US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

  • Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

    • by JMJimmy ( 2036122 ) on Monday December 17, 2018 @10:57PM (#57821664)

      Security through obsolescence and incompatibility

    • by ShanghaiBill ( 739463 ) on Monday December 17, 2018 @11:09PM (#57821718)

      Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

      How do people "know" things? By learning. How would they learn? By reading. What would they read? A report. Where would the report come from? Someone tasked with generating it.

      Do you really think everyone in DoD is somehow born with knowledge about missile system OSes, and all the flaws in those OSes?

      Also, this has nothing to do with the security of "ballistic missiles". The missiles managed by MDA are NOT ballistic.

    • by AHuxley ( 892839 )
      They know what's wrong but the skilled buddy team that can fix the problem is working on a list of 50 other ports/base/forts.
      The other buddy team is under watch by the FBI after one of them did something that attracted a security review.
      Too few really skilled mil workers/contractors for the buddy system, too many problems.
    • by ( 4475953 ) on Tuesday December 18, 2018 @03:48AM (#57822530)

      Sounds like a penetration test was conducted, including physical access testing. That's normal and good procedure, just a bit shocking that they do it only now and bugs from 1990 haven't been fixed yet...

    • by Anonymous Coward

      They have plenty of security. These guys invented security. Just not the kind millennial nazis like

    • by LostMyBeaver ( 1226054 ) on Tuesday December 18, 2018 @07:46AM (#57823280)
      Having been a contractor in this sector a few times, let me just say that it's a revolving door system.

      The DoD, DoE, TSA, DHS, etc... are generally run by people completely lacking the ability to make decisions related to technology. This is not uncommon, hell, most of my company's customers are completely at the mercy of some slide shows and Gartner reports.

      Consider this... what percentage of Cisco customers actually need what Cisco peddles? I've been reviewing most of our customers' networks and realized that the average customer paid $20 million over 5 years for their network. I assessed their needs, their requirements (then and now) and concluded that they should throw their networks away completely and replace them with systems costing an average of $500K CapEx and about $200K OpEx annually. But they will continue to spend an average of $4 million a year each because they are completely at the mercy of the salespeople who sell them tons of shit they don't need.

      The TLAs (three letter agencies) aren't even run by business leaders. They are run by bureaucrats. As such, they are even more poorly managed. I've worked with multiple organizations that hire people, stick them in secure environments after their clearance ... well clears and then cycles them out based on the fact that contracts are rolled over and over and over for no apparent reason other than the company who was currently contracted failed to do the job they were given because in order to get the job, they were forced to make a large number of false promises and now someone else making other false promises because they couldn't get the job if they answered honestly has taken over.

      No... the DOD has absolutely no idea what the hell is going on in the IT systems because they never hire anyone long enough to get a foothold. I was at an SAIC office not long ago which had over 200 desks and in most cases, those desks were filled by sub-sub-sub-contractors and most people had no idea what anyone did or even what company they worked for.

      If you think the DOD is bad, you should look at the State Department. I'm entirely convinced they simply let everyone walk through there unchecked.

      I think it really went all downhill with the introduction of the TSA which is basically nothing more than a way of keeping people off welfare and not calling it socialism. They have 1.2 million people in their Active Directory last I checked.... how many do you think are actually tracked and verified?
    • Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

      The DOD (and any organization for that matter) requires audit reports to confirm that what they know in inventory is actually true.

      Shit moves.

      Think data centers for instance. Routers move, get displaced, get fried, replaced, etc. You'll keep some type of inventory (hopefully tied to some sort of monitoring and procuring system), even if only manual. But every once in a while you need to double check that the list is sufficiently accurate to represent what you have.

      Same with software systems.

      So it is

  • by Anonymous Coward

    "Captain - censors indicate the ____ of a _____ ______ on the _______."

  • Oblig xkcd

    by purplie ( 610402 ) on Monday December 17, 2018 @10:51PM (#57821632)
    • +1... if it needs 2FA and AV then that means it is on the internet somewhere and they've already failed.
      • by hey! ( 33014 )

        Not necessarily. Air gapped systems can be attacked by parties with sufficient means -- state actors. Remember STUXNET? It was a joint American/Israeli attack on SCADA systems controlling Iranian uranium centrifuges. To get at those air-gapped PLCs, we infected the whole world.

        It's not enough to air gap a system, you have to air gap every system that prepares data and program updates for that system. Essentially you have to build up an entirely separate parallel cyber infrastructure that never has c

        • by Atryn ( 528846 )
          Yes, not in the summary, but 10.1 is probably "people are running around sticking USB drives into things". :) Air-gapped only goes so far.
  • Our contractors and the military are running on 40-60 year old tech. They are incapable of fixing this and too scared that it will bring a portion of the national defense down for a time in the process, so nothing will ever be done. That is until a rogue nation actually launches one of our nukes!
    • by aberglas ( 991072 ) on Monday December 17, 2018 @11:17PM (#57821766)

      Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.

      The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".

      • I agree with you. Windows 3 or 95 might be simple enough to be safe and securable. But modern Windows Systems operate more or less by magic. OTOH, I think (hope) that modern Windows systems are confined to administrative systems -- how many unused days of leave does Sgt Jones have?, how many spare tires are in the motor pool? -- and aren't used for combat systems.

      • A massively parallel and distributed system to scan the system for viruses and security flaws and proactively take actions to safeguard the system.
        If it were satellite based we called it network in the sky or maybe some other sort of acronym

      • by dyfet ( 154716 )

        And let's not forget JOVIAL....

      • by The123king ( 2395060 ) on Tuesday December 18, 2018 @06:39AM (#57822996)
        Will people stop thinking it's PCs. The military run PDP-11s and VAXen. There's not an 8086 anywhere near, and the only Intel chips are RAM chips
        • "Will people stop thinking it's PCs."

          Sure, just as soon as the military stops using Windows in critical systems. Perhaps you never heard of Windows for Warships? Sure, some of these systems may predate Windows entirely, but others do not and the US military has demonstrated a clear willingness to deploy Windows in places where it not only makes no sense, but also compromises both security and reliability.

      • "Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses."

        Speaking as someone who was there and actually used those computers as my primary desktop for some years (my first PC was an IBM 5150), you are talking out your asshole. We had viruses back then [wikipedia.org] - the first known PC virus dates from 1986.

        "And even though the code might be bad, it is small enough that someone understood it."

        Yes, assuming you had someone on staff who knew assembler and could operate a disassembler. Virus authors don

      • Such a machine is well able to support an ASM virus, just not any modern giant stuff. You can have a contaminate and hook code very easily. As a matter of fact, just to learn how to fight the stuff, 20 years ago I did my own version of the Pong virus from scratch, which also tried to determine if there was a drive it could write to - it was only using hardware interrupts, 10h, 13h, and 08h/1ch for the "timer", and 03h to detect if somebody was monkeying. Deleted it once I was satisfied. I do not recall the e
    • Yes, the military uses old technology. By design. They like their stuff to work. Reliably, which it often does. It's hard to imagine a dumber idea than applying a mess of half-baked "modern" technologies that routinely don't work to a problem quite different from the ones that they don't solve. (Hint: Type "lists of data breaches" into your favorite search engine. **THAT** is what nifty modern technology buys you.)

      Suggested reading, for anyone who thinks the authors of this study have a point --

      • by chill ( 34294 )

        You'd have a point, except:

        (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door censors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas.

        So much for the "elaborate physical security measures". This sounds like a recipe for a couple of college kids to sneak in and replace the EEPROMs in the laser targeting system.

        • by balbeir ( 557475 )

          So much for the "elaborate physical security measures". This sounds like a recipe for a couple of college kids to sneak in and replace the EEPROMs in the laser targeting system.

          Nah, you would have to be a real genius for that

  • The people on the "base" need to be able to use the missile systems for "war" when commanded.
    The idea that such computers would be networked beyond mil secure networks is "strange".
    Space, sea, land tracking systems would send the data along secure networks to a secure base. The US mil "gets" encryption end to end.
    Inside that base the only needed service is to use the data to get a missile "war" ready. Everything connected to the base should be mil grade secure.

    What happened?
    US staff are now allowed
  • by Ashthon ( 5513156 ) on Monday December 17, 2018 @11:13PM (#57821736)
    They need to do a better job of censoring the doors. We don't need to see that filth!
  • by Gravis Zero ( 934156 ) on Monday December 17, 2018 @11:17PM (#57821754)

    (10) Data stored on USB thumb drives was not encrypted.

    I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of these have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory, which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.

    The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.

    • by Dr. Evil ( 3501 ) on Tuesday December 18, 2018 @12:33AM (#57822056)

      I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.

      Whoever summarized the summary appeared to not understand the report and added their own color and errors to it.

      "USB Thumb Drives" seems to be fabricated from the submitter reading "removable media"

      The ZDNet article is also guilty of this. E.g.,

      "DOD IG officials also discovered that at one MDA location, IT administrators failed to install an intrusion detection and prevention system --also known as an antivirus or security product."

      No. Just no.

      The report looks interesting though, far more nuanced.

      • by dyfet ( 154716 )

        Indeed, I believe really we are talking about 5.25 and 8 inch floppy disks. Maybe mag tape, too. A lot of this stuff was classic DEC.

        • by Dr. Evil ( 3501 )

          It would make for an interesting pentest, litter the parking lot with 5.25 and 8 inch floppies labeled "hangman", "death valley", "ascii art" or even just "STUXNET2.COM".

      • This. This technology is more than 30 years old. It is air-gapped, meaning that the primary security barrier is physical - it is invulnerable to any sort of ordinary hacking. Anti-virus makes zero sense. "Removable media" may well refer to floppy disks.

        The IG report does identify a number of problems, but mitigating these problems on ancient technology is non-trivial, and may not even be possible. For example, the processors involved may not even be capable of encrypting data to modern standards, in any sor

    • tbh they are probably better off without antivirus, though
  • ... unpatched Windows XP.

  • by Spy Handler ( 822350 ) on Tuesday December 18, 2018 @12:02AM (#57821948) Homepage Journal

    and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.

    • by Anonymous Coward

      Your attempt at geek cred was solid, but they were 8 inch disks.

  • If these problems apply to payroll and purchasing systems, then it's a problem that should be fixed. If they apply to actual missile systems, then of course it's a whole different kettle of fish.

    I hope and assume any missile systems or classified systems are air-gapped, and things like 2-factor authentication and anti-virus do not apply. Security is guys with guns who shoot anyone who crosses the air-gap without authorization.

    I also hope that any report on vulnerabilities of missile systems would be classi

  • They all run Windows 1.0 because "it's cool".

    /. where smarticles come to die.
  • We used to have MAD: Mutually Assured Destruction to each scare the other side into not starting a war. Now we have Mutually Assured Hacking, which means nobody will know what shit will actually work. Maybe we should keep some pre-digital weapons around in case.

  • The systems are so old, you need to physically get a person in there with punch cards... or a template, one hole punch, scissors and some plastic.
  • We don't have to sing Kumbaya, just shut them all down and we'll never speak of it again.

  • (Sarcasm intended.) It's a good thing that these problems were found in defensive systems, thus ensuring that Mutually Assured Destruction can continue to be our world security policy.

    Even though this security audit found numerous problems, surely none of this kind of stuff is going on in our country's offensive ballistic missile systems. ...and it's not as if we have a President that goes around goading other country's rulers to lob a nuclear missile or few in our direction, so we have nothing to really wo

  • I keep hearing that net-connected infrastructure was infiltruded upon. In virtually every instance, these were places, such as military/gubmint and utilities that always have humans onsite. Humans in control, but apparently not controlling. Yes, power plants have to control their frequency, but they're connected directly to the grid, so why the net conx? We used to do that stuff well enough before we had the Intertubes.
    Is the way we're doing this sort of thing today any better, given that a

  • most importantly, they run windows 10.
  • no antivirus programs

    Let's not talk about attack vectors: AVs are known to introduce huge glaring vulnerabilities which allow kernel level access to the system.

    For such military systems Internet access must be disabled completely; such PCs must be configured such a way, the user cannot run any applications other the preconfigured ones (via security policies). All the scripting features must be locked down completely, i.e. no Microsoft Office, no VBS, no PowerShell, etc. etc. etc. USB flash drives support

    • Yes, sounds like a joke if they want to install antivirus on it. Funny enough that this means they run Windows. It would also mean that they need to regularly install new virus signatures.
      What would signatures of known viruses be good for anyway? Their enemy is a bit more capable than script kiddies. They will certainly put the effort in to write a new virus to shut down missiles.
  • So much for those wonderful STIGs that everyone else has to suffer through.
  • if security can't even be taken seriously at a missile launch site, how can you expect it from some company producing $15 webcams or other insane cheap IoT devices?

  • Just who in their right mind runs a Ballistic Missile System based on Microsoft Windows o]
  • by petes_PoV ( 912422 ) on Tuesday December 18, 2018 @07:39AM (#57823254)
    Old software that isn't patched has some advantages. You know that what you are running is what was tested.

    Also, how would a missile base explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.

  • by Anonymous Coward

    The Headline says "no multi-factor authentication mechanisms"

    The summary says "The Multi-factor authentication wasn't used consistently". So they did have MFA, it just wasn't implemented on a consistent basis. Could mean a bunch of things, but also could mean that MFA was implemented and doing the job, but just wasn't consistently implemented to the same standards at every installation.

  • The ZDNet article states, "where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS)," which led to a lot of mistakes in this thread.

    That is both factually and grammatically incorrect.

    Here, I fixed it for the author; "where the Missile Defence Agency (MDA) had placed ANTI-ballistic missiles AS part of the ..."

    Ballistic missiles are ICBMs and SLBMs. They deliver nuclear warheads to targets.

    ANTI-ballistic missiles are to destroy incoming ballistic

  • He wrote this entire article about the Missile *Defense* Agency, and can't figure out the difference between a ballistic missile and an ANTI-ballistic missile.
