Air Force Comments On Drone Malware

wiredmikey writes "Air Force officials have revealed more details about a malware infection that impacted systems used to manage a fleet of drones at the Creech Air Force Base in Nevada as reported last week. The 24th Air Force first detected the malware – which they characterized as a 'credential stealer' as opposed to a keylogger as originally reported — and notified Creech Air Force Base officials Sept. 15 that malware was found on portable hard drives approved for transferring information between systems. The infected computers were part of the ground control system that supports remotely-piloted aircraft (RPA) operations. The malware is not designed to transmit data or video or corrupt any files, programs or data, according to the Air Force. The ground system is separate from the flight control system used by RPA pilots to fly the aircrafts."

Haqqani

[ackthpt]

I wonder if he was told he won the Slobobvian Lottery before he was hit.

Re:

[mjwx]

I wonder if he was told he won the Slobobvian Lottery before he was hit.

So there is an entire country for Slobs and the have a lottery?

Why is this only being posted on /. now?

Re:

[Ozmodium]

At first I thought you were referring to the 80's movie Making The Grade "Exchange student from Lower Slobivia," but then stumbled upon the fact that Slobovia is used as a reference to any "non specific, far-away country." Wikipedia on Slobovia [wikipedia.org]

Re:

[Archwyrm]

Slobovia is somewhere near BFE if I recall my geography correctly.

Possible typo.

[pushing-robot]

A "feet of drones" is the proper collective noun only when they're on the ground. In the air they're known as a "bungle".

Re:

[Soulskill]

Fixed. Thanks for keeping us on our toes.

Re:

[oursland]

A "feet of drones"

Fixed. Thanks for keeping us on our toes.

I see what you did there!

Re:

[mjwx]

A true Slashdotter is not permitted to admire Apple due to an incompatabilitiy between the GPL and Apple's "walled garden."

Sorry. Turn in your Mac for a Debian box.

Good idea, wrong thread.

Here is where we're supposed to bash the US Air Force.

Re:

[ColdWetDog]

A "feet of drones" is the proper collective noun only when they're on the ground. In the air they're known as a "bungle".

Prior Art!

A 'bungle' is a large group of politicians in flight from reality.

Re:

[ColdWetDog]

Although, thinking about it a bit further, a bunch of drones in the air and the aforesaid flight of politicians are pretty similar concepts.

Carry on!

Checks out

[gadzook33]

Yeah, this makes much more sense. Didn't stop everyone from reporting that the drone fleet was infected with viruses when this first broke. I could be wrong but I'm fairly sure the Predator isn't running Windows 98 (or god help us all). I think those of us with some sense were wondering when the real story was going to break.

Re:

[Anonymous Coward]

The drone itself may not be running a standard OS, but it's entirely possible that part of the flight control system might. More critical systems have been built atop Windows platforms before, and the DoD doesn't have a particularly good record with computer-related sensibilities, see: How all .mil domains are digitally signed by a CA that no web browser (including those on DoD computers) recognizes as legitimate.

Question!

[MrEricSir]

If a drone running Windows 98 is destroyed, is it okay to re-use the license key on a new one?

Re:

[atisss]

It will hang into BSOD (Blue Sky Of Death) and stay in the air forever, so it will technically still be running licensed version, so - no.

Re:

[codepigeon]

Yes, but you still have to call the 1-800 number in india and let them know you don't have in installed on more than on drone in your household.

Re:

[Joce640k]

Windows autorun strikes again. To nobody's great surprise.

Re:

[hedwards]

Theoretically, it might require somebody to come back and collect it. Which is necessary in cases where there is a proper air gap even though it greatly increases the risk of being caught.

Re:

[hedwards]

I think they're usually called "officer."

Does this suggest

[phantomfive]

malware was found on portable hard drives approved for transferring information between systems.

Does that suggest that someone forgot to turn off auto-run? Or was it really only on the hard drive, and never actually infected the controlling computers?

Latest in AV Software...

[scalarscience]

My favorite quote from the article [securityweek.com]: “We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions,” Cook said in a statement. “Continued education and training of all users will also help reduce the threat of malware to Department of Defense systems.” Why do I get the feeling that Norton/McAffee are offering their 'latest anti-virus software" to "strengthen our

Re:

[Anonymous Coward]

99% of the usage is broken and misunderstood. I'd say that only 1% of the populace actually understand security, and a diminished number actually take steps to placate the problem. When I hear that someone thinks that sticky plaster Anti Virus - will be like a hand barrier cream I cringe. This is the nation state that had a hand in Stuxnet.

Apparently, the air force has deduced that they understand this malware, and its just a password stealer for online games. So that's alright then. /SARCASM/ off.

I work in

They don't see the irony either...

[Paul Fernhout]

"It also underlines a fact I have known for years. Senior staff, officials, managers the political classes and military staff don't understand the technology at all."

http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html [pdfernhout.net]
"Military robots like drones are ironic because they are created essentially to force humans to work like robots in an industrialized social order. Why not just create industrial robots to do the work instead? ... There is a fundamental mismatch between 21st cen

Damage control?

[SharpFang]

Sounds an awful lot like media damage control to me. Downplaying the scale of the failure and misinforming the public once the full scale has became known and the utter mind-boggling disaster it was has became apparent. So far it was "We've got an embarassing problems", and now it became "If the press learns of the full scale, heads will fall like rain."

Re:

[Sepodati]

Sounds like you wouldn't believe any explanation that doesn't fit your theory of what happened.

Jumping the meat barrier.

[BenJCarter]

Quite sophisticated. Found "on hard drives approved for transferring information between systems". I'm sure it's harmless though. No doubt the pilots surfing Facebook use a different code to log into the kill drones flying above our troops...right?

Whitewash

[Daniel Phillips]

The implication is apparently that since it was only the ground control system, not the flight control system, there was no danger of the aircraft control being compromised. This is false. The ground control system is in fact in complete control of the aircraft, if it so chooses. The bottom line is, somebody should be put in the brig for allow Windows anywhere near a UAV.

Re:

[Daniel Phillips]

It would also be arrogant to say simply switching operating systems will magically fix their problems.

Even more arrogant to deny that it would be a good start.

Re:Whitewash

[Kaedrin]

Wrong. Someone does however need to explain why systems like this don't have SRP (Software Restriction Policies) or AppLocker Policies enabled with a ridged white listing rule set.

Servers/Drones/etc like these should NEVER allow any account permission to run non-whitelisted applications. The fact is, barely any code should be allowed to execute, and itâ(TM)s completely inexcusable for them to not be using the whitelisting rules that are part of Windows/Active Directory. In an environment like this where there are ridged policies for doing practically anything related to production software, preventing rogue code execution should be mind boggling easy for one moderately skilled administrator.

Re:

[zero0ne]

The real question is how can someone build drone piloting software that actually works well on Windows?

I just don't see any type of Windows platform offering the kind of precision & computing speed needed to control a UAV 100 to 10,000 miles away.

Seems like something you would want done in the fastest language available, not some hodgepodge of .NET & Silverlight.
(I think I just threw up in my mouth a little)

Re:

[merky1]

If you RTFA, you would have determined that the flight control system is not infected, and the the systems that are in question are ancillary information systems. Think of a monitor with google maps...

The reason they use removable HDD's is probably so they can model the necessary mission data offsite, and then "replay" it at mission time.

Re:

[Anonymous Coward]

I just don't see any type of Windows platform offering the kind of precision & computing speed needed to control a UAV 100 to 10,000 miles away.

Do you know anything about Windows programming, or even Windows itself?

Re:

[phantomfive]

I remember reading somewhere that the latency is actually huge, something like 15-30 seconds (they are controlled from Nevada, after all). The AUVs do most of the flying themselves, and the people in Nevada tell them "go here" "go there" and "fire missile at that target." Then for takeoff and landing control is passed to someone onsite from the Middle East who has better latency.

Re:

[Daniel Phillips]

Or just don't let Windows anywhere near deadly weapons, how about. Never has been secure, never will be, not in any real, shipping form, except according to cynical apologists with their hands in the cookie jar.

Re:

[Ibiwan]

They're still using awkward wording. Neither the computer on the plane nor the computer the pilot is sitting in front of runs Windows. In the same trailer, there are also several machines used for data analysis that DO run Windows, and are the only place this malware (virus? worm? trojan? I never could keep them straight) could possible have taken hold. Also, the "credentials" in question are video game registration keys. Good luck finding many of those on these workstations!

This virus can't be a thread with no Internet.

[satuon]

If the computers are really not connected to the Internet as I had read from the earlier articles, the virus can't send any information it captures nor can it receive commands. At most it could format their hard drive.

Re:

[iive]

Have you forgotten about Stuxnet?
That virus was designed to sabotage industrial equipment that was not connected to internet. It was designed to propagate though removable drives and local networks. And Stuxnet did reach its target and sabotaged it successfully without even causing suspicion.

Imagine that the Chinese/Russians modify Stuxnet (I've read it is quite modular) to infiltrate the UAV control. Imagine that they add module that activates only when the drone enters GPS coordinates of China/Russia. Thi

What I don't understand

[aaaaaaargh!]

Why don't they allow only signed software that is on a whitelist to run on their computers?

Sure, whitelists are highly undesirable for ordinary consumers (to say the least..), but for the military or other domains with high security demands they seem to make sense to me. Shouldn't their software be audited and signed first anyway? Shouldn't they run a custom BIOS and an operating system that can check signatures before running code? Are there technical reasons against this?

Just wondering.

Re:

[jank1887]

you assume the hardware / OS is sufficient for the function you described. How many hacked up versions of Windows CE do you know that can be properly software secured? I still remember bypassing whitelists by renaming Netscape to Notepad. :)

Re:

[hAckz0r]

And they should use a "default deny security enforcement policy" (e.g. Bit9 software). If the application's signature is not on the permitted list it should be prevented from running. Period.

This however does not fix some underlying problems with remote distributions. Datasets have become too large to be easily handled on standard CD/DvD's, so many organizations have resorted to using hard drives to pass information. I still see potential problems. When mounting an 'untrusted' drive many things happen, n

How much longer consumer OSes on military systems?

[Viol8]

This is a farce. Neither windows, nor linux or OS/X or commodity PC hardware should be let within 100 miles of these systems. Wtf are the military playing at? Is their trillion dollar budget not enough to afford some proper kit and in house software FFS?

Re:

[WillAdams]

The military has been told by GAO and OMB and other bean counters to use COTS --- it's also more expensive to get things developed on proprietary systems and that runs into single source issues.

Arguably everyone should use NSA's security-enhanced Linux:

http://www.nsa.gov/research/selinux/ [nsa.gov]

Or similarly secured systems.

Re:

[INT_QRK]

BINGO! Policies that carry significant political political weight, especially when they become fashionable routes to swift approval, are especially prone to misunderstanding, misapplication, and imbalance between indented and unintended consequences. COTS, when misused as a panacea to achieve affordability, tends to not only be less affordable in the long run, but often leads to less effective solutions. The problem is that panaceas rarely are. Policies mindlessly pursued lead to poor results decoupled from

Animal House

[ThatsNotPudding]

"Remain calm, all is well."

What the keylogger captured

[jpvlsmv]

All that the keylogger captured was a bunch of sequences of "IDDQD" and "IDKFA" typed over and over again.

2-Part Attack?

[Gooba42]

Make the datalogger very infectious but otherwise look harmless.

The datalogger dumps the information back into someplace like say the portable hard drive that brought it into the secured area to begin with. It sets up shop and makes a gazillion copies of the data it was designed to ferret out but it does nothing but log the data.

Then the portable hard drive gets walked out of the building and used on other hosts, at least one of which is infected with a transmission vector which picks up the payload and for

I don't mean to point out the obvious here..

[idbeholda]

But if the offending piece of malware was on an NTFS file system, and accessed the ADS, hundreds of megabytes worth of lifted data could be stored, and nobody would be the wiser unless they checked to see what kind of data was hidden if resource forking was implemented. Pray this isn't the case, because if it is, Victoria won't have too many secrets left.