Our defense in unsafe hands? That’s the obvious conclusion of a U.S. Government Accountability Office report examining recent penetration testing of various weapons systems.
In its report, the GAO castigates the Department of Defense for failing even the simplest of pentests. The whole thing makes fascinatingly depressing reading.
Of course, this comes as no surprise to certain voices in the wilderness. In this week’s Security Blogwatch, we let slip the dogs of war.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Appalling coverage of Google+ shutdown …
We’re all going to die
What’s the craic? Bill Chappell goes public—'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says:
Passwords that took seconds to guess, or were never changed from their factory settings. … Vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the [DoD]'s newest weapons systems, according to the [GAO].
…
The GAO says the problems were widespread: "DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development."
…
Despite the steadily growing importance of computers and networks, the GAO says, the Pentagon has only recently made it a priority to ensure the cybersecurity of its weapons systems. … The report stems from a request from the Senate Armed Services Committee, asking it to review the Pentagon's efforts to secure its weapons systems.
…
In several instances, simply scanning the weapons' computer systems caused parts of them to shut down. … "This is a basic technique that most attackers would use."
Can we have a lactic simile? Richard Chirgwin obliges us—GAO report finds more holes than a Swiss cheese, and very little hope for improvement:
If you were worried about the state of US military security systems you might not want to read the latest audit.
…
A “red teamer” cracked into a US Department of Defense system and rebooted it, but nobody noticed. … In another case, testers “caused a pop-up message to appear on users’ terminals instructing them to insert two quarters.”
…
That and a thousand other delicious details can be found in [the GAO] report. … Even simple tools let them wander systems at will, give themselves administrator privileges, and “largely operate undetected.”
…
A few other highlights:
Legacy software is going to get someone killed.
- ”Officials from one program we met with said they are supposed to apply patches within 21 days of when they are released, but fully testing a patch can take months; …
- ”Program offices may not know which industrial control systems are embedded in their weapons or … the security implications; …
- ”One test report indicated that the test team was able to guess an administrator password in nine seconds;
- Multiple weapon systems used commercial or open source software, but did not change the default password [allowing] test teams to look up the password on the Internet; …
- Even when an intrusion detection system was in place … it was ignored; …
- ”Test team activity was documented in system logs, but operators did not review them.” …
In summary? Here’s Bruce Schneier on Security Vulnerabilities:
The upshot won't be a surprise to any of my regular readers: They're vulnerable.
…
It is definitely easier, and cheaper, to ignore the problem or pretend it isn't a big deal. But that's probably a mistake in the long run.
Ain’t that the truth? Sam Biddle fiddles while DC burns: [You’re fired—Ed.]
The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems. … The findings are all the more disturbing given that the GAO said they “likely represent a fraction of total vulnerabilities.”
…
[It] reveals colossal negligence in the broader process of building and buying weapons. … Even when weapons program officials were aware of problems, the issues were often ignored.
…
This, then, is the crisis: The U.S. has created a computerized global military using complex, interconnected, and highly vulnerable tools. … And now it must fix it.
This is nothing less than an engineering nightmare — but far preferable to what will happen if one of these software flaws is exploited by someone other than a friendly government tester.
Don’t hold back, Sam. Tell us what you really mean. James Gerard also doesn’t mince words:
This is so far beyond ridiculous. … What gross incompetence.
The ignorance of the officers in charge of the departments involved is grotesque. … Unless they show sufficient aptitude and determination, they must be reassigned to posts of lesser responsibility.
I hesitate to suggest court martial, but … they have committed dereliction of duty, and unless systemic ignorance gives them reasonable cover, I don’t know what would. Every officer in the chain of command needs the retraining and the close scrutiny of investigators.
But do you think the problem is confined to the military? marvinalone is here to burst your bubble:
It is absolutely happening in enterprise software. I have met sales guys and startup advisors that prided themselves in being able to play [the] game well. In a certain segment of this industry, you get laughed at if you try to actually come up with a solution.
And angry_octet gives it all eight bits:
I could write a long paper on this, and I would have if I thought it would've made a difference.
…
- Stovepiped organisations: stick in your own lane. But security is cross cutting.
- Security orgs want to stick to what they know …
- Security unwilling to own risk, fall back on ass-covering checklists. …
- True lack of expertise at stakeholder level. …
- It isn't career enhancing to identify naked emperors.
- Good security costs money upfront [but] fixing is someone else's problem [and] is new contracts and more work.
None of this is any surprise to ShanghaiBill, neither:
In the military … communication is inherently unidirectional, and they can go years between real world validations (i.e., wars).
"War games" are setup by the same people that are being tested, so if they fail … they can just change the rules and have a do-over. This famously happened during the run up to the 2003 Iraqi invasions, when … the Red Team (opfor) … was repeatedly banned from using unconventional tactics, such as underage bicycle messengers and roadside bombs, because that was "unrealistic".
…
We were hopelessly out numbered and out gunned since we were playing "insurgents". So we decided to … cut off the Blue Team's water supply. I was told that wasn't allowed. … So then we set up road blocks that targeted their chow trucks. Nope, that wasn't allowed either.
…
In the after-action critique, I can remember the colonel getting up and congratulating everyone on a job well done. … I am not surprised that America proceeded to lose several wars.
But are we using the right paradigm? jeff4747 ponders thuswise:
These systems are air-gapped.
At that point, you have to decide if the air gap is enough or if you want to add more security. When making that decision, you have to consider things like "If we can't fire this when we need to because a certificate expired, we will die".
And "an operator could sabotage this" doesn't require hacking the computer. … Throw a wrench in it. Or unplug it. Or fill the operator's station with bullets.
Is a good man hard to find? Not when you’re komali2:
I had the opportunity to tour the "USS BONHOMME RICHARD," as well as talk to visiting sailors and marines, this weekend during SF Fleet Week.
…
My takeaway impressions … after talking to the mechanics and network IT folks, is that a ton of their systems are old, the manpower turnover is between 1-2 years as they get cycled between boats … and training is extremely specialized. … Half the people I talked to, the ones actually running these systems, are overworked 19 year olds with circles under their eyes.
…
Most parts of the systems … usually perform to about 10% their pitched lifespan from whoever made them before they fail, repeatedly.
…
The only thing preventing access to a boat's network is standing orders and the threat of punishment. You can just plug right in. Every system runs on the same network: radar, weapons systems, anti-air, emergency comms, in-ship cameras...
…
As of right now, I have absolutely no confidence in the military to withstand a full on cyberattack from a similarly provisioned military.
Are there really no positive voices in this conversation? Oh wait, here’s Harlan Lieberman-Berg:
If you are interested in helping the US Government fix this particular trashfire, consider joining the Defense Digital Service. We work on a variety of DoD projects as part of the US Digital Service "tech peace corps". dds.mil
…
It's amazing work [but if] you're interested in being involved as a security researcher, reach out to me and we can talk about joining our bug bounty program.
…
you don’t do this job for the money. … You join because you want to make a real difference in people’s lives, in a visceral, real way.
I can say without exaggeration that there are people who would have died except for the work that our team had done. … The impact you can have working for USDS is massive. … You can personally change the lives of hundreds of thousands or millions of people. That’s the kind of hook that beats equity for me any day.
…
You can reach me at harlan@dds.mil
Meanwhile, Version 1.0 drags us back to the real world:
Not Again!
This has been going on for a long time, I remember when some kid hacked into WOPR with their IMSAI and nearly started a war.
The moral of the story? Quis custodiet ipsos custodes: Third-party audit of security is essential—especially with military tech.
And finally …
Google+ Shuts Down, Tech Press Goes Nuts
Or: A divisive senior reads headlines
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: David B. Gleason (cc:by-sa)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
