US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com) 190
An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.
Why would the DOD need a report? (Score:3)
Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?
Re:Why would the DOD need a report? (Score:5, Funny)
Security through obsolescence and incompatibility
Re: (Score:2)
The last time this type of report came out they were still using floppy discs
Re: Why would the DOD need a report? (Score:5, Insightful)
The last time this type of report came out they were still using floppy discs
I'm okay with floppy disks being used as a step to activate nuclear weapons. Force an air gap and real people to be involved. I'm not sure a system that fires a ballistic missile should have an antivirus, since they should never ever ever be running anything that hasn't had its pedigree gone through to the last semicolon. Basically I'd rather have the design be old, but known good, and require a person to take some esoteric list of manual steps, than have it all connected to a network with Windows on it, and plug and play. That esoteric list of steps and weird things like floppies may be a pain to maintain, but it provides some solid security against any kind of remote exploitation.
Of course the rest of the article summary sounds like sheer incompetence. Defence in depth is not optional for critical systems.
Re: (Score:2)
Omg then it was true!
That nefarious hacker Kevin Mitnick could have hacked and launched nukes by using a phone and whistling... Thank God he was kept in solitary and denied a phone for 6 months.
Haha
Re: (Score:2, Interesting)
Omg then it was true!
That nefarious hacker Kevin Mitnick could have hacked and launched nukes by using a phone and whistling... Thank God he was kept in solitary and denied a phone for 6 months.
Haha
The Mitnick hysteria was interesting, but ultimately just an example of uninformed people not knowing what was possible and assuming the worst, perhaps due to television.
AI, on the other hand, seems the real threat, not because I believe you're getting real intelligence, but because I believe it will be good enough to act as a lever for powerful people to manipulate the world. Imagine a world, similar to today's, but with everyone having say 50 years of AI tech developed. If you didn't see it in person, per
Re: (Score:2)
I want to know what "Door censors" are
(and if I should be using them as part of my security setup)
Re: Why would the DOD need a report? (Score:2)
It's a newfangled cloud gadget which monitors your door and keeps out republicans.
Re: (Score:2)
Can the world survive it becoming impossible to tell truth from fiction? The optimistic view is we will somehow get better at detecting the lies, perhaps using more AI. I'm needless to say skeptical.
The world existed before invention of photographs and cameras and any recording devices, when all there was were human words and drawings, so I guess we'll adapt - as we always do, there'll be some chaos time though - as there always is. Unless, of course, this time there will not be enough wise people and thanks to our technology it would be the last humanity chaotic period.
Re: (Score:2)
I wonder if they have a huge stack of spare floppy disks (that they test regularly) or if someone is still manufacturing them for military use.
Re: (Score:2)
I wonder if they have a huge stack of spare floppy disks (that they test regularly) or if someone is still manufacturing them for military use.
You can still buy 3-1/2" and 5-1/4" floppies on Amazon. 8", not so much.
Re: Why would the DOD need a report? (Score:5, Funny)
Re: (Score:3)
"They should install Kaspersky, then they'd be OK,"
They should install Russian government spyware? Fantastic idea. We should put you in charge!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: Why would the DOD need a report? (Score:2)
For VAX/VMS, the current O/S developer provides support and is porting to X86: https://www.vmssoftware.com/se... [vmssoftware.com]
Re: (Score:3)
https://5.imimg.com/data5/UB/V... [imimg.com]
Sorted!
Re: (Score:2)
Re:Why would the DOD need a report? (Score:3, Interesting)
you're not totally wrong.
But the Paul Ryan shutdowns have wreaked havoc on program budgets over the past 10 years, and yeah, that led to a LOT of chaos and turnover in these kinds of programs. I'm not at all surprised there's a problem like this. Doing security RIGHT: in the context of a DoD framework like RMF, is very expensive. And just as you get a team that understands one process, it gets changed. And the requirements are laden with REALLY fucking expensive software licenses. Which is an additi
Re: (Score:2)
Re:Why would the DOD need a report? (Score:4, Informative)
Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?
How do people "know" things? By learning. How would they learn? By reading. What would they read? A report. Where would the report come from? Someone tasked with generating it.
Do you really think everyone in DoD is somehow born with knowledge about missile system OSes, and all the flaws in those OSes?
Also, this has nothing to do with the security of "ballistic missiles". The missiles managed by MDA are NOT ballistic.
Re:Why would the DOD need a report? (Score:5, Informative)
Yes, they ARE ballistic, because they have to be to hit a ballistic trajectory target before terminal stage.
They are NOT ballistic missiles. They have terminal guidance to a moving target.
Ballistic missile [wikipedia.org]
Re: WRONG. (Score:5, Insightful)
Whoever wrote that is just clueless. The Ballistic Missile Defense System is a system which protects against ballistic missiles, not one which fires ballistic missiles.
Re: (Score:1)
The BMDO missiles in question are not intercontinental ballistic missiles (ICBMs); nor even intermediate range ballistic missiles (IRBM).
"ballistic missile" is usually shorthand for ICBM.
Re: (Score:2)
The other buddy team is under watch by the FBI after one of them did something that attracted a security review.
Too few really skilled mil workers/contractors for the buddy system, too many problems.
Re:Why would the DOD need a report? (Score:4, Insightful)
Sounds like a penetration test was conducted, including physical access testing. That's normal and good procedure, just a bit shocking that they do it only now and bugs from 1990 haven't been fixed yet...
Re: Why would the DOD need a report? (Score:1)
They have plenty of security. These guys invented security. Just not the kind millennial nazis like
Re:Why would the DOD need a report? (Score:5, Informative)
The DoD, DoE, TSA, DHS, etc... are generally run by people completely lacking the ability to make decisions related to technology. This is not uncommon, hell, most of my company's customers are completely at the mercy of some slide shows and Gartner reports.
Consider this... what percentage of Cisco customers actually need what Cisco peddles? I've been reviewing most of our customers' networks and realized that the average customer paid $20 million over 5 years for their network. I assessed their needs, their requirements (then and now) and concluded that they should throw their networks away completely and replace them with systems costing an average of $500K CapEx and about $200K OpEx annually. But they will continue to spend an average of $4 million a year each because they are completely at the mercy of the salespeople who sell them tons of shit they don't need.
The TLAs (three letter agencies) aren't even run by business leaders. They are run by bureaucrats. As such, they are even more poorly managed. I've worked with multiple organizations that hire people, stick them in secure environments after their clearance
No... the DOD has absolutely no idea what the hell is going on in the IT systems because they never hire anyone long enough to get a foothold. I was at an SAIC office not long ago which had over 200 desks and in most cases, those desks were filled by sub-sub-sub-contractors and most people had no idea what anyone did or even what company they worked for.
If you think the DOD is bad, you should look at the State Department. I'm entirely convinced they simply let everyone walk through there unchecked.
I think it really went all downhill with the introduction of the TSA which is basically nothing more than a way of keeping people off welfare and not calling it socialism. They have 1.2 million people in their Active Directory last I checked.... how many do you think are actually tracked and verified?
Re: (Score:2)
So you are saying compartmentalization works? I have a feeling one or two TLAs know exactly what is going on.
I doubt it. The US TLAs are notorious for the left hand not knowing what the right hand is doing. They should be connected, at least at the highest levels, but there's so much going on that by the time it filters up to a level where the agencies are comfortable with there being some sort of cross connect, it's too late. They're never comfortable until it hits the Director level, and there's too much going on for any one person to keep up with, even if that's all they did, and it isn't all they do.
Even wi
Re: (Score:2)
Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?
The DOD (and any organization for that matter) requires audit reports to confirm that what they know in inventory is actually true.
Shit moves.
Think data centers for instance. Routers move, get displaced, get fried, replaced, etc. You'll keep some type of inventory (hopefully tied to some sort of monitoring and procuring system), even if only manual. But every once in a while you need to double check that the list is sufficiently accurate to represent what you have.
Same with software systems.
So it is
"Door censors"? (Score:1)
"Captain - censors indicate the ____ of a _____ ______ on the _______."
Re: (Score:1)
Whoosh ... (Score:3)
Think that should be "door sensors".
Look! Up in the Sky! Is it a bird? Is it a plane? No, it's a joke .. flying right over the top of you!
Re: (Score:2)
That, or an ABM that went off course.
Re: (Score:2)
Maybe, except the "open door" status has been censored.
Oblig xkcd (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Not necessarily. Air gapped systems can be attacked by parties with sufficient means -- state actors. Remember STUXNET? It was a joint American/Israeli attack on SCADA systems controlling Iranian uranium centrifuges. To get at those air-gapped PLCs, we infected the whole world.
It's not enough to air gap a system, you have to air gap every system that prepares data and program updates for that system. Essentially you have to build up an entirely separate parallel cyber infrastructure that never has c
Re: (Score:2)
Re: (Score:2)
"state actors capable of sneaking into air gapped facilities, but incapable of not being detected by McAfee"
made my day LOL
Re: (Score:2)
That's not how 2FA necessarily works.
Re: (Score:2)
Why am I not surprised? (Score:2)
I hope they are using 40 year old tech (Score:5, Interesting)
Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.
The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".
Re: (Score:2)
I agree with you. Windows 3 or 95 might be simple enough to be safe and securable. But modern Windows Systems operate more or less by magic. OTOH, I think (hope) that modern Windows systems are confined to administrative systems -- how many unused days of leave does Sgt Jones have?, how many spare tires are in the motor pool? -- and aren't used for combat systems.
Maybe AI Could Help (Score:3)
A massively parallel and distributed system to scan the system for viruses and security flaws and proactively take actions to safeguard the system.
If it were satellite based we called it network in the sky or maybe some other sort of acronym
Re: (Score:2)
And lest not forget jovial....
Re:I hope they are using 40 year old tech (Score:4, Informative)
Re: (Score:2)
"Will people stop thinking it's PC's."
Sure, just as soon as the military stops using Windows in critical systems. Perhaps you never heard of windows for warships? Sure, some of these systems may predate Windows entirely, but others do not and the US military has demonstrated a clear willingness to deploy windows in places where it not only makes no sense, but also compromises both security and reliability.
Re: (Score:3)
"Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses."
Speaking as someone who was there and actually used those computers as my primary desktop for some years (my first PC was an IBM 5150), you are talking out your asshole. We had viruses back then [wikipedia.org] - the first known PC virus dates from 1986.
"And even though the code might be bad, it is small enough that someone understood it."
Yes, assuming you had someone on staff who knew assembler and could operate a disassembler. Virus authors don
Not quite right (Score:2)
Re: (Score:3)
Yes, the military uses old technology. By design. They like their stuff to work. Reliably, Which it often does. It's hard to imagine a dumber idea than applying a mess of half baked "modern" technologies that routinely don't work to a problem quite different than that the ones that they don't solve. (Hint: Type "lists of data breaches" into your favorite search engine. **THAT** is what nifty modern technology buys you.)
Suggested reading, for anyone who thinks the authors of this study have a point --
Re: (Score:2)
You'd have a point, except:
(5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door censors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas.
So much for the "elaborate physical security measures". This sounds like a recipe for a couple of college kids to sneak in and replace the EEPROMs in the laser targeting system.
Re: (Score:2)
So much for the "elaborate physical security measures". This sounds like a recipe for a couple of college kids to sneak in and replace the EEPROMs in the laser targeting system.
Nah, you would have to be a real genius for that
Why? (Score:2)
The idea that such computers would be networked beyond mil secure networks is "strange".
Space, sea, land tracking systems would send the data along secure networks to a secure base. The US mil "gets" encryption end to end.
Inside that base the only needed service is to use the data to get a missile "war" ready. Everything connected to the base should be mil grade secure.
What happened?
US staff are now allowed
"Door censors showed doors" (Score:5, Funny)
Maybe Kaspersky antivirus. (Score:2)
Comment removed (Score:3)
Re: (Score:2)
So the best way to weaken the US is to not give them an enemy?
Precisely.
From the mouths of anonymous cowards may fall the most profound insights. But boy is shoveling through the muck to find them a lot of work...
Most alarming discovery: (Score:5, Interesting)
(10) Data stored on USB thumb drives was not encrypted.
I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of these have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.
The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.
Summary Appears Broken (Score:5, Insightful)
I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.
Whomever summarized the summary appeared to not understand the report and added their own color and errors to it.
"USB Thumb Drives" seems to be fabricated from the submitter reading "removable media"
The ZDNet article is also guilty of this. E.g.,
No. Just no.
The report looks interesting though, far more nuanced.
Re: (Score:2)
Indeed, I believe really we are talking about 5.25 and 8 inch floppy disks. Maybe mag tape, too. A lot of this stuff was classic dec.
Re: (Score:2)
It would make for an interesting pentest, litter the parking lot with 5.25 and 8 inch floppies labeled "hangman", "death valley", "ascii art" or even just "STUXNET2.COM".
Re: (Score:2)
This. This technology is more than 30 years old. It is air-gapped, meaning that the primary security barrier is physical - it is invulnerable to any sort of ordinary hacking. Anti-virus makes zero sense. "Removable media" may well refer to floppy disks.
The IG report does identify a number of problems, but mitigating these problems on ancient technology is non-trivial, and may not even be possible. For example, the processors involved may not even be capable of encrypting data to modern standards, in any sor
Re: (Score:2)
Re: (Score:2)
They're running ... (Score:2)
... unpatched Windows XP.
Re:Now How Would (Score:2)
Re: (Score:2)
Because I'm a retired IT guy. Also, I'm running Windows XP, but it's patching itself [thehackernews.com].
It thinks it's an ATM machine [msn.com] or other embedded OS.
Re: (Score:2)
If they don't have patches, how will anyone know the branch of military, you insensitive clod?
Last I'd heard, they were using floppies (Score:5, Interesting)
and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.
Re: (Score:1)
Your attempt at geek cred was solid, but they were 8 inch disks.
Not clear which systems (Score:2)
If these problems apply to payroll and purchasing systems, then it's a problem that should be fixed. If they apply to actual missile systems, then of course it's a whole different kettle of fish.
I hope and assume any missile systems or classified systems are air-gapped, and things like 2-factor authentication and anti-virus do not apply. Security is guys with guns who shoot anyone who crosses the air-gap without authorization.
I also hope that any report on vulnerabilities of missile systems would be classi
And most importantly... (Score:2)
Nah... (Score:2)
The all run Windows 1.0 because "it's cool".
Nah... It’s MS-DOS 4.3 and TopView.
Re: (Score:2)
Gomer's Pile (Score:2)
We used to have MAD: Mutually Assured Destruction to each scare the other side into not starting a war. Now we have Mutually Assured Hacking, which means nobody will know what shit will actually work. Maybe we should keep some pre-digital weapons around in case.
It's called physical security (Score:2)
We could shut them all down (Score:2)
We don't have to sing kom by yah, just shut them all down and we'll never speak of it again.
It's a good thing.... (Score:2)
(Sarcasm intended.) It's a good thing that these problems were found in defensive systems, thus ensuring that Mutually Assured Destruction can continue to be our world security policy.
Even though this security audit found numerous problems, surely none of this kind of stuff is going on in our country's offensive ballistic missile systems. ...and it's not as if we have a President that goes around goading other country's rulers to lob a nuclear missile or few in our direction, so we have nothing to really wo
The sort of thing that probly shouldn't be co... (Score:1)
I keep hearing that net-connected infrastructure was infiltruded upon. In virtually every instance, these were places, such as military/gubmint and utilities that always have humans onsite. Humans in control, but apparently not controlling. Yes, power plants have to control their frequency, but they're connected directly to the grid, so why the net conx? We used to do that stuff well enough before we had the Intertubes.
Is the way we're doing this sort of thing today any better, given that a
And... (Score:2)
Speaking of antiviruses (Score:2)
Let's not talk about attack vectors: AVs are known to introduce huge glaring vulnerabilities which allow kernel level access to the system.
For such military systems Internet access must be disabled completely; such PCs must be configured in such a way that the user cannot run any applications other than the preconfigured ones (via security policies). All the scripting features must be locked down completely, i.e. no Microsoft Office, no VBS, no PowerShell, etc. etc. etc. USB flash drives support
Re: (Score:2)
What would signatures of known viruses be good for anyway? Their enemy is a bit more capable than script kiddies. They will certainly put the effort in to write a new virus to shut down missiles.
STIG (Score:2)
not taken seriously (Score:2)
if security can't even be taken seriously at a missile launch site, how can you expect it from some company producing $15 webcams or other insane cheap IoT devices?
Missile System runs on Microsoft Windows o] (Score:2)
Re: (Score:2)
The same people that run their warships on Windows.
You can understand why (Score:5, Interesting)
Also, how would a missile base explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.
no multi-factor authentication mechanisms? (Score:1)
The Headline says "no multi-factor authentication mechanisms"
The summary says "The Multi-factor authentication wasn't used consistently". So they did have MFA, it just wasn't implemented on a consistent basis. Could mean a bunch of things, but also could mean that MFA was implemented and doing the job, but just wasn't consistently implemented to the same standards at every installation.
Re: (Score:1)
OP article language is incorrect. (Score:2)
The ZDNet article states, "where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS)," which led to a lot of mistakes in this thread.
That is both factually and grammatically incorrect.
Here, I fixed it for the author; "where the Missile Defence Agency (MDA) had placed ANTI-ballistic missiles AS part of the ..."
Ballistic missiles are ICBMs and SLBMs. They deliver nuclear warheads to targets.
ANTI-ballistic missiles are to destroy incoming ballistic
Good to read stories by "the experts" (Score:2)
He wrote this entire article about the Missile *Defense* Agency, and can't figure out the difference between a ballistic missile and an ANTI-ballistic missile.
Re: (Score:2)
Any command that is given will be followed and the "missile" will work.
The troops are tested to follow any correct command.
It's just they have to keep doors open and know not to "fix" things as they don't get the support to fix everything.
So a base is left in a state of poor repair but the skilled people on duty can run from room to room to get it all working when the command is given.
The open doors help with the running part and that is vital to keep the US war ready.
D
Re: (Score:2)
The US can detect any and all "launch" attempts globally in real time.
The only question politically is if the US still responds with all its nuclear missile systems on launch detection.
Is the US mil now commanded to wait and see and then respond? Still commanded to launch fully on any other nations when they launch?
Re: (Score:2)
The funny part is how few people are going to believe you.
Ob S.S.D.D (Score:2)
000000 [poisonedminds.com]
Caveats:
- The next page of the thread, dealing with bypassing two-factor authentication, is two "next"s forward.
- Poisoned Minds / S.S.D.D. is generally N.S.F.W. (Including the next few pages after the one linked.)
maybe not...dont be so sure... (Score:1)
Re: (Score:2)
Plus, they have to get inside to launch complex.
(6) Security cameras didn't cover the entire base.
(8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas.
Ooops.