying to send you mail?

    Another poster comments "how much of an "attack" is it to scan to see if FTP is open?" What kind of "scan" would anyone do to see if FTP is open? The user check to see if port 21 is open, and thats it.

    I remember reading once on slashdot how an @Home nameserver was "port scanning" some guys machine, because it responded to his machine's DNS requests. Come on -- that's not a scan.

    If checking one port is a "scan", then I'm afraid I probably scan hundreds, or even thousands, of machines a day. I'm such a 'leet hacker. Most of our webservers get tens of thousands of "scans" a day (generally, by people "scanning" port 80), from people all over the world. The mail servers get thousands of scans, too. What are you guys talking about?
  • Main Entry: surreptitious
    Pronunciation: "s&r-&p-'ti-sh&s, "s&-r&p-, &-"rep-
    Function: adjective
    Etymology: Middle English, from Latin surrepticius, from surreptus,
    past participle of surripere to snatch secretly, from sub- + rapere to
    seize -- more at RAPID
    Date: 15th century
    1 : done, made, or acquired by stealth : CLANDESTINE
    2 : acting or doing something clandestinely : STEALTHY
    synonym see SECRET
    - surreptitiously adverb

    eudas
  • In fact, nothing is classified until someone with a lot of authority says it is classified. Therein lies the problem. Much that should or could be classified may be exposed to the world on the unclassified nets, but because no one has made a conscious decision that it IS classified it is out there for the taking. This is why foreign governments like to sift through unclassified DOD websites and publications.

    In the DOD's first rush to put up websites 5 or more years ago a lot of sensitive information was thrown up on web pages to provide useful/interesting content for the web. I heard some real horror stories from some infosec people in the DOD about stuff they had found on open servers. In '97 or '98 the DOD suddenly woke up and tried to clamp down on their public servers.

  • ISS (Score:1)

    by bobalu ( 1921 )
    Ever work with ISS stuff? It ain't lame.

  • Re:Open Source Software security (Score:3)

    by jlg ( 215187 ) on Friday December 08, 2000 @04:29PM (#571225)
    Keep in mind that OpenBSD isn't really very old. These classified sites have been around for a while and it seems unlikely that OpenBSD could become better than what they had before in a just a few years.

    Fundumentally, OpenBSD is still UNIX. Remember the Orange Book codes? You don't see many UNIX systems past C2 because they really weren't designed for it. The A's and high B's belong to operating systems designed with security in mind from the start. Not insecure OSes that have been patched up.

    Not to say OpenBSD isn't secure, it's just not at the right level of paranoia.

  • Once apon a time there were quite a few rules that when folowed would preclude the use of anything Microsoft makes.
    The solution to back doors was to pay the extra $50k for the source code and review it yourself. Companys did so happly just to know they were reasonably safe.

    What happend? Managers would pick operating systems in office and on the network. They'd pick what they knew.. Windows NT..
    With that a freshly minted MSCE is more valuable than years of experence. With that any security rule that makes it hard for Microsoft to sell software gets throw out the window.

  • Related Article (sort of) (Score:1)

    by Anonymous Coward
    There was areally good article in Scientific American [sciam.com] recently, about some "wargames" (for lack of a better word ;-) where a fed team hacked into a classified nuclear weapons lab to test vulnerabilities. Not that that's so interesting in and of itself, but what I thought was a little scary was how easily they were aparently able to do it. Not exactly a technical article, but worth a read.
  • You spelled 'employer' wrong.
  • Their programmers died of old age so the backdoors they planted have been forgotten about ;-)
  • Pentagon officials said that, to the best of their knowledge, the Department of Defense's classified computer systems have not been breached.

    ...because that information would be classified, silly.

  • To think that a port scan is a single connection from a single host to a single port on another host is ridiculous. These reports are compiled from data given by various respectable organizations within the DoD (AFCERT, ACERT, NAVCERT, etc) who have well defined procedures for identifying and escalating these types of "attacks".

    A general description of a host scan would be x connections from host(a) to y ports on host(b) within time delta.

    A general description of a distributed port scan would be x connections from host(a) to y hosts port(n) within time delta.

    Most of the time these two types of scans are lumped together and refered to as port scans. Bammkkkk
  • Okay, so the DoD gets "attacked" 22,000 times a year. I'm not suprised since BlackIce Defender tells me that my Win2K system is "attacked" between 12 and 20 times a day, or about 5,000 times a year. Of course it depends on what you call an attack.
  • Actually many gov't systems use OPEN VMS
  • Systems handling material which is in fact classified aren't on the net, and generally don't run COTS (Commercial Off-The-Shelf) OSs.

    Logistics runs on COTS equipment: we've had public talks on the fun we had getting IP links up between ports during the Gulf War, to help manage the shipment of equipment and men. The networks are private, though, you understand.

    Tactical systems run on odd collections of stuff: Canadian equipment in my era was custom-built, reliable but not terribly secure. If I sent a flash message that I'd run into the enemy, it wasn't super critical to deny it to the enemy: they were busy send a flash message that they'd just encountered me!

    Systems used in a strategic role were different. As many of these as the military could afford were ran on "Trusted Computer Systems", like Multics. At the U.S. DOD's insistance, commercial computer vendors build Trusted OSs based on their standard ones.

    Any sort of planning document, or anything that would tip an enemy off early enough to matter, was closely held. Our term for these kinds of systems was "word processors for generals", and was done, sometime with COTS software, on commercial Trusted Systems.

    I have one of these, Trusted Solaris, on a box in my basement, mostly out of curiosity. Some people (HP, for example) use them as the basis on which to build firewalls, as B2-grade systems can block a surprisingly large number of kinds of exploits.

    These are the systems that the military keep secret stuff on, and which they indeed do lock behind closed doors and network with encryption devices (blacker boxes) on the cables.

    They're very different from the normal unclassified stuff that might get hooked to public networks: the unclas boxes are the same kind of machine any one of us might have. With all the usual security holes.

  • It's a good tease, but it's not generally true.

    The classified stuff is not on the unclassified nets, so you have to get inside the base to breach them.

  • I am a contractor working for the US Army handling events that are caught by the Intrusion Detection System used to monitor the network activity. These are the events that are part of these statistics in the article. The IDS used in ISS Real Secure, It has quite a bit of signatures and It works well for network level security for the Army's WAN. One thing about Real Secure though is that it's threshold for portscans is buggy. 30 seperate probes have to be detected within 15 seconds in order to trigger a Port Scan event. With NMAP, as long as you don't use the -0 switch, you actually have to work harder in order to get it to show! So the only scans that are detected are the script kiddies running their uber-windows scanning toolz, and it saddens me that they throw these statistics in as "hacker events".

    One thing I can say for the DoD, is that their SIPRNet (Secure IP Router Network) or classified network, is pretty damn secure. What secures it first hand is that it is completely isolated from the internet. There are absolutely no connections crossing the SIPRNet/Internet. Physical security is also extremely tight around just workstations for this network. That would explain though why there really haven't been too many reported cases of intrusions into the SIPRNet from the outside, pretty much the only possibility of a threat to that network would be disgruntled employees.
  • It would be fairer if you said that they have some very secure networks which aren't attached to the Internet . The script kiddies are attacking the non-secure computers attached to the non-secure nets, and the foreign powers are trying to infiltrate the bases where the secure systems are. Consequently, the number of attacks on the public and unclassified DOS systems should be large, and the number of sucesses about the same as on other non-secure systems.
  • From what I've heard, DoD sysadmins are all clones/offsprings of Pitr.

    (If you didn't get that one, read User Friendly.)

    "Off my systemzisch, zlotniks!"
  • not if you live outside the states it doesn't. I'm willing to bet most of thier real hacks are done outside of the US.
  • Since the can't run commercial software, even the minesweepers are custom made... I hope the have good game programmers in the dept!
  • Okay. Attack may be the wrong word, but from a security point of view, someone who is only trying to use a service they already know you have isnt' scanning you; someone is scanning you to find something out they didn't already know, which is something you should be aware of. So yes, it could be considered an attack, from a security analysis point of view. From a legal 'let's sue them' point of view, it's certainly not enough.

  • Re:Open Source Software security (Score:1)

    by Anonymous Coward
    I would be suprised!! On their classified systems they would have to use B2 systems at least, if not higher. OpenBSD is good, but it doesn't compare to a B system.

    So where do they get their trusted systems from? Either the commercial guys listed here [ncsc.mil], or from an OS written internally at say, NSA. The hordes of math geniuses they have probably come in real handy for writing trusted systems.

  • What would really be interesting is some statistics on how far the people got (but, they won't tell us for security reasons). Several years ago the DoD conducted a research project where they had people try to break into their systems called Elligible Receiver. http://www.soci.niu.edu/~crypt/other/eligib.htm has some good information about it.
  • They are quite spinelss when it comes to attacks. There is a new type of spaming attack using fast networks and adaptive guessing that can hit a server with hundred of thousands of messages in a very short time. Right now the writer is adjusting the code and when its released, it will nail a number of large computer system all over the world including the US goverments. I handed them all the data they need to prosecute this idiot but they choose to ignore it.

    I used to for as a contractor for DISA (they run/own the computers for the US AF and other branches) and the only time we could get anyone excited about attempted hacks was by informally asking the OSI guys if they had time to drop by and hassle some kid. When that happened, it involved two guys in cheap suits dropping by some kids house and asking a few questions.

    I like how they talk about the 1998 event. At that time hadn't learned their lession yet.
  • Let's keep things in the perspective. The machines that are truly important, ie holding classified data, are secured by one of the best possible methods. They are physically detatched from public networks and guarded by big, strong, mean people with machine guns.

    Sure, if you can get onto Intelink, you can hack your way into boxes by whatever means are currently in vogue. In fact, because of the removal of threat from the outside world, many machines actually have less security, since (right or wrong) we tend to trust people on the inside. Fortunately, getting access to Intelink is impossible for the average hacker. In this sense, the biggest threat is from the inside, as many noted security experts have said all along.

  • I agree. i'm willing to bet that they're using at least one of the BSDs, and it's probably OpenBSD.

    but what if they aren't. say they did write thier own OS. I wonder what it would be like....

  • Well it's good that DOD is doing something for its protection. Anyway, two years ago, defense in some sectors was near to miserable. The story they refer about the awakening is the example of this. As it was half told. The exploit was found in September and any well-learned sysadmin applied its patch on a month or two. However DOD's guys didn't handle a finger on it until they got these script kiddies harassing their systems. And the first thing they did was to go to the media and talk about "major attacks". What was the most stupid thing I heard about. In result they got a REAL DAMN attack that knocked down a few comps around. Great thing...

    I believe that DOD learned the lesson. And learned to NOT TO TRUST the media. Since then I have less learned about Pentagon's generals crying over journalists shoulders and more real work on their defenses. Since then I saw even some real though stuff on security coming from the inners of DOD. My congratulations people to have learned the lesson.

    If you kept that wave in 1998 then you could have got the third hackers counter-attack wave and this one could have been very heavy to hold. As people were getting really mad for seeing another Sundevil Operation coming up. Bashing hackers for the lass lazy security of your admins is not the way to operate. If you have a sleepy admin coming 8 o'clock to play minesweeper until 17:00 (time to go home!) is not our problem but yours. Fortunately it seems you got something out of what happened in 98.

    From Russia with nukes... Just kiddin'...
  • yeah, and who the hell has any motivation to hack your website?
  • Plus, logging portscans has some serious psycho-analytical value. If somebody is portscanning the first 1024 for standard services, they're a script kitty. However, if somebody is portscanning a small subset, or single one, in a high order 1025+, where they *are* running a service, then that calls for an immediate notification. Why? If somebody managed to 'hit gold' the first time, and find an accessible service, then they most likely had a contact, either from somebody inside or from somebody who used to be inside. The same holds true for an actual attack that is not preceded by a portscan. Knowing where to shoot for the first time is just asking to be watched.
  • No, more like counting people that walk up to your door and jiggle the handle to make sure that it's locked, and tap on the windows to see if they can open any.
  • heh sure they would go from scratch. You have to remember most of their OS's probably date back to the 1960s. Everything since then has simply been patched and upgraded as hardware changes. Basic security designs dont change that much...

  • scan: n, To look over quickly and systematically.

    Um... portscanning involves probing more than one port. All possible ports are probed in a typical portscan, one right after another, in rapid succession - hence the term 'scanning'.
  • ..when most of the other houses on the street have their doors open and people walking in and out..
  • Dude, they spend trillions on hardware
    Well they need to spend some on me, my P166 is driving me crazy......
  • What does it have to do with construction workers?
  • heh, the stupid was the fucker who got the letter sent in the first place :)

  • Re:Port Scan's (Score:3)

    by bellings ( 137948 ) on Friday December 08, 2000 @04:38PM (#571257)
    from a security point of view, someone who is only trying to use a service they already know you have isnt' scanning you; someone is scanning you to find something out they didn't already know, which is something you should be aware of

    So... if I type http://www.monkey.com/ into the address bar of my web browser, just to see what comes up, I'm doing a "port scan" on that server? Should the administrator of www.monkey.com be aware that I'm trying to hack into the site?

    If I decide I want to download the latest version of NetBSD, and I just randomly guess
    $ ncftp ftp.netbsd.org
    am I doing simething the administrator of the domain should be aware of? (In fact, last night I did exactly this. I had no idea where to download NetBSD -- that was just my first guess. I had no idea if there really was machine named ftp.netbsd.org, or what services it may provide. By trying to connect, I really was trying to discover something I didn't already know.)

    The only thing I'd call a real "port scan" is the kind of thing you can do with a program like nmap -- scanning dozens or hundreds of ports at once, just to see which are open. It shouldn't be a suprise to anyone that those "port scans" are easy to log, but next to worthless to break into the machine.
  • why is slashdot so gay, can't we have woman

    i think all the goats.ex trolls killed all the natalie portman trolls. i find the new group much more disturbing.

  • You don't need to use fiber to implement one-way links; standard ethernet, with one pair cut, will do the trick.

    --
  • ...on the internet right now that hold classified information and aren't secure at all. Infact you can ftp in as anon and pick up the files.

    So all this classified stuff isn't on the net is a joke to me. Also the 2 missing laptops that still have yet to be found with classified information are floating around somewhere in the US (this was in 1999 and people were dismissed over it). I just suspect that someone stole them and they aren't being used by terrorists but then again I could be wrong.

    Our nations policy; when it comes to computers is a damn joke. What they need to do is create a security division in the military and deploy them to secure information systems everywhere. Until then we will be unsecure as all hell.

    I'd suspect that they are talking about the not-connected DOS operated computers to order military parts because thats the only thing I can think of thats not really connected in some form or fashion. However you can press ESC and copy *.* A:\ and leave with that info. Order yourself some hummer parts or weapons etc. Anyway

    Have a good day.
  • So, which OS's are classified as what?
    What OS has an A or B?

    I heared NT4 was classified for C2, but I never heared about the others out there.

    Any URL's/links?
    --

  • DoD Computer Systems, OSs, and Commercial Software (Score:3)

    by thewiz ( 24994 ) on Friday December 08, 2000 @07:04PM (#571262)
    Understand that most attacks that are launched on DoD computer networks are against UNCLASSIFIED networks. They can contain sensitive information but the really CLASSIFIED stuff is housed on machines that aren't even connected to the Internet (think the original Mission Impossible movie). The sensitive machines that are connected to the Internet can't be found by any script kiddy or leet haxors. For those of you who think you're the hottest cracker around, think again. If the NSA or DoD hasn't approached you to join, you're not nearly as good as you think you are.

    To address a few issues that others have brought up:
    Attacking a military system with more than a port scan or mild probing WILL earn you a visit from some very terse (but polite) gentlemen.

    At the facility I work at we use Solaris, AIX, Windows NT, Windows 98, OS/390, MVS, and even Linux on an S/390. I'm sure there is a project somewhere that uses OpenBSD.

    Backdoors in commercial software are a VERY big issue, especially when the system is connected to the Internet. We DO use software like Emacs, and other Open Source software on our systems. Having the source code available for perusal by a programmer is EXACTLY the reason we use OSS. There is nothing hidden in OSS like there is in proprietary packages. Ever tried asking Microsoft for their code for any of their products so you could verify C2 compliance?

    The DoD does NOT engage in monitoring the public on the Internet (that's the FBI's job ;) ). You will be monitored while accessing a DoD site (and we post BIG warning messages about that) or if you attempt to do anything that is deemed an attack against DoD systems (the same kind of acts that would get you monitored by a commercial site).

    As for programmers putting backdoors into software that the DoD creates, that chance is nearly 0%. When a mission critical software package is written, it is done by more than one person, often by more than one team of people. The code is then subjected to multiple peer reviews. Everything that is done by the program is questioned and re-evaluated at each step of the development cycle. Why else do you think that the government is still using computers from the 70's and 80's? We haven't finished the code reviews yet! ;)

    Trusting foreigners - Well, you can't even get a clearance if you were not born in the U.S. (at least that's the way they say it's supposed to work).

    The DoD is NOT stupid or careless; unfortunately, there are times when people make mistakes and accidentally compromise classified information. This happens through laziness and cockiness on the part of users AND Admins; the same reasons that commercial sites get cracked.

    And, yes, many of us are not in this job for the pay, rather out of a sense of duty toward our country.
  • ...could be called DoD DoS's ?

    Sorry...couldn't help it :)
  • I wonder if that includes the computers top officials must have to play solitare on a daily basis?


  • The DoD uses the same techniques as any other organization who values privacy. If you're hitting a port for protocol foo on a machine that isn't dedicated to protocol foo, then that will earn you an IP block at the router level. The block lasts for quite a while (months, not minutes) and is then often dropped, unless you keep trying.

    Another poster comments "how much of an "attack" is it to scan to see if FTP is open?"

    If you're looking at the public FTP server, it isn't an attack; that's what the server is there for.

    But if you're outside the firewalls, looking for FTP on a machine inside the firewalls that isn't advertised for FTP, that's what's called "recon," and will earn you an IP block, automatically.

  • Check out Tales Of Woe [maximum3d.com] . It's the day-to-day true stories of the idiocy a network admin for the DoD has to deal with. It's absolutely hilarious.
  • You can get a clearance if you were not born in the U.S.; There is no rule against that. The background check just takes alot longer. If all pans out you get your clearance. Hrmm I believe ENTAC and some other agencies do that type of stuff.

    Most people I know want to get the hell out of service now. Not because they don't get to use cool stuff but because they get paid absolutely shit compared to their counterparts. They also don't get any perks. Then they also have to deal with a ranking situation and if anyone knows sysadmins/programmers. Sometimes when you know you're right you don't necessarily want to have to tell your commanding officer and/or general in some cases to fuck off.

    I see alot of talent in the army specifically, It's just not being used.

  • Port Scan's (Score:4)

    by holos ( 88324 ) on Friday December 08, 2000 @02:59PM (#571268)
    Is it really fair to count port scans as an attack? I can see classing it if it comes from a 192/10/172/169 address but normal scans are part of life, or they are at least for my boxes and me. With portsentry on them I usually get 5 a week from sources all around the world, usually they just check for mail relay and script kiddy tools but sometimes I'll catch the same IP scanning many machines, then they get monitored.
  • As a result, the official added, "we are not buying such off-the-shelf products in our most sensitive systems."

    And for the rest, do they actually go through the code to make sure that there are no vulnerabilities, or do they just assume that if there were then they would have been already found?

  • I think that servers like the US military (or NATO in general, IIRC Nato HQ in Brussels also had some being hacked problems from time to time), and sites like Microsoft.com, are simply grand prizes for hackers.

    And where real hackers are interested, the script kiddies follow (because it is kewl).

  • I like this better:

    It is like knocking on the door to see if anyone is home, then if someone is home, see if the door is open to be able to get in.

    There are many legitimate reasons to knock on the door to see if anyone is home (looking for the FTP port on a machine that you KNOW is running a warez FTP), but there is no reason to check for vulnerabilities (within the program with the port open)

    ok this could've been better, but it is late.......
  • Man, it's one thing to be a prick and try a DoS attack or something on a commercial or public site, the repercussions are limited at best. It's not often you hear about people getting arrested (although it does happen).
    But come on, attacking a Dept. of Defense site is just begging for some spookly looking heavily armed jerks to interrogate you under some hotlamps before hopping into the way-back machine and making it so you were never born!
    Oy vey, just my cent or two.

    Mike Thacker

  • Re:2000 Mission Critical Computers? (Score:4)

    by slickwillie ( 34689 ) on Friday December 08, 2000 @03:01PM (#571273)
    Are you kidding? Real defense weenies don't play solitaire, they play minesweeper.

  • Re:Open Source Software security (Score:1)

    by Anonymous Coward
    Who wouldn't be surprised if they use a lot of OpenBSD code? I mean.. Think about it. Here we have a codebase that has been audited by a group that publishes everything and still uses a BSD (non-viral) license.. It's also a BSD core, which is exceptionally mature in terms of people who can write code for it.

    It would at least be a decent start.. If you had good programmers with code auditors from there, you could build a system that would be as close to attack-proof as you wanted.

    Hm.

  • slashdotting .mil servers (Score:3)

    by Anonymous Coward on Friday December 08, 2000 @02:57PM (#571275)
    is slashdot organizing a DoS attack on US .mil servers by posting a link on the front page?
  • yes, there are probably computers on the internet containing classified material.

    but there are also bad people around planning bank robberies. such is the nature of our planet.

    note that you are legally obligated to share your knowedge of those 8 computers with your infosec POC.

    in fact, anyone whith a clearance who reads your post is legally bound to report it.

  • > My favorite is a guy called Agent Wesley, he's got reaaaly long fingers.

    At least, you thought he did until you felt a hand on each shoulder.

    Sorry; just an old construction worker's joke about a visit to the proctologist.

    --
  • This isn't too surprising, considering that
    • The DoD has quite possibly the most secure networks in the world (of those that are actually connected to the internet, of course). This makes them a target for anyone who wants a challenge.
    • Lots of script kiddie type "hackers" have been indoctrinated with the mass media image of a "leet haxor" who discovers important confidential information while poking around the DoD, and they figure it could happen to them.
    • Actual agents of foriegn powers are probably trying to gain access to secret information... Though traditional methods of gaining access are probably still effective.
    Consequently, this sort of statistic shouldn't suprise anybody.



    --

  • why develop all this code inhouse? i would feel secure with OpenBSD nicely firewalled / services configured correctly.
    if not a regular distro of UNIX why not simply a heavy mod, apparently they have a full new operating system in place.
    Of course, this is from the same people who thought ADA was a good idea :)
  • I suppose the must use open source stuff and linux then review the code and compile it themselves. Or they could write everything themselves, but due to required effort is about as likely as Microsoft (willingly) open sourcing windows.
  • People are nicer to the DoD than I had thought.

    There was a report [ieee-security.org] in 1996 that said that 65% of in-house testing hacks were successful. According to this more recent article, 3% of attempts caused damage, and only 1% managed to break into unclassified systems. That's a good sign, I think. Hacks are increasing at 10% a year, and security is increasing faster.

    The Pentagon is trying to protect itself from future attacks by deciding to "to carefully consider the origin of all software used in developing or upgrading information technology or national security systems." It sounds like they're mostly worried about those "foreigners" trying to put in backdoors. I'm not sure why they trust Americans more. But by using commercial software, like Microsoft and Lotus Notes, they're not only making their task impossible (anyone want to parse Win2000 to figure out which parts were written where?), but are focusing on the wrong worries. They should use smaller software packages, that can actually be reviewed, instead of huge bloatware that permits backdoors to be hidden.

    Thalia

  • > So when we grumble about possible backdoors in commercial software, it's paranoia. When the DOD does it, it's what? Justifiable, or just well-funded paranoia?

    Yeah, that was my first thought, too.

    I have a feeling that this article may have some substantial repercussions in the IT industry. If the DoD won't use closed-source software due to fear of backdoors, do you sleep well knowing that your workstation uses it?

    Your bank?

    Your voting machine?

    OSS advocates might get some mileage out of showing this to The Man.

    --
  • The Pentagon is trying to protect itself from future attacks by deciding to "to carefully consider the origin of all software used in developing or upgrading information technology or national security systems." It sounds like they're mostly worried about those "foreigners" trying to put in backdoors. I'm not sure why they trust Americans more.

    Perhaps they (the DoD, U.S. government) have a reason to suspect that companies in other countries could be persuaded/coerced into putting backdoors in their software by foreign powers? I can think of two reasons.
    The first being that they believe governments in other countries can exhibit more influence over companies in those countries. This is probably true, at least in some cases. In fact, in the U.S. I think it is far more likely that businesses exhibit influence over the government, rather than vice versa. : )
    The other reason I can think of is that they are able to coerce US companies to put in back doors, so they assume it is the cause in other countries.

    Just a thought.

    n8_f

  • Quality of DoD sysadmins (Score:5)

    by dkusters ( 2770 ) on Friday December 08, 2000 @04:11PM (#571284)
    Working for a DoD contractor who supplies software to the DoD, I can attest to the general lack of quality among their sysadmins. There are some amazingly good admins out there, but they are few and far between.

    The DoD has tens of thousands of computers at thousands of locations. They have over 10,000 different software applications that they have had written for them. I'm not exaggerating. Organizations as large as the DoD need a lot of admins. But, the admins are, for the most part, civil servants. They fit into the standard scale of civil servants jobs and wages. In other words, they don't get paid very well.

    Let's say your a good admin. Would you work for $70K at a computer company or for $40K for the DoD and have a BGen. screaming at you for not allowing him to receive his granddaughter's cute annimation in the mail even though you've explained that the latest DoD mandate forbade ActiveX in emails? Simple choice. Industry pays better and has a better working environment.

    So, what are you left with? One of the admins we deal with (let's call her Betty) was a typist in the secretarial pool (yes, the DoD still has those). She was promoted to an admin. Why? Because of her vast knowledge of networking? Because of her ability to troubleshoot hardware? No. Because she could type fast. This is a real story. Only the name has been changed.

    There are good DoD admins out there. They do it not for the environment or the money, but for the sense of pride out of helping the country. On average, the quality of the DoD admins is very low.

    Dave.

    P.S., this post does not reflect the opinions of my employeer.

  • Re:What OS's do they use? (Score:3)

    by superid ( 46543 ) on Friday December 08, 2000 @04:13PM (#571285) Homepage
    Oh for crying out glayvin...."we" use everything that you do. Everything...NT, 2000, 98, 95, DOS, Linux, solaris, Irix, AIX, HP-UX and thats all within sight of my office!

    What makes you think we're any different than a very large corporation? We are not one giant monolithic organization. We have well run firewalled networks...we have isolated networks...we have public webservers and database servers. Some I don't doubt will be defaced, others I have confidence that they are basically impenetrable.

    We have smart users that can setup their own systems, and we have some of the stupidest users you've ever seen (I got 3 trouble calls from one person for the same printer in 10 minutes... out of paper, offline, and then he printed to a printer 10 feet away and couldn't find the printout)

  • the article is interest? (Score:3)

    by divide_by_0 ( 176557 ) on Friday December 08, 2000 @04:13PM (#571286)
    Those numbers apparently count port scans too, but the article is interest, talking about many things....

    what kind of interest does this article get? I would hope it would get at least 5% compound interest anually.

  • So if someone goes over an entire class C only checking on port 31337 (Back Orifice default port) that's not a scan? What would you call that?

  • You think that the Department of Defense has bad security? A while back (September 11,) the government GRADED itself on each agency's security against computer hacks. They found that the grades were failing.

    See here [ttp] for a copy of the "report card."

    The Social Security Administration got the highest grade, a B.
    The National Science Foundation got a B-.
    The Department of Education and the Department of State got the grade of C.
    HUD, the Department of Commerce, and the Agency for International Development got the grade of C-.
    The Defense Department got a D+.
    The Department of Veterans' Affairs and the Treasury Department got a grade of D.
    The EPA, the Global Services Administration, and NASA got a grade of D-!
    The Office of Personal Management, the Health and Human Services Department, the Department of Agriculture, the Small Business Administration, the Department of Justice, the Labor Department, and the Department of the Interior got a grade of F!!
    The Department of Energy, the Nuclear Regulatory Commission, the Department of Transportation, and FEMA never even had a completed test!

    The overall grade for the government was a D-!

  • Was that supposed to refute what I was saying?
  • Sometimes when you know you're right you don't necessarily want to have to tell your commanding officer and/or general in some cases to fuck off.

    As an Army officer (but not speaking officially as such at the moment), I can tell you it is your duty to tell your CO she or he is full of shit (when that is the case), though I would suggest being a lot more polite and tactful. Don't just complain--provide actionable solutions to problems you see! However, once a decision is made, you need to support that decision as if it was your own.

    If you are affiliated with the Army, check out the Integrity and Loyalty "Army Values." Most Army officers I know are trying to do the best job they can, within a framework largely designed to support the combat arms branches, rather than the combat support or combat service support elements.

    --
    jvev atvf gurm rabs pern gvba

  • They chose to give her the sysadmin job, that's their fault. But she will feel their wrath (surprise!) when things don't work out.

    :(


  • not at all.. looking for an open FTP port is more like walking up to a book store and trying to open the door to see if it's open.

  • Many commercial OSes have some kind of evaluation of some version, and some have TCSEC (Orange Book) class B or above (or equivalent under other schemes). If you are really interested, here are some links:

    The field has its own specialist jargon, so it may take some effort to make sense of all that. Also remember that resistance to penetration is not required until you get a long way up the scale although it is probably what most people expect to get, only to be disappointed. It is actually very hard to show that a system is penetration resistant, much harder than merely making it penetration resistant (which is hard enough in itself if you want to keep some functionality).

  • Bwahahaha!

    Must burn karma to make the whoring game fun again. Damn karma cap.
  • I imagine the DoD's sysadmins are a scary bunch.

    Heh...probably neurotic, too. It's not a job I would want. I consume too much caffeine as it is.

  • I'll confess, (Score:3)

    by Shoeboy ( 16224 ) on Friday December 08, 2000 @03:04PM (#571303) Homepage
    I have been responsible for some of this. I can't help it - it's so rewarding.
    You scan a DoD computer and several large men come over to talk to you.
    They humiliate and scold you.
    If you're lucky, you get a cavity search!
    My favorite is a guy called Agent Wesley, he's got reaaaly long fingers.
    Anyway, just wanted you guys to understand my script kiddie motivations.
    --Shoeboy
  • Hmm...a port number is 16 bits...

    65535 - 22,000...

    My sources predict another 43,000 + attacks before the end of next year!

    --Spence
  • Though I doubt the host 'www.monkey.com' will NOT have a web site on it, given the 'www' prefix...

    I'm not saying there is anything whatsoever wrong with doing such a thing. I'm saying that, as part of an IDS, if I run a server that does NOT have an ftp server on it, then I would like to know about all the network traffic coming into my box, period. Even something as simple as an attempted FTP session, yes, is a concern.

    Please understand I don't mean to say you should compain about it, or even assume that something bad is happening, only that it is something you should not simply ignore. YOu should record it, make note of it. I'm saying that it has relevance in overall tight network security analysis, period.

    I'm not saying portscans are 'bad' to do either, I'm just saying that from a security point of view, as a sysadmin, you DO want to know about ANY non-prescribed network connection attempts or other traffic on your network, so you can properly make *informed* decisions as to what is a threat and what is not.

  • The article does not say what OS(s) they use, only that they dropped Solaris, and they dont use anything by Microsoft or Netscape (now AOL). (Heh, it would be rather funny if they used AOL to connect to the internet... But I digress.)

    I wonder what the odds are that they use something like Open BSD? Its similar enough to Solaris (Only BSD init as opposed to sysV) and they have the source code. Still, the article says that they don't use any "commercial" products, does that mean that they code thier own, including the operating system? I doubt it, while they might have their own in house apps, I bet that the OS is open source and widely avalible, I am willing to bet that its Open BSD. It would have been great to ask Theo on the Ask Slashdot that was here recently, but then, I doubt if Theo would know if the DoD is using his little BSD system anyhow...
  • So when we grumble about possible backdoors in commercial software, it's paranoia. When the DOD does it, it's what? Justifiable, or just well-funded paranoia?


    My mom is not a Karma whore!
  • I think both the Justice department and the NSA have both said they use OpenBSD. I'm a little less certin on the NSA having said so. I do remember a story [thestandard.com] about the Justice Department using OpenBSD for it's sensitive data.
  • I've had some (stupid) interludes with government agencies ... I sysadmin a small research lab, and one of the idiots in the lab tracerouted a State Department computer (it was a stupid thing to do in the first place )...

    Got a letter a few days later asking me to confirm that the machine WASN'T compromised and please explain why we were tracrouteing them ... Being this paranoid makes sense actually ... by firing off a letter to machines acting suspisciously, they undoubtedly make life harder on their would be attackers by making compromised machines known to their owners.

    The only complaint I have about the whole thing is it scared me shitless thinking we'd been compromised :-) The letter follows, although I removed the IP addressess ...

    Gentlemen, Greetings, the U. S. State Department Computer Incident Response Team (CIRT) received a report from our Security staff that we were being touched from IP address ***.***.***.*** which translated to host name *******.***.*** Interestingly the packet ttl is 1 and source port of 60704 did not change. The events occurred on Sep Sep 23 20:51:17 (all times are local). All attempts appeared to originate from host name ******.***.*** We understand that this may be due to operational activity. Please examine your security logs during this time period and let us know if this was indeed authorized activity. Your assistance and cooperation are greatly appreciated. Susan L. Tanoe US Department of State - Bureau of Diplomatic Security Computer Incident Response Team 301-985-8347 Report computer security incidents to: CIRT@state.gov 301-985-8375 (24-hour contact number) For more information, visit us on the IntrAnet at: http://acd.ds.state.gov/high/cif/cifmain.htm CLASSIFICATION: UNCLASSIFIED This e-mail is unclassified based on the definitions provided in E.O. 12958

  • Notice that a search for Air Force firewalls brings up Secure Computing's Sidewinder, a FreeBSD derivative.
  • ...was pretty cool. i've heard this trick is common in both mil and finance networks.

    all you do is hook a basic box to the web for normal https processing, but on the back end you convert critical data to udp packets and broadcast those via a one-way phiber link to a transaction box.

    the transaction box burns the transaction packets onto write-once cds.

    note that although it is possible to lose *some* info from the insecure side, or to have *some* incoming data distorted by the wiliest of hacker, it is impossible, without inside help or truly clueless administration, to have anyone get/distort all the records.

    the one-way link trick is pretty standard for sensitive data. truly hi-level secret stuff isn't connected to the web in any fashion. that would be idiocy.


  • that's why we keep reading these stories about an "Electronic Pearl Harbor" and how hard they're working.

    Face it, they just want an excuse to spend more money on eavesdropping on civilians on the Net, and this is just their way of making it sound like they're not looking for pr0n.

  • Re:Port Scan's (Score:3)

    by Falsch Freiheit ( 7780 ) <freiheit@g m a i l .com> on Friday December 08, 2000 @03:17PM (#571331) Homepage
    Yes.

    If you are intent on breaking into a machine to which you have no access, a port scan is the first step.

    For any kind of attack (whether with guns or with computers), reconnaissance is the first step.

    If you're not the DoD, though, I wouldn't worry about portscans. I don't count them as attacks just because they're so common. Besides, if I have a machine that runs several websites (some of which have files available for download), how much of an "attack" is it to scan to see if FTP is open? It could just be somebody who got a partial file download and wants to see if they can finish the download.

    Also, with most of your machines, there is *some* kind of legitimate access the public has to it. The SMTP port or HTTP or something like that. For many DoD machines, there is *no* legitimate access for most of the public.

    Only 5 a *week*? Wow. That's low. I think the main machine I do any admin for gets that many in an hour.

Slashdot Top Deals

Always draw your curves, then plot your reading.

Close